BT investigates major security flaw in Home Hub

 

Gallery

By Simon Aughton

Posted on 10 Oct 2007 at 11:09

BT has opened an investigation into an alleged vulnerability in its Home Hub router, which apparently allows hackers to disable wireless access and steal the WEP or WPA security encryption key.

The flaw was reported by hackers' blog GNUCitizen, which claims that it is able to take complete ownership of the device by enabling a backdoor.

"We can hijack any action with full admin privileges or steal any info returned by a router's page," says Adrian Pastor, who discovered the flaw.

"This means the evilness of the exploits are only limited by the attacker's imagination. Other examples of evil attacks include eavesdropping VoIP conversations, stealing VoIP credentials, exposing internal hosts on the DMZ, changing the DNS settings for stealing online banking credentials, disabling auto updates, etc."

According to Pastor, to enable the exploit all that a potential hacker needs to do is persuade a user to visit a malicious website. He says that the hacker doesn't even need the admin password as an authentication bypass bug has been discovered.

Pastor claims that GNUCitizen has decided to publish the vulnerability because of previous experience with BT.

"Last year, I found a way to dump the BT Voyager 2091's config file without credentials," he explains. "Even though I forwarded them my findings they never responded at all."

BT says in a statement that it is "actively investigating the alleged vulnerability", adding that it is currently delivering a firmware update that addresses security in a number of areas.

The BT Home Hub is a custom version of the Thomson/Alcatel Speedtouch 7G router. Security Focus notes that this router has been reported vulnerable to cross-site scripting and similar attacks but "is reportedly not affected by the primary authentication-bypass issue affecting the BT Home Hub".