The broadband and mobile operator, and the routers' manufacturer Thomson, said they are working on a fix for the cross-site request forgery flaw. O2 refused to comment on the details of the problem, but said in a statement on Tuesday that it was cooperating with the security researcher who reported the vulnerability to understand it.
The potential flaw was first reported on 28 August by Paul Mutton, a security researcher and O2 home broadband customer. On his blog, he wrote that the O2 Wireless Box II and Wireless Box III, customised versions of the Thomson TG585 and TG585n routers respectively, suffered from "a serious security vulnerability that allows remote attackers to access a home user's private network and view/change settings on the router".
Mutton noted that several defences against cross-site request forgery (CSRF) — a type of attack whereby unauthorised commands are sent to a website from the user's IP address — had been used in the routers, but said a design flaw meant these protections could be bypassed.
"This flaw allows remote attackers to take almost full control of the router, including stealing the wireless encryption key (even if the most advanced WPA2 setting was enabled) and forwarding external ports to internal IP addresses," Mutton wrote.
The researcher said he would not reveal specific details of the flaw until it had been fixed.
O2 said: "The vast majority of home routers are manufactured by Thomson, and the same [problem] will apply to all."
On Thursday, Thomson said in a statement that it was "working closely with O2 on this matter", but would not say what other ISPs use the TG585n or how many of the routers are in circulation in the UK.
According to Mutton, some routers from Be Broadband, which is owned by O2, and Zen Internet are affected.