BT home router wide open to hijackers If you rely on BT for high-speed internet or VoIP, there's a good chance a pair of UK-based researchers know how to enable a backdoor in your router that leaves you wide open to eavesdropping, caller spoofing and other nasty attacks. The vulnerability resides in the BT Home Hub, one of the UK's most popular home routers, …
By default they use WEP protection, and I'll bet 99.9% of them are still set to WEP.
Somehow I mistrusted my Home hub, it's always sat in the box whilst I use my previous router.
But the Internet here is 100% useless anyway, with AOL it constantly drops out from 1.1Mbps, and with BT it runs stable at a mind bending 300kbps. And it costs £60 for an engineer to turn up and declare everything to be fine.
Perhaps they're keeping the fact in mind that Nintendo's console doesn't support WPA, and they're just avoiding the headache. Worse still? No DS update to allow for WPA support, and probably never will be.
Sure, Nintendo might be stupid to not provide an upgrade, but I'll take a region-free handheld over a region-locked one any day.
Maybe not the DS, but the Wii supports WPA and does the job very well also. Forgive me if I am wrong, but I believe that WPA was bought in with the advent of 802.11G, and as the DS is only 802.11B capable, that WPA authentication could not be built in because of this (only reason I mention this is that I have several 802.11B adaptors here that do not support WPA either regardless of driver revisions or firmware updates due to hardware limitations - the answer given by the manufacturers when asked if WPA will ever be enabled within them). Obviously these have all been upgraded to faster adaptors now so no problems here.
If it is abything like the good ol' BT voyager routers then this is the least of their worries..... The BT voyager router where changing the default settings password through the web interface doesn't affect the default password for the Telnet/SSH interface... All those routers with a randomised 10 character alphanumeric web-interface password and the u/pw of "admin/admin" for SSH. Shocking
Forgive me if I'm also wrong, but isn't WPA hardware independent? Ie, it depends on the software/firmware of devices? Also this comes as a surprise given I've had 802.11b cards running a WPA/AES/PEAP-EAP-TLS stack on them...
Also, that Paris Hilton icon is haawwwt. I'm pitching a tent already.
Also, if that's not what the green icon is, wtf is it?
BT has repeatedly tried to get me to take their home hub and sign-up for 18 months. They want me to throw away my firewall/router to replace it with something totally insecure - and the blurb mentioned some 'security device later'. I think this stinks from a major provider - and I think El Reg should take this up with them.
By far teh worest router I have seen is the netgear router Sky provide, with the admin user name and password printed helpful on the router, broacasting the SSID as every other Sky router and with both WPA and WEP diabled let alone locked to mac address.. It is provide wided up to the world.
ISP's really should get their acts together here, they provide a route, and even go to the length of sending an engineer to install, but dont bother spending, what 15minutes explaining the security options to teh user, but instead leaves the router wide open to the world, with a common password.
I think they have a duty of care, there is usual a clause in the contract that says the user has to take all reasonable security precurations, and yet the router is supply with the security rating of a choclate fire guard.
The router should be supplied in its must secure form, WPA enablled (with a random key not the same one on every router), random SSID which isint being broadcast.
Then it is teh choice of teh user if they wise to open the router up.
Just gone onto Sky broadband and the firstthing I did with it is to change the admin name and password. Then changed the security settings, backed up the config file and copied all the IP settings onto my other netgear router. I'm again properly firewalled, secure and don't broadcast my SSID.
A few simple precaution is all that is needed.
On another note, when configuring my daughter's laptop, I discovered that one of our neighbours had a totally open network and she was getting a connection on that one. When will people learn to protect what is theirs?
