BT hamstrings Home Hub hackers

BT has plugged a security hole in its Home Hub router which could have allowed hackers to take control of the device. Rather than patch the flaw directly, the company has worked around it by deactivating the Remote Assistance feature that lets BT support staff take control of the hub. "As part of BT's commitment to protect its customers against internet security threats, the 'Remote Assistance' feature within the BT Home Hub Manager software is being deactivated," an official BT statement said.

"The removal of this feature, which is not required for normal operation of the Hub, does not impair any BT Total Broadband services and will not affect other PC-based remote access applications or remote upgrades." The flaw meant that a Home Hub user who clicked on a specially crafted link could have allowed an attacker to bypass the administrator password check and reach the router's management functions.

News source: vnunet
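As an added illustration (this is not code from the article, from vnunet or from BT), the following Python model shows the class of flaw a crafted link can exploit against a router's web admin interface, and one way to harden it. The article does not say how the BT link worked; the model assumes a CSRF-style weakness in which a settings change is accepted on a plain GET request that is authenticated only by the session cookie the victim's browser attaches automatically. The `RouterAdmin` class, the 192.168.1.254 address, the sample password and the `/remote_assistance` endpoint are all constructed for this example.

```python
import hmac
import secrets

ROUTER_HOST = "192.168.1.254"   # assumed LAN address of the router (constructed)
ADMIN_PASSWORD = "changeme"     # constructed sample credential, not a real default


class RouterAdmin:
    """Minimal model of a router's web admin interface (constructed for this example)."""

    def __init__(self):
        self.remote_assistance = False
        self.sessions = {}          # session id -> per-session anti-CSRF token

    def login(self, password):
        """Issue a session only if the admin password matches (constant-time compare)."""
        if not hmac.compare_digest(password.encode(), ADMIN_PASSWORD.encode()):
            return None
        sid = secrets.token_hex(16)
        self.sessions[sid] = secrets.token_hex(16)
        return sid

    def csrf_token(self, sid):
        return self.sessions[sid]

    def handle_vulnerable(self, req):
        """Acts on any request carrying a valid session cookie, even a GET triggered
        by a link on a third-party page. The browser sends the cookie on its own, so
        the attacker never needs to know the administrator password."""
        sid = req["cookies"].get("session")
        if sid not in self.sessions:
            return 401
        if req["path"] == "/remote_assistance":
            self.remote_assistance = req["params"].get("enable") == "1"
            return 200
        return 404

    def handle_hardened(self, req):
        """Requires a POST, an Origin/Referer from the router itself and a
        per-session anti-CSRF token before changing any setting."""
        sid = req["cookies"].get("session")
        if sid not in self.sessions:
            return 401
        if req["path"] != "/remote_assistance":
            return 404
        if req["method"] != "POST":
            return 405                      # a link click is always a GET
        origin = req["headers"].get("Origin") or req["headers"].get("Referer", "")
        own = f"http://{ROUTER_HOST}"
        if origin != own and not origin.startswith(own + "/"):
            return 403                      # request did not come from our own pages
        token = req["params"].get("csrf", "")
        if not hmac.compare_digest(token, self.sessions[sid]):
            return 403                      # attacker cannot read the victim's token
        self.remote_assistance = req["params"].get("enable") == "1"
        return 200


def crafted_link_request(sid):
    """What the browser sends when a logged-in admin clicks a link to
    http://192.168.1.254/remote_assistance?enable=1 on an attacker's page."""
    return {
        "method": "GET",
        "path": "/remote_assistance",
        "params": {"enable": "1"},
        "cookies": {"session": sid},                    # attached automatically
        "headers": {"Referer": "http://attacker.example/page"},
    }


def legitimate_request(router, sid, enable):
    """A form submission from the router's own admin page, carrying the token."""
    return {
        "method": "POST",
        "path": "/remote_assistance",
        "params": {"enable": "1" if enable else "0", "csrf": router.csrf_token(sid)},
        "cookies": {"session": sid},
        "headers": {"Origin": f"http://{ROUTER_HOST}"},
    }


def run_link_click(hardened):
    """Log in as admin, then replay the crafted-link click against the chosen
    handler. Returns (HTTP status, remote_assistance_enabled)."""
    router = RouterAdmin()
    sid = router.login(ADMIN_PASSWORD)
    handler = router.handle_hardened if hardened else router.handle_vulnerable
    status = handler(crafted_link_request(sid))
    return status, router.remote_assistance


def run_legitimate_change():
    """The hardened handler still accepts a genuine change from the admin UI."""
    router = RouterAdmin()
    sid = router.login(ADMIN_PASSWORD)
    status = router.handle_hardened(legitimate_request(router, sid, True))
    return status, router.remote_assistance


if __name__ == "__main__":
    print("vulnerable, link click:", run_link_click(hardened=False))
    print("hardened, link click:  ", run_link_click(hardened=True))
    print("hardened, real change: ", run_legitimate_change())
```

The point of the model is that a password prompt on login is not enough: once a session exists, any state-changing endpoint reachable by a GET with no request-bound secret can be driven by a link the victim clicks elsewhere. The hardened handler fails closed on method, origin and token, and the legitimate path still works, which is the check a practitioner would want before trusting a router's admin interface.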


Hi,

From the BT HH FAQ:

If you have set up the DMZ / 'Assign public IP address to Hub' feature in the Games & Application Sharing section of the Hub Manager, your Home Hub will not be automatically upgraded. To receive an upgrade, disable the feature and leave your Hub switched on. The feature can be re-enabled after the Home Hub has been upgraded.

I wonder how many will miss this and fail to get the update?

Kind Regards

Simon

If you're using DMZ / public IP on the hub, you're most likely running some server through the connection (like mail, web, ftp, etc.). So the "advice" is to turn it off, thereby knackering connections to the server until the hub is upgraded.
How do you know when the hub has been upgraded so you can turn it on again (and potentially receive mail / serve pages, etc.)? Hands up all those who would willingly switch off access for an indefinite time and periodically query the hub for (presumably) an updated version number on the software.

"The removal of this feature, which is not required for normal operation of the Hub, does not impair any BT Total Broadband services and will not affect other PC-based remote access applications or remote upgrades."

So there's still an attack vector (very, very few require remote access into their PC; those that do wouldn't use the Home Hub anyway, or hack it to allow the relevant ports and protocols). Better that it just doesn't get allowed by default and should there be any tech difficulties the "qualified" tech support can run through a simple procedure with the customer to enable it, apply some update, and then disable it again. Even the original Linksys insecure-as-hell firmware didn't have Remote Access set on out of the box.

I for one do not allow remote access to my routers, not even myself, under ANY circumstances. Warranty be damned, if someone can get into my network / compromise my router as a result of this "feature", it gets disabled.

It is worth noting that if you had sensibly changed the admin password or disabled the wireless interface on the Home Hub, the recent firmware update will have restored these, and probably other settings, to default.

BT Home Hub customers have agreed to terms and conditions that make it very clear that BT cannot be held responsible for firmware updates made without the assistance of a qualified BT technical support engineer. By doing so they will automatically invalidate their warranty. Customers who feel a firmware upgrade is necessary should call 0845 600 7030.

Lt-DavidW said,
BT Home Hub customers have agreed to terms and conditions that make it very clear that BT cannot be held responsible for firmware updates made without the assistance of a qualified BT technical support engineer. By doing so they will automatically invalidate their warranty. Customers who feel a firmware upgrade is necessary should call 0845 600 7030.

The firmware or software update is downloaded and installed automatically on these units, and requires no user intervention.

jimmy_jazz said,

The firmware or software update is downloaded and installed automatically on these units, and requires no user intervention.

It does, but the Home Hub is rubbish.

jimmy_jazz said,

The firmware or software update is downloaded and installed automatically on these units, and requires no user intervention.

Are you sure that a full hardware reset is necessary to apply the updates? I would have thought a power cycle was enough. If the Home Hub resets to factory defaults on each update, then surely there would be chaos. I can just imagine the amount of non-technical customers left with wireless that does not work because their wireless key has changed/been removed. Surely that's not correct.