UK's number one router open to VoIP hijacking

Principals of the ethical hacking outfit GNUCitizen say they have found a serious security bug in the BT Home Hub that could allow attackers to engage in identity theft and other types of fraud by hijacking calls routed over the internet. The vulnerability allows an attacker to initiate VoIP calls on the user's machine. From …

COMMENTS

This topic is closed for new posts.
  1. Mark Jan
    Paris Hilton

    Why only recommend Firefox?

    Opera is regarded as being the most secure browser out there, and as a fan, I'm surprised you didn't recommend it.

    Having said that, it may have been almost as good to just say, do not use IE, ever - if you can avoid it.

    Obviously Paris Hilton as IE is about as secure as her underwear and offering about as much protection, even when it's on, which it's not, by default.

  2. Byron Langslow
    Alert

    W00 FIRST POST!

    This is amazing. In this day and age of fraud, phishing and the like, I don't care who calls me or how they try to tell me in their Indian accent they are from ANZ bank (Australia), I am not surrendering any details. They can tell me what it's about, and give me my account numbers as a means of authenticating me.

    Otherwise, they can mail me a letter, or fax me a letter on official letterhead.

    COME ON PEOPLE! how hard is it not to be phished? I have been internet banking since 1997 and still haven't been done. However I do take all the necessary precautions.

    Hack away. I don't use VoIP. I can afford a land line =)

  3. Nick

    Eigh?

    Sorry, wasn't this posted before xmas? Or is this an exploit of a fixed firmware? Not that I'm worried, I don't use the HomeHub.

  4. Andy Barber
    Unhappy

    BT Home Hub

    Come on, only TWO RJ-45 ports! What use is that? I still haven't unboxed their HUGE & to me unusable Alcatel kit. My Linksys router works (with FOUR RJ-45s), so I'm not going to fix it!

  5. Brooklyn
    Jobs Halo

    Meh! (w00t another first post!)

    "I don't use VoIP. I can afford a land line =)"

    Iirc, you require a land line for VoIP to work? Or are you using some form of experimental broadband delivery service we don't know about that doesn't require a standard land line?

    Never worried about phishing, especially as the HMRC/MoD/BA seem to be doing a good enough job already at handing out my details ;)

  6. Luke

    Proof of concept

    Might be a good idea to tell people not to click that 'proof of concept' link late at night as I think I just woke up my housemates by doing it! hahaha

  7. Anonymous Coward
    Alert

    I can't believe how stupid some people are!!

    I can't believe how stupid / gullible some people are to accept a VoIP call (or any other form of communication) from an anonymous caller who asks for your financial details! Come on!!

    I'm not with BT broadband so don't use the BT Home Hub; my Netgear DG834G V3 has worked fine since day 1. Before that I had the version 2 model (wired only), which was flawless too!

  8. Anonymous Coward
    Anonymous Coward

    RE: Meh! (w00t another first post!)

    "Iirc, you require a land line for VoIP to work? Or are you using some form of experimental broadband delivery service we don't know about that doesn't require a standard land line?"

    Erm, if you're lucky to be in a cable area then you can get just the internet without a phone line and you can do VoIP :)

    Unless you're on ADSL, then you need your phone line :(

  9. Graham Wood
    Stop

    @AC

    The whole point of this vulnerability is that you can lie through caller ID, and make someone think the call is from their bank/credit card/etc NOT "anonymous". If people receive a call that their phone tells them was from 999, and someone at the other end of the line said they were the police, most people would believe it.

    A lot of banks DO call you and expect you to give over details simply because they ask for them. One call I've had went:

    <RING>

    Me: Hello?

    Them: Hi, this is <my bank>, we need to talk to you about your account but need you to answer some security questions first. Can you please tell me your password?

    Me: No. How do I know you are my bank?

    Them: This is <my bank>, we need to talk to you about your account.

    Me: Fine - prove to me that you are my bank.

    Them: We can't do that until you've proved that you are <my name>.

    Me: Then we have a problem. You called me, therefore you need to prove to me who you are.

    Them: But we can't until you answer some security questions.

    I have managed to get around this for one series of calls with my bank - when I spoke to them the first time, we agreed a piece of information that they /would/ tell me before anything else to prove they had the record onscreen. However, that's the exception rather than the rule. Another department were happy to tell me what extension they were, and told me to call via any "official" number that I liked.

