UPDATED: The BT Home Hub's serial number, which is the default admin password, can also be found in UPnP description XML files. Note that no password is required to access such files, as they are used for UPnP (authentication-less) operations. Note: UPnP is enabled by default on the BT Home Hub.

More information can be found at:
http://www.gnucitizen.org/blog/dumping-the-admin-password-of-the-bt-home-hub-pt-2/

On Wed, May 21, 2008 at 10:43 PM, Adrian Pastor <ap@xxxxxxxxxxxxxx> wrote:
> http://www.gnucitizen.org/blog/dumping-the-admin-password-of-the-bt-home-hub/
>
> We're back with more security attacks against the BT Home Hub (most
> popular wireless DSL router in the UK)!
>
> BT added a new security feature on the latest version [1] of the BT
> Home Hub firmware (6.2.6.E at time of writing) which changes the
> default admin password from 'admin' to the serial number of the
> router. From the BT Support and Advice [2] site:
>
> "Firmware 6.2.6.E introduces the following improvements: Change
> default Hub Manager access password from 'admin' to your unique Hub
> serial number"
>
> Well, it turns out that you can get the serial number of the Home Hub
> by simply sending a Multi Directory Access Protocol (MDAP) multicast
> request in the network where the BT Home Hub is located. Yes, you must
> already be part of the LAN where the Home Hub is present, either via
> Ethernet or via Wi-Fi. However, at GNUCITIZEN, we have demonstrated
> [3] trivial ways to predict the WEP encryption key of the Home Hub if
> you know what you are doing.
>
> In summary, there are two ways to break into a BT Home Hub Wi-Fi network:
>
> - ARP replay injection plus weak IV cracking. This attack is
>   typically launched using airodump-ng + aireplay-ng + aircrack-ng (I
>   highly recommend using Backtrack 2 plus the Alfa USB AWUS036S Wi-Fi
>   adaptor for this attack)
> - Predict the Home Hub's default WEP key by brute-forcing a list of
>   potential candidates which are derived from the SSID (the SSID can be
>   obtained by anyone, of course)
>
> As promised at CONFidence [4], we're releasing the full details
> including PoC scripts:
> http://www.gnucitizen.org/blog/dumping-the-admin-password-of-the-bt-home-hub/
>
> In summary, there are currently about 3 million BT Home Hub routers in
> the UK whose default WEP key AND admin password can be easily
> predicted.
>
>
> ABOUT GNUCITIZEN
>
> GNUCITIZEN is a Cutting Edge, Ethical Hacker Outfit, Information Think
> Tank, which primarily deals with all aspects of the art of hacking.
> Our work has been featured in established magazines and information
> portals, such as Wired, Eweek, The Register, PC Week, IDG, BBC and
> many others. The members of the GNUCITIZEN group are well known and
> well established experts in the Information Security, Black Public
> Relations (PR) Industries and Hacker Circles with widely recognized
> experience in the government and corporate sectors and the open source
> community.
>
>
> REFERENCES
>
> [1] "What is the latest version of BT Home Hub firmware?"
> http://snipurl.com/29w9o
>
> [2] "What changes are included in the latest BT Home Hub firmware?"
> http://snipurl.com/29oo4
>
> [3] "Default key algorithm in Thomson and BT Home Hub routers"
> http://www.gnucitizen.org/blog/default-key-algorithm-in-thomson-and-bt-home-hub-routers/
>
> [4] "Cracking into embedded devices and beyond! - CONFidence, Krakow 2008"
> http://www.gnucitizen.org/projects/confidence-2008/Cracking%20into%20embedded%20devices%20-%20CONFidence%202K8.pdf
>
> --
> Adrian 'pagvac' Pastor | Security Consultant and White Hat Hacker | GNUCITIZEN
> gnucitizen.com
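The UPDATED note above says the Home Hub serves its serial number, which is also the default admin password, in UPnP description XML that any LAN client can read without authenticating. The script below is an added example for this post, not GNUCITIZEN's PoC: it audits a UPnP device description document you already hold (for instance, one saved from your own gateway) and reports which identity fields it discloses, so an administrator can judge whether UPnP should be switched off or the admin password moved away from the serial number. The XML is constructed for the demonstration with placeholder values; the element names (`device`, `serialNumber`, `UDN`, `presentationURL`) are the standard UPnP Device Architecture 1.0 ones, and the severity ratings are this example's own choice.

```python
"""Audit a UPnP device description document for identity fields that an
unauthenticated LAN client could read.

Added example, not the original post's code. It parses a description
document offline; it performs no discovery and sends nothing on the network.
"""
import xml.etree.ElementTree as ET

UPNP_NS = "urn:schemas-upnp-org:device-1-0"

# Child elements of <device> that identify a specific unit. serialNumber is
# the one the post is about; the rest also fingerprint the device and are
# served with the same lack of authentication.
IDENTITY_FIELDS = ("serialNumber", "UDN", "modelNumber", "friendlyName", "presentationURL")

# Constructed sample document (not captured from a real device); the serial
# and UDN are placeholders.
SAMPLE_DESCRIPTION = f"""<?xml version="1.0"?>
<root xmlns="{UPNP_NS}">
  <specVersion><major>1</major><minor>0</minor></specVersion>
  <device>
    <deviceType>urn:schemas-upnp-org:device:InternetGatewayDevice:1</deviceType>
    <friendlyName>Example Home Gateway</friendlyName>
    <manufacturer>ExampleVendor</manufacturer>
    <modelNumber>EXAMPLE-1</modelNumber>
    <serialNumber>SERIAL-PLACEHOLDER-0000</serialNumber>
    <UDN>uuid:00000000-0000-0000-0000-000000000000</UDN>
    <presentationURL>http://192.168.1.254/</presentationURL>
  </device>
</root>
"""


def _local(tag):
    """Strip an XML namespace prefix: '{ns}serialNumber' -> 'serialNumber'."""
    return tag.rsplit("}", 1)[-1]


def extract_identity_fields(xml_text):
    """Return {field: value} for every identity field found directly under
    any <device> element, embedded devices included. Matching is done on the
    local element name so documents that omit the UPnP namespace still work.
    The first occurrence of each field wins (the root device comes first)."""
    root = ET.fromstring(xml_text)
    found = {}
    for elem in root.iter():
        if _local(elem.tag) != "device":
            continue
        for child in elem:
            name = _local(child.tag)
            if name in IDENTITY_FIELDS and child.text and child.text.strip():
                found.setdefault(name, child.text.strip())
    return found


def audit(xml_text):
    """Return a list of (severity, message) findings.

    A disclosed serial number is rated 'high' because, as the post reports
    for the BT Home Hub, it can double as the default admin password. The
    other identity fields are reported as 'info' so the operator can see the
    full device fingerprint exposed to unauthenticated LAN clients.
    """
    fields = extract_identity_fields(xml_text)
    findings = []
    if "serialNumber" in fields:
        findings.append(("high",
                         "serialNumber disclosed without authentication; if the "
                         "admin password defaults to the serial, change it and "
                         "consider disabling UPnP"))
    for name in IDENTITY_FIELDS:
        if name != "serialNumber" and name in fields:
            findings.append(("info", f"{name} disclosed: {fields[name]}"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(SAMPLE_DESCRIPTION):
        print(f"[{severity}] {message}")
```

Run it against a saved description document by replacing `SAMPLE_DESCRIPTION` with the file's contents; a `high` finding means the device is publishing its serial to anyone on the LAN, which is exactly the condition the update describes.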