Posted: 09th Oct, 2007 By: MarkJ
UPDATE: BT has responded to state that they are investigating the claims and have also issued a new firmware update to improve security in a number of areas. It is not known whether this router update patches any of the vulnerabilities exposed below.

Customers of BT's Total Broadband service may be concerned to hear that researchers have exposed a vulnerability in the operator's Home Hub router, which could allow an attacker to manipulate the connection.
The exploit potential was first revealed and detailed on the GNUCITIZEN website, which includes a rough video demonstration:
So what can we do? Well, we can fully own the router remotely. At the moment we have three demo exploits which do the following:
* enable backdoor in order to control the router remotely
* disable wireless completely (can only be re-enabled if the user is technically capable)
* steal the WEP/WPA key
Of course there are other attacks you could launch! We can hijack any action with full admin privileges or steal any info returned by a router's page. This means the evilness of the exploits is only limited by the attacker's imagination. Other examples of evil attacks include eavesdropping on VoIP conversations (change sip config primproxyaddr statement in config file), stealing VoIP credentials, exposing internal hosts on the DMZ, changing the DNS settings for stealing online banking credentials, disabling auto updates (change cwmp.ini section in config file), etc.
The group has reportedly contacted BT and Thomson to inform them of the vulnerabilities, yet isn't holding out much hope of a response after the last problem they exposed went without reply. It's believed the exploit will work on all Thomson/Alcatel Speedtouch 7G routers.
The situation is similar to one that cropped up with BeThere's Thomson/Alcatel Speedtouch 780 routers earlier in the year, except that in that case the attacker needed to know the router's password. Some users never seem to change the default password, and they were left exposed.
We hope that the added publicity makes BT more aware of the problem this time and able to respond.