Full Fibre UK ISP Hyperoptic Fix Serious ZTE Router Security Flaw UPDATE

Wednesday, Apr 25th, 2018 (7:50 am)

Fibre optic broadband ISP Hyperoptic has patched a major security flaw in its ZTE-built H298N and H298A “HyperHub” routers, which could have allowed an attacker to remotely take over the device by using a simple phishing message and website link.

Apparently the problem was first spotted last year by security experts at Context Information Security, which shared some of their findings with consumer magazine Which?. The team discovered that Hyperoptic customers with the ZTE H298N router merely needed to click on the web link in a phishing message (email, website etc.) and a hacker could then gain full control of their router, which would have also enabled them to access the victim’s home network.

ZTE H298N Features

* Gigabit Ethernet uplink
* Maximum wireless speed up to 300Mbps
* Comprehensive VoIP services
* DHCP Server
* USB Host 2.0 for 3G dongle connection
* UPnP AV/DLNA for home media sharing
* IPv6 ready
* Robust TR069 remote management

Suffice to say that allowing a hacker to snoop on your home network, computers and personal data is not something that anybody would want. Alternatively the attacker could have also hijacked the device and turned it into another zombie member of a botnet, which could have been used to attack other internet users or servers. This would be particularly bad since Hyperoptic offer FTTP/B speeds of up to 1Gbps (fuel for DDoS).

The good news is that Hyperoptic has now issued a firmware patch to fix the significant flaw. The rollout completed on 23rd April 2018, hence today’s disclosure. Details of the exploit will no doubt surface, although we know that the fix included setting “new individual root passwords” for every router.

The same update has also been applied to the provider’s latest ZTE H298A router, which among other things adds faster AC spec WiFi (MIMO 2*2) that can support dual band wireless network speeds of up to 1200Mbps. However most of Hyperoptic’s subscribers will not yet be using this newer model as it only began to surface toward the end of last year (sometimes you can get swapped to it with a quick call).

Steve Holford, Hyperoptic’s Chief Customer Officer, said:

“Hyperoptic considers the security of customer data and connections to be our highest priority and we thank Which? for highlighting this particular issue.

As soon as we were made aware of the concern, we immediately changed the passwords to safeguard these devices, and we have been working together with our supplier to implement new security controls so that our customers can be confident the concern has now been resolved.

At this time we’re not aware of any customers impacted by the issue highlighted by Which?, but we wanted to invest in further securing our customers’ connection.”

The news comes hot on the heels of a separate announcement from the National Cyber Security Centre (NCSC), which last week warned UK telecoms and broadband operators of the “potential risks to the UK’s national security” of using hardware and services supplied by China’s ZTE.

However it’s important to put all of this into some context. Hackers are constantly targeting broadband routers (both those supplied by ISPs and third-party devices) and we’ve often had to report on serious security flaws with such devices, like when the Mirai malware (worm) infected a large number of routers used by TalkTalk, Post Office and other UK ISPs in 2016.

On top of that Which?’s article wrongfully claims that “Hyperoptic provides ultra-fast fibre broadband of up to 1Gbps to 400,000 homes,” which appears to confuse their premises passed (coverage) figure with actual subscribers and as a result a couple of other media reports have thus misinterpreted this. So far as we are aware the ISP has a take-up rate of around 25% and so the actual subscriber figure should be closer to 100,000 (please correct us if wrong Hyperoptic).

Overall bad news days are something that Hyperoptic has generally managed to avoid and in this case we can at least be thankful for the fact that Context IS discovered the problem before hackers did, at least so far as we’re aware.

UPDATE 26th April 2018

The related security advisory is online and it adds a little extra detail: “The combination of a hardcoded root account and a DNS rebinding vulnerability allows an Internet-based attacker to compromise all customer routers of UK ISP Hyperoptic via a malicious webpage. The vulnerabilities are present on both “HyperHub” router models, the ZTE H298N and the newer ZTE H298A, affecting hundreds of thousands of devices.”
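A common defence against DNS rebinding on a device's web interface is to reject any request whose Host header does not name the device itself. The sketch below is an added example, not code from the advisory and not Hyperoptic's or ZTE's fix; the allowed host names, addresses and ports are assumptions.

```python
import ipaddress

# Assumed values for illustration: the names and addresses the router's admin
# interface is legitimately reached by. None of these come from the advisory.
ALLOWED_HOSTS = {"192.168.1.1", "router.lan"}
ALLOWED_PORTS = {80, 443}


def split_host_header(value):
    """Split a Host header into (host, port); port is None when absent."""
    value = value.strip().lower()
    if value.startswith("["):                      # bracketed IPv6 literal
        host, _, rest = value[1:].partition("]")
        port = rest[1:] if rest.startswith(":") else ""
    elif value.count(":") == 1:
        host, _, port = value.partition(":")
    else:
        host, port = value, ""
    if port and not port.isdigit():
        raise ValueError("malformed port")
    return host.rstrip("."), int(port) if port else None


def host_header_allowed(headers):
    """Return True only if the request names the device itself.

    A rebinding page is loaded from a third-party domain, so the browser
    keeps sending that domain in Host even after DNS points it at the router.
    """
    values = [v for k, v in headers if k.lower() == "host"]
    if len(values) != 1:                           # missing or duplicated Host
        return False
    try:
        host, port = split_host_header(values[0])
    except ValueError:
        return False
    if port is not None and port not in ALLOWED_PORTS:
        return False
    try:                                           # normalise IP literals
        host = str(ipaddress.ip_address(host))
    except ValueError:
        pass                                       # not an IP: compare as a name
    return host in ALLOWED_HOSTS
```

This check only closes the rebinding path; a shared hard-coded credential still has to be replaced, as the per-router root passwords mentioned above did.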

By Mark Jackson
Mark is a professional technology writer, IT consultant and computer engineer from Dorset (England). He also founded ISPreview in 1999 and enjoys analysing the latest telecoms and broadband developments.
Comments
1 Response
  1. Dr Alan Stacey says:

    I was supplied with this router by Hyperoptic in July 2017.
    Within an hour I had found out about the active root account and its hard-coded password.
    To be clear this is different from the normal admin account found on most routers, and has considerably higher access privileges.
    There was no indication in any of the supplied information such an account even existed.
    If I managed to find out about it in an hour, I am sure plenty of hackers knew as well. The fact Hyperoptic claim they didn’t know means they are lying or recklessly incompetent.
    For all I know there may be other backdoor accounts too. Hyperoptic simply don’t have the competence to make a judgement on this and overrule the clear warnings from NCSC and others, and it is scandalous that they haven’t told their customers to stop using these pieces of garbage.
    I swapped mine out for a real router within 24 hours of having the service installed and it’s not been connected since then.
