cancel
Showing results for 
Search instead for 
Did you mean: 

Plusnet Hub One needs security fix

Newbie
Posts: 3
Thanks: 2
Registered: ‎04-05-2018

Plusnet Hub One needs security fix

Hello

Yesterday researchers posted a security flaw that allows fibre broadband routers to be accessed without a username and password.  I am curious as to whether anyone else is experiencing this problem.

Reference see SCMagazineUK with the article on 'Millions of fibre broadband routers open to remote control by hackers'.

If you access your router by typing in the URL as in 192.168.1.1 or 192.168.1.254 or whatever it is and append this: ?images/ to the end, it gives anyone instant access.  This is a huge security hole and wonder when this will be fixed.

For example, going to 192.168.1.1?images/ or 192.168.1.254?images means that users who should not be able to access the router without a password could click on 'Disconnect' or 'Configure'.  Advanced Settings are still protected by a password (provided people have set this up), but this means if anyone accesses their router over the internet (which you shouldn't do anyway) or uses it in a work environment or other place where it is not one's specific family who access the network, then hackers can easily manipulate the router to their own advantage.

When can we expect an update to the firmware to resolve this security hole?

 

7 REPLIES 7
Pro
Posts: 408
Thanks: 127
Fixes: 1
Registered: ‎21-02-2013

Re: Plusnet Hub One needs security fix

For reference: https://www.scmagazineuk.com/millions-of-fibre-broadband-routers-open-to-remote-control-by-hackers/a...

There appears to be nothing related to.the hub one. Just routers in Mexico, Vietnam and Kazakhstan primarily. Made by a router manufacturer that isn't the people who make the hub one .
Aspiring Hero
Posts: 2,540
Thanks: 956
Fixes: 50
Registered: ‎02-03-2016

Re: Plusnet Hub One needs security fix

192.168.x.y addresses are not accessible over the internet so I fail to see how remote control is even possible.
Ex-Plusnetter now living life in the G,fast lane!
Community Gaffer
Community Gaffer
Posts: 14,808
Thanks: 2,378
Fixes: 163
Registered: ‎04-04-2007

Re: Plusnet Hub One needs security fix

This vulnerability reportedly affects GPON devices, so I'm not entirely sure what router(s) you're referring too?

It certainly doesn't affect the Hub One.

Huh

Edit: others beat me to it Wink

Bob Pullen
Plusnet Product Team
If I've been helpful then please give thanks ⤵

Moderator
Moderator
Posts: 20,453
Thanks: 3,812
Fixes: 423
Registered: ‎06-04-2007

Re: Plusnet Hub One needs security fix

Moderator's note:

Moved from Fibre Broadband to My Router.

Forum Moderator and Customer
Courage is resistance to fear, mastery of fear, not absence of fear - Mark Twain
He who feared he would not succeed sat still

Newbie
Posts: 3
Thanks: 2
Registered: ‎04-05-2018

Re: Plusnet Hub One needs security fix

Thanks for the reference.  Who makes the Plusnet Hub One?

Newbie
Posts: 3
Thanks: 2
Registered: ‎04-05-2018

Re: Plusnet Hub One needs security fix

Obviously 192.168.x.x wouldn't be accessible directly but one could setup a router to access web servers and such using services like DynDNS and others to direct internet traffic to the router.  As I mentioned, it's foolish to be able to setup a dynamic DNS to one's own network to tweak router settings, but some people do.  The 192.168.x.x would be masked to the internet IP address whatever that is.

Community Gaffer
Community Gaffer
Posts: 14,808
Thanks: 2,378
Fixes: 163
Registered: ‎04-04-2007

Re: Plusnet Hub One needs security fix

Even if somebody does have access to the local network, browsing to the Hub One using https://192.168.1.254?images/ does nothing to bypass the admin password.

The device is manufactured by Sagemcom.

Bob Pullen
Plusnet Product Team
If I've been helpful then please give thanks ⤵