back to article Hyperoptic's ZTE-made 1Gbps routers had hyper-hardcoded hyper-root hyper-password

A security vulnerability has been found in Brit broadband biz Hyperoptic's home routers that exposes tens of thousands of its subscribers to hackers. The gigabit provider's routers are made by ZTE, the Chinese electronics giant that American and British spy agencies have sounded an alarm over. The United States has also …

  1. sanmigueelbeer Silver badge
    Stop

    The gigabit provider's routers are made by ZTE

    Should I be surprised at this development?

    Quantity (price) vs Quality ... we know what the score is.

    1. Tom 38 Silver badge

      Re: The gigabit provider's routers are made by ZTE

      Actually they were very up front about it. The engineer who did my install said that the router is pretty good, but they mainly chose it for its wifi performance, so if I wanted to get as close to 1000Mbit as possible I'd need a better router.

      I use an ER-lite, and the ZTE router as an AP.

      1. Anonymous Coward
        Anonymous Coward

        Re: The gigabit provider's routers are made by ZTE

        "we know the router's crap, buy another" hardly inspires confidence in the overall product - and these are the sorts of companies that are trying to challenge Openreach and Virgin?

        Do Hyperoptic even do IPv6 yet? Yet another major omission (which is strange considering that even BT, with their masses of legacy kit and stifling bureaucracy, has managed it)

        1. Tom 38 Silver badge

          Re: The gigabit provider's routers are made by ZTE

          Its not crap, it tops out at around 850Mbit - most routers would. If you want more than that, yes, buy a different one.

          1. Anonymous Coward
            Anonymous Coward

            Re: The gigabit provider's routers are made by ZTE

            It's supposed to be a premium service. It should be capable of routing at line speed. "it does 850Mbps" is a cop out when you're paying for what is nominally a gigabit service (well, around 940Mbps after overheads etc)

            (and considering this news article - the router clearly is crap)

            1. Anonymous Coward
              Anonymous Coward

              Re: The gigabit provider's routers are made by ZTE

              Um, is that with or without the overhead (I believe Ethernet uses 8b/10b coding at the physical layer)?

      2. gordonsj

        Re: The gigabit provider's routers are made by ZTE

        I think you have it the wrong way around. The wired performance of the ZTE router is pretty good however if you have a Gbit connection and want fast wifi you need a third party router that does MU MIMO.

  2. Norman Nescio Silver badge

    Hardcoded root?!

    That might explain why I was getting more than the expected number of ssh root login attempts from Chinese IP addresses on the router I put on a Hyperoptic connection in place of the supplied one.

    You expect to get bots trying to exploit ssh, but from all around the world. These were from (mostly) one particular (large) Chinese ISP, and persisted over a period of months. It might just be a coincidence, but who knows?

    I tend to regard ISP-supplied CPE with a fair amount of suspicion. At least I know (or can teach myself) how to set up a basic router. Lots of people can't (or won't), and that 's a problem for which I have no reasonable solutions.

    1. Anonymous Coward
      Anonymous Coward

      Re: Hardcoded root?!

      I tend to regard ISP-supplied CPE with a fair amount of suspicion.

      As a customer of Virgin Media, and blessed with their shitbag Hub 3, I can understand why. Unfortunately for most high speed broadband providers the ISP offers no choice of modem, and the bimbling idiots of Ofcom turn a blind eye to the EU rules requiring that ISPs provide a choice of terminal equipment.

      Yet another reason to shut down the Ofcom Home for the Useless, and turn them all out onto the streets (ideally from a third floor window).

      1. Anonymous Coward
        Anonymous Coward

        Re: Hardcoded root?!

        "Unfortunately for most high speed broadband providers the ISP offers no choice of modem, and the bimbling idiots of Ofcom turn a blind eye to the EU rules requiring that ISPs provide a choice of terminal equipment."

        With the sole exception of Sky, no UK ISP actively prevents you from using your own router. Virgin require that the superturd be used, but at least there is a modem mode to turn off most of the nastiness. FTTH networks like Openreach's (for the few who can get it) necessitate the use of the telco supplied modem, but you can still use your own router. ADSL and FTTC customers can buy one of many models of modem or modem+router - from a TPlink cheapie all the way to a Cisco ISR if you are so inclined.

