back to article BT cheerfully admits snooping on customer LANs

BT reserves, and makes use of, the right to remotely detect all devices connected to LANs owned by its broadband customers – for their own good, of course. BT Broadband customers can expect to have their network checked any time the operator feels it needs to take a peek to help it provide the service, or when the safety of …


This topic is closed for new posts.
  1. Reg Sim


    "we don't believe that consent is necessary where the testing is necessary to the service that we are providing" - you think they might of learned?, no!, well I was never holding my breath.

    1. penguin slapper


      There were no consequences to them for Phorm - so they certainly did learn the lesson.

      In April 2011 the CPS decided not to prosecute as this would not be in the public interest, as neither Phorm or BT had acted in bad faith and any penalty imposed would be nominal.

  2. nichomach

    Don't have IP Addresses? Don't they, by George?

    I've installed a few high speed Devolo powerline kits and the adapters most certainly DID get IP addresses, indeed you could manage them via web browser, if you felt an overpowering urge to do so. I assume the boxes in question under discussion here are thos Comtrend kits that were supplied by BT a while back; I have no direct knowledge of whether these are IP addressable or not, but certainly some manufacturers' PLT kit is.

    1. Ben Tasker

      Yeah they do

      The Comtrend ones also grab an IP for the benefit of the Web Interface.

      I also found they are incredibly easy to DDoS without using any real bandwidth yourself (3-8 min downtime from 1 request). Generally a crappy bit of kit, but definitely IP addressable

    2. teacake

      @Don't they, by George?

      I think the specific point would be that they don't have public IP addresses and have no presence on the internet, so could only be addressed via asking the BT router to do it.

      1. Anonymous Coward

        Yo dawg

        I herd you like security, so I put an firewall-enable-router behind your firewall-enabled-router so you can hide from teh internets while you hide from your ISP

        1. Benedict

          me titles

          memebase is over there ----->


          the same

          Actually, this is exactly what I did.

      2. nichomach

        Upvoted, but

        if that's what the author meant, that's what the author should have said?

    3. Graham Wilson

      It's time we had an open-source coop ISP

      It's time we had an open-source coop ISP whose policy forbids such practices.

      That we haven't already probably means that there's too many vested interests to let it happen. It seems that every entity--from various spook agencies, governments, government departments to advertising companies all want a piece of the action.

      That's probably why we've never had one--a single closed proprietary company is not only easier to deal with but also it's easier to secretly coerce.

  3. Anonymous Coward

    BT's behavior

    BT's behavior differs from Apples, exactly how?

    1. Sir Runcible Spoon


      "BT's behavior differs from Apples, exactly how?"


    2. SuccessCase

      The answer is simple: recording customer identifying information

      Apple sharpen their database of cell tower and Wi-Fi hotspots through crowd sourcing location data and have confirmed they retain no customer identifying data (such as IMEI or any other unique to the person data). They contend they have not ever and never will use the report back mechanism to keep or retrieve a log where the costumer has been traveling. Plus the data sent back is publicly broadcast data and so cannot be said to compromise privacy (though the cache of data stored on the phone for the purpose of allowing rapid triangulation of the users current location was a problem for anyone who's phone fell into malicious hands - and Apple have said they have fixed this weakness now). BT, on the other hand, are proving they have taken data about their customer's network kit and must be storing it against the customer record for at least as long as it has taken them to get the letters out (though as some commenters have pointed out their examination and reporting on your network may go no further than checking if the questionable power line kit has made a DHCP request of the Home Hub router). So there is a clear difference and an important line BT have crossed. Personally my concerns about Apple pale into insignificance when compared with the personally identifying data all ISP's and the mobile carriers retain. For ISP's a log of every network request (e.g. Including the actual http URL requests you make) and for mobile carriers, the same plus a detailed log of everywhere you have travelled, which can be cross referenced with the http requests made whilst on the move. And all that regardless of which checkboxes you may have ticked. Scary stuff.

  4. Pascal Monett Silver badge

    "we don't believe that consent is necessary"

    Welcome to the new corporate excuse.

    I hope a judge sets them right quickly.

    1. Anonymous John

      Not a new excuse.

      Remember Phorm?

  5. Frederic Bloggs

    Juicy new attack vector?

    And by admitting that the facility exists to scan networks behind "the firewall" (which everyone has carefully setup - right?) in one's router, you can bet that there are several blackhats now actively searching for a method to exploit it.

    Will people never learn?

    1. Tony-A


      Consider the possibility that the black hats have known all along and now the knowledge is not confined to just the black hats.

  6. Jonathon Green

    Title? We don' need no steenkin' title...

    "PLT devices don't have IP addresses..."

    You sure about this? I'm pretty sure my (BT supplied) Commtrend units have a web configuration interface accessed via an IP address...



  7. Anonymous Coward


    Next up of course will be the targetted advertising for life insurance cover, courtesy of Phorm PLC.

  8. MJI Silver badge

    Had the letter as well

    The new adaptors had already been sold as well after waiting a month.

    BT Vision box is on a ethernet lead to the hub

  9. fLaMePrOoF


    And we're supposed to believe that BT won't use this capability to gather commercial statistics from their customer base?

    After all, they do have previous phorm in this area...

    1. Asgard
      Big Brother

      @"After all, they do have previous phorm in this area"

      This kind of phorm spying is definitely increasing and its not just BT. I was shocked by the recent super injunction Barbra Streisand effect story, when one company stated that 12% of viewers of Twitter were new to viewing Twitter. So how did they do that, (were they helped by ISPs), but however they did it, it means they know who has viewed twitter (and what story) and that is more of this Phorm style spying.

      1. Ian McNee

        Simples: at any one time roughly 12% of the population are twats...

        ...and therefore at some point there is a very good chance that they will begin to use Twitter.

        Not that *THEY* aren't watching you...


  10. Sir Runcible Spoon


    Assuming at least some of these customers have changed their admin password - this kind of implies that they have a back-door in to the BT homehubs, yes? If that's the case then anyone using a BT homehub on another providers network is also vulnerable.