    The best has to be the person that offered to give me their direct line - as if only my bank has direct dial phone numbers....

  10. Andy Worth

    Re: I can't believe how stupid some people are!!

    If you can't believe that, you can't have been reading The Register for very long :)

    Unfortunately the BT ads are aimed at technotards, so the majority of their userbase probably don't know anything past the fact they have an antivirus on their PC and assume this keeps them safe from any kind of attack. Believe me I've heard enough people say almost exactly that, using a variation of words but to the same effect.

  11. Paul Gordon
    Black Helicopters

    Blatantly Twats

    "Iirc, you require a land line for VoIP to work? Or are you using some form of experimental broadband delivery service we don't know about that doesn't require a standard land line?"

    Erm, cable broadband anyone? I'm on Skype and have no landline, but I digress....

    Not had any experience of the Home Hub, but my parents are signed up with BT for basic broadband. With the amount of crap that their software puts on a PC it's unsurprising that vulnerabilities arise. Needless to say I've scourged their laptop of everything with the remotest resemblance of BT.

    Trust no ISP software!

  12. Anonymous Coward
    Boffin

    @Brooklyn

    "you require a land line for VoIP to work?" - No

    I know several people who use a wireless internet connection, and I mean 5GHz from a broadcast tower, then people up to 10 miles away have equipment installed on their roof. It's not cheap but when your phone line would be too long for ADSL, or if you want 10M symmetric in a rural location, it's the best solution.

    Add to that the several people I know who share a broadband connection with their neighbours (for free), no you don't need a land line.

    Oh yeah, don't forget the 'broadband' offerings from the mobile phone companies.

  13. Karl Lattimer

    Simple solution...

    never give your credentials out to anyone who calls you... I have had a number of arguments with my bank (NatWest) over them calling me, and asking me to "confirm" my birthdate, address, and ACCOUNT DETAILS! I don't have caller ID, I don't have it linked up to a database of genuine callers. Anyone, even my bank, asking me details like that will get shouted at... I had an argument for nearly an hour with some mindless tart who couldn't understand that calling me up and asking me for my details was insecure.

  14. Jeff Fox
    Unhappy

    Great, so not only is it useless for gaming

    it's also useless for security. I've got one of these and virtually every evening when I run Team Fortress 2, it resets the router. The more I hear about the hub, the less I like it.

  15. Anonymous Coward
    Linux

    Calm down

    Checked on my 6.2.6.E firmware and the hack doesn't work,

    and the hub upgraded itself automagically too.

    In detail: clicking the link with the PoC does ask for a password to log in to the BTHomeHub, but it doesn't ring.

  16. TeeCee Gold badge
    Happy

    Land line.

    I think I can trump this. I'm on *ADSL* and haven't got a land line. Obviously I have the piece of copper wire and it's connected to a DSLAM somewhere, but it's got no number, won't allow outgoing voice calls and doesn't even present a dial tone.

    All to do with an incompetent telco who sold me a voice / ADSL package and then found that I hadn't provided certain ID info that their voice side wanted, who cut me off(!) Their internet side have no such qualms and are happy to continue serving me.

    I don't care. I'm not paying for the voice line service (they've cancelled the debits) and I use SIP VOIP for my calls (out and in) anyway. Quite convenient with the very reliable and solid VOIP router that they so thoughtfully provided for free. Hoist by their own petard, so to speak.

    Once in a while they notice this odd state of affairs and try to get me to take the voice service. This usually ends in tears when I tell them I'll be delighted, as long as it doesn't cost any more than I'm paying now - i.e. nothing..........

  17. Andy Turner

    Proving that it's the bank on the phone

    Can anyone see any holes in this method?

    When 'the bank' phones, allow them to ask you a security question and then give them a wrong answer. If they're your bank they'll know it's wrong and tell you. If they're a scammer, they'll write it down and not know it's wrong. Obviously the question can't be something which they could have got from the phone book or from your bins.

  18. Adam Foxton

    @Brooklyn

    I used to use VOIP without a landline phone connection- Telewest 10Meg cable internet rather than normal ADSL.

    Also, I've used VOIP over 3G/HSDPA and so on.

