cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Plusnet Hub One needs security fix

canadianbill
Newbie
Posts: 3
Thanks: 2
Registered: ‎04-05-2018

Plusnet Hub One needs security fix

‎04-05-2018 9:27 AM

Hello

Yesterday researchers posted a security flaw that allows fibre broadband routers to be accessed without a username and password.  I am curious as to whether anyone else is experiencing this problem.

Reference see SCMagazineUK with the article on 'Millions of fibre broadband routers open to remote control by hackers'.

If you access your router by typing in the URL as in 192.168.1.1 or 192.168.1.254 or whatever it is and append this: ?images/ to the end, it gives anyone instant access.  This is a huge security hole and wonder when this will be fixed.

For example, going to 192.168.1.1?images/ or 192.168.1.254?images means that users who should not be able to access the router without a password could click on 'Disconnect' or 'Configure'.  Advanced Settings are still protected by a password (provided people have set this up), but this means if anyone accesses their router over the internet (which you shouldn't do anyway) or uses it in a work environment or other place where it is not one's specific family who access the network, then hackers can easily manipulate the router to their own advantage.

When can we expect an update to the firmware to resolve this security hole?

 

Message 1 of 8
(1,809 Views)
7 REPLIES 7
ScottStorey
Pro
Posts: 410
Thanks: 130
Fixes: 1
Registered: ‎21-02-2013

Re: Plusnet Hub One needs security fix

‎04-05-2018 9:37 AM

For reference: https://www.scmagazineuk.com/millions-of-fibre-broadband-routers-open-to-remote-control-by-hackers/a...

There appears to be nothing related to.the hub one. Just routers in Mexico, Vietnam and Kazakhstan primarily. Made by a router manufacturer that isn't the people who make the hub one .
Message 2 of 8
(1,791 Views)
0 Thanks
Browni
Aspiring Hero
Posts: 2,673
Thanks: 1,055
Fixes: 60
Registered: ‎02-03-2016

Re: Plusnet Hub One needs security fix

‎04-05-2018 9:43 AM

192.168.x.y addresses are not accessible over the internet so I fail to see how remote control is even possible.
Live router stats
Message 3 of 8
(1,779 Views)
0 Thanks
bobpullen
Community Gaffer
Community Gaffer
Posts: 16,887
Thanks: 4,979
Fixes: 316
Registered: ‎04-04-2007

Re: Plusnet Hub One needs security fix

‎04-05-2018 9:45 AM - edited ‎04-05-2018 9:46 AM

This vulnerability reportedly affects GPON devices, so I'm not entirely sure what router(s) you're referring too?

It certainly doesn't affect the Hub One.

Huh

Edit: others beat me to it Wink

Bob Pullen
Plusnet Product Team
If I've been helpful then please give thanks ⤵
Message 4 of 8
(1,772 Views)
0 Thanks
Mav
Moderator
Moderator
Posts: 22,392
Thanks: 4,736
Fixes: 515
Registered: ‎06-04-2007

Re: Plusnet Hub One needs security fix

‎04-05-2018 9:47 AM

Moderator's note:

Moved from Fibre Broadband to My Router.

Forum Moderator and Customer
Courage is resistance to fear, mastery of fear, not absence of fear - Mark Twain
He who feared he would not succeed sat still

Message 5 of 8
(1,765 Views)
0 Thanks
canadianbill
Newbie
Posts: 3
Thanks: 2
Registered: ‎04-05-2018

Re: Plusnet Hub One needs security fix

‎04-05-2018 10:03 AM

Thanks for the reference.  Who makes the Plusnet Hub One?

Message 6 of 8
(1,736 Views)
0 Thanks
canadianbill
Newbie
Posts: 3
Thanks: 2
Registered: ‎04-05-2018

Re: Plusnet Hub One needs security fix

‎04-05-2018 10:05 AM

Obviously 192.168.x.x wouldn't be accessible directly but one could setup a router to access web servers and such using services like DynDNS and others to direct internet traffic to the router.  As I mentioned, it's foolish to be able to setup a dynamic DNS to one's own network to tweak router settings, but some people do.  The 192.168.x.x would be masked to the internet IP address whatever that is.

Message 7 of 8
(1,732 Views)
0 Thanks
bobpullen
Community Gaffer
Community Gaffer
Posts: 16,887
Thanks: 4,979
Fixes: 316
Registered: ‎04-04-2007

Re: Plusnet Hub One needs security fix

‎05-05-2018 12:48 PM

Even if somebody does have access to the local network, browsing to the Hub One using https://192.168.1.254?images/ does nothing to bypass the admin password.

The device is manufactured by Sagemcom.

Bob Pullen
Plusnet Product Team
If I've been helpful then please give thanks ⤵
Message 8 of 8
(1,623 Views)
0 Thanks