
Author Topic: BT Home Hub 3.0 - Type B  (Read 206426 times)

zcutlip

  • Member
  • **
  • Posts: 33
Re: BT Home Hub 3.0 - Type B
« Reply #120 on: October 15, 2012, 08:46:10 PM »

Good news today.  I am able to crash one of the applications from asbokid's firmware dump and can control the CPU's instruction pointer (PC register in the embedded picture).  Currently I'm doing this in qemu, and have a fair amount of work in order to turn it into a working exploit, but this is an important step.



Zach

SecTSys

  • Member
  • **
  • Posts: 84
  • I only work with HTCPCP
    • Putney Computers Facebook page
Re: BT Home Hub 3.0 - Type B
« Reply #121 on: October 19, 2012, 12:50:02 PM »

wow ok - this sounds promising.
Visit the Live Gaming Website STSLG Website
Visit my YouTube gaming channel at STS Live Gaming

btsimonh

  • Member
  • **
  • Posts: 20
Re: BT Home Hub 3.0 - Type B
« Reply #122 on: October 21, 2012, 09:23:01 AM »

Quote
I know I haven't.  It's tricky since the device updates itself[1] from the mothership automatically and in the background.
Zach

[1] Or are updates pushed to it via TR-069 CPE management? Hard to say at this point.  I've messed around a bit with emulating BT infrastructure and proxying HTTP requests between BT[2] and the device to analyze the conversation, but I haven't gotten far into that just yet.

[2] A fun trick since I'm not in the UK and don't have BT service. ;-)

One thing I have done last year is to run the V3B in its fibre mode - here it talks PPP over IP to the second fibre router.
A V2B running OpenWRT can be the PPP server, and so can intercept all traffic on the IP link.
I read here http://punj-technology.blogspot.co.uk/2012/04/bt-homehub-v-3-open-ports-161-and-4567.html that there was an update to the firmware in Sept 2012, so if anyone has a non-updated unit, they may get one shot at seeing the URL it goes to for the update.  In this arrangement, I'd assume its TR-069 interface is inoperative, so if TR-069 is involved in the update, it's likely not to work :).

s

zcutlip

  • Member
  • **
  • Posts: 33
Re: BT Home Hub 3.0 - Type B
« Reply #123 on: November 02, 2012, 01:03:31 PM »

Hello,

It's been a while since I last posted, so I wanted to update everyone who is following this thread with what's been going on recently.

I should introduce myself more formally.  My name is Zachary Cutlip.  I work for a boutique computer security firm in the US called Tactical Network Solutions[1].  We specialize in vulnerability research and advanced exploitation targeting embedded devices such as WiFi routers and other network gear.  If you've heard of the Reaver WPS exploitation tool[2], that's us.  TNS has been super cool about allowing me to pursue this HomeHub 3.0 research as a sort of freelance project.

A couple of weeks ago I had a significant breakthrough by being able to crash one of the applications on the HH3b in a way that I believe to be exploitable.  Much to my surprise, this caught the attention of British Telecom, whose head of security contacted me directly at my work email address.  This is surprising because at TNS we've never before been contacted by a vendor regarding our research on their products.

In contacting us, BT is asking for priority access to my research (specifically the application crash I'm able to produce) prior to our releasing details publicly.  I think this reflects well on BT; to be frank, many vendors don't have much regard for their customers' security.  Clearly BT is apart from the norm in this way.

Currently we are trying to work out an arrangement with BT that will be equitable for them and for us.  We hope to provide BT with priority access to our research, and then to release public details some time later.  We think this seems fair.

For now, I won't be posting much here, if at all.  It would be inappropriate to disclose details publicly, before we've figured things out with BT.

In the meantime, be sure to follow us on Twitter (@tacnetsol, @zcutlip) and check out our website.

