2 min read

Flawed routers with hardcoded passwords were manufactured by firm that posed "national security risk" to UK

Graham CLULEY

April 27, 2018

Ad One product to protect all your devices, without slowing them down.
Free 90-day trial
Flawed routers with hardcoded passwords were manufactured by firm that posed "national security risk" to UK

Earlier this month the UK’s National Cyber Security Centre (NCSC) issued a warning to telecoms firms about the potential risks posed by devices manufactured by Chinese-state owned enterprise ZTE.

“NCSC assess that the national security risks arising from the use of ZTE equipment or services within the context of the existing UK telecommunications infrastructure cannot be mitigated,” said Dr Ian Levy, technical director of the NCSC.

At the same time, which is headquartered in the city of Shenzhen, was fined over one billion dollars and banned from importing American component for seven years, after illegally shipping telecoms equipment to Iran and North Korea in violation of regulations, and misleading the US Department of Commerce.

In other words, ZTE is something of a controversial company, and not having the best of months.

How does this affect the average user who may never have heard of ZTE?

Well, this week it has been revealed that British customers of high-speed fibre broadband supplier Hyperoptic could have been at risk of having their Hyperoptic HyperHub routers hijacked.

And who manufactures those Hyperoptic routers? You guessed it, ZTE.

Security researchers at Context IS discovered that just visiting a malicious webpage was enough to compromise any of Hyperoptic’s HyberHub routers, who have hundreds of thousands of customers in the UK.

The researchers, working with “Which?” magazine, discovered last year that it was possible to compromise the ZTE-manufactured routers simply by tricking an intended victim into clicking on a malicious link.

Exploiting the vulnerability was possible because the routers were using a hardcoded password for the devices’ root accounts.

Potential attackers did not even have to be on the same Wi-Fi network as the vulnerable device. The attack could be done remotely from the other side of the world, allowing a hacker from another country to log into a victim’s router, gain full control of their network, and potentially spy or steal information.

The serious security flaw was disclosed responsibly to Hyperoptic who pushed out a firmware security upgrade to all affected customer routers this month:

“As soon as we were made aware of the concern, we immediately changed the passwords to safeguard these devices, and we have been working together with our supplier to implement new security controls so that our customers can be confident the concern has now been resolved.”

Daniel Cater, the security researcher who uncovered the router flaw, emphasised that more needed to be done by companies to ensure that internet-enabled devices do not contain vulnerabilities:

“All ISPs should take this seriously, and invest in thoroughly testing their consumer devices and their infrastructure if they are not already doing so.”

The truth is that its unlikely that Hyperoptic is the only company which is giving its customers internet devices containing ZTE technology, and therefore it’s quite possible that security holes like this may not be limited purely to Hyperoptic routers.

Stay safe folks. We live in interesting times.

tags


Author



Right now

Top posts

The Holiday Guide to Tech Support: Fixing the Family Computer

The Holiday Guide to Tech Support: Fixing the Family Computer

November 24, 2021

2 min read
Bitdefender Celebrates 20 Years of Cybersecurity Leadership

Bitdefender Celebrates 20 Years of Cybersecurity Leadership

November 04, 2021

3 min read
Bitdefender Study Reveals How Consumers Like (and Dislike) Managing Passwords

Bitdefender Study Reveals How Consumers Like (and Dislike) Managing Passwords

October 26, 2021

3 min read
What are drive-by download attacks and how do you prevent them?

What are drive-by download attacks and how do you prevent them?

October 25, 2021

2 min read
Criminals Can't Wait to Add Your IoT Device to Their DDoS Networks

Criminals Can't Wait to Add Your IoT Device to Their DDoS Networks

October 22, 2021

2 min read
Six in 10 Consumers Faced a Cyber Threat in 2021, New Bitdefender Study Reveals

Six in 10 Consumers Faced a Cyber Threat in 2021, New Bitdefender Study Reveals

October 20, 2021

3 min read

FOLLOW US ON

SOCIAL MEDIA


You might also like

How to keep your Android device immune to malicious vaccine themed apps How to keep your Android device immune to malicious vaccine themed apps
Cristina POPOV

April 22, 2021

2 min read
Facebook Takes Down Two Hacking Groups Operating out of Palestine Facebook Takes Down Two Hacking Groups Operating out of Palestine
Silviu STAHIE

April 22, 2021

2 min read
Ransomware attack causes supermarket cheese shortage in the Netherlands Ransomware attack causes supermarket cheese shortage in the Netherlands
Graham CLULEY

April 13, 2021

2 min read