BT Home Hub “spits out password to hackers”

Barry Collins Read more October 7, 2009

An “ethical hacking outfit” claims to have found a new security hole in BT’s Home Hub router.

The Hub has been the subject of a number of recent security flaws, which culminated in the company changing the default password on the routers from “admin” to the unique serial number of the device, in order to prevent hackers from gaining access to the device.

However, the GNUCitizen blog claims it’s possible to make the Home Hub spit out that unique serial number to would-be attackers.

“It turns out that you can get the serial number of the Home Hub by simply sending a Multi Directory Access Protocol (MDAP) multicast request in the network where BT Home Hub is located,” the blog claims.

“Yes, you must already be part of the LAN where the Home Hub is present, either via ethernet or via Wi-Fi. However, at GNUCitizen, we have demonstrated trivial ways to predict the WEP encryption key of the Home Hub if you know what you are doing.”

GNUCitizen points the finger of blame squarely at BT. “Obviously, this is not a vulnerability within the MDAP protocol, but rather a design flaw introduced by BT with the new unique admin password feature,” it claims.

“The assumption behind this insecure implementation is that the serial number can only be obtained by the legitimate owner of the router. As we have seen, this is not the case!”

BT Home Hub users can obviously avoid the problem by creating their own password and changing the Hub’s default security from the widely-cracked WEP to the more secure WPA. BT provides instructions on how to do this here.

Last October, BT was forced to remove a Remote Assistance feature from the Hub, after GNUCitizen found that it could lead to hackers taking complete ownership of the device.

BT was unavailable for comment at the time of publication.