Last updated June 23, 2021
The Dutch ISP (internet service provider) ‘Ziggo’ has engaged in some scare tactics with its customers, sending emails that looked like phishing at first sight. The ISP’s purpose was to inform its clients of a security vulnerability affecting a specific device it sells to its customers, the TP-Link-based “WiFiBooster Ziggo C7.”
This is a very popular device among Ziggo subscribers, as it helps extend or strengthen WiFi signals and network coverage on home networks.
The problem with this particular device is that it ships with weak default credentials, so an attacker could easily brute-force them and take control of the network. Even a botnet that simply tries a list of hard-coded default credentials could do it, so users needed to change the password to something that cannot be guessed.
Customers should have been advised of this at the time of purchase or via a note in the box (as TP-Link does). Ziggo could even have forced the user to change the password during installation of the device, since the ISP ships custom firmware anyway. Somehow, Ziggo missed all of these opportunities and then tried to save the day via email.
The message, as translated into English by Malwarebytes, read as follows:
Urging the recipient to follow a link to access instructions on how to change their WiFi device password sounds like phishing, right? Ziggo should have included these instructions in the email message itself, but this wasn’t even its only mistake.
The ISP actually sent the above email to all of its subscribers, not only those who had bought the WiFiBooster Ziggo C7. So, this is basically spamming as well. And thirdly, Ziggo chose not to give away many details about the actual threat, which makes the message suspiciously generic. Instead, it could have published a security advisory for the product, detailing the security risks and offering mitigation steps.
Ziggo is one of those ISPs that stands behind its subscribers’ privacy rights, refusing to hand over client identification details to anti-piracy groups. The company is also quite active in proactively evaluating the security of its products, which is what happened in this case. However, its approach to informing customers of a security risk falls short, and it serves as an example to everyone else of how not to do things.