Call Jacking: Phreaking the BT Home Hub
OK, this is a bit of a funny attack - although it could also be used for criminal purposes! After playing with the BT Home Hub for a while (again!), pdp and I discovered that attackers can steal/hijack VoIP calls. Let me explain …

In summary, if the victim visits our evil proof-of-concept webpage, his/her browser sends an HTTP request to the BT Home Hub’s web interface. After this, the Home Hub starts a VoIP/telephone connection to the recipient’s phone number specified in the exploit page. This is what the attack looks like: the victim’s VoIP telephone starts ringing and shows an external call message on the LCD screen along with the recipient’s phone number. However, what’s interesting is that from the point of view of the victim, it looks like he/she is receiving a phone call from the number shown on the screen, but in fact he/she is calling that number! Sweet, simple and effective, just the way we like it at GNUCITIZEN!
POST http://api.home/cgi/b/_voip_/stats//?ce=1&be=0&l0=-1&l1=-1&name=
0=30&1=00390669893461
Now, this attack will work even if the default admin password has been changed on the BT Home Hub. The reason for this is that the exploit relies on an authentication bypass vulnerability that we reported a while ago and that still hasn’t been fixed by BT! In our original report, we mentioned that the HTTP authentication mechanism can be bypassed by using double slashes in the target URL. Actually, the authentication can also be bypassed with many other characters, but I’ll leave this to the reader to discover.
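As an added illustration (not the Home Hub’s own firmware code, nor anything from GNUCITIZEN), the following Python models the two defects the attack chains together. `naive_check` plays the role of an authentication check that compares the raw request path against a list of protected resources, so the padded `stats//` URL from the PoC slips past it. `hardened_check` canonicalises the path before deciding, treats the whole `/cgi/` tree as protected by default, and refuses state-changing requests whose Origin/Referer is not the gateway itself, which is what stops a third-party page from driving the dialler. The protected-path list, the `/cgi/` prefix and the gateway origins are assumptions; the request URL is the one quoted in the post.

```python
# Illustrative model of a gateway's request authorisation (added example,
# not the BT Home Hub's real code). Shows why matching the raw path lets a
# "//"-padded URL through, and how canonicalisation plus a default-deny
# admin tree plus an origin check closes both the auth bypass and the CSRF.
import posixpath
import re
from urllib.parse import urlsplit, unquote

# Assumed values: the real Home Hub's protected-path table is not known.
PROTECTED = {"/cgi/b/_voip_/stats/"}      # allow-list used by the naive check
ADMIN_PREFIX = "/cgi/"                    # everything here needs auth
SELF_ORIGINS = {"http://api.home", "http://192.168.1.254"}  # assumed gateway origins


def canonical_path(raw_url: str) -> str:
    """Decode percent-encoding, collapse repeated slashes and resolve
    dot-segments so every spelling of a resource compares equal."""
    path = unquote(urlsplit(raw_url).path)
    path = re.sub(r"/+", "/", path)        # "stats//" -> "stats/", also "%2F" padding
    normed = posixpath.normpath(path)      # resolves "." and ".."
    # normpath drops a trailing slash; restore it so directory-style
    # routes match their registered form
    if path.endswith("/") and not normed.endswith("/"):
        normed += "/"
    return normed


def request_origin(headers: dict):
    """scheme://host of the page that issued the request, or None."""
    src = headers.get("Origin") or headers.get("Referer")
    if not src:
        return None
    parts = urlsplit(src)
    return f"{parts.scheme}://{parts.netloc}"


def naive_check(method: str, raw_url: str, headers: dict, authenticated: bool) -> bool:
    """Vulnerable model: protected resources are recognised by exact
    comparison of the raw path. Anything that does not match is served
    without authentication, so an extra slash is enough to skip the check."""
    path = urlsplit(raw_url).path
    if path in PROTECTED and not authenticated:
        return False
    return True


def hardened_check(method: str, raw_url: str, headers: dict, authenticated: bool) -> bool:
    """Hardened model: decide on the canonical path, deny the whole admin
    tree unless authenticated, and for state-changing methods require the
    request to come from the gateway's own origin (fail closed when the
    browser sent neither Origin nor Referer)."""
    path = canonical_path(raw_url)
    if path.startswith(ADMIN_PREFIX) and not authenticated:
        return False
    if method in ("POST", "PUT", "DELETE"):
        if request_origin(headers) not in SELF_ORIGINS:
            return False
    return True


if __name__ == "__main__":
    poc = "http://api.home/cgi/b/_voip_/stats//?ce=1&be=0&l0=-1&l1=-1&name="
    from_evil_page = {"Origin": "http://evil.example"}
    print("naive, unauthenticated, padded URL :", naive_check("POST", poc, from_evil_page, False))
    print("hardened, same request            :", hardened_check("POST", poc, from_evil_page, False))
```

The origin check works because a browser sets `Origin` (or `Referer`) itself and a cross-site page cannot override it; the canonicalisation step is what makes the protected-path decision independent of how the attacker spells the URL.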
The following are some attack scenarios this vulnerability could be used for:
- annoyance or prank purposes
- advanced phishing attacks in which the victim gets a phone call from “Trusted Bank” after clicking on a link included in the phishing email. The fact that the attacker calls the victim’s phone number would help him/her gain the victim’s trust. HINT: phishers usually don’t know your phone number!
- toll fraud attacks in which the victim calls one of those very expensive numbers that allow the bad guys to make good bucks by simply starting the conversation
I don’t want to repeat myself, but please remember that from the victim’s point of view it looks like he is receiving a phone call, but in fact he is making/paying for the phone call!
And finally the boring (but needed) testing details: tested on BT Home Hub firmware 6.2.6.B. Only customers using the BT Broadband Talk service are affected by this attack. Other firmware versions are likely to be affected as well, but we have not tested them.
comments
hi, interesting post. btw, isn’t the phone # in the poc from the vatican?
I’d like to repeat that although this attack is new, it’s based on vulnerabilities we reported to BT several months ago (auth bypass and CSRF specifically). Such vulnerabilities should have been fixed by now. Instead, it appears that BT simply disabled remote assistance on the Home Hub after our first research was published back in October: http://www.gnucitizen.org/blog.....t-home-hub
Therefore I consider BT’s statement on http://www.networkworld.com/ne.....tml?page=2 very inappropriate.
interesting post. But is 00390669893461 the VoIP phone number or the landline? How did you arrive at that number?
If I blackholed the DNS for api.home on my local machine (and others on the network) in the HOSTS file, surely that would render this attack useless?
BT have claimed this attack doesn’t work with the firmware they have rolled out at the moment.
Either BT have now fixed it, or not all BT Home Hubs are vulnerable. Mine simply asks for the username and password, and then asks again when I hit cancel.
The phone never rings afterwards; I do have BT BroadBand Talk and a BT Home Hub running Version 6.2.6.E
@hackathology - 00390669893461 is an international phone number located in the country whose code is 39 (vatican city in this case): http://www.countrycallingcodes.....ng-code=39
@Tim - they prob. fixed it. We tested it on 6.2.6.B, which was the most updated firmware we could get at time of testing without being part of FON. I believe that signing up for FON makes your Home Hub upgrade to a newer firmware? Correct me if I’m wrong.
as pdp pointed out, firmware version 6.2.6.E can take several weeks to upgrade and it appears that many users are having problems receiving the new firmware.
The only way to prevent this with ISP gateways is… projects like http://www.neufbox4.org, which aims at creating an alternative and entirely open firmware for the gateway.
ISPs usually break the GPL by using free software and not redistributing, and their gateways rely on security by obscurity.
The customer is then dependent on the firmware upgrade from the ISP following the discovery of a vulnerability, and sometimes it can take ages before it is corrected.
When the community is in charge of an alternative firmware, vulnerabilities are spotted earlier and corrected faster.
Adrian’s laugh is always comical :)
thanks Adrian.
This is pretty useful for autodialing stuff from my laptop. Thanks!
@David - I guess there is something contagious about my laugh? hehehe
@hackathology - you’re welcome dude!
@Avee - actually it’d be quite simple to set up a tool that allows you to dial phone numbers from your laptop with a simple HTML page.
It looks like other home hub users who are also running firmware 6.2.6.B have confirmed our VoIP call jacking hack: http://www.digitalspy.co.uk/fo.....ht=6.2.6.B