2 min read

Flawed routers with hardcoded passwords were manufactured by firm that posed "national security risk" to UK

Graham CLULEY

April 27, 2018

Ad One product to protect all your devices, without slowing them down.
Free 90-day trial
Flawed routers with hardcoded passwords were manufactured by firm that posed "national security risk" to UK

Earlier this month the UK’s National Cyber Security Centre (NCSC) issued a warning to telecoms firms about the potential risks posed by devices manufactured by Chinese-state owned enterprise ZTE.

“NCSC assess that the national security risks arising from the use of ZTE equipment or services within the context of the existing UK telecommunications infrastructure cannot be mitigated,” said Dr Ian Levy, technical director of the NCSC.

At the same time, which is headquartered in the city of Shenzhen, was fined over one billion dollars and banned from importing American component for seven years, after illegally shipping telecoms equipment to Iran and North Korea in violation of regulations, and misleading the US Department of Commerce.

In other words, ZTE is something of a controversial company, and not having the best of months.

How does this affect the average user who may never have heard of ZTE?

Well, this week it has been revealed that British customers of high-speed fibre broadband supplier Hyperoptic could have been at risk of having their Hyperoptic HyperHub routers hijacked.

And who manufactures those Hyperoptic routers? You guessed it, ZTE.

Security researchers at Context IS discovered that just visiting a malicious webpage was enough to compromise any of Hyperoptic’s HyberHub routers, who have hundreds of thousands of customers in the UK.

The researchers, working with “Which?” magazine, discovered last year that it was possible to compromise the ZTE-manufactured routers simply by tricking an intended victim into clicking on a malicious link.

Exploiting the vulnerability was possible because the routers were using a hardcoded password for the devices’ root accounts.

Potential attackers did not even have to be on the same Wi-Fi network as the vulnerable device. The attack could be done remotely from the other side of the world, allowing a hacker from another country to log into a victim’s router, gain full control of their network, and potentially spy or steal information.

The serious security flaw was disclosed responsibly to Hyperoptic who pushed out a firmware security upgrade to all affected customer routers this month:

“As soon as we were made aware of the concern, we immediately changed the passwords to safeguard these devices, and we have been working together with our supplier to implement new security controls so that our customers can be confident the concern has now been resolved.”

Daniel Cater, the security researcher who uncovered the router flaw, emphasised that more needed to be done by companies to ensure that internet-enabled devices do not contain vulnerabilities:

“All ISPs should take this seriously, and invest in thoroughly testing their consumer devices and their infrastructure if they are not already doing so.”

The truth is that its unlikely that Hyperoptic is the only company which is giving its customers internet devices containing ZTE technology, and therefore it’s quite possible that security holes like this may not be limited purely to Hyperoptic routers.

Stay safe folks. We live in interesting times.

tags


Author



Right now

Top posts

How to monitor your online privacy during your Thanksgiving trip

How to monitor your online privacy during your Thanksgiving trip

November 22, 2022

3 min read
Just your yearly dose of Black Friday spam: Cybercrooks get ahead of the game to steal shoppers’ info

Just your yearly dose of Black Friday spam: Cybercrooks get ahead of the game to steal shoppers’ info

November 16, 2022

6 min read
Bitdefender VPN in 2022: the new, the improved, and the soon-to-be

Bitdefender VPN in 2022: the new, the improved, and the soon-to-be

November 14, 2022

5 min read
August Spam Debrief: Bitdefender Labs Warns of Fraud Campaigns Exploiting the Russia-Ukraine War

August Spam Debrief: Bitdefender Labs Warns of Fraud Campaigns Exploiting the Russia-Ukraine War

August 31, 2022

4 min read
Snake Keylogger Returns in Malspam Campaign Disguised as Business Portfolio from IT Vendor

Snake Keylogger Returns in Malspam Campaign Disguised as Business Portfolio from IT Vendor

August 30, 2022

2 min read
What is medical identity theft and how to protect against it

What is medical identity theft and how to protect against it

July 27, 2022

2 min read

FOLLOW US ON

SOCIAL MEDIA


You might also like

How to keep your Android device immune to malicious vaccine themed apps How to keep your Android device immune to malicious vaccine themed apps
Cristina POPOV

April 22, 2021

2 min read
Facebook Takes Down Two Hacking Groups Operating out of Palestine Facebook Takes Down Two Hacking Groups Operating out of Palestine
Silviu STAHIE

April 22, 2021

2 min read
Ransomware attack causes supermarket cheese shortage in the Netherlands Ransomware attack causes supermarket cheese shortage in the Netherlands
Graham CLULEY

April 13, 2021

2 min read