In summary, if the victim visits our evil proof-of-concept webpage, his/her browser sends a HTTP request to the BT Home Hub’s web interface. After this, the Home Hub starts a VoIP/telephone connection to the recipient’s phone number specified in the exploit page.

This is what the attack looks like: the victim’s VoIP telephone starts ringing and shows an external call message on the LCD screen along with the recipient’s phone number. However, what’s interesting is that from the point of view of the victim, it looks like he/she is receiving a phone call from the number shown on the screen, but in fact he/she is calling that number!

Now, this attack will work even if the default admin password has been changed on the BT Home Hub. Reason for this is that the exploit relies on an authentication bypass vulnerability that we have reported a while ago and hasn’t still been fixed by BT! In our original report, we mentioned that the HTTP authentication mechanism can by bypassed by using double slashes in the target URL. Actually, the authentication can also be bypassed with many other characters, but I’ll leave this to the reader to discover.