BT Home Hub security in spot light again
Thursday 29 May 2008 14:02:09 by Andrew Ferguson
GNUCitizen has discovered another hole in the security of the BT Home Hub that allows anyone with LAN access to get hold of the administrator password.
Previously it has been reported that there was a way to determine the default WEP security key on the Home Hub, and the best course of action was to alter your wireless network from WEP to the WPA encryption. In theory if using WPA and a strong key getting access over the wireless network to discover the administrator password should not be possible, but for the many who cannot switch to WPA (e.g. they own older hardware that only supports WEP, or have tried and failed to get it to work) this latest hole means people could access the routers administrator interface and hijack the routers settings.
The Home Hub was recently made more secure in firmware version 6.2.6.E by giving each one a unique administrator password, which was the routers serial number, but GNUCitizen is able to demontrate how by sending a request to a specific multicast IP address you can obtain this password.
While this problem highlights the Home Hub people with other devices are once again reminded about the need to secure their wireless networks.
While there are no reports of mass attacks affecting Home Hub users yet, that does not mean that we know for sure that someone in the UK is not using this method to piggyback on peoples broadband connections.
Digg this
Add to del.icio.usComments
oops wrong thread...
Pfffft the home hub really is a complete and utter crock of...... (stopped for family viewing reasons)
Enough said.
I dissagree with the last paragraph of the report. I had severe problems in the last couple of days just trying to stay online. Because the hub locks up if the connection goes down the only way to reboot is to turn it off and on and then restart ones pc. We have a home network of 2 so we know it wasnt the pcs. 6 times in the space of an evening and nothing wrong today tells me that BT have a lot of connectivity issues still to resolve for their bb customers.I agree with Carpetburns comment too :-s Not impressed with bt broadband at all.
I have to disagree with CARPETBURN. The issue here is one of security and BT have recommended from the outset that the best way is to opt for WPA, rather than WEP, and to change the key and ID from the default. As one of the early users of the BT Home Hub, I did this and have never had security-related Hub problems at all.
Thinkbroadband has storys about Homehub issues security and non security related dating back to last year (and probably beyond)... I find it rather flippant of any company to just demand users of there technology follow their instructions rather than fix the core issues of settings either with revised hardware or if possible a firmware update... BT are the biggest comms provider in the UK AFAIK, it is a complete joke they supply hardware that is full of holes, locks up and has other weird faults. Its not like they havent got the cash to develop the router they choose to supply.
If users could see the same data as ISPs it would be a great idea. At the moment we rely on ISPs to feed back the information honestly - in my experience they rarely do, or at least not until the solution is found - or not bother at all.