BT has filled a security hole in its Home Hub service which could allow hackers to take control of the internet router. The company has bypassed the problem by removing the Remote Assistance feature that allows BT admin staff to take control of the device. "As part of BT’s commitment to protect its customers against internet security threats, the 'Remote Assistance' feature within the BT Home Hub Manager software is being deactivated," an official BT statement said.
"The removal of this feature, which is not required for normal operation of the Hub, does not impair any BT Total Broadband services and will not affect other PC-based remote access applications or remote upgrades." Home Hub users clicking on a specially crafted link could have allowed a malicious user to bypass the administrator password procedure.
News source: vnunet

The firmware or software update is downloaded and installed automatically on these units, and requires no user intervention.
It does but the Home Hub is rubbish.
The firmware or software update is downloaded and installed automatically on these units, and requires no user intervention.
Are you sure that a full hardware reset is necessary to apply the updates? I would have thought a power cycle was enough. If the Home Hub resets to factory defaults on each update, then surely there would be chaos. I can just imagine the number of non-technical customers left with wireless that does not work because their wireless key has changed/been removed. Surely that's not correct.
So there's still an attack vector (very, very few require remote access in to their PC; those that do wouldn't use Home Hub anyway, or hack it to allow the relevant ports and protocols). Better that it just doesn't get allowed by default and should there be any tech difficulties the "qualified" tech support can run through a simple procedure with the customer to enable it, apply some update, and then disable it again. Even the original Linksys insecure-as-hell firmware didn't have Remote Access set on out of the box.
I for one do not allow remote access to my routers, not even myself, under ANY circumstances. Warranty be damned, if someone can get into my network / compromise my router as a result of this "feature", it gets disabled.
From the BT HH FAQ:
I wonder how many will miss this and fail to get the update?
Kind Regards
Simon
How do you know when the hub has been upgraded so you can turn it on again (and potentially receive mail / serve pages, etc.)? Hands up all those who would willingly switch off access for an indefinite time and periodically query the hub for (presumably) an updated version number on the software.