Dumping The Admin Password Of The BT Home Hub

So BT added a new security feature on the latest version of the BT Home Hub firmware (6.2.6.E at time of writing) which changes the default admin password from admin to the serial number of the router. From BT Support and Advice site:

Firmware 6.2.6.E introduces the following improvements: Change default Hub Manager access password from 'admin' to your unique Hub serial number"

When I first noticed this new feature I thought it was quite cool and definitely a good move from BT. This is why:

• It would make CSRF attacks launched by third-party sites much more difficult since the attacker wouldn't be able to predict the admin password of the Home Hub in the exploit code. An exception to this is the attacker combining a CSRF with a authentication bypass bug. In such case, knowing the admin password wouldn't be required. Another exception would be a CSRF attack which originates from the Home Hub itself via persistent XSS on a page on which the admin must be authenticated to view (i.e.: logs page). In such case, the admin password would NOT be required in the CSRF exploit code.
• Performing a password cracking attack would be less likely to be successful

As you can see, changing the default admin password to a value which is specific to each Home Hub would make password guessing/cracking attacks much harder. At least, this is usually the case. Well, it turns out that you can get the serial number of the Home Hub by simply sending a Multi Directory Access Protocol (MDAP) multicast request in the network where BT Home Hub is located. Yes, you must already be part of the LAN where the Home Hub is present, either via ethernet or via Wi-Fi. However, at GNUCITIZEN, we have demonstrated trivial ways to predict the WEP encryption key of the Home Hub if you know what you are doing. In summary, there are two ways to break into a BT Home Hub Wi-Fi network:

• arp replays injection plus weak IVs cracking. This attack is typically launched using airodump-ng + aireplay-ng + aircrack-ng (I highly recommend using Backtrack 2 plus the Alfa USB AWUS036S Wi-Fi adaptor for this attack)
• Predict the Home Hub's default WEP key by bruteforcing a list of potential candidates which are derived from the SSID (the SSID can be obtained by anyone of course)

The following is what a MDAP ANT-SEARCH request looks like. Such request would be sent to the multicast IP address 224.0.0.103 and port 3235 (UDP):

ANT-SEARCH MDAP/1.1
46

Which causes the BT Home Hub to respond with its serial number (`ANT-ID` parameter) among other information. i.e.:

REPLY-ANT-SEARCH MDAP/1.1
ANT-ID:0633EHPSL
ANT-NAME:SpeedTouch BTHH
ANT-MAC:00-14-7F-AA-BB-CC
ANT-HOSTSETUP:auto
TO-HOST:192.168.1.70:2317
TP-VERSION:2.0.0
MDAP-VERSION:1.2
43

The only difference between the ANT-ID parameter and the serial number of the Home Hub is that the serial number is prefixed with 'CP'. So in this example, the corresponding serial number - which is the default admin password - would be `CP0633EHPSL` (see the screenshot for more information)

Obviously, this is not a vulnerability within the MDAP protocol, but rather a design flaw introduced by BT with the new unique admin password feature. The assumption behind this insecure implementation is that the serial number can only be obtained by the legitimate owner of the router. As we have seen, this is _not_ the case! Nevertheless, there are some security issues inherited with the MDAP protocol which I will cover in a new post.

The following Python script dumps MDAP multicast requests:

[/files/2008/05/mdap-dump.py_.txt](/files/2008/05/mdap-dump.py_.txt)

And the following one sends the MDAP ANT-SEARCH requests which causes the Home Hub to return its serial number:

[/files/2008/05/mdap-send-ant-search.py_.txt](/files/2008/05/mdap-send-ant-search.py_.txt)

You have to run `mdap-send-ant-search.py` while `mdap-dump.py` is still running. i.e.:

pagvac@gnucitizen$ python mdap-dump.py& python mdap-send-ant-search.py

For some reason the scripts don't work under Python for Windows or even Python for Cygwin. It should work on GNU/Linux (I tried it on Backtrack 2).

Finally, I just wanted to thank Mark Livesey for brainstorming ideas with me which led me to explore the MDAP protocol further.

