Hyperoptic provides fibre broadband to homes in various British cities, including London, Glasgow, Newcastle, Reading and Cardiff.
Daniel Cater, Lead Security Consultant at Context, found that the flaw in the router could have allowed an attacker to fully compromise the router of any Hyperoptic customer by sending them a web link. Unlike an attack such as KRACK on WPA2, you wouldn’t have needed to be on the same local network to execute the attack and so it could have been done from anywhere over the Internet. If the user clicked the link, the attacker’s web page could then have logged into the victim’s router (using a shared root password that had been posted previously on a public website) and gained full control over their home network.
With our partner Which?, Context disclosed the vulnerability to Hyperoptic, and the company has been working with supplier ZTE over the past six months to fix the flaw. An interim update was pushed out in December to change the shared root password (which was available on a public website) to a new shared root password. However, an attacker with access to one of the devices (either by being a customer, or by purchasing a second-hand device online) could have quickly obtained the updated password and continued to exploit the vulnerability. We demonstrated this by obtaining the updated password within 20 minutes of discovering that it had been changed.
The more recent fix, including new individual root passwords being set for every router, was completed on 30th April, 2018. More details of the fix can be found here.
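The two points above (a fleet-wide shared root password that any web page could submit, versus a unique credential per device) can be modelled in a few lines. This is an added illustration, not Context's, Hyperoptic's or ZTE's code; the router origin, the placeholder shared password and the `Router`/`provision` names are assumptions, and the real vulnerability details are not reproduced here.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

ROUTER_ORIGIN = "http://192.168.1.1"  # assumed LAN address a browser would send as the Origin header

# Before the fix: one root password shared by every router in the fleet.
SHARED_ROOT_PASSWORD = "fleet-wide-placeholder"  # constructed placeholder, not the real value


def weak_login(password: str, origin: Optional[str]) -> bool:
    """Accepts the shared password from any page, so a request triggered by a link on
    an attacker's site succeeds exactly like one typed into the router's own UI."""
    return hmac.compare_digest(password, SHARED_ROOT_PASSWORD)


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Router:
    """Model of a unit with its own root credential; only a salted hash is stored."""

    def __init__(self, serial: str, password: str):
        self.serial = serial
        self.salt = secrets.token_bytes(16)
        self.pw_hash = _hash(password, self.salt)

    def login(self, password: str, origin: Optional[str]) -> bool:
        # A login form submitted from another site carries that site's Origin: refuse it,
        # so a clicked link cannot authenticate on the customer's behalf.
        if origin != ROUTER_ORIGIN:
            return False
        return hmac.compare_digest(_hash(password, self.salt), self.pw_hash)


def provision(serial: str) -> Tuple[Router, str]:
    """Generate a unique root password for one unit at provisioning time (the per-device
    model of the 30 April fix); the plaintext is returned only to hand to the customer."""
    password = secrets.token_urlsafe(16)
    return Router(serial, password), password
```

A password recovered from one provisioned unit no longer opens any other unit, which is the property the interim shared-password update lacked.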
Daniel Cater, Lead Security Consultant, Context, said:
“The vulnerabilities we found could have allowed an attacker on the Internet to fully compromise the router of any Hyperoptic customer just by sending the victim a link (via email, Twitter, or any other method). After the link is clicked, the attacker can then log into the victim’s router, read or modify any settings including the Wi-Fi SSID and password, hijack DNS queries, read files from an attached USB memory stick, remove firewall rules allowing subsequent attack of other internal devices, monitor all traffic, filter traffic to block certain websites, inject content into unencrypted websites, proxy malicious traffic to hide the attacker’s true source, or create a botnet from all customers’ routers. As you can see, it’s a pretty extensive list.
This has implications for the customers’ own data, but also if an attacker compromises enough routers of a major ISP, the threat is elevated and has the potential to impact national security, such as via mass surveillance or DDoS attacks against critical infrastructure. Recent announcements from NCSC have shown that attacks such as this against other ISPs and routers are not hypothetical.
All ISPs should take this type of attack seriously, and invest in thoroughly testing their consumer devices and their infrastructure if they are not already doing so.”
- 31st October 2017: Context disclose the vulnerabilities to Hyperoptic via our partner Which?
- 10th November 2017: Hyperoptic accept the findings and commit to working with ZTE to fix them
- December 2017: Hyperoptic change the shared root password which had been posted previously on a public website to a new shared root password
- 23rd April 2018: Hyperoptic inform Which? that unique root passwords per customer have been rolled out
- 25th April 2018: Context and Which? publish articles
- 26th April 2018: Context test two additional devices and find that they still share the same root password. This is queried with Hyperoptic
- 30th April 2018: Hyperoptic confirm that unique passwords have now been rolled out to all customers. Context verify this on the devices tested previously
Context regularly partner with Which? to investigate and disclose vulnerabilities found in consumer products.
The full story can be read on the Which? website: https://www.which.co.uk/news/2018/04/hyperoptic-router-at-risk-of-being-hacked/
Further technical details describing the vulnerabilities and how they could have been exploited will be published in a future blog post.
Update (2nd May 2018): This article was updated with further details of the fixes and of the disclosure timeline.