BT Home Flub: Pwnin the BT Home Hub (3)
Here are the news: it seems that BT is restricting/crippling the remote assistance feature as a result of the vulnerabilities we reported. I personally found the following statement interesting:
A BT spokesman said service will be unaffected by disabling the feature, since support can still access the Home Hub using the separate Remote Access feature.
Something tells me that this “separate Remote Access feature” will also be open to abuse if not locked down properly. Furthermore, some of the vulnerabilities we found (which we forwarded to BT) can still be exploited even if the Remote Assistance featured is removed.
For those who missed it, Dave Hughes, BT’s director of wireless broadband, labeled the Home Hub vulnerabilities we discovered as theoretical last Wednesday on a BBC Radio 4 show. Nothing could be further from the truth. I can only hope that Mr Hughes, simply wasn’t informed correctly by BT, as opposed to spreading missinformation for the sole purpose of protecting BT’s public image. Instead, it would have been more appropriate (in my humble opinion) to admit there are SERIOUS security issues with the BT Home Hub, and explain that BT is working on fixing the PRACTICAL issues. I hope that BT appreciates that we are not providing exploit code until we confirm that the issues have been fixed, for the purpose of protecting BT customers. If the issues were really theoretical we would have published the full details already.
Hopefully, this is not a half-baked fix. Our test BT Home Hub should be upgraded to the new firmware 6.2.6.B soon which we will test with the new FON service. The question is: will the new firmware be still affected by some of the vulnerabilities we found? If not, have new vulnerabilities been introduced with the new firmware? Look out for new information coming up on GNUCITIZEN regarding our results after testing the new firmware!
comments
Hi,
From the 6.2.6.C update FAQ:
How many users will not realise that their hub will never be updated because they have the ‘Assign public IP address to Hub’ feature enabled?
Kind Regards
Simon
Hey Simon!
That’s a VERY interesting point. Funny enough, my Home Hub’s firmware hasn’t been automatically updated yet (been waiting for a couple of daysalready). Perhaps this is because I’ve customized the config file way too much?
I have purposely taken all my stealthing out by a full reset and I am still waiting after 2 weeks. BT say it can take up to another 6 weeks. and refuse to let me have a forced upgrade site address like they had with 6.2.2.6 Our little homehub forum is still trying to work out whether 6.2.6.C is a fix for the disastrous B version that reboots continually, or if B is for FON and C is for non-FON.
by the way, Remote Assistance is disabled on my 6.2.2.6 in the first 30 minutes after a reset by an automatic mini-update, so the largest security hole is plugged without waiting for the upgrade which seems to be more about FON.
Once my firmware is updated to the latest version I’ll research if there is another way to get remote access through exploitation. There must be another way.
I mean, the router natively supports remote services. All these changes appear to be done on BT ’s “flavour” of the router as opossed to Thomson’s.
Just so you know one reason for 6.2.6.C is to help fix the NAT from constantly changing to closed or moderate even when its set to be open. This helps with online gaming e.g. Xbox live. Not sure what else it fixes though :)