Flawed routers with hardcoded passwords were manufactured by firm that posed “national security risk” to UK

Earlier this month the UK’s National Cyber Security Centre (NCSC) issued a warning to telecoms firms about the potential risks posed by devices manufactured by Chinese state-owned enterprise ZTE.

“NCSC assess that the national security risks arising from the use of ZTE equipment or services within the context of the existing UK telecommunications infrastructure cannot be mitigated,” said Dr Ian Levy, technical director of the NCSC.

At the same time, ZTE, which is headquartered in the city of Shenzhen, was fined over one billion dollars and banned from importing American components for seven years, after illegally shipping telecoms equipment to Iran and North Korea in violation of regulations, and misleading the US Department of Commerce.

In other words, ZTE is something of a controversial company, and not having the best of months.

How does this affect the average user who may never have heard of ZTE?

Well, this week it has been revealed that British customers of high-speed fibre broadband supplier Hyperoptic could have been at risk of having their Hyperoptic HyperHub routers hijacked.

And who manufactures those Hyperoptic routers? You guessed it, ZTE.

Security researchers at Context IS discovered that just visiting a malicious webpage was enough to compromise any of the HyperHub routers supplied by Hyperoptic, which has hundreds of thousands of customers in the UK.

The researchers, working with “Which?” magazine, discovered last year that it was possible to compromise the ZTE-manufactured routers simply by tricking an intended victim into clicking on a malicious link.

Exploiting the vulnerability was possible because the routers were using a hardcoded password for the devices’ root accounts.

Potential attackers did not even have to be on the same Wi-Fi network as the vulnerable device. The attack could be done remotely from the other side of the world, allowing a hacker from another country to log into a victim’s router, gain full control of their network, and potentially spy or steal information.

The serious security flaw was disclosed responsibly to Hyperoptic, who pushed out a firmware security upgrade to all affected customer routers this month:

“As soon as we were made aware of the concern, we immediately changed the passwords to safeguard these devices, and we have been working together with our supplier to implement new security controls so that our customers can be confident the concern has now been resolved.”

Daniel Cater, the security researcher who uncovered the router flaw, emphasised that more needed to be done by companies to ensure that internet-enabled devices do not contain vulnerabilities:

“All ISPs should take this seriously, and invest in thoroughly testing their consumer devices and their infrastructure if they are not already doing so.”

The truth is that it’s unlikely that Hyperoptic is the only company which is giving its customers internet devices containing ZTE technology, and therefore it’s quite possible that security holes like this may not be limited purely to Hyperoptic routers.

Stay safe folks. We live in interesting times.



*** This is a Security Bloggers Network syndicated blog from HOTforSecurity authored by Graham Cluley. Read the original post at: https://hotforsecurity.bitdefender.com/blog/flawed-routers-with-hardcoded-passwords-were-manufactured-by-firm-that-posed-national-security-risk-to-uk-19821.html