O2 and Be Broadband Router Security Fail 
Attention O2 and Be Broadband customers: if you use the O2 or Be Broadband-branded wireless routers (the O2 Wireless Box and Be Box) you’re going to want to check your settings sharpish.
A vulnerability discovered by O2 Broadband customer Paul Mutton has prompted O2 to remotely configure the settings of customers' routers. The security loophole is thought to affect both the O2 Wireless Box II and Wireless Box III devices, used with the Standard and Premium/Pro ADSL2+ packages respectively.
The loophole could potentially allow hackers to gain remote access to the device and cause untold damage. O2 has now changed the passwords on all Wireless Box devices to the serial number located on the bottom. By entering the following, you will be able to log in to your O2 Wireless Box router:
Username: Administrator
Password: [uppercase serial number from the bottom of your O2 Wireless Box]
As always, it’s advised that you change the password if you haven’t already done so. Note that these are the login details required for your router (which you’ll need if you want to change firewall settings) and not your encryption key.
The O2 Wireless Box II and III are the O2-branded names of the Thomson TG585 and TG585n routers respectively. The Be Box routers used by Be Broadband customers are the same, and so are vulnerable to the same security flaws.
Be Broadband customers should have by now received the following email:
We want to let you know that we’ve recently been informed of a security problem that could affect the BE Box, among other routers. Essentially, the problem could allow somebody to change your router settings, and nobody wants that. For you tech savvies, we’ve included more details at the bottom of this email.
Here’s what we’re doing:
We want everyone to be protected – even the people who don’t read this email, so, we’ve decided to automatically update the password for everyone. It will be unique to each user: we are running a script to change the password to the individual serial number on your BE Box (found on the bottom of the router). If you want to change it after that, go here for a guide: https://www.bethere.co.uk/web/beportal/beboxpassword
Just to be clear, we aren’t changing the wireless key – it’s the password to the administrator web interface. That’s the only change we will – or would – make.
We will be starting to run this script first thing Monday 7th September, if you don’t want us to do it (although we do recommend it), you can stop us by either:
a) Downloading and running the tool here:
http://www.beusergroup.co.uk/downloads/BEBox_OptOut.exe
b) Following the manual guide here:
http://www.beusergroup.co.uk/technotes/index.php/How_To_Fully_Secure_The_Bebox
The Techie Stuff: The BE Box is vulnerable to an XSS (cross-site scripting) combined with a CSRF (cross-site request forgery) that allows a remote attacker to perform actions on the Web UI (user interface), via the use of JavaScript – and without the user’s knowledge or consent.
In the short term, in order to stop this from occurring we are going to set the password on everyone’s BE Box.
After we’ve done this, if someone tries to attack your router, you will be prompted to enter your Administrator Password. Don’t do it, otherwise the attack will be successful. (We’d like to think that most people wouldn’t enter their username and password for a random unexpected login prompt)
In the long run we’re working with Thomson to improve the firmware’s resilience to such attacks.
Source: [The Guardian]
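The limit of the password-only fix described in the email can be seen in a small request-validation model, which sets it beside one common hardening against forged requests (an origin check plus a per-session token). This is an added example, not code from Be, O2 or Thomson; the origin, credentials, request shapes and both handler functions are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# All values below are constructed for illustration, not taken from the router.
ROUTER_ORIGIN = "http://router.example"
ADMIN = ("Administrator", "SERIAL-PLACEHOLDER")
SESSION_KEY = secrets.token_bytes(32)

def csrf_token(session_id):
    """Per-session token the UI would embed in every settings form it serves."""
    return hmac.new(SESSION_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def same_origin(headers):
    """True only when Origin (or, failing that, Referer) names the router itself."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    parts = urlsplit(source)
    return f"{parts.scheme}://{parts.netloc}" == ROUTER_ORIGIN

def password_only(req):
    """Short-term fix: any request that carries valid credentials is accepted."""
    return 200 if req.get("auth") == ADMIN else 401  # 401 triggers the login prompt

def hardened(req):
    """Credentials, plus an origin check and session token on state changes."""
    if req.get("auth") != ADMIN:
        return 401
    if req["method"] != "GET":
        token = csrf_token(req.get("session", "")).encode()
        if not same_origin(req["headers"]):
            return 403
        if not hmac.compare_digest(token, req.get("token", "").encode()):
            return 403
    return 200

# Constructed requests: a cross-site POST before and after the user has logged in,
# and a genuine POST from the router's own settings page.
FORGED = {"method": "POST", "headers": {"Origin": "http://other-site.example"}}
FORGED_LOGGED_IN = {**FORGED, "auth": ADMIN, "session": "s1"}
GENUINE = {"method": "POST", "headers": {"Origin": ROUTER_ORIGIN},
           "auth": ADMIN, "session": "s1", "token": csrf_token("s1")}

if __name__ == "__main__":
    for name, req in [("forged", FORGED), ("forged, logged in", FORGED_LOGGED_IN),
                      ("genuine", GENUINE)]:
        print(f"{name:18} password_only={password_only(req)} hardened={hardened(req)}")
```

The model covers only the request-forgery half of the issue: a script injected into the router's own pages through the XSS runs in the router's origin, so that half has to be closed by output encoding in the firmware.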
Posted by Tom on September 8th 2009 in Be Broadband, O2 Broadband, Security