O2 routers could be hacked into following the discovery of a flaw

A vulnerability in O2 home routers that could lead to the theft of wireless passwords and the ability for intruders to take control of the routers has now been confirmed by broadband provider, O2.

A fix for the cross-site request forgery flaw is currently being worked on by the routers’ manufacturer, Thomson and the mobile and broadband operator. In a recent statement O2 confirmed that it was currently working closely with the security researcher who discovered this vulnerability in an effort to understand it, although it declined to comment any further on exactly what the problem was.

Security researcher and O2 home broadband user, Paul Mutton first reported the flaw to O2 on 28th August and in his blog he advised that the customised versions of the Thomson TG585 and TG585n, which were called the O2 Wireless Box II and Wireless Box III, were affected by “a serious security vulnerability that allows remote attackers to access a home user’s private network and view/change settings on the router.”

A design flaw in the routers meant that certain protections could be bypassed even though the router had a number of defenses against cross-site request forgery (CSRF), which is an attack that allows unauthorised commands to be sent from a users IP address to a website, according to Mutton.

He wrote in his blog “This flaw allows remote attackers to take almost full control of the router, including stealing the wireless encryption key (even if the most advanced WPA2 setting was enabled) and forwarding external ports to internal IP addresses.”

Until this flaw has been fixed, the researcher refused to provide any further specific details.

In a recent statement O2 advised “The vast majority of home routers are manufactured by Thomson, and the same [problem] will apply to all.”

Source – Zdnet