By: MarkJ - 18 February, 2010 (1:41 PM) - Score: 5112 - Fixed Line Broadband, Security
Paul Mutton, the man responsible for unearthing a Cross-Site Request Forgery (CSRF) attack vulnerability in O2's Wireless Box II and III (Thomson TG585 and TG585n) broadband routers last year (here), recently informed us that the problem had not been correctly resolved.

The situation is particularly unusual because an O2 spokesperson told us last September that the operator had "identified a solution" and would "be applying this remotely to all of our customers O2 wireless boxes" (here). Needless to say, O2 did not offer a time frame, but 5-6 months is surely far too long to wait for a proper solution.

Upon contacting several of O2's customers we were able to confirm that some of their O2 Wireless Box II and Wireless Box III broadband routers still had vulnerable firmware. This matched Mr Mutton's experience and appeared to confirm that O2 had not corrected the problem for everybody.

Paul Mutton blogged:

"I asked O2 whether this was going to be fixed, and I was told that I could resolve it by performing a hard reset of my router. I was rather sceptical of this working, and indeed it did not fix the problem. I'm truly disappointed by this. From my point of view at least, O2 does not appear to have fixed the firmware.

...

For avoidance of doubt, I have just re-run the proofs of concept that I came up with last year and these confirm that the O2 Wireless Box III is still vulnerable to CSRF attacks that allow an attacker to steal your WEP/WPA key, set up port forwarding, and so on. I don't think that's an acceptable position to leave customers in, particularly more than 5 months after claiming to have identified a solution."

We have subsequently been in contact with O2 throughout the week and are pleased to say that they have now taken action to correct the mistake. It’s understood that the operator’s temporary 2009 fix could have been wiped off by a hard reset, which the new firmware will not be susceptible to.

An O2 Spokesperson told ISPreview:

"The factory reset done with Mr Mutton on 13 February wiped off the temporary fix put in place last year. We have now pushed new firmware to the router that can’t be removed by performing a factory reset, as part of a rollout to all affected customers which fixes the underlying issues."

The update (8.2.N.1 for Wireless Box III owners) is expected to be rolled out to customers in the very near future (hopefully without another 6 month wait). In the meantime O2 has very kindly gifted Paul a year's free broadband to make up for the hassle.

Comments: 1

Andy Piper
Posted: 16 March, 2010 - 4:12 PM

Apparently "very near future" means more than 1 month, since here we are on 16th March and my router still shows 8.2.L.0 with no obvious means for obtaining an upgrade.

Copyright © 1999 to Present - ISPreview.co.uk - All Rights Reserved (Terms, Privacy Policy, Links (.), Live Chat & Website Rules).