Call Jacking - Phreaking the BT Home Hub

Mon, 21 Jan 2008 02:46:53 GMT
by pagvac

OK, this is a bit of a funny attack - although it could also be used for criminal purposes! After playing with the BT Home Hub for a while (again!), pdp and I discovered that attackers can steal/hijack VoIP calls. Let me explain ...

In summary, if the victim visits our evil proof-of-concept webpage, his/her browser sends a HTTP request to the BT Home Hub's web interface. After this, the Home Hub starts a VoIP/telephone connection to the recipient's phone number specified in the exploit page. This is what the attack looks like: the victim's VoIP telephone starts ringing and shows an external call message on the LCD screen along with the recipient's phone number. However, what's interesting is that from the point of view of the victim, it looks like he/she is receiving a phone call from the number shown on the screen, but in fact he/she is calling that number! "Sweet, simple and effective, just the way we like it at GNUCITIZEN!"

POST http://api.home/cgi/b/_voip_/stats//?ce=1&be=0&l0=-1&l1=-1&name=

0=30&1=**00390669893461**

Now, this attack will work even if the default admin password has been changed on the BT Home Hub. Reason for this is that the exploit relies on an authentication bypass vulnerability that we have reported a while ago and hasn't still been fixed by BT! In our original report, we mentioned that the HTTP authentication mechanism can by bypassed by using double slashes in the target URL. Actually, the authentication can also be bypassed with many other characters, but I'll leave this to the reader to discover.

The following are some attack scenarios in which this vulnerability could be used for:

  • annoyance or prank purposes
  • advanced phishing attacks in which the victims gets a phone call from "Trusted Bank" after clicking on a link included in the phishing email. The fact that the attacker calls the victim's phone number would help him/her gain the victim's trust. HINT: "Phishers usually don't know your phone number!"
  • toll fraud attacks in which the victim calls one of those very expensive number that allow the bad guys to make good bucks by simply starting the conversation

I don't want to repeat myself, but please remember that from the victim point of view it looks like he is receiving a phone call but in fact he is making/paying for the phone call!

And finally the boring (but needed) testing details: tested on BT Home Hub firmware 6.2.6.B. Only customers using the BT Broadband Talk service are affected by this attack. Other firmware versions are likely to be affected as well, but we have not tested them.

Archived Comments

PopePope
hi, interesting post. btw, isn't the phone # in the poc from the vatican?
pdppdp
one way to protect against this type of attack is to be extra conscious about the type of calls you receive/make from your BT VoIP unit. It might be a good idea to consider using extensions such as NoScript if you are a Firefox user.
Adrian PastorAdrian Pastor
I'd like to repeat that although this attack is new, it's based on vulnerabilities we reported to BT several months ago (auth bypass and CSRF especifically). Such vulnerabilities should have been fixed by now. Instead, it appears that BT simply disabled remote assistance on the Home Hub after our first research was published back in October: http://www.gnucitizen.org/blog/bt-home-flub-pwnin-the-bt-home-hub
Therefore, there is nothing new to report to BT at this point. If BT had fixed all the Home Hub vulnerabilities we reported in the past, this call jacking attack would NOT be possible.
Therefore I consider BT's statement on http://www.networkworld.com/news/2008/012108-group-points-to-voip-flaw.html?page=2: Pastor's public disclosure of the flaw on the blog is highly irresponsible very inappropriate.
hackathologyhackathology
interesting post. But is 00390669893461 the voip phone number or the LAN line? How did you derive into that number?
phil_mcrackenphil_mcracken
If I blackholed the DNS for api.home on my local machine (and others on the network) in the HOSTS file, surely that would render this attack useless?
TimTim
BT have claimed this attack doesn't work with the firmware they have rolled out at the moment.
Ben TaskerBen Tasker
Either BT have now fixed it, or not all BT Home Hubs are vulnerable. Mine simply asks for the username and password, and then asks again when I hit cancel. The phone never rings afterwards, I do have BT BroadBand Talk and a BT Home Hub running Version 6.2.6.E
pdppdp
The rollout of the BT Home Hub firmware version 6.2.6.E started on 12 December 2007. It can take several weeks before all BT Home Hubs are upgraded to a new version of the firmware, so please be patient. BT Support & Advice
Adrian PastorAdrian Pastor
@hackathology - 00390669893461 is an international phone number located in the country whose code is 39 (vatican city in this case): http://www.countrycallingcodes.com/Reverse-Lookup.php?calling-code=39 @Tim - they prob. fixed it. We tested it on 6.2.6.B, which was the most udpated firmware we could get at time of testing without being part of FON. I believe that signing up for FON makes your Home Hub upgrade to a newer firmware? Correct me if I'm wrong. as pdp pointed out, firmware version 6.2.6.E can take several weeks to upgrade and it appears that many users are having problems receiving the new firmware.
goundoulfgoundoulf
The only way to prevent this with ISP gateways is... projects like http://www.neufbox4.org which aims at creating an alternative and entirely open firmware for the gateway ISPs usually break the GPL by using free software and not redistributing, and their gateways rely on security by obscurity. The customer is then dependent on the firmware upgrade from the ISP following the discovery of a vulnerability, and some times it can take ages before it is corrected. When the community is in charge of an alternative firmware, vulnerabilities are spotted earlier and corrected faster.
David KierznowskiDavid Kierznowski
Adrian's laugh is always comical :)
hackathologyhackathology
thanks Adrian.
AveeAvee
This is pretty useful for autodialing stuff from my laptop. Thanks!
Adrian PastorAdrian Pastor
@David - I guess there is something contagious about my laugh? hehehe @hackathology - you're welcome dude! @Avee - actually it'd be quite simple to setup a tool that allows you to dial phone numbers from your laptop with a simple HTML.
Adrian PastorAdrian Pastor
It looks like other home hub users who are also running firmware 6.2.6.B have confirmed our VoIP call jacking hack: http://www.digitalspy.co.uk/forums/showthread.php?t=735655&highlight=6.2.6.B
Test-GuruTest-Guru
I cannot believe this is true!