    I'd like to know for sure exactly how they obtained access to the local device in order to scan the LAN. I don't see how they would be able to do this if the customer had an adsl router/modem from another provider, but lack of detailed information doesn't mean they can't - those boys at Martlesham shouldn't be underestimated.

    1. Anonymous Coward
      Big Brother

      BT Home Hub

      I feel that this latest revelation confirms I was right to refrain from using the BT Home Hub they sent me a few years ago. I simply didn't trust BT. Even back then there was the worrying "feature" of the Home Hubs being automatically, remotely updateable by BT.

      I wouldn't be surprised if the next version of the BT Home Hub comes with a free telescreen.

      Come to think of it, is that what BT Vision is intended for? All they've got to do is include a free webcam for an exciting new videophone service...

    2. BristolBachelor Gold badge

      Provided ADSL kit

      I have an ADSL router provided by my ADSL provider (non UK). I changed the Admin password pretty quickly too (user: Admin, Pass:Admin !!) as well as setting up DDNS. Unfotunately it lasted less than a week, when the Admin password was reset and DDNS turned off.

      There is a setting in the router to disable the operator back-door, but obviously that option is greyed out....

      Personally I'd prefer to use my own, but since they won't tell you any settings for it, you can't get it to connect to their network.

      1. The First Dave


        So put your own router in between their router and your network - problem solved.

        1. BristolBachelor Gold badge

          @The First Dave

          "So put your own router in between their router and your network - problem solved."

          Unfortunately not. My problem isn't that they might snoop on me. My problem is that I have incoming services, and when they reset the router, it removes the settings for port forwarding (& DDNS which is needed for each time they change the IP address).

          I'm waiting for the Hylas broadband sat to become operational and see what my costs of SAT broadband would be...

      2. Ross 7

        Re: Provided ADSL kit

        BristolBatchelor - "There is a setting in the router to disable the operator back-door, but obviously that option is greyed out...."

        Depends how stupid the firmware writer has been. If they are particularly bad (and it's rather common) just use a half decent browser or a proxy that lets you modify inbound and outbound requests on the fly. Enable the option, submit it :)

      3. Anonymous Coward

        same thing goes on

        same sort thing goes on over here in blighty.

        I am on Be broadband, (in my opinion the best broadband provider I have ever had the pleasure to do business with) and with there own supplied router (a Thompson speedtouch,) it has its own back door enabled for the customer services team to access the router. they don't say they will scan your internal LAN or ask for your agreement too. but as the router remains their property I suppose they have the right to access it remotely. For the novice user I can see how this can be a really helpful feature when customer services can remotely re-configure the router to get them on line again but for me it was an unacceptable security risk.

        I plugged in my own router, and had a few problems configuring it, it took a little bit of goggling to find the required settings but it didn't take too long to get up and running for snooping ISP free surfing.

        the only problems are that if I have any connectivity issues until I plug in the speedtouch they will not go any further. that said, In the three years i have been with them now, I have not had one minute of loss of service, never had any problems with speed drops.. I run a web/email server myself, the missus and the daughter all use the connection and never have a problem over heavy use !!

        1. Anonymous Coward
          Thumb Up


          '....and with their own supplied router [...] has its own back door enabled for the customer services team to access the router.'

          Just to fill in a/c's blanks:

          * Be tell you it is there.

          * Be give you detailed instructions on how to turn it off.

          That said, you should probably use you own router anyway. Not for security concerns; it is just that the speedtouch is a humongous pile of shite.....

      4. A J Stiles


        In the UK, this would be illegal -- and it may also be illegal where you live. It comes under the heading of "criminal damage".

        Fortunately, you *can* repair it. Get the firmware for the "generic" version of your router from the manufacturer's website. Backup the configuration first (both ways -- save it and print out the web-based configurator pages), re-flash the firmware, restore the configuration you saved earlier and then disable all remote management now the option is there.

        1. Anonymous Coward

          bE box....

          "Get the firmware for the "generic" version of your router from the manufacturer's website."

          The problem with this is that when the ISP source the routers and have the custom firmware installed at the factory, they tend to give the router a different version number that is unique to the ISP. When you try to install the generic firmware it fails the version check.

          I spent a week or so trying to "jailbreak" the BE supplied router (just for giggles) and decided it was not worth the hassle and carried on using my own toys.

    3. Anonymous Coward


      I used to work BT Subsiduary Cellnet and had the joy of heading to Martlesham Heath, It is a fantastic place and the boffins there are certinly worthy of much, much praise.

      I do recal, back in the late 90's they were working on a working prototype of some 3D glasses, mounted to a Ericsson [now Sony Ericsson] branded Psion 5MX to remote diagnostics in tunnels. Hands free engineering down holes. And that was only what they would she the 'grunts' like me!!

      1. Stuart Gepp

        I used to work there

        What's the difference between BT Martlesham Heath and Jurassic Park?

        One is a futuristic theme park filled with dinosaurs and the other one is a film.

    4. Anonymous Coward
      Anonymous Coward

      A guess

      There's a setting for Remote Access buried within the hub. Not at home to check whether activating it is a one-time thing or if it times out, but may be related to that.

      I'll certainly be setting a port scan running later (long as the neighbours let me use their wireless!)

      I'm in a wind-up mood today so I've emailed BT to ask whether they mind me trying to access their Vision on Demand for free as it's 'necessary testing' to decide whether I want to pay for a film or not. Hoping the guy on the other end has a sense of humour or I'll be getting a knock on the door

    5. Peter Gathercole Silver badge

      No it doesn't

      PLT devices have discovery protocols (by what looks like a periodic broadcast) so they can see each other. Chances are they also use uPNP and are probably visible to the HomeHub. That's the beauty^H^H^H^H^H^H danger of uPNP.

      Even if they do not use uPNP, BT can probably make a reasonable guess about whether such devices are on the net by sampling the packets on the net, and looking at the first six octets of the MAC address that identified the vendor of the device.

