By: MarkJ - 4 September, 2009 (7:47 AM) - Score: 3501 - Fixed Line Broadband, Security
Customers of broadband ISP O2 UK can finally rest easy after the operator confirmed that a fix had been created for the serious Cross-Site Request Forgery (CSRF) security flaw that we first reported earlier this week. The issue is known to affect both the O2 Wireless Box II and III (Thomson TG585 and TG585n) router modems.

O2 Statement:

"Having been notified of a potential security issue with our O2 wireless box we have been working to find a solution. We have taken this issue very seriously and have been continuing to investigate it with the router's manufacturer, Thomson. As a result we have identified a solution and we will be applying this remotely to all of our customers' O2 wireless boxes. This means that customers will not have to take any action themselves."

Nevertheless, it is still deeply frustrating to see how much effort Paul Mutton, the individual responsible for discovering the flaw (we should all give Paul a pat on the back for doing so), was forced to go through before O2 and others took the problem seriously.

Several other UK ISPs, such as Tiscali (Nildram), PlusNet and Be Broadband, also use the same Thomson routers and are known to be investigating whether their kit is vulnerable. It's understood that Thomson themselves are also aware of the vulnerability.

This situation should serve as an important reminder to UK broadband ISPs, especially those who bundle their own branded and pre-configured router/modems to customers, that having an on-site ability to investigate reports of security flaws is critically important.

Comments: 1

asa logokja999
Posted: 18 September, 2009 - 5:17 PM

I have been away on holiday to find an email from Be Broadband saying they have updated my router for this.
What I find most confusing is what is the backdoor they have available in my router to have performed a remote fix?!




Copyright © 1999 to Present - ISPreview.co.uk - All Rights Reserved.