Publish date
25 April 2018
Identifier
TBC
Manufacturer
Hyperoptic /ZTE
Product
ZTE H298N and ZTE H298A
Patched
Patched on 30th April 2018. Updated firmware versions:
H298N: V1.1.3_HOP15T2
H298A: V1.0.25_HOP.1T3
Authors
Daniel Cater
Description
The combination of a DNS rebinding vulnerability and a hardcoded root account allow an Internet-based attacker to compromise all customer routers of UK ISP Hyperoptic via a malicious webpage. The vulnerabilities are present on both “HyperHub” router models, the ZTE H298N and the newer ZTE H298A, affecting all customers using the provided routers.
Context disclosed these vulnerabilities in collaboration with our partner Which? on 31st October 2017. Hyperoptic confirmed that the after working with their supplier ZTE, the patch was rolled out to all customers for both routers on 30th April 2018. The NCSC (National Cyber Security Centre) were also advised of the vulnerability prior to public disclosure.
Disclosure timeline:
- 31st October 2017: Context disclose the vulnerabilities to Hyperoptic via our partner Which?
- 10th November 2017: Hyperoptic accept the findings and commit to working with ZTE to fix them
- December 2017: Hyperoptic change the shared root password which had been posted previously on a public website to a new shared root password
- 23rd April 2018: Hyperoptic inform Which? that unique root passwords per customer have been rolled out
- 25th April 2018: Context and Which? publish articles
- 26th April 2018: Context test two additional devices and find that they still share the same root password. This is queried with Hyperoptic
- 30th April 2018: Hyperoptic confirm that unique passwords have now been rolled out to all customers. Context verify this on the devices tested previously