Hyperoptic routers expose customers to cyber security threat

1 May 2018   By Angela Moran

The security flaw was found in the company's home routers, leaving customers at high risk of being attacked through a simple phishing message.

The flaw was found in Hyperoptic's H298N home router, which is manufactured by Chinese firm ZTE.

The routers all had the same hardcoded root password, which theoretically made it very easy for cyber attackers to take over all of these routers simply by luring individuals to click on a link in a phishing message.

Once the link is clicked, attackers could then log into the victim's home router and gain complete control of their home Wi-Fi network. This could lead to any number of problems, such as changing passwords, spying on browsing and attacking connected devices.

Threat discovered last year

Security experts at Context Information Security, which supports businesses and organisations to deal with cyber threats, first found the problem last year and alerted Hyperoptic immediately.

Dan Cater, Lead Security Consultant at Context, said: "The vulnerabilities we found allow an attacker on the internet to fully compromise the router of any Hyperoptic customer just by sending the victim a link... This has implications for the customers' own data, but also if an attacker compromises enough routers of an ISP [internet service provider], the threat is elevated and has the potential to impact national security."

He went on to warn all ISPs to "take this type of attack seriously, and invest in thoroughly testing their consumer devices and their infrastructure if they are not already doing so."

In response to the warning, in December last year Hyperoptic worked to secure all of its ZTE home broadband routers (both the H298N and the more recent H298A), and in April of this year it implemented a further fix which included new individual root passwords for each router.

Steve Holford, Chief Customer Officer at Hyperoptic, responded to the problem: "As soon as we were made aware of the concern, we immediately changed the passwords to safeguard these devices, and we have been working together with our supplier to implement new security controls so that our customers can be confident the concern has now been resolved."

To read about how we can all take measures to keep our wireless routers safe from attack, take a look at our comprehensive guide here.

We also have a series of guides about how to stay safe online, including how to keep our personal information safe, how to avoid communication scams and how to find things, like software, that can protect our devices.

Warnings about ZTE

Although Hyperoptic has now resolved the security problem with its routers, the national security warnings from Context in relation to the flaw are still relevant.

Just last week, the National Cyber Security Centre (NCSC) released advice to UK telecommunications companies warning them about the use of equipment and services from ZTE, which is owned by the Chinese state.

Dr Ian Levy, Technical Director of the NCSC, said: "It is entirely appropriate and part of NCSC's duty to highlight potential risks to the UK's national security and provide advice based on our technical expertise. NCSC assess that the national security risks arising from the use of ZTE equipment or services within the context of the existing UK telecommunications infrastructure cannot be mitigated."

This comes hot on the heels of a US trading ban against ZTE, which means US companies can't sell parts and services to the Chinese company for at least seven years.

The ban was implemented after the US government discovered that the state-owned ZTE was selling US technology to prohibited nations, such as Iran and North Korea.

Hyperoptic broadband

For further reading on Hyperoptic, which offers full-fibre broadband services, we've got an extensive review of the company's broadband deals here. We also compare Hyperoptic's broadband with Virgin's fibre packages here.

In recent news, at the end of last year Hyperoptic announced plans to expand its full-fibre network to five million homes by 2025, thereby stepping up its game against big rivals BT and Virgin.

In line with its expansion plans and to attract as many customers as possible, the company has also recently rewarded both new and renewing customers with a 50% speed boost at no extra cost.
