Posted: 28th May, 2008 By: MarkJ
The "
ethical" hacking website,
GNUCitizen, has found a new way around improvements to the security of BTs 'Home Hub' broadband ADSL routers (firmware 6.2.6.E). It's understood that the operator had changed the default admin password from 'admin' to the serial number of the router itself, though this too may now be at risk:
As you can see, changing the default admin password to a value which is specific to each Home Hub would make password guessing/cracking attacks much harder. At least, this is usually the case. Well, it turns out that you can get the serial number of the Home Hub by simply sending a Multi Directory Access Protocol (MDAP) multicast request in the network where BT Home Hub is located.
Yes, you must already be part of the LAN where the Home Hub is present, either via Ethernet or via
Wi-Fi. However, at GNUCITIZEN, we have demonstrated trivial ways to predict the WEP encryption key of the Home Hub if you know what you are doing. In summary, there are two ways to break into a BT Home Hub
Wi-Fi network:
- arp replays injection plus weak IVs cracking. This attack is typically launched using airodump-ng + aireplay-ng + aircrack-ng (I highly recommend using Backtrack 2 plus the Alfa USB AWUS036S Wi-Fi adaptor for this attack)
- Predict the Home Hubs default WEP key by bruteforcing a list of potential candidates which are derived from the SSID (the SSID can be obtained by anyone of course)
Paul Vlissidis, a technical director for I.T. consultancy NCC Group, has already criticised the security of BT's Home Hub in Mondays news (
here).