...but only if the firmware is updated by manufacturers. I've an iPaq 5550, with B-WiFi, and HP issued an upgrade about 2 years down the line from purchase to enable WPA - which it does fine. The difference between this and most consumer devices is it's a high-end business-oriented PDA and HP's customer base in that area have a bit more clout than someone buying the stuff that PC World sell to Joe Public. Cheaper stuff tends not to be upgradable if the firmware is burnt into ROM rather than flash RAM
It was a fairly hefty ROM image, needing three Softpaq updates to raise the radio firmware to the necessary level before the OS could be patched - get the order wrong and it won't even work on WEP. It's a bit like upgrading a Mobile 5 PDA or smartphone to Mobile 6, which is also possible, but so is the likelyhood of 'bricking' the thing if the steps are not followed precisely. Not the sort of thing most people would consider, and also not the sort of thing Nintendo would like most people to do - they don't want a flood of warranty returns on bricked DS's because the official patch failed...
So, the DS could use B and WPA if Nintendo so wish - may need a different ROM image (not sure if it's home-flashable) - but there's nothing to stop a B device using higher encryption than WEP. Of course, it takes more out of the CPU to run the higher authentication, so the device would slow down - maybe B-WEP on a DS is the best compromise that doesn't impact gameplay?
Here's a solution though - hook up a cheap B access point to the DMZ of the faster G or pre-N router - then let the firewalls sort out authorised traffic between the home network and the less secure DS. Not got a DMZ?
As for the HomeHub, it runs a modified Linux OS - have these guys suggested a hack to fix the hole? There's all sorts of stuff it can do that BT don't officially sanction (print-serving, use USB disks to provide NAS, etc). The user base should have enough sway with BT to press for changes to fix all the holes - there are over a million of them out there.
One reason why I look for linux routers ONLY with root access for ME is so that I can modify and change the software myself, change the root password if I need to and so on.
Problem is that even for the tech-heads who DO know what to do, the manufacturers are still in the "Closed Source" mindset where they believe THEY own the device after you've bought it and are just magnanimously letting you use it.
PS this story has nothing to do with the wireless side. It's when you visit a web page, the script there connects to your router and runs stuff that (without requiring a password) can open up your machine completely, which allows it to take any passwords it wants, INCLUDING the WPA key (unless, maybe, if you use RADIUS, but they still get to see every packet sent).
A non-tech neighbour recently got Sky broadband, their Netgear DG834 was (imo) reasonably secure, with a non-default SSID and non-default key printed on the router and a handy reference card. The router's admin password is the same as every other Sky router's, but so what, and so what if the SSID and key is printed on the router and on a handy reference card, if you've got physical access to the router/LAN, there's scope for lots of exploits.
There aren't so many WLANs these days with SSID of LINKSYS or BELKIN or ... and zero security, but there are still some.
Disabling SSID broadcast is often suggested but imo pointless. It's about as sensible as taking the house number off your front door so you don't get broken into. People can see your house even when it's got no number, people can find an SSID even when it's not being broadcast.
Don't know what sky router you got but my one came with a random SSID (well it mentions sky in it but the rest of it is random) and by default WPA enabled with a random password (Unless they use the same algorithm as Eircom but it looks random). Yes the SSID is broadcast and the key is printed on the router but then if they have the level of access someone could just as easily plug a cable into it...
I quite like the BT router. I mean, apart from its tendency to fall over when you put anything more intensive than a single html request through it, the annoying habit it has to completely lock up when you try and use wireless and its periodic absolute loss of any ability to resolve new DNS requests it's quite nice. Shiny. If I could keep the fancy graphical user interface they've put on top of iptables and dump the rest I'd be very happy indeed.
Here's BT's word for word reply to my support request on this. Of particular delight is the sentence "As it is already been secure, there will not be a necessary to obtain a patch to address this vulnerability."
Dear xxxx,
Thank you for your e-mail dated 9th October 2007, your e-mail has been logged under the reference number xxxx.
I am writing further to the concerns which you have raised about the security vulnerability with the BT Home Hub. You wish to know where to obtain a patch to address this vulnerability.
