BT Wi-Fi Extenders Can Expose Your Wireless Network Password

Wednesday, September 21st, 2016 (9:18 am)

The network security specialists at Pen Test Partners (PTP) have warned owners of BT’s Wi-Fi Extender 300 (Broadband Extender 300 Kit) adapters to update their firmware after PTP uncovered a string of vulnerabilities that could result in the home Wi-Fi network password being leaked.

The 300 series Wi-Fi extenders are single-band (2.4GHz) 802.11n devices with a headline maximum wireless speed of 300Mbps (150Mbps in 20MHz mode and 300Mbps in 40MHz mode), and as such they have largely been superseded by the dual-band 600 and faster series. Nevertheless, you can still buy them for only £19.99 a pop.

However, anybody who has bought one of the 300 series adapters should be aware that attackers can exploit a number of vulnerabilities in the device in order to steal the WPA passphrase (wireless network password).

According to PTP, the adapters’ web interface is vulnerable to Cross-Site Request Forgery (CSRF) and to Cross-Site Scripting (XSS), and these weaknesses can be chained with an authentication bypass. “Authentication bypass is not good. Together with the XSS and some poor UI design, this means I can steal your Wi-Fi password. (XSS allows us to bypass Same Origin Policy),” said PTP.

PTP’s advice for the vendor:

PDP wrote a very good series of articles, a great many years ago, on the early Home Hubs – [BT] made a lot of the same mistakes again. The people writing and QAing this software need to have a better understanding of security issues. Some checking of third party products would seem to be in order, before they are released to the general public.

PTP first became aware of the problems when they purchased an adapter in mid-July 2016 and, to BT’s credit, the operator was able to patch all of the issues and release a new firmware (v1.1.8) before the end of August 2016, which can be downloaded from BT’s website.

PTP also advises users to log in and change the device password, and not to use the “remember me” function in the extender’s web interface or the “remember password” function in the browser.

A spokesperson for BT said (via The Register):

“We are grateful to Pen Test Partners for alerting us to this issue. We have been working to address this potential weakness and issued an update which corrected the problem in August 2016. We are not aware of any cases where customers have suffered any issues. Customers should ensure they download the firmware update from the BT website.”

BT has chosen to list the firmware changes for v1.1.8 as “Bug fixes”, although perhaps “Security fixes” would have been better in order to encourage end-users to update. The actual process of updating should be fairly simple and involves using the largely automated BT Device Configuration Tool (software). After updating, check that the extender reports firmware v1.1.8 or later before assuming the issues are closed.

By Mark Jackson
Mark is a professional technology writer, IT consultant and computer engineer from Dorset (England). He is also the founder of ISPreview (since 1999) and enjoys analysing the latest telecoms and broadband developments.
Copyright © 1999 to Present - ISPreview.co.uk - All Rights Reserved