BT Home Hub Still full of Holes
British hacker group GNUCITIZEN, and in particular Adrian 'pagvac' Pastor, have been focussing on the BT (British Telecom) Home Hub, an ADSL modem capable of acting as a wireless access point and interfacing with DECT-compliant telephone handsets (the standard used in most cordless handsets), as well as supporting VoIP. In their past research, GNUCITIZEN identified several methods to compromise various features of the BT Home Hub, including the complete takeover of the device by a remote attacker, provided that the local user could be convinced to visit a malicious website.
Some of the modifications made by BT to address the concerns raised by GNUCITIZEN included changing the default password of the Home Hub to the serial number of the device. On initial observation, this gives each device a unique root password that should be non-guessable by a remote attacker, neutralising the techniques otherwise used to compromise the system.
Recent work, however, has shown that this serial number is recoverable, and with it control of the device. To achieve this, a request is made on the local network using Multi Directory Access Protocol (MDAP), to which the device responds with its ID number; prepending 'CP' to that ID number gives the serial number, and therefore the default password, of the device.
Limiting the impact of the discovery is the requirement for the attacker to be on the same LAN as the router, through either a wired or a wireless connection. Given that the wireless connection is only secured with WEP, it isn't going to take long for a casual wardriver to break into a targeted device. Alternatively, techniques described by other researchers that allow local LAN resources to be probed remotely could be blended in to give a remote attacker all the information they need without actually having to be present on the LAN.
While this is a real concern, Adrian points out that there are still critical UPnP port forwarding vulnerabilities that leave the Home Hub just as vulnerable. Given the numerous capabilities of the device and what it is designed to be used for, anything that could allow a remote attacker to capture all Internet and telephony traffic passing through the device is going to have serious consequences.
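The three weaknesses the article describes (a serial-derived default password that any LAN host can recover, WEP-only wireless, and exposed UPnP port forwarding) make a compact hardening audit. The following is an added example written for this page, not code from the article, GNUCITIZEN or BT; the configuration dictionary, its field names and the sample values are all constructed assumptions, and only the 'CP' + ID derivation comes from the article itself.

```python
"""Hardening audit for a Home Hub-style router configuration (added example).

Assumptions: the router's settings have been exported into a plain dict with
the field names used below; the device ID is the number the router returns
over MDAP, and the default admin password is 'CP' prepended to it, as the
article describes.
"""
from dataclasses import dataclass

# Wireless schemes the audit treats as inadequate. The article names WEP as
# the Home Hub's scheme; 'none'/'open' are added for completeness (assumption).
WEAK_WIFI_SCHEMES = {"none", "open", "wep"}


@dataclass(frozen=True)
class Finding:
    check: str
    severity: str
    detail: str


def default_password_from_id(device_id: str) -> str:
    """Derive the serial-number default password: 'CP' prepended to the
    MDAP-exposed ID number (derivation as stated in the article)."""
    return "CP" + device_id.strip()


def audit_home_hub(config: dict) -> list:
    """Return a list of Findings for the weaknesses the article describes."""
    findings = []

    device_id = str(config.get("device_id", "")).strip()
    password = str(config.get("admin_password", "")).strip()
    if not password:
        findings.append(Finding("admin_password", "critical", "no admin password set"))
    elif device_id and password.upper() == default_password_from_id(device_id).upper():
        # Case-insensitive compare so a re-typed serial is still caught.
        findings.append(Finding(
            "admin_password", "critical",
            "admin password is the serial-derived default; any host on the LAN "
            "can recover it from the device ID returned over MDAP"))

    wifi = str(config.get("wifi_encryption", "")).strip().lower()
    if wifi in WEAK_WIFI_SCHEMES:
        findings.append(Finding(
            "wifi_encryption", "high",
            f"wireless uses {wifi or 'no'} encryption; a wardriver can join the "
            "LAN and reach the MDAP service"))

    if bool(config.get("upnp_enabled", False)):
        findings.append(Finding(
            "upnp", "high",
            "UPnP port forwarding is enabled; the article reports unpatched "
            "UPnP port-forwarding vulnerabilities on this device"))

    return findings


# Constructed sample configurations (the device ID is a placeholder, not a
# real serial number).
AS_SHIPPED = {
    "device_id": "0000000000",
    "admin_password": "CP0000000000",
    "wifi_encryption": "WEP",
    "upnp_enabled": True,
}
HARDENED = {
    "device_id": "0000000000",
    "admin_password": "correct horse battery staple",
    "wifi_encryption": "WPA2",
    "upnp_enabled": False,
}


def failing_checks(config: dict) -> list:
    """Names of the checks a configuration fails, in audit order."""
    return [f.check for f in audit_home_hub(config)]


if __name__ == "__main__":
    for name, cfg in (("as shipped", AS_SHIPPED), ("hardened", HARDENED)):
        print(f"== {name} ==")
        for f in audit_home_hub(cfg):
            print(f"[{f.severity}] {f.check}: {f.detail}")
        if not audit_home_hub(cfg):
            print("no findings")
```

Run the module directly to see the as-shipped profile fail all three checks and the hardened profile pass. The derivation helper is kept separate from the audit so the same check can be reused against a fleet export where only the device IDs and configured passwords are known.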
If BT, the company that purchased the noted security company Counterpane (including Bruce Schneier), can have critical security errors in its consumer-level devices, it doesn't bode well for the many other ISPs that provide slightly modified devices to their own customers, even if those devices are nothing like the Home Hub in appearance or capability. As with any other network or computing device, the safest approach is to always assume that it is, or can be, compromised, and to be aware of what information is being sent through or stored on it.
27 May 2008