BT home router wide open to hijackers

If you rely on BT for high-speed internet or VoIP, there's a good chance a pair of UK-based researchers know how to enable a backdoor in your router that leaves you wide open to eavesdropping, caller spoofing and other nasty attacks. The vulnerability resides in the BT Home Hub, one of the UK's most popular home routers, …

COMMENTS

This topic is closed for new posts.


Thumb Down

Well.......

BT needed to offer a draft N1 router anyway; this just gives them an excuse!!!

Or they'll prob just release a crappy firmware update that will make the process 5mins longer!

0
0
Dead Vulture

It's no secret that the home hub is insecure.

By default they use WEP protection, and I'll bet 99.9% of them are still set to WEP.

Somehow I mistrusted my Home hub, it's always sat in the box whilst I use my previous router.

But the Internet here is 100% useless anyway, with AOL it constantly drops out from 1.1Mbps, and with BT it runs stable at a mind bending 300kbps. And it costs £60 for an engineer to turn up and declare everything to be fine.

0
0
Paris Hilton

WEP

Tiscali's gear also uses WEP. When do these companies grow up to their task?

0
0
Coat

@WEP

Perhaps they're keeping the fact in mind that Nintendo's console doesn't support WPA, and they're just avoiding the headache. Worse still? No DS update to allow for WPA support, and probably never will be.

Sure, Nintendo might be stupid to not provide an upgrade, but I'll take a region-free handheld over a region-locked one any day.

0
0
Paris Hilton

@@WEP

Maybe not the DS, but the Wii supports WPA and does the job very well also. Forgive me if I am wrong, but I believe that WPA was brought in with the advent of 802.11G, and as the DS is only 802.11B capable, WPA authentication could not be built in because of this (the only reason I mention this is that I have several 802.11B adaptors here that do not support WPA either, regardless of driver revisions or firmware updates, due to hardware limitations - the answer given by the manufacturers when asked if WPA will ever be enabled within them). Obviously these have all been upgraded to faster adaptors now, so no problems here.

0
0
Thumb Up

Wii not using WPA?

Hang on there me bucko, Wii does support WPA encryption.

0
0
cor
Paris Hilton

That's nearly as bad as...

Ireland's Eircom and their bb wifi box:

A bit of Jimi Hendrix (!), and hey presto you've just reverse-engineered the WEP key. Love it.

link to blog of original finder:

http://www.minds.nuim.ie/~cyberax/blog/?p=43

Cormac

0
0
Dam
Paris Hilton

RIAA GO GO

Reckon if these consumers get pwnd by Virtual 3D Internet Piratey Terrorists that maliciously install spam and P2P software and an illegal version of Clara Morgane's songs the RIAssA will go after the users ?

On a side note: where's the Nicole R. angle ?

0
0

Welll d'uh...

If it is anything like the good ol' BT Voyager routers then this is the least of their worries..... The BT Voyager router where changing the default settings password through the web interface doesn't affect the default password for the Telnet/SSH interface... All those routers with a randomised 10 character alphanumeric web-interface password and the u/pw of "admin/admin" for SSH. Shocking

0
0
Coat

@@@WEP

Forgive me if I'm also wrong, but isn't WPA hardware independent? Ie, it depends on the software/firmware of devices? Also this comes as a surprise given I've had 802.11b cards running a WPA/AES/PEAP-EAP-TLS stack on them...

Also, that Paris Hilton icon is haawwwt. I'm pitching a tent already.

Also, if that's not what the green icon is, wtf is it?

0
0

What's this got to do with WEP?

The hack is perpetrated down the broadband link, so it doesn't matter if you are running an open, WEP secured or WPA secured wireless network or no wireless network at all, your router is still pwned.

0
0

BT Fails Duty of Care?

BT has repeatedly tried to get me to take their home hub and sign-up for 18 months. They want me to throw away my firewall/router to replace it with something totally insecure - and the blurb mentioned some 'security device later'. I think this stinks from a major provider - and I think El Reg should take this up with them.

0
0

@@@WEP

Having an 802.11b adapter doesn't necessarily limit you to WEP and exclude WPA. I have a Wii (which by the way comes with an 802.11b adapter), which connects by WPA2.

@Paul Thomas - he wasn't talking about the Wii. His post clearly mentioned the DS, and not the Wii.

0
0
Paris Hilton

Sky

By far the worst router I have seen is the Netgear router Sky provide, with the admin user name and password printed helpfully on the router, broadcasting the SSID as every other Sky router and with both WPA and WEP disabled, let alone locked to MAC address.. It is provided wide open to the world.

ISPs really should get their acts together here; they provide a router, and even go to the length of sending an engineer to install, but don't bother spending, what, 15 minutes explaining the security options to the user, but instead leave the router wide open to the world, with a common password.

I think they have a duty of care; there is usually a clause in the contract that says the user has to take all reasonable security precautions, and yet the router is supplied with the security rating of a chocolate fire guard.

The router should be supplied in its most secure form, WPA enabled (with a random key, not the same one on every router), random SSID which isn't being broadcast.

Then it is the choice of the user if they wish to open the router up.

0
0
Joke

Black Sky

Just gone onto Sky broadband and the first thing I did with it is to change the admin name and password. Then changed the security settings, backed up the config file and copied all the IP settings onto my other Netgear router. I'm again properly firewalled, secure and don't broadcast my SSID.

A few simple precautions are all that is needed.

On another note, when configuring my daughter's laptop, I discovered that one of our neighbours had a totally open network and she was getting a connection on that one. When will people learn to protect what is theirs?

0
0
MrT
Bronze badge
Coat

WPA on 802.11B does work...

...but only if the firmware is updated by manufacturers. I've an iPaq 5550, with B-WiFi, and HP issued an upgrade about 2 years down the line from purchase to enable WPA - which it does fine. The difference between this and most consumer devices is it's a high-end business-oriented PDA and HP's customer base in that area have a bit more clout than someone buying the stuff that PC World sell to Joe Public. Cheaper stuff tends not to be upgradable if the firmware is burnt into ROM rather than flash RAM

It was a fairly hefty ROM image, needing three Softpaq updates to raise the radio firmware to the necessary level before the OS could be patched - get the order wrong and it won't even work on WEP. It's a bit like upgrading a Mobile 5 PDA or smartphone to Mobile 6, which is also possible, but so is the likelihood of 'bricking' the thing if the steps are not followed precisely. Not the sort of thing most people would consider, and also not the sort of thing Nintendo would like most people to do - they don't want a flood of warranty returns on bricked DS's because the official patch failed...

So, the DS could use B and WPA if Nintendo so wish - may need a different ROM image (not sure if it's home-flashable) - but there's nothing to stop a B device using higher encryption than WEP. Of course, it takes more out of the CPU to run the higher authentication, so the device would slow down - maybe B-WEP on a DS is the best compromise that doesn't impact gameplay?

Here's a solution though - hook up a cheap B access point to the DMZ of the faster G or pre-N router - then let the firewalls sort out authorised traffic between the home network and the less secure DS. Not got a DMZ?

As for the HomeHub, it runs a modified Linux OS - have these guys suggested a hack to fix the hole? There's all sorts of stuff it can do that BT don't officially sanction (print-serving, use USB disks to provide NAS, etc). The user base should have enough sway with BT to press for changes to fix all the holes - there are over a million of them out there.

0
0

Problem with buy-to-let hardware

One reason why I look for linux routers ONLY with root access for ME is so that I can modify and change the software myself, change the root password if I need to and so on.

Problem is that even for the tech-heads who DO know what to do, the manufacturers are still in the "Closed Source" mindset where they believe THEY own the device after you've bought it and are just magnanimously letting you use it.

PS this story has nothing to do with the wireless side. It's when you visit a web page, the script there connects to your router and runs stuff that (without requiring a password) can open up your machine completely, which allows it to take any passwords it wants, INCLUDING the WPA key (unless, maybe, if you use RADIUS, but they still get to see every packet sent).

0
0
Thumb Down

If you're daft enough..

...to be lured to a phishing site then you DESERVE to have your router hacked.

0
0
Anonymous Coward

Re: Sky

A non-tech neighbour recently got Sky broadband, their Netgear DG834 was (imo) reasonably secure, with a non-default SSID and non-default key printed on the router and a handy reference card. The router's admin password is the same as every other Sky router's, but so what, and so what if the SSID and key is printed on the router and on a handy reference card, if you've got physical access to the router/LAN, there's scope for lots of exploits.

There aren't so many WLANs these days with SSID of LINKSYS or BELKIN or ... and zero security, but there are still some.

Disabling SSID broadcast is often suggested but imo pointless. It's about as sensible as taking the house number off your front door so you don't get broken into. People can see your house even when it's got no number, people can find an SSID even when it's not being broadcast.

0
0

RE: Sky

Don't know what sky router you got but my one came with a random SSID (well it mentions sky in it but the rest of it is random) and by default WPA enabled with a random password (Unless they use the same algorithm as Eircom but it looks random). Yes the SSID is broadcast and the key is printed on the router but then if they have the level of access someone could just as easily plug a cable into it...

0
0
Anonymous Coward

@Anonymous Coward

Possibly your grasp of the web is similar to your grasp of English. The tooltip explains the icon. This is fairly standard.

0
0
IT Angle

But why

Would anyone use the free hardware provided by an ISP? I wouldn't trust them to make a hardware decision on my behalf, if you want to be cheap then you only have yourselves to blame.

0
0
Silver badge
Paris Hilton

Nice features though...

I quite like the BT router. I mean, apart from its tendency to fall over when you put anything more intensive than a single html request through it, the annoying habit it has to completely lock up when you try and use wireless and its periodic absolute loss of any ability to resolve new DNS requests it's quite nice. Shiny. If I could keep the fancy graphical user interface they've put on top of iptables and dump the rest I'd be very happy indeed.

0
0
Silver badge
Paris Hilton

Hit reply, engage brain

Of course "html request" should be "http request"...

Where's me coat?

0
0
Dead Vulture

Fantastic Customer Service, As Always

Here's BT's word for word reply to my support request on this. Of particular delight is the sentence "As it is already been secure, there will not be a necessary to obtain a patch to address this vulnerability."

Dear xxxx,

Thank you for your e-mail dated 9th October 2007, your e-mail has been logged under the reference number xxxx.

I am writing further to the concerns which you have raised about the security vulnerability with the BT Home Hub. You wish to know where to obtain a patch to address this vulnerability.

Please note that BT Home Hub has many advanced features. The BT Home Hub has been designed for all current and future BT Total Broadband services - including high-speed Internet access, cheap broadband phone calls, wireless Internet, BT Fusion and more - all from one box. Key benefits include:

• Security: An enhanced security package to keep you, your computer, and your family safe and secure

• Wireless: Advanced features to free you from restrictive wires and help you connect to multiple PCs, printers, and games consoles

• Gaming: Features to help you match your skills against the best gamers in the world

• Remote updating: Get access to new products and services as they are launched

• BT Broadband Talk: Make the most of great value calling plans, low cost calls over your PC, and video calls

Please be informed that wireless routers use various security technologies to prevent unauthorised users connecting to the Internet over your wireless network. The BT Home Hub or BT Voyager Wireless routers, Voyager 2091 for example, are preset with WEP wireless security and are protected by a key known as a wireless network key. WEP security offers protection against unwanted connections on a typical home/small office network. As it is already been secure, there will not be a necessary to obtain a patch to address this vulnerability. Your patience and understanding is highly appreciated. Please visit the following link for more information about secured wireless connection:

http://btybb.custhelp.com/cgi-bin/btybb.cfg/php/enduser/cci/bty_adp.php?p_sid=tJyptKNi&p_faqid=7490

If you need any further assistance with your BT Total Broadband service, please visit our website http://www.bt.com/broadband/help for solutions to most technical questions and to contact us in future.

Thank you for using BT Total Broadband.

xxxx

BT Total Broadband Support Team

0
0
Tim

Broadcasting SSID

Having your router broadcast the SSID is in fact no security threat. It's just as insecure if it hides it, and worse you have a lot of problems to boot as the likes of Windows has headaches if you hide the SSID even if you tell it what it is.

Hiding SSID is one of the classic security myths of wireless net and breaks the intended design of the system. Likely half the complaints to tech support lines are because people have read myths like this.

MAC address locking is also not invulnerable. Takes a simple packet sniff and then just spoof the MAC.

0
0

@@Anonymous Coward

To me the green icon looks like the invisible man with his raincoat on getting a hand job from some obliging fellow.

I'm definitely not going near any tooltip for that. ;)

0
0
Tom
Paris Hilton

Re: Sky

My dad was in the first wave of Sky broadband and they gave him a router with WPA running and the key for it printed on the box... non-default SSID and no admin password in sight... in fact we've been unable to find anywhere the login and password for the router. What is the default login for a Sky router?

0
0
MrT
Bronze badge
Thumb Up

@ Mark

Fantastic! BT using cut'n'paste marketing material for their responses... Oh no! A ravenous bugblatter beast of Traal! Where's my towel? http://www.urbandictionary.com/define.php?term=Ravenous+Bugblatter+Beast+of+Traal

I've checked the BT Broadband Forums and got this thread on the matter...

http://www.beta.bt.com/bta/forums/thread.jspa?threadID=376&tstart=0

Now, in the earlier version of that thread, Sandy Woolsgrove (who writes in other threads as if a BT Help employee) had said that BT were "checking the validity of this claim" - but it looks like the thread has been edited to remove this response...

That thread is about the FON firmware roll-out (amongst other stuff) - I wonder if the router can be compromised for all users by someone on the 'public' side accessing whatever website contains the hack? The blurb says the two channels are kept totally separate, but they all go down the same bb line. If so, it's not purely down to the HomeHub owner being careful...

0
0

BT response and other stories

That BT response is shocking. They've clearly just looked through their list of automated responses and picked one without bothering to check what the issue really is.

@Kenny Millar

Ummm you do realise that almost *any* site can be compromised and made to feed exploits, whether directly or via their ad service? You don't need to visit www.gethaxxed.com.

And yes, the argument that Sky printing the WPA info on the router itself is insecure overlooks the fact that if a ne'er do well is in my house looking at my router the least of my concerns is how secure my wireless connection is!

0
0
Joke

@mark

Clearly what's happened there is your router had already been rooted, and your mail to BT was redirected to Nigerian phishers.

0
0

BT HomeHub - WEP & Dell

Previously all wireless laptops set to WPA. This is OK with BT Voyager series. Using BT HomeHub I found they crash out, irregularly and unpredictably, when WPA is enabled in BTHomeHub, so using BT's equipment "HomeHub" I had to reset to WEP to enable continuous use of my Dell Laptops. [No useful help from BT help-folk on this problem when reported, indeed a misunderstanding like 'what is WPA?'] I am thinking of going back to old Voyager router or do folks have a better recommendation when using BT as an ISP?

0
0

@ Tom

Try admin and password sky.. that may well do the trick

0
0

sharing BT wifi

I enjoy being right about poor security. All the talk about encryption doesn't really matter. Download a copy of BackTrack from exploit.org and with some intelligence/time you can break WPA. Not very surprising that a week or so after BT decides to 'share' your wifi there is a leak about a backdoor. Surprise, surprise.

0
0

Here we go again

Firstly the BT Homehub is insecure out of the box no matter what firmware is installed, 'normal users' will continue to keep it insecure.

It's 4 minutes from start to finish to break a normal HomeHub (I proved it to a journalist in work as a bet).

Even my really old Thomson (pre Alcatel) had the admin password set to the router's serial number.

As for spilling its guts via a malicious web page, I'm not surprised, I notice it's BT taking the bashing and not Alcatel who no doubt provide the branded firmware.

With WPA I have had to step back down to WEP variants due to the performance hit, when more than 2 machines are connected to the router (if I had wanted a modem I would have bought one)

Hiding the SSID, why do people bother? Any wardriving (I hate that term) software has had that covered for the last 3 years anyway.

You want something to happen, go to your local newspaper or TV company and demonstrate it for them. The tech press can bitch all they want, it's a niche market, that has no real muscle.

Get the great unwashed involved and it's a different matter, phone Watchdog and watch BT (& Alcatel) take some action pretty quickly.

0
0

This post has been deleted by its author

IT Angle

I'm sorry.

I know this hole has nothing to do with WiFi, but I felt it prudent to mention that the Home Hub uses WEP by default; I consider it another, even bigger hole.

0
0

Actually people have noticed

Quote :

Dear god, pretty much all these comments are people bitching about wifi security. Read the frikkin article and you might see it has all of nothing to do with wifi!

Yeah some of us noticed, the answer kick up a fuss with both BT & Alcatel and it will be fixed (hopefully sooner than later)

I assume that BT can push out an update to the routers rather than relying on the end user to do so (oops, am I showing my Stalinist tendencies), cos if we are relying on the end user then nothing will happen, even if BT/Alcatel provide a patch quickly.

The longer term issue (to me and others) is with how the feckers are set up in the 1st place.

0
0
Thumb Down

A Classic quote.......

BT could not pour piss out of a wellington boot if the instructions were printed on the heel.

0
0
Thumb Down

Aye, I know it is not an article on WiFi...

.. however WiFi has been discussed extensively, so:

Hiding SSID is not pointless, but it is of course no obstacle to the determined. WEP is relatively insecure, to the determined. WPA is potentially breakable, by the determined. MAC authentication is not secure against a sufficiently determined attacker.

Hmm, spot a theme? That's right! A *determined* attacker can break security. This is news, why? It's hardly a specific WiFi issue and it doesn't mean you ought not to use security precautions. Script kiddies often don't even get past the "scanning for SSIDs with no encryption" stage when looking to break WiFi nets and MAC screening is pretty effective, as it takes a reasonably technically capable attacker to figure out what MAC he needs to spoof and how to spoof it. Bottom line? It's always worth securing your network but you have to operate on the assumption that it is insecure, just as with any other line of communication.

0
0
Coat

WEP

Be boxes are pre-configured with WEP and WPA-PSK - you can only crack a WEP key if a device is actually encrypting data with it

0
0

@ Matthew Robinson then my take

The Be Box comes with no admin password, highly secure - NOT.

The main point is until RIAA come knocking with their law suit 99.9999% at least of the "general public" wouldn't know if their bb connection is being compromised or not.

The "great unwashed" really shouldn't be allowed anywhere near PCs, at least not ones with an internet connection that isn't supported by someone who knows what they're doing. If you don't know how something works and the risks involved then you really get everything you deserve. Never mind blame everyone except yourself. That culture is why you can now almost jump off a cliff and sue someone for the cliff not being fit for purpose if you don't manage to kill yourself. The great unwashed and the internet is like letting a 3 year old loose in charge of the shuttle - haven't got a clue what that button does, but, it's big, it flashes and I'm sure it won't do anything bad ...

I've spent too many hours fixing machines of friends and family who screw them up by just pressing that big, flashing f-ing button. I now charge everyone £200 per hour plus travelling costs to fix their machine (including my mother). Telephone support is £150 per hour and emails cost £100 per email. People never start a conversation with "My computer's broken" anymore.

0
0
Anonymous Coward

Hiding ssid beacons

Pros:

o might help to not confuse Aunty Flo next door when she looks at her 'wireless neighbourhood'

o erm, none

Cons:

o some client devices cannot access a node without visible ssid beacons

o if wpa type security is set up then the visibility of ssid is moot

o it doesn't matter that a 'script kiddie' would be stopped by it because they would be much better stopped anyway with a strong wpa key

o it doesn't matter that a 'determined hacker' can still see the ssid because they are stopped anyway with a strong wpa key

o hiding ssid beacons does not prevent the ssid from easily being discovered as soon as a client device exchanges keys

o it gives people a false sense of security because their router informs them that they are 'hidden' or 'cloaked' - sounds cool doesn't it, gotta have some of that!

It's akin to having a very strong vault door to protect against professional safe crackers, then hanging a curtain over it to fool average passers by into not realising it's there. If they know it's there it doesn't matter because they're not professional crackers, and if they're professional crackers they're not fooled by a curtain.

0
0
Dead Vulture

Errr not at all

If a user can manage to gather together enough brain cells to turn off their SSID then they can turn on WEP. At that point hiding your SSID is absolutely pointless (it's not 2002 any more)

Actually one reason for not hiding your SSID is to allow people in the neighbourhood to see your base station and choose a suitably distant channel, rather than everybody sitting in 11 and making a shitty connection even more shitty.

WPA and their ilk tend to be easy enough to break if you want to put the effort in (the usual poorly selected key), but I couldn't really be bothered.

Anyway the homehub is interesting as for once it's easier than attacking either the wireless network or the client machines.

Matthew Robinson : I suggest that you should read a little more before making such statements, it is perfectly possible to forge an ARP request for a WEP based network without seeing any traffic. Once again things have moved forward since 2002

0
0
MrT
Bronze badge
IT Angle

Are they attacking the router directly...?

From the GNUCitizen article, Adrian Pastor says this in one of the comments..."If you are a fan of Firefox extensions, NoScript filters cross-site POST requests from untrusted to trusted sites. This protection should avoid someone exploiting your router if properly configured."

This suggests that the vulnerability in the hub uses a vulnerability in the client machine to access either the SuperUser or remote assistance Tech user accounts. If a Firefox extension can prevent the hack from working, then it is another of those foibles in IE that creates the pathway via the client machine. Would it be stopped by altering the IE security settings to block access across domains?

The standard way of gaining SuperUser rights to the HomeHub involves requesting a Remote Assistance session, then opening another browser window using the details on the RA request page. This gives access to the router's ini file and all that it controls. (including the user lists, password hashes, VoIP channels, etc). An attacker wouldn't need to do much to gain control - just insert their own hash for the Tech user, for example, or add another SuperUser

Mind you, when I tried it, after a soft reset the HH firewall bombed out to 'block all' (with no other options available) and although the VoIP channel still worked, nothing else could get out of the home network - PCs could find the Hub, the Hub reported a valid connection to the Internet, but the two sides were kept apart. Which also means the firewall doesn't watch the VoIP connection.

BTW, with all the FON stuff rolling out, there may be a potential WiFi risk - not sure yet if it's possible to attack a HH w new firmware to enable the 'BT Openzone' public access side of things without the hub owner knowing. However, (to answer myself from earlier), if the firewall works like it did in my test then the private network *may* be kept safe if someone on the public side visits an exploit site, but the VoIP traffic might still be at risk.

0
0
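The post above describes the attack path as a cross-site POST: a page on an untrusted site submits a form to the router's private address, and the browser attaches whatever credentials the router session carries. As an added illustration (not code from the thread, from GNUCitizen or from BT's firmware), here is the kind of server-side check a router admin interface can apply to such requests. The router's origin, the `192.168.1.254` address, `router.local`, the `csrf_token` field name and the sample requests are all assumptions constructed for the example, not the Home Hub's real values.

```python
"""Same-origin and anti-CSRF checks for a (hypothetical) router admin backend.

Two independent defences against a cross-site POST from an attacker's page:
  1. The Origin (or, failing that, Referer) header must name the router's own
     origin; a request from any other site, or with neither header, is refused.
  2. Every state-changing request must carry a per-session token that a page on
     another origin cannot read, because the browser's same-origin policy keeps
     the router's pages and their form fields away from it.
"""
import hmac
import secrets
from urllib.parse import urlsplit

# Hypothetical origins the admin UI is served from (placeholders, not BT's).
ROUTER_ORIGINS = {"http://192.168.1.254", "http://router.local"}
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


class Session:
    """Minimal session holding a fresh, unguessable anti-CSRF token."""

    def __init__(self):
        self.csrf_token = secrets.token_urlsafe(32)


def request_origin(headers):
    """Return 'scheme://host[:port]' from Origin, else from Referer, else None."""
    origin = headers.get("Origin")
    if origin:
        return origin.rstrip("/").lower()  # browsers may send the literal 'null'
    referer = headers.get("Referer")
    if referer:
        parts = urlsplit(referer)
        if parts.scheme and parts.netloc:
            return f"{parts.scheme}://{parts.netloc}".lower()
    return None


def check_request(method, headers, form, session):
    """Decide whether a request may change router state.

    Returns (allowed, reason). Read-only methods pass; anything else must be
    same-origin AND carry the session's token (compared in constant time).
    """
    if method.upper() in SAFE_METHODS:
        return True, "safe method"
    origin = request_origin(headers)
    if origin is None:
        return False, "no Origin/Referer on state-changing request"
    if origin not in ROUTER_ORIGINS:
        return False, f"cross-site request from {origin}"
    token = form.get("csrf_token", "")
    if not hmac.compare_digest(token, session.csrf_token):
        return False, "missing or invalid CSRF token"
    return True, "same-origin request with valid token"


def demo():
    """Run constructed sample requests through the check; returns name -> allowed."""
    session = Session()
    cases = {
        # The user's own admin page submits the form with the token it was issued.
        "legit": ("POST", {"Origin": "http://192.168.1.254"},
                  {"csrf_token": session.csrf_token, "admin_pw": "new"}),
        # A page on another site submits the same form; the browser labels it.
        "cross_site": ("POST", {"Origin": "http://attacker.example",
                                "Referer": "http://attacker.example/page.html"},
                       {"admin_pw": "new"}),
        # Origin looks right but the token is absent: still refused.
        "no_token": ("POST", {"Referer": "http://192.168.1.254/admin"},
                     {"admin_pw": "new"}),
        # Read-only request: allowed regardless.
        "read_only": ("GET", {}, {}),
    }
    return {name: check_request(m, h, f, session)[0]
            for name, (m, h, f) in cases.items()}


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:12s} -> {'allowed' if allowed else 'blocked'}")
```

The Origin check alone is what a browser-side filter like the one the post quotes approximates from the client; the token is the check that still holds when a client sends no Origin or Referer at all, which is why both are kept independent here.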
Dead Vulture

More from BT

In case anyone's interested... had another message from BT. Not entirely convinced, but then again - who am I to say, without trying this myself?

Dear xxxx,

Thank you for your e-mail dated 9th October 2007, your e-mail has been logged under the reference number xxxx.

I am writing further to your query concerning the security vulnerability with the BT Home Hub. I apologize for the inconvenience you have recently encountered with the security vulnerability of the hub.

Please note that BT has released a new version for the firmware of the BT Home Hub. The installation of the new firmware should resolve all the issues related to the security vulnerability of the BT Home Hub.

If you need any further assistance with your BT Total Broadband service, please visit our website http://www.bt.com/broadband/help for solutions to most technical questions and to contact us in future.

Thank you for using BT Total Broadband.

xxxx

BT Total Broadband Support Team.

0
0
MrT
Bronze badge

@ Mark

Folk will move on from this thread pretty quickly as the story gets older I guess, but it's still of interest...

I've also been in touch with BT, although they still respond that they are investigating. Until they've had a chance to check this against the new FON-enabled firmware they can't really say for sure.

0
0
Coat

A thread purely for BT broadband

How about El Reg starts a thread purely for BT broadband horror stories. I reckon I could post 30+ straight away. It could be under some sort of fiction heading as most people wouldn't believe that a company could be run so badly and stay in business.

0
0
Jobs Horns

Erm,

If someone has the skills to try and crack your WEP/WPA keys then no amount of SSID hiding & MAC binding will help you. WPA needs a LONG key (think 20+ digits) to be safe against dictionary/brute force attacks. The home hub gives 10 hex digits of WEP by default! :-0

Also, the home hub IS a Thomson SpeedTouch in a snazzy new box. It is, as its predecessors were, a crock of shit. Mine has dropped its connection about ten times in the last couple of days. I don't know if this is down to BT's frantic firmware upgrading or haxorz attempting (and maybe succeeding) in pwning me or just its general shitness. Whatever the cause I'm not terribly bothered as I'm using another (better) router upstream of it.

Roger Heathcote.

PS: It's just crapped out again when I tried to post this LOL!

0
0
Thumb Up

@ Hiding ssid beacons

I do it to stop passing gypsies armed with stolen laptops, from stealing my laptops.

Show me a house with nothing inside worth stealing, but with WiFi.

0
0