      My PLTs are Intellon based, and come with a (Windows) utility that allows you to set the encryption key. Not only does the utility find the devices, but also can tell you how fast they are operating, so there must also be some other magic under the covers. I have a Linux utility in source, so I'll have a look at how it works.

      Still, I have a Linux based firewall (really, separate from any of the comms kit - Smoothwall as you ask) between my ADSL router and the rest of my network (yes, yes, I know that there is a risk that the PLT escapes onto the wider electricity network, but that's why I set my own key), but it means that my ISP cannot probe my network.

      1. Sir Runcible Spoon


        "by sampling the packets on the net, and looking at the first six octets of the MAC address"

        The MAC address doesn't leave the local link, so it* won't be visible in packets leaving the router towards the ISP**

        *They _will_ see the MAC address of the routers external interface of course, but not anything on the inside of the router.

        **unless you are running IPv6 and the MAC addresses is incorporated into the IPv6 address - and this still isn't the MAC address, it's an IPv6 address.

        MAC addresses are only visible within the broadcast domain it sits in (unless someone is has set up a transparent bridge or snooping interface)

        1. Peter Gathercole Silver badge

          @Sir Runcible Spoon

          But the BT HomeHub router is on the local network, and so a judicious bit of logging code in the router allows such things to be captured. Remember, a router may do much more than routing, especially if you (or in this case BT) has control of the firmware. I'm sorry for the icon, but I'm not the one being stupid here.

  11. Mark 65

    Which is why

    It's best to bring your own toys to the party - most of the ISP supplied hardware is shit, restricted, or both.

  12. Mike Hunt 1
    Black Helicopters

    BT - They're watching.....

    We ditched our BT Hub as, despite having the wireless switched off, was still offering itself to the ether for BT wireless customers.

    Then, to just remind us of their omni-presence, they injected a message into our system to appear on any browsers, reminding us that there was an outstanding bill that needed paying on our account.

    Thanks BT - anything else you need to tell us?

    If you can read this then it got through their filtering / censorship systems !!

    1. Anonymous Coward

      steaming great elephant ....

      Would this be the 'Pay us by direct debit or we bugger up your connection every three months' screen?

      The one they serve up ONCE to any device trying to get to the net (and in my case has been served to non computing devices)

      The one where they have helpfully blocked ALLL the options to get rid of bar a button that has been known to take hours to work?

      The one BT business deny exists?

  13. The Guv

    Purely speculation and quite poor journalism.

    BT take action to ensure customers are ok.

    BT send out replacement kit (nice move).

    BT check to see if new kit is used.

    BT write to some customers urging them to use new kit (I know this as I got a letter).

    El Reg posts speculative/negative story.

    Given that the Hubs have a remote management control system to deal with firmware updates etc - then BT would have a list of customers to check. It wouldn't make sense to scour the entire customer base - just those in the BT Vision customer base which at the time they sent out the old adapters was around the 200-300k level.

    I dare say if BT wanted to make checks they could but if it got out that they were snooping then the PR would be very bad. I think they learned their lesson after the hit they took for Phorm.

    When I read this I just thought it smacked of an easy target rather than someone investigating what was sent/what BT's policy is.

    1. Fuh Quit
      Thumb Down

      BT should allow the customer to reserve the right

      to electrocute themselves.

      Get orf my network!

      Actually, last time I had DSL, I double-NATted. It's the only way to fly!

      1. Anonymous Coward

        that should be...

        Ger orf my LAAAN

    2. Anonymous Coward

      Re: Purely speculation and quite poor journalism

      Agreed. And now expect the flood of downvotes from the tinfoil hat brigade...

      Lets not credit BT with too much ability here. I have a BT Hub, and I am using the new Powerline adapters, and yet I got the letter saying I'm not! So their amazing snooping system doesn't actually work, if it exists at all.

  14. the idiotuk

    Virgin Media too!

    To my surprise after upgrading to the 100mb service and having a few initial problems, they did a remote scan of my network. They told me the speed of the lan port of my pc and the speed of the wireless connection. I had just changed the router password so assumed it was secure from probing. I was so surprised I let this go at the time. Maybe I'll follow this up with them now.

    1. Anonymous Coward
      Anonymous Coward

      A long while ago...

      ...I was trying to send an email to somneone on an Australian ISP. The AU ISP unfortunately had signed up to some spam-prevention measure that had blocked Blue Yonder (now Virgin Media) because of the prevalence of open SMTP proxies on their network. So, I sent an email to Blue Yonder rather cheekily asking "so do I get a support ticket for this?"

      Oh hell yes I did. Priority one. Over 500,000 customers affected apparently. BY then set a machine to constantly scan everyone on popular SMTP proxy ports, with the upshot being that if you were running an open SMTP or web proxy you got booted off until you phoned them up and begged them to have your connection back. I would guess this is an ehanced form of the same thing?

      AC because I don't want to be besieged by irate geeks.

      1. Anomalous Cowherd Silver badge


        Enhanced form? Hell no, I wish more ISPs would do what Blue Yonder did, and I've no problem with someone remote port scanning my home network - black hats do it all the time.

        This one is different however - it's not a remote port scan (initiable by anyone) but somehow they've hopped over the router and scanned the internal network. That implies a back door, and *that* is a bad thing.

    2. The Fuzzy Wotnot

      One reason I will not upgrade from the 10MB on VM

      If you upgrade above 10MB you have to take their nasty little new locked box of tricks, modem cum router. I am happy with their modem at the front and my kit from there on in, two hacked Linksys routers running DD-WRT firmware. I know what's coming and going from my pipe thank you VM.

  15. Harry

    Windows Update

    "BT describes the process as being similar to that offered by Microsoft with Windows Update"

    Not very similar at all. Windows update is a recommended but *optional* facility. Microsoft cannot (or at least, does not) check or update windows components unless the user has *asked* for the service.

    1. M Gale


      ...Except for WGA, which as I understand it has been snuck onto people's computers under the guise of a "security update" at least once.

