Dumping the admin password of the BT Home Hub

So BT added a new security feature on the latest version of the BT Home Hub firmware (6.2.6.E at time of writing) which changes the default admin password from admin to the serial number of the router. From BT Support and Advice site:

Firmware 6.2.6.E introduces the following improvements: Change default Hub Manager access password from ‘admin’ to your unique Hub serial number”

When I first noticed this new feature I thought it was quite cool and definitely a good move from BT. This is why:

It would make CSRF attacks launched by third-party sites much more difficult since the attacker wouldn’t be able to predict the admin password of the Home Hub in the exploit code. An exception to this is the attacker combining a CSRF with a authentication bypass bug. In such case, knowing the admin password wouldn’t be required. Another exception would be a CSRF attack which originates from the Home Hub itself via persistent XSS on a page on which the admin must be authenticated to view (i.e.: logs page). In such case, the admin password would NOT be required in the CSRF exploit code.
Performing a password cracking attack would be less likely to be successful

As you can see, changing the default admin password to a value which is specific to each Home Hub would make password guessing/cracking attacks much harder. At least, this is usually the case. Well, it turns out that you can get the serial number of the Home Hub by simply sending a Multi Directory Access Protocol (MDAP) multicast request in the network where BT Home Hub is located. Yes, you must already be part of the LAN where the Home Hub is present, either via ethernet or via Wi-Fi. However, at GNUCITIZEN, we have demonstrated trivial ways to predict the WEP encryption key of the Home Hub if you know what you are doing. In summary, there are two ways to break into a BT Home Hub Wi-Fi network:

arp replays injection plus weak IVs cracking. This attack is typically launched using airodump-ng + aireplay-ng + aircrack-ng (I highly recommend using Backtrack 2 plus the Alfa USB AWUS036S Wi-Fi adaptor for this attack)
Predict the Home Hub’s default WEP key by bruteforcing a list of potential candidates which are derived from the SSID (the SSID can be obtained by anyone of course)

The following is what a MDAP ANT-SEARCH request looks like. Such request would be sent to the multicast IP address 224.0.0.103 and port 3235 (UDP):

ANT-SEARCH MDAP/1.1
46

Which causes the BT Home Hub to respond with its serial number (ANT-ID parameter) among other information. i.e.:

REPLY-ANT-SEARCH MDAP/1.1
ANT-ID:0633EHPSL
ANT-NAME:SpeedTouch BTHH
ANT-MAC:00-14-7F-AA-BB-CC
ANT-HOSTSETUP:auto
TO-HOST:192.168.1.70:2317
TP-VERSION:2.0.0
MDAP-VERSION:1.2
43

The only difference between the ANT-ID parameter and the serial number of the Home Hub is that the serial number is prefixed with ‘CP’. So in this example, the corresponding serial number - which is the default admin password - would be CP0633EHPSL (see the screenshot for more information)

Obviously, this is not a vulnerability within the MDAP protocol, but rather a design flaw introduced by BT with the new unique admin password feature. The assumption behind this insecure implementation is that the serial number can only be obtained by the legitimate owner of the router. As we have seen, this is not the case! Nevertheless, there are some security issues inherited with the MDAP protocol which I will cover in a new post.

The following Python script dumps MDAP multicast requests:

http://www.gnucitizen.org/projects/dumping-the-admin-password-of-the-bt-home-hub/mdap-dump.py

And the following one sends the MDAP ANT-SEARCH requests which causes the Home Hub to return its serial number:

http://www.gnucitizen.org/projects/dumping-the-admin-password-of-the-bt-home-hub/mdap-send-ant-search.py

You have to run mdap-send-ant-search.py while mdap-dump.py is still running. i.e.:

pagvac@gnucitizen$ python mdap-dump.py& python mdap-send-ant-search.py

For some reason the scripts don’t work under Python for Windows or even Python for Cygwin. It should work on GNU/Linux (I tried it on Backtrack 2).

Finally, I just wanted to thank Mark Livesey for brainstorming ideas with me which led me to explore the MDAP protocol further.

comments

Mark Livesey responds:

Cheers mate. Is the MDAP proprietary Thomson like CLI? Could this protocol lead to a UDP attack? Anyway, it gets harder with each firmware revision so at least BT 2 million plus HomeHub users are eventually getting a secure product.

Stephen responds:

Good work guys at finding another hole in the BT Home Sieve. I can confirm this works from the LAN on my BTHH v15.

Adrian 'pagvac' Pastor responds:

@Mark: yes, MDAP is a Thomson proprietary protocol. I will talk more about it in a upcoming post.

