Kitz ADSL Broadband Information
adsl spacer  
Support this site
Home Broadband ISPs Tech Routers Wiki Forum
 
     
   Compare ISP   Rate your ISP
   Glossary   Glossary
 
Please login or register.

Login with username, password and session length
Advanced search  

News:

Pages: [1] 2

Author Topic: Attention BT HomeHub Users  (Read 20351 times)

guest

  • Guest
Attention BT HomeHub Users
« on: April 15, 2008, 04:01:48 PM »

The BT HomeHub in common with many ISP-supplied routers comes with the wireless security preconfigured. By that I mean there is a SSID and a WEP/WPA Key preconfigured in the router before it is shipped. There will usually be a sticker on the router with something like this on it :

Default SSID = BTHomeHub-8DF3
Default WEP/WPA Key = 06f48a28eb

Now neither the SSID or Key are chosen randomly or sequentially so the next router in the sequence wouldn't necessarily be BTHomeHub-8DF4 but it could be. Basically the ISPs use some sort of predictable algorithm to generate the Key and the SSID, both of which should hopefully be unique.

The only sensible way to generate the key is really from the router's serial number and that's what they generally do.

Now here's the bombshell.

The way that BT implemented this has a glaring vulnerability.

This means that you can take a default SSID like BTHomeHub-8DF3 and derive a list of possible keys from the SSID and a knowledge of the serial number structure (eg CP0647EH6DM(BF)). In the case of the BTHomeHub there would be 80 possible keys which would take very little time to try.

This is so important it is worth shouting :

IF YOU USE THE DEFAULT SSID/KEY IT MAKES NO DIFFERENCE WHETHER YOU USE WEP OR WPA! YOU ARE VULNERABLE

This isn't unique to BT - Orange in Spain use ST585v6 routers preconfigured to use WPA. A tool exists which will narrow the choice of keys down to two!

What should you do?

Simply change the SSID and WEP/WPA key to something else.

If you are using WEP then try using WPA instead as WEP is not secure.

More reading - http://www.gnucitizen.org/blog/default-key-algorithm-in-thomson-and-bt-home-hub-routers/
« Last Edit: April 15, 2008, 04:04:23 PM by rizla »
Logged

soms

  • Reg Member
  • ***
  • Posts: 537
Re: Attention BT HomeHub Users
« Reply #1 on: April 16, 2008, 01:18:48 PM »

Very interesting reading. Thanks for the heads up Rizla.

I downloaded the stkeys archive but it seems to contain program source code in the C langauge. Without going off topic, do you know anything about how I could compline the program to use it? I have downloaded Netbeans IDE C/C++ but am having trouble understanding it and also adding in a compiler which oddly is not included.
Logged

Floydoid

  • Addicted Kitizen
  • *****
  • Posts: 9635
  • Prog Rock Fan
Re: Attention BT HomeHub Users
« Reply #2 on: April 16, 2008, 01:23:10 PM »

Logged
"We're going to need a bigger swear jar."

soms

  • Reg Member
  • ***
  • Posts: 537
Re: Attention BT HomeHub Users
« Reply #3 on: April 16, 2008, 01:39:51 PM »

Soms, is this page of any use?

http://www.thefreecountry.com/compilers/cpp.shtml

Cheers Floydoid, looks hopeful. Will see what I can find ;)
Logged

Floydoid

  • Addicted Kitizen
  • *****
  • Posts: 9635
  • Prog Rock Fan
Re: Attention BT HomeHub Users
« Reply #4 on: April 16, 2008, 01:42:43 PM »

It looks like a site dedicated to C programming... but don't ask me, I did a level 2 NVQ in C+ back in '95 and don't remember much at all.

(I believe we were using good old 286 machines at the time.)
Logged
"We're going to need a bigger swear jar."

guest

  • Guest
Re: Attention BT HomeHub Users
« Reply #5 on: April 16, 2008, 04:05:57 PM »

In the stkeys.c file it actually tells you how to do this ;)

You'll need GCC for whatever platform you have - http://gcc.gnu.org/

Then compile the source :

gcc -fomit-frame-pointer -O3 -funroll-all-loops stkeys.c sha1.c -ostkeys

Then run it according to the instructions in stkeys.c
Logged

guest

  • Guest
Re: Attention BT HomeHub Users
« Reply #6 on: April 24, 2008, 10:01:29 AM »