Please note that BT Home Hub has many advanced features. The BT Home Hub has been designed for all current and future BT Total Broadband services - including high-speed Internet access, cheap broadband phone calls, wireless Internet, BT Fusion and more - all from one box. Key benefits include:
• Security: An enhanced security package to keep you, your computer, and your family safe and secure
• Wireless: Advanced features to free you from restrictive wires and help you connect to multiple PCs, printers, and games consoles
• Gaming: Features to help you match your skills against the best gamers in the world
• Remote updating: Get access to new products and services as they are launched
• BT Broadband Talk: Make the most of great value calling plans, low cost calls over your PC, and video calls
Please be informed that wireless routers use various security technologies to prevent unauthorised users connecting to the Internet over your wireless network. The BT Home Hub or BT Voyager Wireless routers, Voyager 2091 for example, are preset with WEP wireless security and are protected by a key known as a wireless network key. WEP security offers protection against unwanted connections on a typical home/small office network. As it is already been secure, there will not be a necessary to obtain a patch to address this vulnerability. Your patience and understanding is highly appreciated. Please visit the following link for more information about secured wireless connection:
http://btybb.custhelp.com/cgi-bin/btybb.cfg/php/enduser/cci/bty_adp.php?p_sid=tJyptKNi&p_faqid=7490
If you need any further assistance with your BT Total Broadband service, please visit our website http://www.bt.com/broadband/help for solutions to most technical questions and to contact us in future.
Thank you for using BT Total Broadband.
xxxx
BT Total Broadband Support Team
Having your router broadcast the SSID is in fact no security threat. It's just as insecure if it hides it, and worse you have a lot of problems to boot as the likes of Windows has headaches if you hide the SSID even if you tell it what it is.
Hiding SSID is one of the classic security myths of wireless net and breaks the intended design of the system. Likely half the complaints to tech support lines are because people have read myths like this.
MAC address locking is also not invulnerable. Takes a simple packet sniff and then just spoof the MAC.
My dad was in the first wave of Sky broadband and they gave him a router with WPA running and the key for it printed on the box... non-default SSID and no admin password in site... in fact we've been unable to find anywhere the login and password for the router. What is the default login for a Sky router?
Fantastic! BT using cut'n'paste marketing material for their responses... Oh no! A ravenous bugblatter beast of Traal! Where's my towel? http://www.urbandictionary.com/define.php?term=Ravenous+Bugblatter+Beast+of+Traal
I've checked the BT Broadband Forums and got this thread on the matter...
http://www.beta.bt.com/bta/forums/thread.jspa?threadID=376&tstart=0
Now, in the earlier version of that thread, Sandy Woolsgrove (who writes in other threads as if a BT Help employee) had said that BT were "checking the validity of this claim" - but it looks like the thread has been edited to remove this response...
That thread is about the FON firmware roll-out (amongst other stuff) - I wonder if the router can be compromised for all users by someone on the 'public' side accessing whatever website contains the hack? The blurb says the two channels are kept totally separate, but they all go down the same bb line. If so, it's not purely down to the HomeHub owner being careful...
That BT response is shocking. They've clearly just looked through their list of automated responses and picked one without bothering to check what the issue really is.
@Kenny Millar
Ummm you do realise that almost *any* site can be compromised and made to feed exploits, whether directly or via their ad service? You don't need to visit www.gethaxxed.com.
And yes, the argument that Sky printing the WPA info on the router itself is insecure overlooks the fact that if a ne'er do well is in my house looking at my router the least of my concerns is how secure my wireless connection is!
Previously all wireless laptops set to WPA. This is OK with BT Voyager series. Using BT HomeHub I found they crash out, irregularly and unpredicatably, when WPA is enabled in BTHomeHub, so using BT's equipment "HomeHub" I had to reset to WEP to enable continuous use of my Dell Laptops. [No useful help from BT help-folk on this problem when reported, indeed a misunderstanding like 'what is WPA?' I am thinking of going back to old Voyager router or do folks have a better recommendation when using BT as an ISP?
I enjoy being right about poor security. All the talk about encryption doesn't really matter. Download a copy of BackTrack from exploit.org and with some intelligence/time you can break WPA. Not very surprising that a week or so after BT decides to 'share' your wifi there is a leak about a backdoor. Surprise, surprise.