Happy hacking,
Zach

[1] http://www.tacnetsol.com
[2] http://hakshop.myshopify.com/products/reaver-pro
« Last Edit: November 02, 2012, 05:52:19 PM by zcutlip »

burakkucat

  • Respected
  • Senior Kitizen
  • *
  • Posts: 38300
  • Over the Rainbow Bridge
    • The ELRepo Project
Re: BT Home Hub 3.0 - Type B
« Reply #124 on: November 02, 2012, 08:53:00 PM »

Very interesting news, Zach. Thank you for taking the time to post this update.

As for reaver, yes I know it -- but not intimately well.  ;)
:cat:  100% Linux and, previously, Unix. Co-founder of the ELRepo Project.

Please consider making a donation to support the running of this site.

dmcdonnell

  • Member
  • **
  • Posts: 93
Re: BT Home Hub 3.0 - Type B
« Reply #125 on: November 02, 2012, 08:55:33 PM »

@Zach,

kudos to you for your efforts and your candor and to BT for their awareness of the situation.

BT claim to have 5 million broadband subscribers so there are a lot of BT Home Hub V3b devices out there. The UK telecoms market is open and vibrant. Subscribers change suppliers in response to market conditions, yet the BTHHV3B can only be used as the main modem/router with BT as the ISP. It cannot be configured, for example, as a secondary wireless access point with ethernet access to a main hub or as a wireless bridge.

As such, these devices are essentially junk when BT subscribers move to another ISP. You can only use it with BT, in a very limited way, and if you move from BT what do you do with it? Chuck it in the trash - more landfill is just what we need. While this device is listed on the BT website at a price of £99, is it any wonder they are available on eBay for a few quid?

There are many parts of the planet where schools, and the like, would love to have these devices running OpenWRT.

Just my 2c.

dmcdonnell

  • Member
  • **
  • Posts: 93
Re: BT Home Hub 3.0 - Type B
« Reply #126 on: November 09, 2012, 11:35:07 AM »

Zach Cutlip succeeded in his efforts to hack the BT Home Hub 3B, see http://www.psidoc.com/showthread.php/823-Bt-home-hub-3-type-B?p=4714&viewfull=1#post4714

His video is here:

Well done, Zach, take a bow  ;D

zcutlip

  • Member
  • **
  • Posts: 33
Re: BT Home Hub 3.0 - Type B
« Reply #127 on: November 09, 2012, 12:33:30 PM »

Quote
Well done, Zach, take a bow  ;D

Thanks. :-)

However, as I posted earlier, I can't share the exploit or the details of the vulnerability until we've figured out how to proceed with BT.  I hope that's soon, but until I've actually delivered something that helps people unlock their routers, I haven't earned any praise.

dmcdonnell

  • Member
  • **
  • Posts: 93
Re: BT Home Hub 3.0 - Type B
« Reply #128 on: November 09, 2012, 02:06:03 PM »

@zach

I hope TNS will not be bullied by BT. I have a BT HH 3B here in Ireland. It makes a great paper weight but is completely useless otherwise.

You get full credit for succeeding in your endeavours; I look forward to the publication of the exploit. I should be very interested in the rationale BT put forward when they ask that you not publish the details. It is difficult to see how the fact that the device can be unlocked/rooted threatens their customer base.

JonnyFive

  • Just arrived
  • *
  • Posts: 1
Re: BT Home Hub 3.0 - Type B
« Reply #129 on: November 13, 2012, 10:31:52 AM »

Feel the same as DMcConnell, don't let BT stop you from eventually publishing. So many fair use reasons for end users to have proper access to/use of hardware they own. For example I need to set a static ARP table entry so wake on LAN works from the WAN - can't do that with the Hub 3B because I only have access to the restrictive web front end :( I shouldn't have to buy a new router for this.

SecTSys

  • Member
  • **
  • Posts: 84
  • I only work with HTCPCP
    • Putney Computers Facebook page
Re: BT Home Hub 3.0 - Type B
« Reply #130 on: November 14, 2012, 03:44:49 AM »

hehehe - Nicely done, -

Quote
I can't share the exploit or the details of the vulnerability until we've figured out how to proceed with BT.

