Posted: 01st Sep, 2009 By: MarkJ
Customers of O2 UK could be at risk after one of the ISP's users claimed to have discovered a serious security vulnerability in the operator's home broadband routers. The issue, which allows remote attackers to access a home user's private network and view or change settings on the router, allegedly affects both the O2 Wireless Box II and III.
The threat, which was discovered by Paul Mutton, appears to be a Cross-Site Request Forgery (CSRF) attack that could affect a significant number of O2's 456,882 broadband customers. The O2 Wireless Box III is a branded version of the Thomson TG585n router, which is also used by other UK / EU ISPs and users - highlighting the potential for serious widespread impact.
Wikipedia's CSRF Description: "Cross-site request forgery, also known as a one-click attack or session riding and abbreviated as CSRF ("sea-surf") or XSRF, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts. Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user's browser."
The implication appears to be that an attacker could trigger the flaw from an ordinary website visited by the customer, and thus remotely gain unauthorised access to that customer's broadband router. Such a serious flaw should surely deserve O2's immediate attention, yet Mutton has had a different experience:
Paul Mutton told ISPreview:
"I'm appalled at how hard it has been to try and report this problem to O2. Even after making it clear that the problem allows a remote attacker to view and change settings on the box, they continually fobbed me off by claiming their security is acceptable for home use. I can't imagine many home users agreeing with that."
Naturally we attempted to contact O2 for ourselves, in the hope of finding out precisely what the situation is. The operator responded by claiming that it has taken steps to ensure customers are aware of how to change their settings and protect themselves from the vulnerability.
O2 Statement to ISPreview:
"The default SSID and WEP encryption settings supplied with the O2 Wireless Box can be easily changed to avoid any concerns, which we recommend doing on set up. We have taken several steps to ensure our customers are aware of how to do this.
If a customer has already changed the name of their O2 Wireless Network from the default format of [O2Wireless123456] or changed the Network’s secure password during the set-up process (as we recommend) then they do not need to do anything. If, however, they did not change the default settings on their O2 Wireless Box when they were setting up, they should change the O2 Wireless Network’s name and/or secure password now. There are very simple instructions on our website to show you how to do this.
Customers are directed to make these changes when setting up O2 Broadband (via the setup CD) and information is available on our website.
Please note, this is not specific to O2 – the vast majority of home routers are manufactured by Thomson and the same will apply to all."
It is difficult to know whether O2's advice would be effective because Paul has wisely chosen not to release his proof-of-concept code to the public. Still, he claims that the O2 recommendations (changing the SSID and wireless password) would not protect against this kind of CSRF attack.
Paul has since set up a new web page, which details his many attempts and the difficulty he has had in getting O2 to recognise and fix the flaw -
http://www.jibble.org/o2-broadband-fail/ . It represents an extremely damning report of the operator's seeming inability to recognise the problem.
Paul's latest update states: "I had a metaphorical poke around with the box and found that a number of good practices had been employed to defend against cross-site request forgery (CSRF) attacks. In particular, a nonce is used to ensure that all configuration changes originate from the router's own HTTP configuration interface.
However, after a bit more poking, I found a design flaw which allows this protection to be bypassed. This flaw allows remote attackers to take almost full control of the router, including stealing the wireless encryption key (even if the most advanced WPA2 setting was enabled) and forwarding external ports to internal IP addresses."
Presently O2 have requested that Paul escalate his concern via the O2 complaint process, which requires him to send a detailed explanation via the slow postal service. That's perhaps not the fastest way to deal with what could be an extremely serious security flaw affecting thousands, maybe even hundreds of thousands, of customers.
UPDATE - 2nd September 2009 @ 08:32am: UK ISP O2 and its sister provider Be Broadband are now taking the problem seriously; likewise another UK ISP, Zen Internet, has said that it is raising the problem with Thomson too. O2 has also apologised for the way the situation has been handled so far.
An update on Paul's site reads:
"O2 is going to work with Thomson to introduce a fix. We also discussed ways to address the problem in the meantime. O2 Broadband customers can mitigate the risk of attack by enabling authentication on their router's HTTP configuration interface (by default, the device lets you browse directly to http://192.168.1.254 without requiring a password)."
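Neither Paul's write-up nor this page gives the details of the router's nonce or of the bypass, so the following is an added example and not code from the page, from Paul Mutton, O2 or Thomson. It models in Python what the two quoted passages describe: a configuration interface with no authentication and no nonce, beside one that requires a login (the interim mitigation above) and a per-session, single-use nonce embedded in its own form, which a page on another site cannot read even though the browser will happily attach the router's cookie to a cross-site form post. The endpoint path, field names, the Origin-header check and the sample settings are all assumptions.

```python
"""Synchronizer-token (nonce) CSRF protection for a router-style HTTP config
interface. Added example: an in-memory model, not the Thomson/O2 firmware.
Endpoint path, field names and the Origin check are assumptions."""
import hmac
import secrets
from dataclasses import dataclass, field

ROUTER_ORIGIN = "http://192.168.1.254"  # default address quoted on the page


@dataclass
class Request:
    """A request as the router sees it. Browsers attach the router's cookies to
    cross-site form posts too, which is exactly what CSRF relies on."""
    method: str
    path: str
    form: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


class VulnerableAdmin:
    """No authentication, no nonce: any page the user visits can post a change."""

    def __init__(self):
        self.settings = {"ssid": "O2Wireless123456", "wpa_psk": "hunter2"}

    def handle(self, req):
        if req.method == "POST" and req.path == "/wireless":
            self.settings.update(req.form)
            return 200
        return 404


class HardenedAdmin:
    """Password login plus a per-session nonce that must accompany every change."""

    def __init__(self, password):
        self.settings = {"ssid": "O2Wireless123456", "wpa_psk": "hunter2"}
        self._password = password
        self._sessions = {}  # session id -> nonce currently embedded in the form

    def login(self, password):
        """Return a session cookie value, or None if the password is wrong."""
        if not hmac.compare_digest(password, self._password):
            return None
        sid = secrets.token_urlsafe(16)
        self._sessions[sid] = secrets.token_urlsafe(16)
        return sid

    def config_page_nonce(self, sid):
        """Hidden field in the router's own form; the same-origin policy keeps
        an attacker's page from reading it."""
        return self._sessions[sid]

    def handle(self, req):
        sid = req.cookies.get("session")
        if sid not in self._sessions:
            return 401  # the interim mitigation: no change without a login
        if req.method != "POST" or req.path != "/wireless":
            return 404
        origin = req.headers.get("Origin")
        if origin is not None and origin != ROUTER_ORIGIN:
            return 403  # defence in depth: browsers send Origin on cross-site POSTs
        if not hmac.compare_digest(req.form.get("nonce", ""), self._sessions[sid]):
            return 403  # missing or guessed nonce: treat as forged
        self._sessions[sid] = secrets.token_urlsafe(16)  # single use, then rotate
        self.settings.update({k: v for k, v in req.form.items() if k != "nonce"})
        return 200


def run_scenario():
    """Constructed scenario: the same forged POST against both interfaces."""
    forged_form = {"ssid": "pwned", "wpa_psk": "attacker-knows-this"}
    evil = {"Origin": "http://attacker.example"}

    weak = VulnerableAdmin()
    weak_status = weak.handle(Request("POST", "/wireless", forged_form, evil))

    hard = HardenedAdmin("correct horse battery staple")
    sid = hard.login("correct horse battery staple")
    cookies = {"session": sid}
    # Attacker's page: the browser adds the victim's cookie, but it has no nonce.
    forged_status = hard.handle(Request("POST", "/wireless", forged_form, evil, cookies))
    # A change submitted from the router's own form carries the current nonce.
    legit_form = {"ssid": "MyHomeNet", "nonce": hard.config_page_nonce(sid)}
    own = {"Origin": ROUTER_ORIGIN}
    legit_status = hard.handle(Request("POST", "/wireless", legit_form, own, cookies))
    # Replaying the same nonce fails because it was rotated on use.
    replay_status = hard.handle(Request("POST", "/wireless", legit_form, own, cookies))
    return {
        "vulnerable_forged": weak_status,
        "vulnerable_ssid": weak.settings["ssid"],
        "hardened_forged": forged_status,
        "hardened_legit": legit_status,
        "hardened_replay": replay_status,
        "hardened_ssid": hard.settings["ssid"],
        "unauthenticated": hard.handle(Request("POST", "/wireless", forged_form)),
    }


if __name__ == "__main__":
    for name, status in run_scenario().items():
        print(f"{name}: {status}")
```

The forged request is rejected twice over in the hardened model: the Origin header (which an attacker's page cannot suppress on a cross-site form post in modern browsers) and the nonce check, which also catches older browsers that send no Origin at all. The Origin check is the added defence-in-depth layer; the nonce is the control Paul describes the router as using, and his point is that the router's own implementation of it could be bypassed by a design flaw the page does not detail.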
UPDATE - 4th September 2009: It's now been FIXED.