
Flawed routers with hardcoded passwords were manufactured by firm that posed “national security risk” to UK

Earlier this month the UK’s National Cyber Security Centre (NCSC) issued a warning to telecoms firms about the potential risks posed by devices manufactured by Chinese state-owned enterprise ZTE.

“NCSC assess that the national security risks arising from the use of ZTE equipment or services within the context of the existing UK telecommunications infrastructure cannot be mitigated,” said Dr Ian Levy, technical director of the NCSC.

At the same time, ZTE, which is headquartered in the city of Shenzhen, was fined over one billion dollars and banned from importing American components for seven years, after illegally shipping telecoms equipment to Iran and North Korea in violation of regulations, and misleading the US Department of Commerce.

In other words, ZTE is something of a controversial company, and not having the best of months.

How does this affect the average user who may never have heard of ZTE?

Well, this week it has been revealed that British customers of high-speed fibre broadband supplier Hyperoptic could have been at risk of having their Hyperoptic HyperHub routers hijacked.

And who manufactures those Hyperoptic routers? You guessed it, ZTE.

Security researchers at Context IS discovered that just visiting a malicious webpage was enough to compromise any of the HyperHub routers supplied by Hyperoptic, which has hundreds of thousands of customers in the UK.

The researchers, working with “Which?” magazine, discovered last year that it was possible to compromise the ZTE-manufactured routers simply by tricking an intended victim into clicking on a malicious link.

Exploiting the vulnerability was possible because the routers were using a hardcoded password for the devices’ root accounts.

Potential attackers did not even have to be on the same Wi-Fi network as the vulnerable device. The attack could be done remotely from the other side of the world, allowing a hacker from another country to log into a victim’s router, gain full control of their network, and potentially spy or steal information.

The serious security flaw was disclosed responsibly to Hyperoptic, which pushed out a firmware security upgrade to all affected customer routers this month:

“As soon as we were made aware of the concern, we immediately changed the passwords to safeguard these devices, and we have been working together with our supplier to implement new security controls so that our customers can be confident the concern has now been resolved.”

Daniel Cater, the security researcher who uncovered the router flaw, emphasised that more needed to be done by companies to ensure that internet-enabled devices do not contain vulnerabilities:

“All ISPs should take this seriously, and invest in thoroughly testing their consumer devices and their infrastructure if they are not already doing so.”

The truth is that it’s unlikely that Hyperoptic is the only company giving its customers internet devices containing ZTE technology, and therefore it’s quite possible that security holes like this may not be limited purely to Hyperoptic routers.

Stay safe, folks. We live in interesting times.

About the author


Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.