Wednesday, May 23rd, 2018 (7:49 am)

One of the older D-Link based ADSL2+ broadband routers from UK ISP TalkTalk has been found to still be vulnerable to a security exploit, which was first reported to the provider all the way back in 2014. This enables a hacker to gain access to your wireless (WiFi) network by sniffing out the WPS password.

According to a new security advisory from IndigoFuzz (bonus credits to The Register for spotting), the Wi-Fi Protected Setup (WPS) feature on the D-Link (RT2860 chipset) router is insecure and always-on (even if the WPS pairing button is not used).

As a result, all it takes is for somebody within range of the wireless signal to use a common hacking tool to automatically probe the network and uncover its password, all in the space of a few seconds.

Contrary to the above statement we do not believe that the aforementioned router is one of TalkTalk’s more modern VDSL2 equipped “Super Routers”, as this term tends to only be used when referencing their Huawei HG633, HG635 or the D-Link 3782 device (the latter was released in 2017). At present it is not known how many of their customers still use the older RT2860-based D-Link kit (the model number isn’t stated).

Admittedly, back in 2014 TalkTalk’s approach to security was somewhat more lax than it is today and things didn’t really improve until after the 2015 cyber-attack on their website, which sent their reputation and customer base into free fall for a while.

One small upside to this case is that their older router didn’t deliver a particularly good WiFi signal in the first place and as a result the hacker would have needed to be practically inside your house in order to gain a stable connection. At the time of writing TalkTalk has not provided a comment but we will update once they do.

UPDATE 4:58pm

After a long wait TalkTalk has issued the following statement.