cancel
Showing results for 
Search instead for 
Did you mean: 

Plusnet Hub One needs security fix

canadianbill
Newbie
Posts: 3
Thanks: 2
Registered: ‎04-05-2018

Plusnet Hub One needs security fix

Hello

Yesterday researchers posted a security flaw that allows fibre broadband routers to be accessed without a username and password.  I am curious as to whether anyone else is experiencing this problem.

Reference see SCMagazineUK with the article on 'Millions of fibre broadband routers open to remote control by hackers'.

If you access your router by typing in the URL as in 192.168.1.1 or 192.168.1.254 or whatever it is and append this: ?images/ to the end, it gives anyone instant access.  This is a huge security hole and wonder when this will be fixed.

For example, going to 192.168.1.1?images/ or 192.168.1.254?images means that users who should not be able to access the router without a password could click on 'Disconnect' or 'Configure'.  Advanced Settings are still protected by a password (provided people have set this up), but this means if anyone accesses their router over the internet (which you shouldn't do anyway) or uses it in a work environment or other place where it is not one's specific family who access the network, then hackers can easily manipulate the router to their own advantage.

When can we expect an update to the firmware to resolve this security hole?

 

7 REPLIES
ScottStorey
Aspiring Pro
Posts: 385
Thanks: 86
Fixes: 1
Registered: ‎21-02-2013

Re: Plusnet Hub One needs security fix

For reference: https://www.scmagazineuk.com/millions-of-fibre-broadband-routers-open-to-remote-control-by-hackers/a...

There appears to be nothing related to.the hub one. Just routers in Mexico, Vietnam and Kazakhstan primarily. Made by a router manufacturer that isn't the people who make the hub one .
Browni
Aspiring Hero
Posts: 2,291
Thanks: 787
Fixes: 46
Registered: ‎02-03-2016

Re: Plusnet Hub One needs security fix

192.168.x.y addresses are not accessible over the internet so I fail to see how remote control is even possible.
I must have been really bad in a previous life as this was my 3rd ISP in a row that used lithium.
Now you're stuck with me because my new ISP doesn't run a forum Cheesy
Community Gaffer
Community Gaffer
Posts: 13,479
Thanks: 1,197
Fixes: 95
Registered: ‎04-04-2007

Re: Plusnet Hub One needs security fix

This vulnerability reportedly affects GPON devices, so I'm not entirely sure what router(s) you're referring too?

It certainly doesn't affect the Hub One.

Huh

Edit: others beat me to it Wink

Bob Pullen
Plusnet Product Team
If I've been helpful then please give thanks ⤵

Moderator
Moderator
Posts: 18,464
Thanks: 2,836
Fixes: 226
Registered: ‎06-04-2007

Re: Plusnet Hub One needs security fix

Moderator's note:

Moved from Fibre Broadband to My Router.

Forum Moderator and Customer
Courage is resistance to fear, mastery of fear, not absence of fear - Mark Twain
He who feared he would not succeed sat still

canadianbill
Newbie
Posts: 3
Thanks: 2
Registered: ‎04-05-2018

Re: Plusnet Hub One needs security fix

Thanks for the reference.  Who makes the Plusnet Hub One?

canadianbill
Newbie
Posts: 3
Thanks: 2
Registered: ‎04-05-2018

Re: Plusnet Hub One needs security fix

Obviously 192.168.x.x wouldn't be accessible directly but one could setup a router to access web servers and such using services like DynDNS and others to direct internet traffic to the router.  As I mentioned, it's foolish to be able to setup a dynamic DNS to one's own network to tweak router settings, but some people do.  The 192.168.x.x would be masked to the internet IP address whatever that is.

Community Gaffer
Community Gaffer
Posts: 13,479
Thanks: 1,197
Fixes: 95
Registered: ‎04-04-2007

Re: Plusnet Hub One needs security fix

Even if somebody does have access to the local network, browsing to the Hub One using https://192.168.1.254?images/ does nothing to bypass the admin password.

The device is manufactured by Sagemcom.

Bob Pullen
Plusnet Product Team
If I've been helpful then please give thanks ⤵