BT Home Hub: Wireless Security Vulnerabilities Discovered

Those with a BT Home Hub — and there are a lot of them, as it’s currently the most popular DSL router in the UK — might be sleeping a little less soundly tonight following the claims of an ethical hacking group, GNUCitizen, to have found a way to get past its wireless security.

Rather than getting all hardcore and going into details of how it came about, we’ll give you the overview.

How it came about
A little while back Kevin Devine, an independent security researcher, reverse engineered the default WEP/WPA key algorithm used by some Thomson Speedtouch routers that are built into BT’s Home Hub.

To make sure the average citizen has some level of protection to their wireless, BT’s Home Hub uses default WEP/WPA keys.

BT clearly recognised that having the non-techs setting their WEP/WPA keys would be a disaster, as it involves typing in a long string of hex numbers – a pretty messy business at the best of times.

Using default keys gave protection, but avoided endless support calls from confused customers.

The wireless security keys are not the same for each Home Hub — a welcome move that you’ve got to lift your hat to BT about — each Home Hub has its own automatically-assigned default set of keys.

Sadly it appears that these keys are generated by an algorithm, and that this algorithm uses the unit’s serial number to generate them.

As GNUCitizen explain it, “a hashed version of the router’s serial number is generated which is then used to derive both, the default SSID and the default encryption key.” Hashing just means the application of some maths to the serial number and the SSID is the ‘name’ the wireless router calls itself by.

Tools written
GNUCitizen has written a set of tools to help them named BTHHkeygen and BTHHbf. Wisely they’ve decided not to publish them — they normally publish all other research — for fear that they might be abused.

Impact?
If all of this is correct, BT could have a massive job on their hands in getting their customers to change their WEP/WPA keys.

It could be seen as pretty remiss if BT know about this, but fail to alert their broadband customers. If this group of hackers has written tools, it means others could do the same.

We’ve contacted BT, who will be sending us a statement; as at publishing it hasn’t arrived.

Article
GNUCitizen

8 thoughts on “BT Home Hub: Wireless Security Vulnerabilities Discovered”

  1. @Dave: NO, the “hacker” doesn’t need to know the serial number. All that is needed to carry out this attack is the SSID of the BT Home Hub WiFi network.

    Needless to say, the SSID (network name) can be obtained by anyone who is close to the target Home Hub.

  2. Hi guys, I really need help and don’t know where else to go.

    Before we start I better tell you I have the BT Home Hub (wireless, although I use an ethernet cable), the same one in the picture above, and have had it for roughly a year and a half. I have never taken any security precautions because I was stupid enough to think BT, being the massive company they are, would have it covered.
    OK. My situation is that I am being taken to court by a big law firm representing an Xbox 360 game developer; they say I have illegally downloaded an Xbox 360 game and they want a lot of money from me that I just don’t have. At first I was suspicious but found out they are legit. I contacted BT and asked for a complete history of my own downloading activity, and to my shock and horror apparently I have downloaded well over 1TB of Xbox games, PC games, films, programs, music etc. since I joined BT.

    I know myself that I haven’t downloaded anything illegally (especially Xbox 360 games, because I don’t have an Xbox 360 nor do I have the knowledge of how to play copied games).
    I live on my own, in a block of flats, and no one else has access to my home PC. I have looked all over the internet for the answer to my question but can only find how unsecure the Home Hub is; I can’t find what people can do by hacking the Home Hub.
    I know that because it has been a long period of time that this downloading has been happening, it has to have been someone close enough to my wireless connection.
    So my question is, is it possible that one of my neighbours has hijacked my wireless IP address and has been using it since I joined up with BT to do what they want? And also, if you know, would BT be able to find out if someone has done this?

    Any response would be GREATLY appreciated; if the answer is a simple no then I don’t have a clue how this has happened and they have me by the balls.

    ps. sorry about the spelling.

  3. Jamie,

    I myself have accessed over 12 BThubs and can tell you exactly what can be done.

    Users connected via wireless connection can access the web and download any material they require. They can also access your hub itself and change the configuration settings password. Your WEP Key can also be changed to WPA with the hacker possessing the password.

    Hope this is of help to you

Comments are closed.