Hyperoptic ZTE home routers

Hardcoded account allows compromise of all Hyperoptic ZTE home routers

Publish date

25 April 2018

Identifier

TBC

Manufacturer

Hyperoptic / ZTE

Product

ZTE H298N and ZTE H298A

Patched

Patched on 30th April 2018. Updated firmware versions:
H298N: V1.1.3_HOP15T2
H298A: V1.0.25_HOP.1T3

Authors

Daniel Cater

Description

The combination of a DNS rebinding vulnerability and a hardcoded root account allows an Internet-based attacker to compromise all customer routers of UK ISP Hyperoptic via a malicious webpage. The vulnerabilities are present on both “HyperHub” router models, the ZTE H298N and the newer ZTE H298A, affecting all customers using the provided routers.
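
A common server-side defence against DNS rebinding is for a device's web interface to reject any request whose Host header is not one of its own names or addresses, because a rebinding page makes the browser send the attacker's hostname. The following is an added example, not Hyperoptic's or ZTE's code and not a description of the patch they shipped; the allowed hosts and function names are assumptions.

```python
# Added example: Host-header allowlist for a router admin interface.
# ALLOWED_HOSTS values are constructed for illustration, not taken from the advisory.
import ipaddress

ALLOWED_HOSTS = {"192.168.1.1", "router.lan"}  # hypothetical LAN address and name


def normalise_host(host_header):
    """Return the lower-cased host without its port, or None if malformed."""
    if not host_header:
        return None
    host = host_header.strip().lower()
    if host.startswith("["):                  # IPv6 literal: [addr] or [addr]:port
        end = host.find("]")
        if end == -1:
            return None
        rest = host[end + 1:]
        if rest and not (rest.startswith(":") and rest[1:].isdigit()):
            return None
        host = host[1:end]
    else:
        name, sep, port = host.partition(":")
        if sep and not port.isdigit():        # junk after the colon
            return None
        host = name
    host = host.rstrip(".")                   # "router.lan." equals "router.lan"
    if not host:
        return None
    try:
        return str(ipaddress.ip_address(host))  # canonical form for IP literals
    except ValueError:
        return host                             # not an IP: treat as a hostname


def host_is_allowed(host_header, allowed=ALLOWED_HOSTS):
    """True only when the request names the device itself (exact match)."""
    host = normalise_host(host_header)
    return host is not None and host in allowed
```

A request handler would call `host_is_allowed()` before any authentication or routing logic and answer with an error when it returns False, including when the header is missing.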

Context disclosed these vulnerabilities in collaboration with our partner Which? on 31st October 2017. Hyperoptic confirmed that, after working with their supplier ZTE, the patch was rolled out to all customers for both routers on 30th April 2018. The NCSC (National Cyber Security Centre) was also advised of the vulnerability prior to public disclosure.
Disclosure timeline:

  • 31st October 2017: Context disclose the vulnerabilities to Hyperoptic via our partner Which?
  • 10th November 2017: Hyperoptic accept the findings and commit to working with ZTE to fix them
  • December 2017: Hyperoptic change the shared root password which had been posted previously on a public website to a new shared root password
  • 23rd April 2018: Hyperoptic inform Which? that unique root passwords per customer have been rolled out
  • 25th April 2018: Context and Which? publish articles
  • 26th April 2018: Context test two additional devices and find that they still share the same root password. This is queried with Hyperoptic
  • 30th April 2018: Hyperoptic confirm that unique passwords have now been rolled out to all customers. Context verify this on the devices tested previously