BT Home Hub "spits out password to hackers"
By Barry Collins
Posted on 28 May 2008 at 10:32
An "ethical hacking outfit" claims to have found a new security hole in BT's Home Hub router.
The Hub has been the subject of a number of recent security flaws, which culminated in the company changing the default password on the routers from "admin" to the unique serial number of the device, in order to prevent hackers from gaining access to the device.
However, the GNUCitizen blog claims it's possible to make the Home Hub spit out that unique serial number to would-be attackers.
"It turns out that you can get the serial number of the Home Hub by simply sending a Multi Directory Access Protocol (MDAP) multicast request in the network where BT Home Hub is located," the blog claims.
"Yes, you must already be part of the LAN where the Home Hub is present, either via ethernet or via Wi-Fi. However, at GNUCitizen, we have demonstrated trivial ways to predict the WEP encryption key of the Home Hub if you know what you are doing."
GNUCitizen points the finger of blame squarely at BT. "Obviously, this is not a vulnerability within the MDAP protocol, but rather a design flaw introduced by BT with the new unique admin password feature," it claims.
"The assumption behind this insecure implementation is that the serial number can only be obtained by the legitimate owner of the router. As we have seen, this is not the case!"
BT Home Hub users can obviously avoid the problem by creating their own password and changing the Hub's default security from the widely-cracked WEP to the more secure WPA. BT provides instructions on how to do this here.
Last October, BT was forced to remove a Remote Assistance feature from the Hub, after GNUCitizen found that it could lead to hackers taking complete ownership of the device.
BT was unavailable for comment at the time of publication.
Is your business a social business? For helpful info and tips visit our hub.
- Windows 8.2: release date, features and free cloud version
- iPad sales stall as owners "too happy to upgrade"
- iPhone 6 features, specs and UK release date: when does the iPhone 6 launch?
- iWatch UK release date, specs and price rumours: when is the iWatch coming to the UK?
- Killing the Surface Mini hit revenues, Microsoft reveals
- How Google Glass ruined my lunch hour
- Smartphone battery packs: can a USB power pack beat the festival battery blues?
- Windows Easy Transfer – not so "easy" in Windows 8.1
- Formula 1: what a difference virtualisation makes
- Office of the future: comfy chairs and tablets everywhere
- I went to Glastonbury and the only thing that got high was my smartphone
- Meet the robots helping teach children
- PaperLater: would you pay to print the internet?
- Amazon vs Kobo: how much to make the ebook switch?
- Phishing emails: how I nearly got caught out
- How to add in-app purchasing to an iPhone, Android or Windows app
- Remote-control ransomware: TeamViewer and software hardball
- Why laptops with serial ports matter to the Internet of Things
- Make your mobile battery last longer
- Small steps into handling Big Data
- Nexus 5: does it really run stock Android?
- How to get broadband to a garden office
- How to write your company's IT security policy
- Raspberry Pi and Wolfram: a must-have for every child
- Could you get by with Office Web Apps?