Dumping The Admin Password Of The BT Home Hub

So BT added a new security feature on the latest version of the BT Home Hub firmware (6.2.6.E at time of writing) which changes the default admin password from admin to the serial number of the router. From BT Support and Advice site:

Firmware 6.2.6.E introduces the following improvements: Change default Hub Manager access password from 'admin' to your unique Hub serial number"

When I first noticed this new feature I thought it was quite cool and definitely a good move from BT. This is why:

As you can see, changing the default admin password to a value which is specific to each Home Hub would make password guessing/cracking attacks much harder. At least, this is usually the case. Well, it turns out that you can get the serial number of the Home Hub by simply sending a Multi Directory Access Protocol (MDAP) multicast request in the network where BT Home Hub is located. Yes, you must already be part of the LAN where the Home Hub is present, either via ethernet or via Wi-Fi. However, at GNUCITIZEN, we have demonstrated trivial ways to predict the WEP encryption key of the Home Hub if you know what you are doing. In summary, there are two ways to break into a BT Home Hub Wi-Fi network:

The following is what a MDAP ANT-SEARCH request looks like. Such request would be sent to the multicast IP address and port 3235 (UDP):


Which causes the BT Home Hub to respond with its serial number (`ANT-ID` parameter) among other information. i.e.:


The only difference between the ANT-ID parameter and the serial number of the Home Hub is that the serial number is prefixed with 'CP'. So in this example, the corresponding serial number - which is the default admin password - would be `CP0633EHPSL` (see the screenshot for more information)

Obviously, this is not a vulnerability within the MDAP protocol, but rather a design flaw introduced by BT with the new unique admin password feature. The assumption behind this insecure implementation is that the serial number can only be obtained by the legitimate owner of the router. As we have seen, this is _not_ the case! Nevertheless, there are some security issues inherited with the MDAP protocol which I will cover in a new post.

The following Python script dumps MDAP multicast requests:


And the following one sends the MDAP ANT-SEARCH requests which causes the Home Hub to return its serial number:


You have to run `mdap-send-ant-search.py` while `mdap-dump.py` is still running. i.e.:

[email protected]$ python mdap-dump.py& python mdap-send-ant-search.py

For some reason the scripts don't work under Python for Windows or even Python for Cygwin. It should work on GNU/Linux (I tried it on Backtrack 2).

Finally, I just wanted to thank Mark Livesey for brainstorming ideas with me which led me to explore the MDAP protocol further.