Archived Comments

Mark Livesey

Cheers mate. Is the MDAP proprietary Thomson like CLI? Could this protocol lead to a UDP attack? Anyway, it gets harder with each firmware revision so at least BT 2 million plus HomeHub users are eventually getting a secure product.

Stephen

Good work guys at finding another hole in the BT Home Sieve. I can confirm this works from the LAN on my BTHH v15.

Adrian 'pagvac' Pastor

@Mark: yes, MDAP is a Thomson proprietary protocol. I will talk more about it in a upcoming post. Getting harder? At this moment all BT Home Hubs can be turned into zombie routers via relaxed UPnP port-forwarding functionalities. All you need is to get a Home Hub user visit your evil page. Furthermore, there are about 3 million BT Home Hub Wi-Fi networks that can be broken into trivially. @Stephen: thanks a lot for testing this attack. We can now confirm that it works on the latest firmware for both the BT Home Hub v1 and v1.5. I'm assuming that you're running firmware version 6.2.6.E?

mohclips

I take it this is a wired attacked rather than a wireless one?

Adrian 'pagvac' Pastor

@mohclips: copied and pasted from this post: "Yes, you must already be part of the LAN where the Home Hub is present, either via ethernet or via Wi-Fi. However, at GNUCITIZEN, we have demonstrated trivial ways to predict the WEP encryption key of the Home Hub if you know what you are doing. In summary, there are two ways to break into a BT Home Hub Wi-Fi network: [snip]"

^o^

Amazing, may i ask how did you find this vulnerability? was it by sniffing?

Daily Telegraph

Your BT home hub pwning made the front page of today's Daily telegraph in the uk.

pdp

are you talking about this one?

pdp

obviously this is a marketing stunt initiated by the NCC group, omitting the voice of the real researchers as usual... and of course BT is just plain silly and their anti-crisis team does not know what they are doing. very amateur for BT I must say.

Adrian 'pagvac' Pastor

this is ridiculous, all the vulnerability research publicly-released affecting the BT Home Hub has been published on www.gnucitizen.org . The only Home Hub research published on other sources is related to _unlocking_ the Hub, rather than _breaking into it_. I can only hope that NCC did mention us in the original press release but the final Daily Telegraph article filtered our name out. Summary of vulnerability research published for the BT Home Hub here: http://en.wikipedia.org/wiki/BT_Home_Hub#Security_concerns

pdp

it is a NCC's marketing stunt (payed ad)! :)

Mark Livesey

This is ridiculous. It says about the software easily available for "bad guys" but not about it being easily available from BT themselves. Oh, and V1.5 is safer apparently.

Adrian 'pagvac' Pastor

@^o^: yes, you're right. the vulnerability was found by analyzing traffic.

Mark Livesey

Sorry, very true, the key to open the door so to speak.

djteller

This is indeed ridiculous, but it's nice to see that BT are aware, too bad the implementation was bad. I think that Home router vendors should disable deviced until proper installation when the device is purchased. Using a simple wizard the user will change his/her password to something other than 'admin' and that's it.

pdp

BT's statement is just ridiculous. Check this out:

BT disputed the claim, saying the risk was "theoretical" and that hackers would have to "win the computer cracking equivalent of the National Lottery" to succeed.

Right.... Cracking 40BIT WEP is exactly like winning the National Lottery.

Adrian 'pagvac' Pastor

After having observed BT's reaction to several Home Hub vulnerabilities published in the past, it's easy to notice BT's PR template. It kind of goes like this:

We do not believe any of our customers have been affected by this attack.

Such security research describes a theoretical attack.

In reality this translates to:

We are not aware of any attack performed in a _mass fashion_ which uses such vulnerabilities. Of course this doesn't mean such vulnerabilities have not been exploited in the wild. We know that most likely they *have* been exploited as they are practical. However, we don't want mainstream users (i.e: non-technical) to know this.

We want the public to think that such attack is not possible in real life, so they do not realize how bad the current state of the security of the Home Hub really is.

