Comments on: Dumping the admin password of the BT Home Hub

By: Adrian 'pagvac' Pastor

Adrian 'pagvac' Pastor — Sun, 08 Jun 2008 09:36:40 +0000

@joe: the Python scripts we provided only seem to work in Linux (we tested them on backtrack 2 but should also work on bt3).

If you just want to get the Hub’s serial number prior to authenticating without using the MDAP protocol, then simply check ‘OU’ field of the SSL certificate as mentioned by Aaron on http://www.gnucitizen.org/blog.....-hub-pt-2/

You should be able to examine the Hub’s SSL certificate by accessing: https://api.home/ or https://192.168.1.254

By: Robbie

Robbie — Fri, 06 Jun 2008 11:28:10 +0000

just looking for some reason the home hub im testing has 6.2.6H firmware . It’s a new hub so i presume it must be 1.5 and its had fon opted in. any one else messed with this firmware?

By: Robbie

Robbie — Fri, 06 Jun 2008 10:25:45 +0000

for those on windows an easy way id say is to download http://static.btopenworld.com/.....y_626E.zip

when it asks you for a username and password you can see next to the box with the serial number next to it

http://i30.tinypic.com/35l82a9.jpg

and voila you have the password for the hub

By: joe

joe — Fri, 30 May 2008 20:39:16 +0000

I’m running bthomehub-bb59 firmware version 6.2.6.E. where do i get the programs from to get it to work. will this work on windows xp or backtrack 3

By: Stephen

Stephen — Tue, 27 May 2008 16:14:25 +0000

To confirm from my post near the top - yes I’m on 6.2.6.E on a v1.5

By: Adrian 'pagvac' Pastor

Adrian 'pagvac' Pastor — Tue, 27 May 2008 12:22:12 +0000

After having observed BT’s reaction to several Home Hub vulnerabilities published in the past, it’s easy to notice BT’s PR template. It kind of goes like this:

“We do not believe any of our customers have been affected by this attack.”

“Such security research describes a theoretical attack.”

In reality this translates to:

“We are not aware of any attack performed in a _mass fashion_ which uses such vulnerabilities. Of course this doesn’t mean such vulnerabilities have not been exploited in the wild. We know that most likely they *have* been exploited as they are practical. However, we don’t want mainstream users (i.e: non-technical) to know this.”

“We want the public to think that such attack is not possible in real life, so they do not realize how bad the current state of the security of the Home Hub really is.”

By: Dumping the admin password of the BT Home Hub (pt 2) | GNUCITIZEN

Dumping the admin password of the BT Home Hub (pt 2) | GNUCITIZEN — Tue, 27 May 2008 09:12:01 +0000

[...] of the BT Home Hub (pt 2) published: May 27th, 2008 This is just a quick update regarding our previous post which details how to extract the default admin password for the latest firmware of the BT Home Hub [...]

By: pdp

pdp — Tue, 27 May 2008 08:45:34 +0000

BT’s statement is just ridiculous. Check this out:

BT disputed the claim, saying the risk was “theoretical” and that hackers would have to “win the computer cracking equivalent of the National Lottery” to succeed.

Right…. Cracking 40BIT WEP is exactly like winning the National Lottery.

By: djteller

djteller — Tue, 27 May 2008 08:12:48 +0000

This is indeed ridiculous, but it’s nice to see that BT are aware, too bad the implementation was bad.

I think that Home router vendors should disable deviced until proper installation when the device is purchased.

Using a simple wizard the user will change his/her password to something other than ‘admin’ and that’s it.

By: Mark Livesey

Mark Livesey — Mon, 26 May 2008 20:58:37 +0000

Sorry, very true, the key to open the door so to speak.

By: Adrian 'pagvac' Pastor

Adrian 'pagvac' Pastor — Mon, 26 May 2008 20:08:06 +0000

@^o^: yes, you’re right. the vulnerability was found by analyzing traffic.

By: Mark Livesey

Mark Livesey — Mon, 26 May 2008 19:56:02 +0000

This is ridiculous. It says about the software easily available for “bad guys” but not about it being easily available from BT themselves. Oh, and V1.5 is safer apparently.

By: pdp

pdp — Mon, 26 May 2008 18:26:29 +0000

it is a NCC’s marketing stunt (payed ad)! :)

By: Adrian 'pagvac' Pastor

Adrian 'pagvac' Pastor — Mon, 26 May 2008 18:17:08 +0000

this is ridiculous, all the vulnerability research publicly-released affecting the BT Home Hub has been published on http://www.gnucitizen.org . The only Home Hub research published on other sources is related to _unlocking_ the Hub, rather than _breaking into it_.

I can only hope that NCC did mention us in the original press release but the final Daily Telegraph article filtered our name out.

Summary of vulnerability research published for the BT Home Hub here: http://en.wikipedia.org/wiki/B.....y_concerns

By: pdp

pdp — Mon, 26 May 2008 14:46:21 +0000

obviously this is a marketing stunt initiated by the NCC group, omitting the voice of the real researchers as usual… and of course BT is just plain silly and their anti-crisis team does not know what they are doing. very amateur for BT I must say.

By: pdp

pdp — Mon, 26 May 2008 14:37:19 +0000

are you talking about this one?

By: Daily Telegraph

Daily Telegraph — Mon, 26 May 2008 13:27:22 +0000

Your BT home hub pwning made the front page of today’s Daily telegraph in the uk.

By: ^o^

^o^ — Sat, 24 May 2008 00:42:31 +0000

Amazing, may i ask how did you find this vulnerability? was it by sniffing?

By: Adrian 'pagvac' Pastor

Adrian 'pagvac' Pastor — Fri, 23 May 2008 19:19:41 +0000

@mohclips: copied and pasted from this post:

“Yes, you must already be part of the LAN where the Home Hub is present, either via ethernet or via Wi-Fi. However, at GNUCITIZEN, we have demonstrated trivial ways to predict the WEP encryption key of the Home Hub if you know what you are doing. In summary, there are two ways to break into a BT Home Hub Wi-Fi network: [snip]“

By: mohclips

mohclips — Thu, 22 May 2008 20:41:06 +0000

I take it this is a wired attacked rather than a wireless one?