O2 has confirmed that its home broadband routers are affected by a vulnerability that could allow intruders to take extensive control and steal the wireless password.
The broadband and mobile operator, and the routers' manufacturer Thomson, said they are working on a fix for the cross-site request forgery flaw. O2 refused to comment on the details of the problem, but said in a statement on Tuesday that it was cooperating with the security researcher who reported the vulnerability to understand it.
The potential flaw was first reported on 28 August by Paul Mutton, a security researcher and O2 home broadband customer.
On his blog, he wrote that the O2 Wireless Box II and Wireless Box III, customised versions of the Thomson TG585 and TG585n routers respectively, suffered from "a serious security vulnerability that allows remote attackers to access a home user's private network and view/change settings on the router".
Mutton noted that several defences against cross-site request forgery (CSRF) — a type of attack whereby unauthorised commands are sent to a website from the user's IP address — had been used in the routers, but said a design flaw meant these protections could be bypassed.
"This flaw allows remote attackers to take almost full control of the router, including stealing the wireless encryption key (even if the most advanced WPA2 setting was enabled) and forwarding external ports to internal IP addresses," Mutton wrote.
The researcher said he would not reveal specific details of the flaw until it had been fixed.
O2 said: "The vast majority of home routers are manufactured by Thomson, and the same [problem] will apply to all."
On Thursday, Thomson said in a statement that it was "working closely with O2 on this matter", but would not say what other ISPs use the TG585n or how many of the routers are in circulation in the UK.
According to Mutton, some routers from Be Broadband, which is owned by O2, and Zen Internet are affected.






Talkback
According to O2, a remote fix is on its way (http://community.zdnet.co.uk/blog/0,1000000567,10013681o-2000331761b,00.htm)...
Having recently set up a relative's O2 / Thomson router and being refused support from O2 when it did not work correctly (nice service, huh! All I wanted was advice on port forwarding), I was amazed to find after very little web searching that these Thomsons are very insecure anyway.
It is really easy to hack this router from inside the LAN to be able to change the settings and enable features O2 don't want you using. What's more worrying is that all these routers have an inbuilt remote access user account and the username / password is easy to find on the web. So for customers with a static IP, if you want to enter their network from outside the LAN, all you need is the IP address of the customer (which we all know is not hard to find); it would be a simple matter of going to this WAN IP address, entering the default LAN IP of the router and using the inbuilt remote access username and password. Carte blanche access for free, enough said! For those customers with a static IP this could obviously be terminal.
Naturally I changed the router to a decent one with NO unchangeable remote access user / password built in like the O2 Thomson, I recommend everyone using O2 do the same.
That's atrocious; these should be pulled if true. People should stick to Linksys routers; they're superb.