Stephen

To confirm from my post near the top - yes I'm on 6.2.6.E on a v1.5

joe

I'm running bthomehub-bb59 firmware version 6.2.6.E. where do i get the programs from to get it to work. will this work on windows xp or backtrack 3

Robbie

for those on windows an easy way id say is to download http://static.btopenworld.com/broadband/adhoc_pages/drivers/Windows_recovery_626E.zip when it asks you for a username and password you can see next to the box with the serial number next to it http://i30.tinypic.com/35l82a9.jpg and voila you have the password for the hub

Robbie

just looking for some reason the home hub im testing has 6.2.6H firmware . It's a new hub so i presume it must be 1.5 and its had fon opted in. any one else messed with this firmware?

Adrian 'pagvac' Pastor

@joe: the Python scripts we provided only seem to work in Linux (we tested them on backtrack 2 but should also work on bt3). If you just want to get the Hub's serial number prior to authenticating without using the MDAP protocol, then simply check 'OU' field of the SSL certificate as mentioned by Aaron on http://www.gnucitizen.org/blog/dumping-the-admin-password-of-the-bt-home-hub-pt-2/ You should be able to examine the Hub's SSL certificate by accessing: https://api.home/ or https://192.168.1.254

Craig

I'm attempting to run this on backtrack 3. I've run the scripts as you have said yet I get no feedback in Konsole.

bt ~# cd /tmp
bt tmp # python mdap-dump.py &
[1] 6763
bt tmp # python mdap-send-ant-search.py
ANT-SEARCH MDAP/1.1
46
bt tmp #

That is all I get. I'm connect as follows: Windows XP machine (192.168.1.164) > VMWare Bridge > backtrack 3 (192.168.1.78). Does this mean the network is secure?

Craig

No matter, I have used aaron's way of finding the SN by viewing the SSL certificate.

john smith

It worked on python for windows for me. The standard 2.6 installer. I just ran the dump script by double-clicking. Then ran the fetch script by double-clicking. It took a couple of tries for the fetch but worked in the end. Of course, that password is only the admin password until the owner visits the hub's homepage, whereupon they are required to set a new one immediately.

Adrian 'pagvac' Pastor

@john smith: cool, nice to see it worked on Win for u. :)

thomas smith

I can still confirm that bt homehubs are very insecure. I went to the router page and noticed that it shows you everyone who has logged on to your network going by computer name and mac address. My computer name kind of gives me away, so i looked at this for getting the admin password. I can confirm the python scripts do work on windows using the method john smith said, but also confirm Robbies method works as well, and is a lot easier to do. You now have to go here to download the scripts: http://lab.gnucitizen.org/projects/bt-home-hub-s-n-dumper the software version is now 6.2.6H and even though i got the unique ID, I cant log on using it (with CP in front) someone said it prompts you to change it straight away now? I think im stuck or is there anything i can do to get it now?

Jakey

Just go here and click on "Schedule your BT Home Hub upgrade" and you see your serial: http://pbteu.bt.motive.com/ElectiveFWUpgradePortal/ Simple!

Nagi

Hi guys, I decided to stop using bthh. So I bought a drytek 2820n router. I was trying to get it to work but failed. At some stage of router installation it asks me for a username and password for WAN1, which, it says, I should had been given by my ISP - BT. Now, I don't know where to get this details from? Any advice most appreciated.

Ross

Using BT 3 I get the following (mdap-dump.py is running)

python mdap-send-ant-search.py
File "mdap-send-ant-search.py", line 1

Ross

Please Ignore my previous post. Works perfectly on Winxp and BT3.

Homeseer

This is security through obscurity at it's finest. Gotta love the lottery comment - perhaps if each attempt was the equivalent to purchasing a ticket, but since there's zero cost to attempt it's not exactly a robust analogy.

Ash

Jakey haha thats just excelent, how did you figer that out lol

point

Iused three methods so far nothing good I tryed with recovery get serial but then i enter it i got wrong serial number then i use gdi i get 12 numberer and guy dont know what router is so it gonna be long waiting. anu suggestions