  16. Lee Dowling Silver badge


    Working somewhere that uses BT Business Broadband, I don't think we're at risk. The BT router went into "long-term storage" the second it arrived, for offering crap like free wifi to anyone who walks past, free pass to the BT engineers, etc. and yet no capability to simply forward all packets including DHCP.

    We had replacement modems on order before the boxes even arrived. Like to see them sniff past the modem that connects only to a Linux gateway that does actually, proper, firewalling, NAT and filtering.

    But this is just yet-another-reason not to trust BT equipment. What next? They team up with software companies to snoop your hard drive to see if you're infringing their licenses - all totally "legit" of course. Even speaking as someone whose job involves licensing compliance, that's just totally out of scope of the supply of a broadband line. My MAC addresses are personal, private information and uniquely identify particular items of kit that you have no business knowing. Try that on my networks and see how the lawsuit from my workplace reassures you. You forget that for every user that HAD the device, a thousand users who DIDN'T still had their networks snooped for it. That's not on, no matter how passive or well-intentioned the attempt was.

  17. Anonymous Coward

    TLDR: BT implies OFCOM works for them and the ICO is impotent.

    So no worry about pesky things like prosecutions.

    Nothing to see here.

  18. Deckchair


    Any 'backdoor' would only need to be a reporting agent they could query in the firmware. I doubt any serious IT organisation would have a system where they would have to actively connect to each router and query its device table.

    1. Anonymous Coward


      I know for a fact O2 do have backdoor accounts into their routers.

      If you google you can find the hidden username and password to get onto the O2 provided routers. This does not show in the web interface, and is not removable from there. I've confirmed this works with the one they supplied me. I managed to get ssh (or perhaps telnet, i forget) working to the device and removed that account. A few days later the router mysteriously reset itself to default settings, including the backdoor account.

      1. Anonymous Coward
        Thumb Up

        same with be...

        same network/routers as be....

        to steal someone else's comment, Bring your own toys to the party.

        When I was moving to BE, I bought a router from my old ISP to replace my ageing netgear kit as they offered discounted kit for existing customers. the BE box didn't even make it out the box !

        1. Demosthenese

          me 3

          My O2 router has never been taken out of the box. Suspicious lot aren't we.

      2. dssf

        FBI/CIA/MI-5/Mi-6/Marketing, et al?

        How much would you be willing to bet that this benefits MI-5 and MI-6? For years, I've been wondering just HOW the UK kept announcing the interception or foiling of a terrorist plot. Once in a while, even in the USA, there are announcements of foiled attempts at terrror.

        So, I imagine that a number of terrorists or drugs dealers or tax cheats, or whomevers never disconnected their Ethernet from the ISP device when working on files and simultaneously NOT surfing. I bet that (well, maybe $1 bet) MI-5/MI-6 and other unnamed organs either got these backdoors inserted, or they technically know how to abuse diagnostic tools ports. But, for such a door to reset means that SOMEbody has decided that users are not allowed to disable snooping. Apparently, SOMEbody deems that the risk fo blackhats, whitehats, and criminals is trivial compared to the national security mandate to be able to pierce someone else's firewall and wantonly, at-will trespass.

        This kind of attitude which -- I suspect exists in many tech-savvy governments -- is why when I once owned (paid monthly for) a home, before the drywall came up, I installed my own CAT 5 wiring. Since i knew where I wanted the hub, and where I would mainly work from in the home, I had the wire from downstairs connecting from the ISP route upstairs to my own 1 or 2 routers/switches so that I could disconnect the OUTSIDE while keeping my switched/firewalled computers still visible to each other. I also shunned (and still shun) Wi-Fi between my machines, even bluetooth. I only have a bluetooth mouse, but keyboard. Partly it is to avoid dealing with recycling dead batteries, and to guard against having possibly snoopy neighbors. I am not verse in power and signal travel, so it is possible my wired keyboard has poor shielding and leaks more than a bluetooth device might these days. When I sold the house, i informed the tech-savvy buyers of the exact wiring and routes i took and where spare drops could be placed. They loved it. I even gave them pictures of the house as it progressed in construction from dirt lot to finished home.

        Get yourself some bastion firewalls. Don't rely ONLY on the firewall of the computer you're using. Get a DEDICATED firewall.

        What bugs me is that my cell carrier is offering a wifi-only high speed, credit-card-sized mobile broadband modem that has no abilitiy to connect to my laptop via wire/usb. I don't want to spend time dealing with a firewall aimed at keeping others from trying to hack my wireless card if I am out and about in public. I don't yet know how manageable the device is or whether I have firewall features to control. Worries like this are, though, useful: I now surf vastly less in the past few months than I dd prior to paying more attention to these privacy threats and breaches.

        Too bad the ISPs and marketing forces value breaches over security. Their greed to know all feeds right into the hands of various government agencies and even to blackhats and script kiddies. So, it would be fitting if lots of people just got SCARED and simply curtailed their surfing so they could reduce risk to their machines... wait, won't happen. They're them, and I'm me... I don't NEED the net as much as THEY do. But, millions of people who become annoyed like I did could be a problem if we simply consume so much less broadband that we eventually dispose of it. As to those who cannot dispose of it altogether, we can change our CONSUMPTION habits to deprive any A$$holes who already planted jacks into our machines. I don't enable wireless from my machine, and I don't connect it unless something tantalizing is easier to view there than on my handheld.

        I WISH more consumers would WAKE THE HELL UP!

  19. ZimboKraut

    Firewall after router

    I have never trusted the plain router firewalls, and therefor have always added an additional firewall after the router.

    call me paranoid, but it seems, that my gutfeeling was right.

    OK, I don't use BT directly and I have cable redundancy, never the less, my experience shows, that you can never trust a provider supplied device, as they have proven over and over again, that you cannot trust them.

    Anyone who does, either doesn't seem to worry about their privacy (which is their right), or just doesn't have a clue.

    specially in todays day'n age where it is quite common to have a little home NAS or the likes (well actually even that should request credentials)

    Best regards from Finland

  20. Stuart Castle Silver badge

    I fail to see..