TBB have now picked up on this - better late than never eh? :P
Logged

kitz

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 33879
  • Trinity: Most guys do.
    • http://www.kitz.co.uk
Re: Attention BT HomeHub Users
« Reply #7 on: April 24, 2008, 10:32:39 AM »

whoops I said the other day I was going to sticky a copy in the Hardware section - sorry forgot  :-[
Logged
Please do not PM me with queries for broadband help as I may not be able to respond.
-----
How to get your router line stats :: ADSL Exchange Checker

guest

  • Guest
Re: Attention BT HomeHub Users
« Reply #8 on: April 24, 2008, 10:44:58 AM »

Did you? I forgot too in that case :lol:
Logged

Azzaka

  • Reg Member
  • ***
  • Posts: 572
  • SysAdmin
    • A Designers Work in Progress
Re: Attention BT HomeHub Users
« Reply #9 on: April 24, 2008, 11:15:26 AM »

The new v7's do not have this vulnerability, however I don't know if the BT Home Hub will be upgraded to incorporate the new version.
Logged
I Sync', I Auth', therefore I am.
Online

kitz

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 33879
  • Trinity: Most guys do.
    • http://www.kitz.co.uk
Re: Attention BT HomeHub Users
« Reply #10 on: April 24, 2008, 11:34:13 AM »

>> Did you? I forgot too in that case

Yep - Just before we also talked about BTs new boss's challenge to OFCOM (which I also forgot to post till today)  :-[
Logged
Please do not PM me with queries for broadband help as I may not be able to respond.
-----
How to get your router line stats :: ADSL Exchange Checker

guest

  • Guest
Re: Attention BT HomeHub Users
« Reply #11 on: April 24, 2008, 03:39:47 PM »

The new v7's do not have this vulnerability, however I don't know if the BT Home Hub will be upgraded to incorporate the new version.

Just to make this clear to everyone that this isn't some sort of security problem inherent to a brand/version of router; this is a security problem with the way that the key and SSID have been generated. I rather suspect we'll find that the "Secure Easy Setup" button on Linksys kit operates in a similar way.

On reflection, using a key generated from something as easily predictable as a serial number is stunningly dumb. It is hard to believe that vulnerabilities such as these haven't already been widely exploited as its so trivially easy to do :(
Logged

J.Man

  • Reg Member
  • ***
  • Posts: 148
  • When PC's couldnt get any worse there came Vista
Re: Attention BT HomeHub Users
« Reply #12 on: April 28, 2008, 08:39:02 PM »

Hey Rizla im sorry it isnt too easy to change the password as if you do your HomeHub will revert back to the default pass and therefore dragging you back into the issue you pointed out but all I can honestly say is that if you do try to change the password dont make it obvious like say you support arsenal and your birthday is 12th of August for instance making your password something to do with those 2 could be pretty dimwitted. Another piece of advice is either downgrade to firmware 6.1.1.2 E i think it is or upgrade to 6.2.2.6 C
Logged

guest

  • Guest
Re: Attention BT HomeHub Users
« Reply #13 on: April 30, 2008, 09:19:08 AM »

That sounds a bit odd. I changed the SSID and key on our neighbours connection and that went OK.

The key isn't really the major problem, its the fact that the broadcast SSID and serial numbers can be used to yield that key with little difficulty.

Changing the SSID will minimise the risk but it won't eliminate it as you could still generate all possible keys for the router just from knowledge of the serial number structure. While there will be a LOT of keys to test it does mean that no encryption algorithm is safe if the printed key is used.
Logged

majika

  • Just arrived
  • *
  • Posts: 1
Re: Attention BT HomeHub Users
« Reply #14 on: August 17, 2013, 10:44:08 AM »

Quote
Changing the SSID will minimise the risk but it won't eliminate it as you could still generate all possible keys for the router just from knowledge of the serial number structure.

True
Quote
While there will be a LOT of keys to test it does mean that no encryption algorithm is safe if the printed key is used.
Agreed..

Also, just thinking back to simple brute-force based attacks its now kind of even easier to get into a Wireless network just like using Rainbow tables - pre generated Combinations - to break Windows SAM account files (or whatever) this kind of shows an example of what could be achieved.

Also with the distributed nature of cloud computing you are able to put to use the mass amount of CPU processing power to "crack" any kind of password/encryption protections:

A) If you have the inclination to do so.
B) Know what you are doing
C) Already have the basis of a protection scheme undermined by the CPE suppliers inefficient efforts to protect SSID by generating vulnerable keys

Regardless of even changing the SSID name or even the Protection keys or by changing the Encryption method (or all three)
To a certain extent most things can get cracked.. Only real protection from a determined attacker (like your nasty neighbour) is to change keys / protection schemes as often as practically possible.

Quote
In the stkeys.c file it actually tells you how to do this ;)
It's really no surprise really that issues such as this are so common.  just look at the file name stkeys.c  Ever heard about obfuscation  ??



Logged
Pages: [1] 2
 

anything