BT's Wi-Fi Extender works great – at extending your password to hackers

BT is urging folks to patch the firmware in its Wi-Fi Extender following the discovery of multiple security flaws. Security researchers at Pen Test Partners discovered vulnerabilities with the consumer-grade kit, including cross-site scripting and the ability to change a password without knowing it. Pen Test Partners found it …

  1. Anonymous Coward Silver badge

    So where's the advice to change the passwords? I mean any website that has a similar bug would have to tell their users to change logon passwords even with no evidence of actual compromise (of individual accounts). I don't see how this is different.

    Oh yeah, changing WiFi passwords is beyond the capabilities of most BT consumers :-(

    1. Anonymous Coward

      What's the risk that requires a password change?

      It's the WiFi password, not the admin password. In isolation that's a useless piece of data because the hacker won't know where you live. You'd have to stand in a lot of gardens or break into a lot of houses before being able to actually use the stolen password and even then it would only work if the router is set to allow all connections.

      1. Robert Carnegie Silver badge

        What if the attacker does know where you live? My neighbours all know where I live.

        If the password is changed then I can't use the Wi-Fi myself, but another mode of attack, apparently, will obtain my passphrase. Then they can use my Wi-Fi without paying. If I had this particular product, which maybe I don't.

      2. Anonymous IV

        > ...the hacker won't know where you live...

        Really?

        A surprising number of the SSIDs round where I live are of the form "23 Railway Cuttings" or "Joe and Josie Bloggs". Even an unintelligent hacker might take these as significant clues as to the location of the routers...

        1. Anonymous Coward

          And as to the town or county you live in - how about that?

          Read the article, this isn't a local exploit, it's WAN side.

        2. Anonymous Coward

          "A surprising number of the SSIDs round where I live are of the form "23 Railway Cuttings" or "Joe and Josie Bloggs". Even an unintelligent hacker might take these as significant clues as to the location of the routers..."

          A hacker sitting in the Ukraine hosting the malformed website that triggers this exploit would need to have quite a wide circle of friends to know who Joe and Josie Bloggs are. Even if he did know who they are, this exploit gives away the WiFi password, not the SSID. All the hacker knows is IP address and WiFi password.

          Getting a positive hit is going to take some time if active use of the exploit means walking slowly down every road in Britain, stopping when your phone picks up a BT router signal and trying out all of your stolen passwords in case one of them applies to that router.

      3. Anonymous Coward

        Yes But

        BT has the most powerful WIFI according to their adverts, so with a helicopter (and someone hanging off it) or a drone, their most powerful signal will go for miles!!

        Seriously this has been taken up by SKY & Virgin with the ASA, but to no avail AFAIK, so Joe Public will blindly buy BT's stuff.

        Perhaps it will all change next month when the OFCOM rules come in?

        Wheeeee Flying Pig

    2. Roland6 Silver badge

      >So where's the advice to change the passwords?

      If you can login with your old password you can be sure hackers, using this exploit, don't know it. If your password doesn't work, it is because you have been hacked and the only solution is a full factory reset...

      1. Anonymous Coward

        "If you can login with your old password you can be sure hackers, using this exploit, don't know it. "

        No, all that you know is that any hacker who knows your WiFi password hasn't changed it yet. They could only do that by also gaining the admin password.

        That's not really a problem though because without knowing where you live and getting close enough to receive a usable signal they're unable to do anything about it. If someone has your WiFi password their chance of using it is 1 in tens of millions, with each chance requiring a change of physical location.

        Remember it's only the WiFi password, not the admin password - there's no way to change the router settings - including the WPA passphrase - without the latter.

  2. You aint sin me, roit

    Why didn't they spend some time testing the product before releasing it?

    It's almost as if they will release any old shite and wait for it to be hacked rather than test it properly first.

    1. richardcox13

      Re: Why didn't they spend some time testing the product before releasing it?

      > test it properly first

      Please define "properly" for this purpose. Without that definition you fall into the trap of trying to prove a negative.

      1. Missing Semicolon Silver badge
        Happy

        Re: Why didn't they spend some time testing the product before releasing it?

        Well, for example, shipping it round to Pen Test Partners, and saying "oi! break that!"

    2. Anonymous Coward

      Re: Why didn't they spend some time testing the product before releasing it?

      Because it costs money, and customers are irrelevant to most big companies.

      1. Roland6 Silver badge

        Re: Why didn't they spend some time testing the product before releasing it?

        Aside: I wonder if there has been a small rush of PEN testers going out and buying BT Wi-Fi extenders with Firmware version: V1.1.5, just so that they can properly explore the vulnerability.

  3. Anonymous Coward
    Big Brother

    BT thanked Pen Test Partners for flagging software weaknesses

    "Security researchers .. discovered vulnerabilities .. including cross-site scripting and the ability to change a password without knowing it."

    Yet another backdoor discovered by third party researchers. This keeps happening too often to be accidental. I figure most all manufacturers of networking kit include such as a condition of staying in business.

    1. Anonymous Coward

      Re: BT thanked Pen Test Partners for flagging software weaknesses

      All software and hardware is Beta, and the consumer is the unpaid Beta Tester.

      This is the way of the world.

    2. Anonymous Coward

      Re: BT thanked Pen Test Partners for flagging software weaknesses

      Hanlon's Razor

      Consider also that all it takes to break any security system is time.

      Products have to be released to the market to realise value for the manufacturer. Tech moves quickly - if you don't release your latest, whizziest WiFi doodah in the next six months you'll never recoup what it cost to develop and make and may as well never release it.

      Do the public want affordable kit that may have some flaws, or do they want nothing at all? That, in essence, is the binary choice that any manufacturer of this kit has to make.

    3. Vic

      Re: BT thanked Pen Test Partners for flagging software weaknesses

      > This keeps happening too often to be accidental. I figure most all manufacturers of networking kit include such as a condition of staying in business.

      I very much doubt that. We'd have had whistle-blowers if it were true - this isn't highly paid work with awesome staff loyalty.

      What you have is lashed-together kit based on a reference design that's rushed out the door with minimal and ineffective testing. And we're not going to see a change in that without at least one of the following happening :-

      • Companies take a significant penalty for releasing shoddy kit. Such penalties should apply personally to the management that allowed it out
      • The industry needs to stop thinking of testing as an inferior task to developing new code; if you do the job correctly, it is your testers that prove you've written the right code, and these should be your best engineers, not your worst ones

      Oooh look! What's that up in the sky? Big pink thing, curly tail, goes "oink".

      Vic.