Don't the updated DMCA laws allow people to hack, patch, jailbreak and modify their equipment if it is for the purpose of securing equipment?

On those grounds alone you should be allowed to post the exploit...

Quote
   The information derived from the security testing is used primarily to promote the security of the owner or operator of a computer, computer system, or computer network; and
    The information derived from the security testing is used or maintained in a manner that does not facilitate copyright infringement or a violation of applicable law. (A new exemption in 2010.)

http://en.wikipedia.org/wiki/Digital_Millennium_Copyright_Act

And if I may say, now that an exploit has been found I think my network is a little more vulnerable and therefore wish to secure it, so the information you have shall be used for the purpose of securing my network and therefore you have a legal right to publish said exploit.


Visit the Live Gaming Website STSLG Website
Visit my YouTube gaming channel at STS Live Gaming

burakkucat

  • Respected
  • Senior Kitizen
  • *
  • Posts: 38300
  • Over the Rainbow Bridge
    • The ELRepo Project
Re: BT Home Hub 3.0 - Type B
« Reply #131 on: November 14, 2012, 04:45:46 AM »

Quote
Doesn't the updated DMCA Laws . . .

I fail to see what relevance any Uncle Sam legislation has on this English techno-cat!  :P
:cat:  100% Linux and, previously, Unix. Co-founder of the ELRepo Project.

Please consider making a donation to support the running of this site.

SecTSys

  • Member
  • **
  • Posts: 84
  • I only work with HTCPCP
    • Putney Computers Facebook page
Re: BT Home Hub 3.0 - Type B
« Reply #132 on: November 14, 2012, 06:38:09 PM »

Well, TNS is in the US so technically it is subject to US law!!!
Visit the Live Gaming Website STSLG Website
Visit my YouTube gaming channel at STS Live Gaming

snadge

  • Kitizen
  • ****
  • Posts: 1450
Re: BT Home Hub 3.0 - Type B
« Reply #133 on: November 15, 2012, 01:42:20 AM »

I wonder 'at what stage' it's at with BT and Zach; it's very likely they will be asking him/TNS to share the info with them and then refrain from sharing it with the world or be sued for millions... or something like that... until they can lock all current boxes via an update  :P

Everyone should go out and buy a HHv3B from eBay now lol... before they are updated and locked out!  8)
Aquiss - 900/110/16ms - TP-Link AR73

kitz

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 33914
  • Trinity: Most guys do.
    • http://www.kitz.co.uk
Re: BT Home Hub 3.0 - Type B
« Reply #134 on: November 15, 2012, 09:08:04 AM »

Quote
I wonder 'at what stage' it's at with BT and Zach; it's very likely they will be asking him/TNS to share the info with them and then refrain from sharing it with the world or be sued for millions... or something like that... until they can lock all current boxes via an update  :P

Everyone should go out and buy a HHv3B from eBay now lol... before they are updated and locked out!  8)

I'm not sure what to make of this/BT.   It's already been mentioned that being able to recycle these boxes could be environmentally friendly..  the number of routers that are binned due to a change of SP is ridiculous.

I've communicated with BT/Broadcom in the past on their BT Voyager routers on a couple of things such as multicast, and the BT staff were helpful and even provided me with info and commands that weren't previously available.

Yet it's strongly rumoured that it's BT who put pressure on Thomson to lock down the ST585 v7 and later releases of other ST firmwares to no longer be able to work with DMT, nor to be able to tweak SNRM and get certain useful stats out of the router.    It does seem to be their ethos these days to lock out so much useful data from people who have some understanding of what's going on, in order to prevent Joe Bloggs from accidentally upsetting their connection and then going blubbing back to BT demanding a new router.

Whilst I can understand that there will always be the odd numpty doing something that they don't understand, the benefits from communities such as this one, who use that information to be able to help their users, must surely cut down on the workload of their 1st line support.
Please do not PM me with queries for broadband help as I may not be able to respond.
-----
How to get your router line stats :: ADSL Exchange Checker