Posted: 22nd Jan, 2008 By: MarkJ
UPDATE: BT has denied that its customers are affected by the vulnerability, at least not so long as they're on the latest firmware 6.2.6.E. However it can take time for the new updates to be rolled out.The "
ethical" hacking website,
GNUCitizen, has uncovered yet another (
first one) vulnerability in BT Total Broadband's "
Home Hub" ADSL routers, which could allow hackers to steal or hi-jack Voice-over-IP (
VoIP) calls:
In summary, if the victim visits our evil proof-of-concept webpage, his/her browser sends a HTTP request to the BT Home Hubs web interface. After this, the Home Hub starts a
VoIP/telephone connection to the recipients phone number specified in the exploit page.
This is what the attack looks like: the victims
VoIP telephone starts ringing and shows an external call message on the LCD screen along with the recipients phone number. However, whats interesting is that from the point of view of the victim, it looks like he/she is receiving a phone call from the number shown on the screen, but in fact he/she is calling that number!
Now, this attack will work even if the default admin password has been changed on the BT Home Hub. Reason for this is that the exploit relies on an authentication bypass vulnerability that we have reported a while ago and hasnt still been fixed by BT! In our original report, we mentioned that the HTTP authentication mechanism can by bypassed by using double slashes in the target URL. Actually, the authentication can also be bypassed with many other characters, but Ill leave this to the reader to discover.
It's noted that only customers using the BT Broadband Talk service are affected by this attack, which was tested on Home Hub's using the 6.2.6.B firmware. BT originally disabled the routers Remote Assistance features to close a previously exploit, yet this does not prevent
VoIP call hi-jacking. BT is investigating the problem.