O2 broadband routers vulnerable to remote attack, user finds

If you get your broadband from O2, and have a router from O2, you have a problem. A very serious problem. According to a report by Paul Mutton, an O2 customer who has tried repeatedly to get O2 to take some notice of the vulnerability,

The O2 Wireless Box III (a customised Thomson TG585n router) is an ADSL modem and wireless router used by O2 Broadband customers. Two weeks ago, I discovered a serious security vulnerability that allows remote attackers to access a home user's private network and view/change settings on the router.

a remote attacker can:

• Steal the router's wireless encryption key (even if WPA2 is enabled).
• List all internal IP addresses being used on the home network.
• Forward external ports to those internal IP addresses, allowing remote access to individual home computers.
• ... plus much more!

The details are complex - it depends on "cross-site request forgery" (which personally I'd never heard of before).

This is serious, and you should indeed Worry. If you have an O2-supplied ADSL router, it would make sense (as it always has) to (a) change the default password (b) check that O2 hasn't changed it remotely back - as Andrew Brown has discovered, to his fright.

(To clarify, it is the router admin password that you should change, not your wireless network password.)

And how many might be affected? According to Mutton,

I'm not entirely sure how many users are affected by this problem, but it could be quite a lot. O2 has 457,000 fixed broadband customers as at 30 June 2009 [source: O2 PR], most of which will probably be using a Wireless Box II or III (these are the only routers currently offered to home users of O2 Broadband).

Zen Broadband and Be did respond though to find out whether the routers they supply might be affected.

O2 has apparently been making some remote updates:

So, O2 has applied a remote update to their Wireless Boxes which sets the password to the box's serial number. This does indeed mitigate the problem to some extent, but it does not remove the risk completely. The software release is still identified as 8.2.L.0 and it is still vulnerable to CSRF. The proofs of concept that I demonstrated to O2 (and several other ISPs) still work without further user interaction providing you have recently logged in to your router.

The solution? There isn't a simple one. (It would be interesting to know how many other routers on the market are vulnerable to this, though, and whether Thomson - which makes it - has updated its firmware at all to deal with it - or whether firmware is O2's responsibility.) We'll aim to speak to O2 later to find out what it is really doing.

Update: Here's the email that Be sent to its customers. (Ta, Keith Emmerson.)

We want to let you know that we've recently been informed of a security problem that could affect the BE Box, among other routers. Essentially, the problem could allow somebody to change your router settings, and nobody wants that. For you tech savvies, we've included more details at the bottom of this email.

Here's what we're doing:

We want everyone to be protected - even the people who don't read this email, so, we've decided to automatically update the password for everyone. It will be unique to each user: we are running a script to change the password to the individual serial number on your BE Box (found on the bottom of the router). If you want to change it after that, go here for a guide: https://www.bethere.co.uk/web/beportal/beboxpassword

Just to be clear, we aren't changing the wireless key - it's the password to the administrator web interface. That's the only change we will.or would.make.

We will be starting to run this script first thing Monday 7th September, if you don't want us to do it (although we do recommend it), you can stop us by either:

a) Downloading and running the tool here:
http://www.beusergroup.co.uk/downloads/BEBox_OptOut.exe

b) Following the manual guide here:
http://www.beusergroup.co.uk/technotes/index.php/How_To_Fully_Secure_The_Beb
ox

The Techie Stuff: The BE Box is vulnerable to an XSS (cross-site scripting) combined with a CRSF (cross-site request forgery) that allows a remote attacker to perform actions on the Web UI (user interface), via the use of JavaScript - and without the user's knowledge or consent.

In the short term, in order to stop this from occurring we are going to set the password on everyone's BE Box.

After we've done this, if someone tries to attack your router, you will be prompted to enter your Administrator Password. Don't do it, otherwise the attack will be successful. (We'd like to think that most people wouldn't enter their username and password for a random unexpected login prompt)

In the long run we're working with Thomson to improve the firmware's
resilience to such attacks.

Do take note of that penultimate paragraph: remote attacks will lead to an unexpected demand for your router admin password. You shouldn't ever get that unless you're asking for it. So beware, and be aware. Good to se Be being cautious on this. It seems O2 has been doing the same thing - hence people finding their admin passwords abruptly changing.