Posted: 04th Sep, 2009 By: MarkJ
Customers of broadband ISP O2 UK can finally rest easy after the operator confirmed that a fix had been created for the serious Cross-Site Request Forgery (CSRF) security flaw that we first reported earlier this week (here). The issue is known to affect both the O2 Wireless Box II and III (Thomson TG585 and TG585n) router modems.
O2 Statement:
"Having been notified of a potential security issue with our O2 wireless box we have been working to find a solution. We have taken this issue very seriously and have been continuing to investigate it with the router's manufacturer, Thomson. As a result we have identified a solution and we will be applying this remotely to all of our customers' O2 wireless boxes. This means that customers will not have to take any action themselves."
Nevertheless, it is still deeply frustrating to see how much effort Paul Mutton, the individual responsible for discovering the flaw (we should all give Paul a pat on the back for doing so), was forced to go through before O2 and others took the problem seriously.
Several other UK ISPs, such as Tiscali (Nildram), PlusNet and Be Broadband, also use the same Thomson routers and are known to be investigating whether their kit is vulnerable. It's understood that Thomson themselves are also aware of the vulnerability.
This situation should serve as an important reminder to UK broadband ISPs, especially those who bundle their own branded and pre-configured router/modems to customers, that having an on-site ability to investigate reports of security flaws is critically important.