
BT Wi-Fi Extenders Can Expose Your Wireless Network Password

Wednesday, Sep 21st, 2016 (9:18 am)

The network security gurus at Pen Test Partners have warned owners of BT’s Wi-Fi Extender 300 (Broadband Extender 300 Kit) adapters to update their firmware, after uncovering a string of vulnerabilities that could result in the home WiFi network password being leaked.

The 300 series WiFi extenders are single band (2.4GHz) 802.11n spec devices that offer a headline maximum wireless network speed of 300Mbps (150Mbps in 20MHz mode and 300Mbps in 40MHz mode) and as such they’ve largely been superseded by the dual-band 600 and faster series. Nevertheless, you can still buy them for only £19.99 a pop.

However, anybody who has bought one of the 300 series adapters should be aware that hackers can exploit a number of vulnerabilities in the device in order to steal your WPA passphrase (wireless network password).

According to PTP, the web interface of the adapters is open to a Cross-Site Request Forgery (CSRF) attack and to other Cross-Site Scripting (XSS) vulnerabilities, and these can be combined. “Authentication bypass is not good. Together with the XSS and some poor UI design, this means I can steal your Wi-Fi password. (XSS allows us to bypass Same Origin Policy),” said PTP.

PTP Advice for the vendor:

PDP wrote a very good series of articles, a great many years ago, on the early Home Hubs – [BT] made a lot of the same mistakes again. The people writing and QAing this software need to have a better understanding of security issues. Some checking of third party products would seem to be in order, before they are released to the general public.

PTP first became aware of the problems when they purchased an adapter in mid-July 2016 and, to BT’s credit, the operator was able to patch all of the issues and release a new firmware (v1.1.8) before the end of August 2016, which can be downloaded here.

PTP also says it’s best to log in, change the password and not use either the “remember me” function in the Wi-Fi device or the “remember password” function in the browser.

A Spokesperson for BT said (The Register):

“We are grateful to Pen Test Partners for alerting us to this issue. We have been working to address this potential weakness and issued an update which corrected the problem in August 2016. We are not aware of any cases where customers have suffered any issues. Customers should ensure they download the firmware update from the BT website.”

BT has chosen to list the firmware changes for v1.1.8 as “Bug fixes”, although perhaps “Security fixes” would have been better in order to encourage end-users to update. The actual process of updating should be fairly simple and involves using the largely automated BT Device Configuration Tool (software).

By Mark Jackson
Mark is a professional technology writer, IT consultant and computer engineer from Dorset (England). He also founded ISPreview in 1999 and enjoys analysing the latest telecoms and broadband developments.