Firstly the BT Homehub is insecure out of the box no matter what firmware is installed, 'normal users' will continue to keep it insecure.
It's 4 minutes from start to finish to break a normal HomeHub (I proved it to a journalist in work as a bet).
Even my really old Thomson (pre Alcatel) had the admin password set to the routers serial number.
As for spilling it's guts via a malicious web page, I'm not surprised, I notice it's BT taking the bashing and not Alcatel who no doubt provide the branded firmware.
With WPA I have had to step back down to WEP varients due to the performance hit, when more than 2 machines are connencted to the router (if I had wanted a modem I would have bought one)
Hiding the SSID, why do people bother any wardriving (I hate that term) software had had that covered for the last 3 years anyway.
You want something to happen, go to your local newspaper or TV company and demonstrate it for them. The tech press can bitch all they want, it's a niche market, that has no real muscle.
Get the great unwashed involved and it's a different matter, phone Watchdog and watch BT (& Alcatel) take some action pretty quickly.
This post has been deleted by its author
Quote :
Dear god, pretty much all these comments are people bitching about wifi security. Read the frikkin article and you might see it has all of nothing to do with wifi!
Yeah some of us noticed, the answer kick up a fuss with both BT & Alcatel and it will be fixed (hopefully sooner than later)
I assume that BT can push out an update to the routers rather than relying on the end user to do so (oops am I showing my stalinist tendencys), cos if we are relying on the end user then nothing will happen, even if BT/Alcatel provide a patch quickly.
The longer term issue (to me and others) is with how the feckers are set up in the 1st place.
.. however WiFi has been discussed extensively, so:
Hiding SSID is not pointless, but it is of course no obstacle to the determined. WEP is relatively insecure, to the determined. WPA is potentially breakable, by the determined. MAC authentication is not secure against a sufficiently determined attacker.
Hmm, spot a theme? That's right! A *determined* attacker can break security. This is news, why? It's hardly a specific WiFi issue and it doesn't mean you ought not to use security precautions. Script kiddies often don't even get past the "scanning for SSIDs with no encryption" stage when looking to break WiFi nets and MAC screening is pretty effective, as it takes a reasonably techincally capable attacker to figure out what MAC he needs to spoof and how to spoof it. Bottom line? It's always worth securing your network but you have to operate on the assumption that is insecure, just as with any other line of communication.
The Be Box comes with no admin password, highly secure - NOT.
The main point is until RIAA come knocking with their law suit 99.9999% at least of the "general public" wouldn't know if their bb connection is being compromised or not.
The "great unwashed" really shouldn't be allowed anywhere near PCs, at least not ones with an internet connection that isn't supported by someone who knows what they're doing. If you don't know how something works and the risks involved then you really get everything you deserve. Never mind blame everyone except yourself. That culture is why you can now almost jump off a cliff and sue someone for the cliff not being fit for purpose if you don't manage to kill yourself. The great unwashed and the internet is like letting a 3 year old loose in charge of the shuttle - haven't got a clue what that button does, but, it's big, it flashes and I'm sure it won't do anything bad ...
I've spent too many hours fixing machines of friends and family who screw them up by just pressing that big, flashing f-ing button. I now charge everyone £200 per hour plus travelling costs to fix their machine (including my mother). Telephone support is £150 per hour and emails cost £100 per email. People never start a conversation with "My computer's broken" anymore.
Pros:
o might help to not confuse Aunty Flo next door when she looks at her 'wireless neighbourhood'
o erm, none
Cons:
o some client devices cannot access a node without visible ssid beacons
o if wpa type security is set up then the visibility of ssid is moot
o it doesn't matter that a 'script kiddie' would be stopped by it because they would be much better stopped anyway with a strong wpa key
o it doesn't matter that a 'determined hacker' can still see the ssid because they are stopped anyway with a strong wpa key
o hiding ssid beacons does not prevent the ssid from easily being discovered as soon as a client device exchanges keys
o it gives people a false sense of security because their router informs them that they are 'hidden' or 'cloaked' - sounds cool doesn't it, gotta have some of that!