    I fail to see how it is any of BT's business exactly what their customers provide their own home networks through, be it Powerline, Ethenet cable, Wireless or even two cans and a bit of string..

  21. Mad Mike

    Download Away

    This is absolute gold dust to people. BT have effectively stated they can access your BT Home Hub (at minimum) to the extent that they can scan your (supposedly) secure LAN. So, download away anything you want. If someone accuses you of say, copyright theft, you simply say wasn't me and point the finger at BT support. They deny it and claim to have evidence it's you. Well, they would wouldn't they!! They are also in a position to subvert the logs etc. as well. So, BT can now never prove anything about what happens on your internet connection...........

    Seems like an open invitation to me. All those protecting their innocence after Operation Ore (and without incriminating evidence on their PCs) and using BT connections should start a case now methinks.

    1. dssf

      Download Away, Or Bait and Poison Away?

      Why not procure and deposit onto your OWN, segregated LAN a bunch of nasty virii, worms, and trojans that ONLY sit on THOSE machines. NEVER, of course, put them on your actual production machines or laptops, and keep them isolated from your other machines. Just leave them there as rat traps. They can be non-toxic sticky traps, or they might be corrosive, toxic traps. ANY A&HOLE who inisists on probing and lifting things from your LAN, from wires or air on YOUR side of the DEMARC/CPE (Customer Premises Equipment) DESERVES to be suffering a trashed machine or apparatus used in lifting from your property. Criminal or innocent, you never know who is trying to probe, plant into, or steal from your LAN, so since you are obligated to yourself to keep your gear clean, punish those (whomEVER they are) who are making you have to do all that extra work.

      i don't know if/whether it's legal, or just, but it can bring some personal feeling of JUSTICE.

  22. Steve Loughran

    How secure is the router login?

    One interesting question here: do all the routers have the same username & login, or different ones. If so, what is the password? That could be quite serious. If not the same, how is it generated after a firmware update and hard reset? It would have to be something predictable.

    1. airwaffle

      ...Or use your own router....

      My 'rents unfortunately use BT so have a wireless router sitting behind the BT supplied router for the simple reason I have never trusted BT and their 'remote access' to their supplied router.

      Scan / hack the second router at your peril BT because that's Computer Misuse!

  23. karl 15
    Big Brother


    Bloody NWO

  24. probedb

    How would this work?

    My dad got a letter and hasn't had them plugged in since he first got them years ago. Since then he's even changed routers. A MAC scan isn't going to help as they've never been plugged into the new router.

    I very much doubt this is how they knew to send the letters. They'll just know who had them when they sent them out surely?

  25. Anonymous Coward
    Paris Hilton

    E.T. ?

    Why are we all assuming then can inbound scan the network. Wouldn't it be more plausible that the kit was periodically phoning home to a base server at BT?

    Still dodgy, but less so than have a backdoor for inbound "scans" ...

  26. adnim

    Is this

    legal? Not that legality has had any bearing on their behaviour in the past.

    Bypassing a customer firewall to detect hardware on the LAN?

    If I attempted this on a commercial bank networking infrastructure, do you think the judge would dismiss the case because I was doing it "for the good" of the bank?

  27. Desktop Mobile
    Big Brother


    I use O2 & had an issue with the router syncing but no actual internet. Whilst talking to the helpful level 2 engineer I asked him why my wi-fi had just changed from channel 1 to 7 and he said he changed it as 7 was a better channel. I was gob-smacked!

    Having said that SKY freely admitted to being able to browse inside my router albeit I noticed I had to allow the router to respond to ping first.

    1. Anonymous Coward

      slightly worrying

      i find it slightly worrying that the engineer described channel 7 as a "better" channel. How can he possibly know that without scanning the local area for other wireless kit and detecting what channel they are all on?

  28. Anonymous Coward
    Anonymous Coward

    BT router

    I dumped their Thomson router and bought one of my own anyway, so they'd find themselves unable to connect to the open port they use on their own hubs.

    In fairness, had their supplied hub not given us 3 years of dropped connections and other woes, I'd probably still be letting them in.

  29. Anonymous Coward
    Big Brother

    Easy to detect

    They'd just need to park within a half mile of the BT Vision customer's house and 'tune in' on a radio to tell which version of their dreaded Comtrends is in use. Their signature screech is easy to hear over a wide frequency range and a wide area. Get any domestic portable with a shortwave band on it and try it.

  30. Anonymous Coward
    Anonymous Coward


    They are probably using TR69/CWMP to manage the homehub/router remotely.

    The BT routers will be checking in with the T69 server to determine if there are any management actions pending.

    So they don't login to the router as such but rather the router phones home and asks if there's anything BT want it to go and do/report on

    1. The Other Steve

      Indeed, and here is some more information on that

      "A soon to be released version of the PowerGrid DH-10PF Ethernet Adapter will also enable one of the main requirements of IPTV operators: a TR-069-compliant powerline adapter. These devices will allow operators to remotely manage every node installed in the network, perform firmware upgrades and access logged data among many other features. "Our service provider customers want to manage every node in the home network without modifying the home gateway or broadband router in any way. Every change made to a gateway or router could delay a deployment by several months, especially if the equipment has to be re-certified.", Harold Fitch stated. "

      (That's from 2008)

      And it was the DH-10P and DH-10PF models that were recalled. So at some point, these units have phoned into a Comtrend auto config server on BT's network, as described here :

      So it isn't necesarily the hub that's peeking into your LAN, but the comtrend PLT's that are phoning out.

      Then again, as the above poster says, most likely the hub is also TR069 compliant.

      Something that isn't mentioned in the wikipedia article on TR069 ( ), but is mentioned in the linked Comtrend document is the following :

      "At any time, CT-ACS can request that a CPE initiate a connection to the CT-ACS using the Connection Request notification mechanism. By using the Connection Request, Comtrend ACS can ask the CPE to reboot or restore CPE settings to the factory defaults. Comtrend ACS can also send Grouping Connection Requests to all of the CPEs that belong to a certain CPE Group."

      This is how BT update your HH firmware for example.

      Can it do other stuff ? Oh hell yeah.

