BT Home Flub - Pwnin the BT Home Hub
OK, let me get to the point. The BT Home Hub, which is probably the most popular home router in the UK, is susceptible to critical vulnerabilities.
BT's plan is to sneak one of these boxes into every UK home. Not only does the BT Home Hub support broadband but also VoIP (BT Broadband Talk), UMA mobile telephony (BT Fusion), and digital TV (BT Vision). Additionally BT will give users the option to use their BT Home Hub to join FON, a community-shared Wi-Fi. An unofficial source has reported us that there are 2+ million BT Home Hub users in the UK.
If you're thinking: "well I'm not based in the UK so this research doesn't concern me", then think again! The BT Home Hub is just a Thomson/Alcatel Speedtouch 7G router. Furthermore, the vulnerabilities we found are most likely present in other Speedtouch models due to code reuse (more on that later).
So what can we do? Well, we can fully own the router remotely. At the moment we have three demo exploits which do the following:
- enable backdoor in order to control the router remotely
- disable wireless completely (can only be re-enabled if the user is technically capable)
- steal the WEP/WPA key
Of course there other other attacks you could launch! We can hijack any action with full admin privileges or steal any info returned by a router's page. This means evilness of the exploits are only limited by the attacker's imagination. Other examples of evil attacks include evesdropping VoIP conversations (change 'sip config primproxyaddr' statement in config file), stealing VoIP credentials, exposing internal hosts on the DMZ, change the DNS settings for stealing online banking credentials, disable auto updates (change
cwmp.ini section in config file), etc ...
The only requirement for the router to be owned is that a victim user visits a (malicious) website. The good news is that our exploits do NOT require knowledge of the admin password! How can that be? Well, we rely on a authentication bypass bug we discovered!
Even though I've been the owner of a BT Home Hub for quite a while, I never bothered to try to find vulnerabilities in it. However, on the last dc4420 meeting, after I gave a talk on breaking into Axis cameras, some of the guys there inspired me to research the BT Home Hub. After poking with it for a while, pdp and I couldn't believe how vulnerable the web interface of the device was! I remember pdp sarcastically saying: "wow, it's really locked down man!", We discovered issues such as:
- authentication bypass (any admin action can be made without username/password!)
- system-wide CSRF
- several persistent XSS
- several non-persistent XSS
- privilege escalation
We're now in the process of contacting BT and Thomson. However, I don't have high hopes for BT. Last year, I found a way to dump the BT Voyager 2091's config file without credentials. Even though I forwarded them my findings they never responded at all.
Enjoy the demo video which was kindly prepared by pdp. We misspelled some words on the chat conversation, so please forgive us! In the video, the attacker social-engineers the victim to visit a malicious website. The malicious website in turn enables remote assistance on the victim's router with a password chosen by the attacker. After that, the attacker gains full privileges to the router remotely, and steals the config file and WEP key.