ROUTERS FROM FIBRE PROVIDER HYPEROPTIC contain a flaw that left up to 400,000 British users open to potential hacking.
The H298N routers Hyperoptic provides to its UK users come courtesy of Chinese electronics firm ZTE.
But security firm Context IS discovered that the devices contained "the combination of a hardcoded root account and a DNS rebinding vulnerability", which could have allowed an "internet-based attacker to compromise all customer routers of UK ISP Hyperoptic via a malicious webpage".
Nasty stuff, particularly as the there's no need for a hacker to be on the same network as a targeted router.
Once compromised, a hacker could carry out all manner of nefarious activity, such as sucking up the network's password, snooping on data, or slaving the router into a high-bandwidth botnet that could be used to conduct distributed denial of service attacks.
Working with its partner Which?, Context IS alerted Hyperoptic to the flaw. The broadband provider then jumped into action to plug the vulnerability, and so far there are no murmurs of the security hole being exploited.
"As soon as we were made aware of the concern, we immediately changed the passwords to safeguard these devices, and we have been working together with our supplier to implement new security controls so that our customers can be confident the concern has now been resolved," said Hyperoptic's chief customer officer Steve Holford.
It looks like the security hole can be firmly laid at the doorstep of ZTE. The Chinese company has come under scrutiny from the UK's National Cyber Security Centre (NCSC) which warned telecoms companies operating in Britain to avoid using ZTE tech.
According to Which? the NCSC's warning wasn't related to the router security woes faced by Hyperoptic, though we suspect the broadband provider will think twice about using ZTE routers in the future.
"All ISPs should take this seriously, and invest in thoroughly testing their consumer devices and their infrastructure if they are not already doing so," highlighted Daniel Cater, the security researcher at Context IS, the chap who discovered the router flaw. Sounds like a sensible approach to us, rather than immediately blame Chinese tech. µ
The week in Google
The scandal that just keeps giving
Clip to the end....