      " For example, it can ask the CPE to ping an IP address or hostname and report the result of the ping test."

      And so on.

      So fuck yes, it's an issue, fuck yes, BT could be doing anything in your network that the the TR-069/CWMP setup allows them to do, and fuck yeah, we should be concerned.

      However, this is a general issue regarding TR-069 management, not just specifically BT. Although they are asshats.

      Any device that uses TR-069/CWMP does not belong to you unless you can switch it off. Any network you install such a device on, well, join the dots.


      PS. Note particularly in the above quote "Our service provider customers want to manage every node in the home network without modifying the home gateway or broadband router in any way"

      So just swapping out the hub is not going to solve the problem that your PLTs are ratting on you. I have never yet plugged my PLTs in. But I most certainly will be doing so now, into a machine with a network analyser running on it.

      Oh, and this could all be wrong, could be some other mechanism. Glad to hear from anyone who knows better.

  31. Phil Thompson

    Maybe they're using the PC not the router

    Lots of BT Broadband users blindly load the bloated CD of "desktop help", "remote support" and other tools onto their PCs - anyone checked the capabilities of that ? Getting it to update itself and phone home with results of a scan for powerline device MAC address or perhaps the client software for managing said devices is also installed and used in some way ?

    1. Refugee from Windows

      Avoided this

      Having sorted the setup for a friend, I had no need to install their software as it's not been necessary and I'm aware just what this can do to a system. Since changing the router, it's only had the odd dropout, and the instances of getting a free pint have dropped. Of course, remote access is disabled.

  32. Loyal Commenter Silver badge

    Not on BT, but TalkTalk

    However, I don't really trust them either, so the setup goes:

    Phone line -> ADSL modem/router -> CAT5 cable -> Wireless router

    The ADSL modem hands out an IP address to the wireless router, and the wireless router acts as a gateway, assigning IP numbers to any devices attaching to it, along with having the settings to only allow admin access from within the LAN, with things like telnet disabled. Long hard-to-guess passwords are set on both the modem and router. The ADSL modem/router supplied by the ISP sits in a box occupied by various pieces of obsolete tech that I haven't got around to taking apart for my own amusement yet.

  33. Lloyd

    Yeah, but who's going to stop them?

    The ICO? Good one, hahahahahahahahahahahahhaha.

  34. Gordon861

    Tried BT Router

    I messed with the free BT Router when I first got it due to it giving me a free second phone line. Got bored with that as I don't need two landlines and a mobile so stuck a decent third party router on there instead.

  35. Jim 59

    Port 161

    On the latest Home Hub, version 3, port 161 is always open and uncloseable. BT won't say why. Their inability to come up with an explanation is more troubling than the actual open port IMO:

    The main reason I am still on HH 1. Wonder what version was used in this instance.

    1. Sir Runcible Spoon


      ports 161 & 162 (udp usually) are used for SNMP traps/polling.

      SNMP can be used for anything from reporting certain MIBS (identifiers/parameters if you like) right up to full control of the device (including taking copies of the config and even reconfiguring it).

      It should not be open to the internet. It can be password protected, but as this is a BT hub we're talking about it's likely to be a generic one. This is a very big hole and not something I was previously aware of. Thanks for pointing it out.

      Get rid. Soonest.

      1. Jim 59


        I know what ports 161,162 are used for. Is well discussed in the indicated URL. No, my point was BT's reluctance to explain themselves and my concommitant relictance to get a HH3.

        Anybody on BT broadband out there - what would you recommend as a drop in replacement for the home hub ? All my PCs are Linux.

        1. Sir Runcible Spoon


          My bad, I didn't look at the URL.

          Personally I use Zyxel modems, but now I'm starting to seriously consider a Cisco 1841 with ADSL card. I'm getting fed up of not being able to interrogate my home network to the same degree that I can my work networks - my wife thinks I must be crap at my job when the home network has problems :)

          I also have a hand-off router/firewall to service my wi-fi requirements, the only connection my external router has to the internal network is a single wire. Assuming anyone gets access to the external router somehow they still have another hurdle to overcome, and it's steeper.

  36. umacf24
    Black Helicopters

    For Paranoid Nutters Only

    If you are the sort of tinfoil-hat loony who actually cares about this sort of thing, you should have a hardware firewall between your network and the BT-managed home hub.

    Like I do.

  37. Gert Selkobi
    Thumb Up

    Trust nobody

    Same as others have said, additional firewall in the mix. Virgin AmazingHub -> OpenBSD pf firewall -> WAP -> IPSec.

    Job's a good 'un.

  38. Anonymous Coward

    WHo's in control?

    Yep these nasty devices can even be programmed remotely (built-in back door) (and I suspect not just BT devices) so the user does not have the ultimate control other than to dump them. In theory, if required by 'the authorities', the notches could be changed so that all of the shortwave, VHF including DAB or FM could be rendered unreadable, making everyone dependent on rubbish spewed out by mainstream media TV. This could mean that radio hams would not be able to communicate independently or provide some immediate emergency cover, if such were needed.

    Could PLT mean total media control by interference? These devices are just another piece of kit which equates to another vulnerability for the user to be very wary of.

  39. Anonymous Coward


    If your ISP can remotely maintain the router they supplied, then it's obviously a potential back door into your LAN.

    To get around this just stick a second router behind it, running OpenWRT if you're really paranoid. If you use WiFi, put it on the second router for obvious reasons. Don't forget to VPN the WiFi connections - Your neighbours will certainly be devoting a lot of time to examining your spreadsheets, powerpoints, and other files of interest.

    Analysis of your bitstream will still give your ISP, and TFOLAO if it's a desperately slow week, a reasonable picture of what's behind the second router, excepting devices that don't interact with the Internet, so you should use one of those VPN/Tor anonymiser services - Some routers can be set up to always create a VPNed PPTP link to your chosen service, and rotate your IP and apparent location on a regular basis. Finally, you should get morbidly obese, grow a full beard, buy an iPhone (4 in white, of course), and sigh at it ostentatiously in Italian cafés whilst sweating like a barrel of pigs, to foil honey traps.

