BT calms fears about BT Home Hub VoIP vulnerability

Manoj Solanki, Tuesday January 22, 2008 - 7:43 PM

Today it has been reported that a hacking outfit found a security flaw in the popular BT Home Hub router.

The security issue emerged from an experiment by ethical hacking website GNUCitizen. They set up a special webpage containing malicious code. When a user visits the page, the code connects to the Home Hub and starts a VoIP (Voice over IP) telephone connection to the recipient number set in the malicious code. The user would then appear to receive a call at home from the recipient number, when in fact the call is being made by the user to that number.

This type of vulnerability could be used in phishing attacks, where users are lured to a fake website, normally by a fake email which appears to be from a trusted organisation such as a bank. Upon accessing the fake website, the exploit would run and the user could receive a call from what looks like a valid phone number, which could then be used to get personal data from the user. Banks never contact their customers by email to ask them for this information.

GNUCitizen state that the attack will work even if the default admin password on the Home Hub has been changed. This is because the exploit relies on a separate vulnerability discovered by the website, which they said has not been fixed by BT.

A BT spokesman, however, issued a late statement to the Register stating: “There’s no risk whatsoever of any ‘VoIP hijacking’ in relation to the Home Hub – we closed this theoretical exploit about three firmware upgrades ago and the purported exploit doesn’t work on the latest version.”

The BT Home Hub is updated automatically, and BT’s latest firmware update started on 12th December 2007. It can take a few weeks to reach all BT Home Hubs, as stated at this BT security and support page.