Getting harder? At this moment all BT Home Hubs can be turned into zombie routers via relaxed UPnP port-forwarding functionalities. All you need is to get a Home Hub user visit your evil page. Furthermore, there are about 3 million BT Home Hub Wi-Fi networks that can be broken into trivially.

@Stephen: thanks a lot for testing this attack. We can now confirm that it works on the latest firmware for both the BT Home Hub v1 and v1.5. I’m assuming that you’re running firmware version 6.2.6.E?

mohclips responds:

I take it this is a wired attacked rather than a wireless one?

@mohclips: copied and pasted from this post:

“Yes, you must already be part of the LAN where the Home Hub is present, either via ethernet or via Wi-Fi. However, at GNUCITIZEN, we have demonstrated trivial ways to predict the WEP encryption key of the Home Hub if you know what you are doing. In summary, there are two ways to break into a BT Home Hub Wi-Fi network: [snip]“

^o^ responds:

Amazing, may i ask how did you find this vulnerability? was it by sniffing?

Daily Telegraph responds:

Your BT home hub pwning made the front page of today’s Daily telegraph in the uk.

pdp responds:

are you talking about this one?

obviously this is a marketing stunt initiated by the NCC group, omitting the voice of the real researchers as usual… and of course BT is just plain silly and their anti-crisis team does not know what they are doing. very amateur for BT I must say.

this is ridiculous, all the vulnerability research publicly-released affecting the BT Home Hub has been published on http://www.gnucitizen.org . The only Home Hub research published on other sources is related to _unlocking_ the Hub, rather than _breaking into it_.

I can only hope that NCC did mention us in the original press release but the final Daily Telegraph article filtered our name out.

Summary of vulnerability research published for the BT Home Hub here: http://en.wikipedia.org/wiki/B.....y_concerns

it is a NCC’s marketing stunt (payed ad)! :)

This is ridiculous. It says about the software easily available for “bad guys” but not about it being easily available from BT themselves. Oh, and V1.5 is safer apparently.

@^o^: yes, you’re right. the vulnerability was found by analyzing traffic.

Sorry, very true, the key to open the door so to speak.

djteller responds:

This is indeed ridiculous, but it’s nice to see that BT are aware, too bad the implementation was bad.

I think that Home router vendors should disable deviced until proper installation when the device is purchased.

Using a simple wizard the user will change his/her password to something other than ‘admin’ and that’s it.

BT’s statement is just ridiculous. Check this out:

BT disputed the claim, saying the risk was “theoretical” and that hackers would have to “win the computer cracking equivalent of the National Lottery” to succeed.

Right…. Cracking 40BIT WEP is exactly like winning the National Lottery.

After having observed BT’s reaction to several Home Hub vulnerabilities published in the past, it’s easy to notice BT’s PR template. It kind of goes like this:

“We do not believe any of our customers have been affected by this attack.”

“Such security research describes a theoretical attack.”

In reality this translates to:

“We are not aware of any attack performed in a _mass fashion_ which uses such vulnerabilities. Of course this doesn’t mean such vulnerabilities have not been exploited in the wild. We know that most likely they *have* been exploited as they are practical. However, we don’t want mainstream users (i.e: non-technical) to know this.”

“We want the public to think that such attack is not possible in real life, so they do not realize how bad the current state of the security of the Home Hub really is.”

To confirm from my post near the top - yes I’m on 6.2.6.E on a v1.5

joe responds:

I’m running bthomehub-bb59 firmware version 6.2.6.E. where do i get the programs from to get it to work. will this work on windows xp or backtrack 3

Robbie responds:

for those on windows an easy way id say is to download http://static.btopenworld.com/.....y_626E.zip

when it asks you for a username and password you can see next to the box with the serial number next to it

http://i30.tinypic.com/35l82a9.jpg

and voila you have the password for the hub

just looking for some reason the home hub im testing has 6.2.6H firmware . It’s a new hub so i presume it must be 1.5 and its had fon opted in. any one else messed with this firmware?

@joe: the Python scripts we provided only seem to work in Linux (we tested them on backtrack 2 but should also work on bt3).

If you just want to get the Hub’s serial number prior to authenticating without using the MDAP protocol, then simply check ‘OU’ field of the SSL certificate as mentioned by Aaron on http://www.gnucitizen.org/blog.....-hub-pt-2/

You should be able to examine the Hub’s SSL certificate by accessing: https://api.home/ or https://192.168.1.254

GNUCITIZEN

navigation

Dumping the admin password of the BT Home Hub

comments

trackbacks

respond