Customers at full-fibre internet service provider Hyperoptic could have been put at risk by a severe vulnerability with the company’s router meaning it could be hacked with a phishing message.

Hyperoptic has responded by fixing the issue to its router and claims that there’s no longer any risk to Hyperoptic customers.

Router reviews – see our in-depth testing, including security, of internet service provider (ISP) and third-party routers

Critical vulnerability

Hyperoptic provides ultra-fast fibre broadband of up to 1Gbps to 400,000 homes in various British cities and towns, including Cardiff, Glasgow, London, Newcastle and Reading.

Last November, security experts Context IS alerted Which? to critical vulnerabilities found in the Hyperoptic broadband home router, H298N, manufactured by Chinese company, ZTE.

Context IS found that the flaw could allow any attacker on the internet to fully compromise the router of any Hyperoptic customer merely by sending the victim a web link (via email, social media, or any other method).

Unlike an attack such as Krack on WPA2, you don’t need to be on the same local network to execute the attack and so can carry it out from anywhere via the internet.

After the user clicks the link, the attacker can then log into the victim’s router and gain full control over their home network.

This would open up a long list of possibilities; including being able to change any settings, such as the network password, or snoop in on what the user was browsing.

The flaw could also be used to weaken the user’s firewall to make attacks on other connected devices easier. Or the router could be hijacked into a high-bandwidth botnet, used to take down websites via a Distributed Denial of Service (DDoS) attack.

Hyperoptic responds

Since Which? and Context IS disclosed the vulnerability to Hyperoptic, the company has been working with supplier ZTE to fix the flaw.

This fix, including new individual root passwords being set for every router to increase security, was completed on 23 April 2018.

As well as all H298N routers, Hyperoptic confirmed that it has also applied the update to its newer routers, the ZTE H298A.

Steve Holford, Hyperoptic chief customer officer, said: “Hyperoptic considers the security of customer data and connections to be our highest priority and we thank Which? for highlighting this particular issue.

“As soon as we were made aware of the concern, we immediately changed the passwords to safeguard these devices, and we have been working together with our supplier to implement new security controls so that our customers can be confident the concern has now been resolved.

“At this time we’re not aware of any customers impacted by the issue highlighted by Which?, but we wanted to invest in further securing our customers connection.”

‘Not just customers put at risk’

The National Cyber Security Centre (NCSC) recently wrote to telecoms companies in the UK warning them about the use of ZTE-made equipment and services.

We shared our Hyperoptic findings with the NCSC prior to publication, although the two situations are unrelated.

Daniel Cater, the security researcher at Context IS who discovered the flaw, said that this could have had an impact beyond just the risk to customers.

“This has implications for the customers’ own data, but also if an attacker compromises enough routers of an ISP, the threat is elevated and has the potential to impact national security, such as via mass surveillance or DDoS attacks against critical infrastructure,” he explained.

“Recent announcements from NCSC have shown that attacks such as this against other ISPs and routers are not hypothetical.

“All ISPs should take this seriously, and invest in thoroughly testing their consumer devices and their infrastructure if they are not already doing so.”