    You can't be too careful...

  40. Anteaus

    IPv6, anyone?

    Potentially much more of an issue when all internal devices have discrete public IP addresses. In that case it will be possible to track which IP address is putting-out a particular class of packet. And, a lot more besides. It may even lead to a scenario where certain ISPs limit the number or type of devices you are allowed to use on your internal LAN.

    Because of the automatic router discovery, I imagine it will also be much more difficult to prevent devices which have no right or business in connecting to the Internet from doing so.

    1. dssf

      Remember the time when the ISP limited the number of machines on a customer's LAN?

      They issued the disc which installed the connectivity software. I think that the software must've talked to each computer on the LAN, and some sort of limiter code would deprive the "extra" computers.

      I refused to install that SHIT on my machines. I argued with them over the phone that it was none of the Z*&)*())#@ business how many machins were ON MY LAN, behind the CPE, behind MY FIREWALL that was between me and them.

      Sadly, these companies hire stupid, lackey, or unintelligent people who toe the party line and refuse to offer ANY support. Sometimes, even they will refuse to simply ping your router (which they supplied) to help you verify whether or not the packet fails are inside your LAN when you suspect nothing's getting out. Sometimes, they're likely dropping your packets (intentionally or due to local area failure, such as excuse told to me "Oh, someone ran off the highway and the car crashed into a relay box..." ), and it becomes infuriatingly enraging when they INSIST on bullshit scripted stuff:

      ISP: Okay, now I need you to reboot your computer...

      Me: Say WHAT? I'm running Linux. I don't NEED to reboot to get my NIC to work.

      ISP: Oh, we don't support Linux

      Me: You don't NEED to - you just need to supply provision my/your router so MY router can talk to YOUR router.

      ISP: Well, I need to diagnose your machine...

      Me: YOU'RE NOT **GETTING INTO MY MACHINE**. You'll see traffic from your router when I get connectivity. All 8 of my machines could at one point individually see the Internet..

      ISP: We don't support 8 machines...

      Me: You DON'T NEED TO; I'm not simultaneously surfing with all 8.

      ISP: Well, I cannot troubleshoot computers except windows or Mac OS....

      Me: So, basically, you're screwing Linux users when you know they refuse to play with windows...

      And on and on andn on

  41. The Alpha Klutz

    not the only ISP?

    As I recall, my ISP, BE, with whom I am quite happy, do configure their supplied routers such that they can "dial in" and perform "tests". As I recall, there was even a flaw in the software that was exposed on this very site.

    I am not bothered because I use my own router. I even went as far as to choose the firmware it runs and in doing so I believe that I have accepted responsibility for any vulnerabilities in it. Well it's only fair.

    Of course, a BT customer who is not technically savvy has no way to know what BT is capable of doing through their router and there is certainly a case to be made for ISPs to be open about their policies with regards to remote administration of the supplied routers.

  42. Charlie 3

    I disagree with almost everyone!

    BT home broadband is a fully managed service. This means that I thoroughly expect them to detect and patch vulnerabilities in my BT supplied hardware. It is very clear that they have remote management capabilities to patch the firmware, so why are we attacking them for warning customers who are using dangerous BT supplied hardware using what is almost certainly a passive scan (the managed home hub is a DHCP server and a switch so it knows what's connected without any additional snooping).

    1. Jim 59


      Why would BT, in their shining innocence, be reluctant to answer customer questions ? If a big company is furtive, it is nearly always bad for you. If they were doing it for your benefit they would trumpet it from the rooftops.

    2. SoftFox

      Re: I disagree with almost everyone!

      But do you seriously expect it to stop at that ? This is BT remember who saw nothing illegal in Phorm until advised otherwise

      Its situations such as these that constantly erode privacy etc. The actual initial 'feature' is usually some innocent sounding benefit, then the next feature is added, then the next etc

      Mission Creep (in military terms) is the problem

  43. Anonymous Coward

    So BT has full access to my HomeHub?!

    The BT HomeHub's web console is supposedly protected by an Admin password which only I know (accessible internally only via, and this provides access to configure MY internal network which connect to it (via wireless or RJ45).

    What the hell are BT doing connecting to the Hub to checkout MY network?! More importantly, HOW are BT doing this.

    The internal connections to the Hub are my business - they are fuck all to do with BT.

    If I want to connect an IP addressable potato to my network, that's my business. BT can fuck right off!

    Any illusion of security on the HomeHub has been shattered, when BT can console onto it and read MY MAC addresses, MY IP leases, & scan MY network for attached devices - it's is a disgrace and an invasion of privacy.

  44. ezo

    Not pretending I know how this works but...

    Seeing as how the vision box runs some sloppy M$ carp and actively interacts with the vision platform perhaps the data comes from this device rather than the hub directly ?

    Ok back to slagging BT please.

  45. T J

    Your own router?

    You can't use your own router? Or does BT have some stupid clause insisting on using theirs?

    1. Sir Runcible Spoon


      Of course you can use your own router. Until the Phorm disaster that's exactly what I did - used a Zyxel.

      Just make sure you make a note of your username/password and channel details and you can set the link up with any ADSL router/modem.

  46. Head
    Thumb Down


    You know, if this happened ANYWHERE else in the world, the ISP would get class actioned within 5 seconds flat?

    Not because people are out to make easy money (well, some would be...) but because an ISP has no right what so ever to get past my router. What I do on my network is up to ME.

    And to keep things relevant in the UK, would this not be labeled 'hacking' by any chance?

  47. Steve Evans


    Having just got a Home Hub 3 last week, I can only envy the "victims" of this intrusion. The wall-wart of my HH3 threw so much RF down the ring mains that my previously reliable Zyxel powerline adapters refused to communicate!

    Unplug the HH3 power adapter and suddenly they can handshake and work again.

    Luckily 12v 1amp power adapters are pretty common in my house, so the BT supplied one was quickly consigned to the bin.

    1. Anonymous Coward
      Big Brother

      . . . . .powerline adapters refused to communicate . . . . .