It's akin to having a very strong vault door to protect against professional safe crackers, then hanging a curtain over it to fool average passers by into not realising it's there. If they know it's there it doesn't matter because they're not professional crackers, and if they're professional crackers they're not fooled by a curtain.
If a user can manage to gather together enough brain cells to turn off their SSID then they can turn on WEP. At that point hiding your SSID absolutely pointless (ot's not 2002 any more)
Actually one reason for not hiding your SSID is to allow people in the neighbourhood to see your base station and choose a suitably distant channel, rather than everyvody sitting in 11 and making a shitty connection even more shitty.
WPA and their ilk tend to be easy enough to break if you want to put the effort in (the usual poorly selected key), but I couldn't really be bothered.
Anyway the homehub is interesting as for once it's easer than attacking either the wireless network or the client machines.
Matthew Robinson : I suggest that you should read a little more before making such statements, it is perfectly possible to forge an ARP request for a WEP based network without seeing any traffic. Once again things have moved forward since 2002
From the GNUCitizen article, Adrian Pastor says this in one of the comments..."If you are a fan of Firefox extensions, NoScript filters cross-site POST requests from untrusted to trusted sites. This protection should avoid someone exploiting your router if properly configured."
This suggests that the vulnerability in the hub uses a vulnerability in the client machine to access either the SuperUser or remote assistance Tech user accounts. If a Firefox extension can prevent the hack from working, then it is another of those foibles in IE that creates the pathway via the client machine. Would it be stopped by altering the IE security settings to block access across domains?
The standard way of gaining SuperUser rights to the HomeHub involves requesting a Remote Assistance session, then opening another browser window using the details on the RA request page. This gives access to the router's ini file and all that it controls. (including the user lists, password hashes, VoIP channels, etc). An attacker wouldn't need to do much to gain control - just insert their own hash for the Tech user, for example, or add another SuperUser
Mind you, when I tried it, after a soft reset the HH firewall bombed out to 'block all' (with no other options available) and although the VoIP channel still worked, nothing else could get out of the home network - PCs could find the Hub, the Hub reported a valid connection to the Internet, but the two sides were kept apart. Which also means the firewall doesn't watch the VoIP connection.
BTW, with all the FON stuff rolling out, there may be a potential WiFi risk - not sure yet if it's possible to attack a HH w new firmware to enable the 'BT Openzone' public access side of things without the hub owner knowing. However, (to answer myself from earlier), if the firewall works like it did in my test then the private network *may* be kept safe if someone on the public side visits and exploit site, but the VoIP traffic might still be at risk.
In case anyone's interested... had another message from BT. Not entirely convinced, but then again - who am I to say, without trying this myself?
Dear xxxx,
Thank you for your e-mail dated 9th October 2007, your e-mail has been logged under the reference number xxxx.
I am writing further to your query concerning the security vulnerability with the BT Home Hub. I apologize for the inconvenience you have recently encountered with the security vulnerability of the hub.
Please note that BT has released a new version for the firmware of the BT Home Hub. The installation of the new firmware should resolve all the issues related to the security vulnerability of the BT Home Hub.
If you need any further assistance with your BT Total Broadband service, please visit our website http://www.bt.com/broadband/help for solutions to most technical questions and to contact us in future.
Thank you for using BT Total Broadband.
xxxx
BT Total Broadband Support Team.
Folk will move on from this thread pretty quickly as the story gets older I guess, but it's still of interest...
I've also been in touch with BT, although they still respond that they are investigating. Until they've had a chance to check this against the new FON-enabled firmware they can't really say for surer.