        Not really sure what Ofcom or the EU have to do with this. Even TalkTalk have an automated phone line where it'll read out your PPP username and password for any router of your choice.

        1. Anonymous Coward
          Anonymous Coward

          Re: Hardcoded root?!

          With the sole exception of Sky, no UK ISP actively prevents you from using your own router.

          Sorry, I should have been clearer: I don't class 80 Mbps as high speed broadband, and was referring to the primarily cable and (real) fibre networks, which is primarily, but not solely Virgin Media

          Not really sure what Ofcom or the EU have to do with this

          EU rules require that ISPs allow customers a choice of "terminal equipment", Ofcom are (laughably) the enforcer of relevant EU regulations. You get that choice with most Openreach ISPs, not with most non-Openreach networks - again Vermin Media are the prime suspects. Ofcom had a timid look at these rules in the middle of last year, and then backed off without saying or doing anything.

  3. Craigie

    UK ISP Hyperoptic

    Who??????

  4. Anonymous Coward
    Anonymous Coward

    Who??????

    You could do a search on them, but to explain why not that many people have heard of them, they specialise in "built in at construction" gigabit broadband networks, usually for multi-occupancy buildings or estates of apartments. They install under contract to the developer, and that gives them a virtual monopoly on ISP services because nobody else would risk trying to retrofit FTTP into apartment blocks already served by a gigabit network. So no real need to advertise at all.

    Having worked with developers on a similiar (non telecoms) concepts, I wouldn't be surprised if Hyperoptic have to pay a big fat wad to the developer for the right to do this, then add that to the costs served to almost captive customers. Headline pricing for Hyperoptic doesn't actually look at all bad, but I suspect that their costs are far lower than anybody trying to build FTTP by retrofit, there's no marketing costs of significance, and the churn is probably tiny, so margins are probably very healthy (until they're bought by some slimeball corporation and the M&A costs get added to the bills).

    1. Tom 38 Silver badge

      I pay £38/month for gigabit, but that was on a deal. My entire estate (~5k homes) has access to hyperoptic. We also all have BT FTTH, so no monopoly, but since that is ~£60/month for 300Mbit, not many people take that. From the wifi that pop up on my phone, there are a few BT, a fair few SkyFibre, and a lot of hyperoptic.

      1. FrogsAndChips Silver badge

        Same situation as Tony38, except that we also have Virgin cable. No copper, so no ADSL available, you are limited to cable or fibre providers. I only pay £22/month but that's because I chose a 30Mb package which is enough for my home use. And no phone line required, so it's a no-brainer compared to BT!

      2. Anonymous Noel Coward
        WTF?

        "there are a few BT"

        Why on Earth would anyone pay £60/month for 300 Mbit when they can get Gigabit for £38?

        1. FrogsAndChips Silver badge

          General reason: people don't do their homework to find the best possible options.

          Other possibilities:

          - better deal negociated with BT

          - Hyperoptic doesn't offer TV or phone packages (besides a phone line)

          - bad experience with another provider

          - Openreach ONT was already installed when they moved in (was my case) and they followed the path of least resistance to get a connection (brings us back to the general reason)

    2. Norman Nescio Silver badge

      They certainly did do retrofits. I don't know if they still do. But if you think you will get nice bright and shiny IPv6 with your bright and shiny new Gigabit-capable network, you'll need to think again*. No IPv6, and they use Carrier-Grade NAT. This takes the shine off things a bit.

      *Apparently, it is finally being rolled out, but it hasn't reached the routers I am responsible for.

      https://www.ispreview.co.uk/index.php/2017/12/gigabit-fttb-fibre-broadband-isp-hyperoptic-start-uk-ipv6-rollout.html

  5. JJKing Silver badge
    Black Helicopters

    Tinfoil hat, mask and gloves already being worn.

    WTF? Why with all the knowledge that has accumulated in the past years, does anyone (manufacturer) find the need to hard code credentials into hardware unless it is for nefarious reasons. This shit does not help with my over abundant paranoia.

    1. Anonymous Coward
      Anonymous Coward

      Re: Tinfoil hat, mask and gloves already being worn.

      Well, given the likelihood everyone ELSE is doing the same thing, if not to the same people, you have to start asking if you're ready to roll your own silicon?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019