      Well there's a prime example - it's only because other devices plugged into the mains comply with EMC regulations that powerline devices work - the whole idea of these regulations is that EM energy is kept to a minimum on mains wiring.

      No powerline devices pass the EN55022 standard which currently applies to the devices which by their very nature do inject EM energy onto mains wiring as they requires to do so to operate - sheer madness. In any event mains wiring was never intended for carrying EM energy .

      Consider this, the HPA consider it necessary to advise people not to sit next to walls with mains cable in them in view of the 50Hz EM field that radiates from the cables. This is without any other injected EM energy that may be radiating from the cables.

      Now have a look at

      '10 Modern Methods of Mind Control' particularly nos. 8 an 9 (


      'US Patent 6506148 – Nervous system manipulation by electromagnetic fields from monitors' (

      might be of interest also.

      The main magnetic field you should be aware of is your own body's as it is of importance to your health and well-being, Some people are more 'sensitive' than others but it affects each one of us to some degree or other

      Now that you know that not only remote scanning takes place but remote controlling, please do not let that spoil your 'High tech' lifestyle - just join the dots and be informed. This is not tin-hat territory this is self-awareness and self protection territory.

      Be careful out there. . .

  48. Tony Paulazzo

    Dear daily mail

    If'n you trust any corporate black hat you are a fool. Ain't no fool like an old fool. The fear of being watched is ...

    Sound of black helicopters fading gently into the night.

  49. Anonymous Coward
    Anonymous Coward

    "we don't believe that consent is necessary"

    Been there, done that, changed service providers. They never learn, do they?

  50. TheBully
    Big Brother

    BT Home Hub

    I have an old white BT home hub at home (only used as ADSL router) which has started to worry me since it now has sprouted a second IP address and a port scan shows that said IP is listening on Port 1723 which I find no mention of on the web based interface. Might swap it with something more generic.

  51. Anonymous Coward
    Thumb Up

    My favourite BT scheme the one they're (secretly?) trialing where they monitor any access you may be making to illegal download sites and, if a download is detected, intercept and redirect you to a preferred supplier where you can make a legal purchase of the illicit media.

    Fantastic service, sign me up!

  52. Matthew 3

    Implied consent?

    If all BT Broadband users were to write to BT clearly saying that they do not want or need their ADSL operator to use this facility surely it would change their position markedly?

    If you also mention that any implied consent is withdrawn with immediate effect then my (admittedly limited) legal knowledge suggests that they would have no possible defence.

    I think it could make for some very interesting future legal cases.

  53. Anonymous Coward

    Bt means.......

    Bunch of Tossers

  54. Dick Emery
    Thumb Down


    @ anyone using the crappy Homehub. It's the first thing I replaced when my father got Infinity.

  55. Anonymous Coward 99

    Bored now, move along

    I have had both models and NEVER plugged EITHER in. A quick check of the Comtrend website does say TR-069 is supported for the new model - so what it is being said is that the device HASN'T phoned home.

    In any case, we are talking about BT supplied equipment going through BT supplied equipment to say that a product recall has been correctly implemented by a BT customer. Would respondents be happier if the recall hadn't happened?

    If I have any issue, it is that they haven't matched up the bag I sent back for recyling - they could have known I was safe from there.

  56. Spanners Silver badge

    Tried BTInternet long ago

    Before I had a network at home, before broadband even, I used BT Internet for a while. I decided to stop using it when Zone Alarm blocked their servers from scanning my network every time I dialled up.

    They denied that they were doing it. I sent them log extracts.

    They denied it was them I pointed out the IP addresses on the extracts. Their own.

    They told me it was their mailservers trying to up date my email. I observed it wasn't mailservers doing it. I wasn't even running an email programme when I dialled up..

    They made even thinner excuses. I took my business elsewhere.

  57. Colin Millar

    What's all this second router crap?

    Do some people just like buying cable?

    If you have 1 trusted router and 1 untrusted router put the trusted router on your line and the untrusted router on ebay.

  58. Jean-Paul

    First thing I do...

    with any broadband provider is install my own router. Tried it twice in the past but the performance compared to my Fritz!Box is absolutely shocking, and now I've learned it has an additional benefit :-)

  59. Scarborough Dave

    All my BT Business Hubs

    Are still proudly in their shiny cellophane covered boxes!

    I asked for our BT business Broadband connections without ADSL modems ( I have a collection going back some years), however, the perplexed sales person at the other end said that I couldn't have the lines without the "free" BT Business hubs.

    So in the store box they went, just in case they ask for them back one day, or someone I know needs a replacement.

    I have never and would never use a proprietory ADSL modem, unless it had my own firewall behind it and NAT'ed; this is what I recommend to all my friends.

    I am though a little concerned about the implications with IPV6, might be an idea for the Reg to run an article on percieved IPV6 issues and concerns of fellow Reg forum members?

  60. Anonymous Coward

    O2 and automatic/remote firmware updates

    I can see a genuine reason for this stuff. Some^H^H^H^HMost lusers are clueless about settings/security/patches. But please don't run a firmware update during peak evening hours, in a manner that bricks the box when (not if, in my case) the line loses sync. It's a good job I had the necessary equipment to recover it, and my work phone to find the information.

  61. Anonymous Coward
    Anonymous Coward

    Don't choose BT

    For the majority, it's that simple.

  62. Anteaus


    Quite a few of these BT routers won't work with some Intel WiFi cards. Now, Intel is of course an obscure hardware manufacturer whose products few OEMs use, so that doesn't matter. Does it?

    As for IPv6, I just have the feeling that the major security issues have yet to be uncovered. Have already heard of an issue where Windows servers with fixed IPv6 addresses pull a second unauthorized address from any router they can see.

    A key concern is that with IPv6, ISPs could in principle go as far as to restrict the number of devices which can be connected to a BB router, or even to require that all devices are registered with them before they are granted Internet access. I don't say that will happen, but giving ISPs this capability perhaps isn't wise.

This topic is closed for new posts.

Other stories you might like