If someone has the skills to try and crack your WEP/WPA keys then no amount of SSID hiding & MAC binding will help you. WPA needs a LONG key (think 20+ digits) to be safe against dictionary/brute force attacks. The home hub gives 10 hex digits of WEP by default! :-0
Also, the home hub IS a thompson speedtouch in a snazzy new box. It is, as its predecessors were, a crock of shit. Mine has dropped its connection about ten times in the last couple of days. I don't know if this is down to BT's frantic firmware upgrading or haxorz attempting (and maybe succeeding) in pwning me or just it's general shitness. Whatever the cause I'm not terribly bothered as I'm using another (better) router upstream of it.
Roger Heathcote.
PS: It's just crapped out again when I tried to post this LOL!
Hiding or at least changing the name of your SSID, at least makes it a little bit harder for someone trying to get in. I mean, if you ID a sky router, you've only then got to try admin:sky and you're in. Then again, it wouldn't take long to try all the default user:pass combos that the manufacturers use.
Fair comment Bracken, although most broadband users now have wi-fi, whether they have a laptop or not, so your average thief is not getting any significant intel.
"I know this hole has nothing to do with WiFI, but I felt it prudent to mention that the Home Hub uses WEP by default, i consider it another, even bigger hole."
Theoretically bigger, but in reality I doubt it's that much of an issue.
How many people actually have wardrivers going past their house or geeky neighbours with enough knowledge to crack a WEP WiFi connection? I bet it's a very tiny amount (probably the same as the percentage of linux users vs windows, given that it's generally linux tools used to crack it. Likely smaller than that as only a small percentage of linux users will be interested in hacking WiFi).
The hole in the article however entices your average, not too clued up technically, user (the vast majority), into a malicious site. I bet this is a far greater risk. Of course the same people are also at risk of viruses, trojans, malware and fraud scams, regardless of having BT equipment.
Found a hacking site using the college network that explained the BT Homehub hack. Basically they use a site to trick the router into turning on remote assistance somehow. There is a video of a guy exploiting the hack but they do not describe the website code.
Anyway after a bit of research I have discovered how to disable remote assistance on the BT HomeHub completely thus rendering the exploit impossible and securing your router from BT or whoever else.
Basically you cannot go wrong with this lockdown I am about to describe. Pass it on to anyone with the Hub;)
So step one: Download HubFirmwareRecovery_6226.zip from
http://static.btopenworld.com/broadband/adhoc_pages/drivers/HubFirmwareRecovery_6226.zip
or find it on google yourself! This will allow you to recover the hub with the latest firmware if you f&ck up! If you have to use this remember to make sure your PC is using a FIXED IP address and not a DCHP assigned one from the router before applying the firmware!!!
OK so basically we are going to use remote assistance once to save our config so we can make the changes that will disable remote admin for good but ALSO allow you full SuperUser rights in future so you can download your config every now and again to check if anything has changed or to restore it if you ever need to.
so use remote assistance to log in via the WAN IP and save your config...
when it is saved; open it in Notepad and find a section like the fragment below :
[ mlpuser.ini ]
add name=admin password=_CYP_blahblahblah role=SuperUser hash2=blahblahblah
add name=Basic password=_CYP_blahblahblahe role=BT_Basic_GUI_User hash2=blahahahahaha defuser=enabled
add name=tech password=_CYP_blahblahblah role=TechnicalSupport hash2=blahahahahahahaha
(Obviously yours wont be blahblahblahblah :>)
Notice that I have changed Administrator to SuperUser on the admin user giving the admin account full root access!!!
Also notice the absence of defremadmin=enabled from the tech user!!!
Make the changes and save the file.
Now upload the new config back into the router. Be patient!!!!!!
Reboot the router and login. You may have to try switching it off and back on again ;) (had to get that in somewhere)
Now when you go to advanced you can see all the backup and restore functions as well as the usual stuff.
Also when you try to setup remote assistance you will notice that it is disabled and thus stops the backdoor hack (I hope).
When BT upload new firmware to your Hub it will hopefully be fixed anyway but if not you can just repeat the process. Don't forget that if anything goes wrong you can easily put the hub back to defaults by reflashing with HubFirmwareRecovery_6226.zip and restoring your config using remote assistance. I have done this with no problems. Of course you will need to set the phone back up.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