    Come to think of it, I've never used VOIP over a landline phone connection

  19. This post has been deleted by its author

  20. goundoulf

    The only way to prevent this with ISP gateways is...

    projects like http://www.neufbox4.org which aims at creating an alternative and entirely open firmware for the gateway

    ISPs usually break the GPL by using free software and not redistributing, and their gateways rely on security by obscurity.

    The customer is then dependent on the firmware upgrade from the ISP following the discovery of a vulnerability, and sometimes it can take ages before it is corrected.

    When the community is in charge of an alternative firmware, vulnerabilities are spotted earlier and corrected faster.

  21. Dave Cumming

    Only the stupid need be scared...

    Firstly you can easily ask your bank to prove who they are, I've done it before and they'll quite happily provide details just as they'd expect you to.

    Secondly the VOIP number is a completely different number to your landline so unless for some very odd reason you gave your bank that number they wouldn't know it to call it. In fact nobody as yet knows our number as giving someone else our VOIP number doesn't benefit us does it so why would we?

    So if that phone rings, it's either GOD, Commissioner Gordon or a spam call; either way they get told to go away.

    Also, the BT hub works just fine for gaming, well it does with the Xbox 360. One of the previous firmwares caused restarts for a few weeks, but once onto version E it's been rock solid.

  22. Anonymous Coward
    Anonymous Coward

    @goundoulf

    http://www.neufbox4.org = security by obscurity !!! It's in French.

  23. Khyle Westmoreland

    @ Dave Cumming

    Well I don't know about you but I get a nice geographical number from my VoIP provider; free of charge when you sign up too. So yes, my bank would have no problem calling me. :)

  24. Mark Manderson
    Thumb Down

    spooky

    I read the article and opened BT Home Hub manager........to be greeted with entering the serial number of the box and to set a new password.

    Is it me or is this awfully coincidental...........could swear I was in the web UI yesterday or Sunday with no prompts like this lol

    BT reports no such flaw and I check firmware to see it updated itself............spooky!

  25. Mike

    @Mark

    Don't worry Mark, BT are getting everyone to do this in order to increase security - they thought it was a bit easy to be hacked if they all kept the default username admin/password admin combo.

    Great fun for the tech helpdesk when they log in and the customer doesn't know what password they set up.......

  26. Dave Cumming

    @Khyle Westmoreland

    And that's a good thing why?

    If I want my bank to call me on my VoIP phone I give them the number, so what difference does it make if it's a standard number or not?

    If someone has to look up your number it's a pretty safe bet that you aren't already dealing with them, in which case it's spam, so frankly, I'm quite happy to keep our non-standard number as it gets ZERO spam.

  27. Ken Hagan Gold badge

    @Mike

    "Great fun for the tech helpdesk when they log in and the customer doesn't know what password they set up..."

    ...which is why they should probably also suggest that you write the password down on a piece of paper and sellotape it to the router.

    For those of us who don't get burgled often, the risk of writing down a *decent* password is swamped by the increased security that a *decent* password gives. I'm always amazed that "make it hard and write it down" isn't part of IT culture these days. Prior to the internet, it was probably true that the attacker was somebody who had physical access to the machine but lacked the time and energy to get around even a mediocre password (and had enough to lose that mostly they weren't tempted). Nowadays, the average attacker lives on a different continent and has programmed their PC to trawl 24/7 for anything-they-can-penetrate. This is a completely different kind of risk and Best Practice for passwords ought to have changed.

  28. allister ferguson

    It looks like it is fixed now.....

    from the GNUcitizen .org web site...

    The rollout of the BT Home Hub firmware version 6.2.6.E started on 12 December 2007. It can take several weeks before all BT Home Hubs are upgraded to a new version of the firmware, so please be patient. BT Support & Advice

    So is this very old news?

  29. Anonymous Coward
    Unhappy

    BT's "update" statement misleading?

    even the gnucitizen guys mentioned that they tested the exploit on firmware version 6.2.6.B which is still running on *many* home hubs at this moment, including mine :( .

    6.2.6.B disabled remote assistance, but never fixed the auth bypass or CSRF published back in October by the gnucitizens.

    some home hubs are also running 6.2.6.C which is not vulnerable to this attack. also a very small number of home hubs have been chosen by BT as guinea pigs to upgrade to 6.2.6.D and see if it's stable enough to upgrade the rest of home hubs.

    the point of this research is that it shows a new attack based on old vulnerabilities which are still present on many home hubs at this moment.
