Another vulnerability in the security settings of the BT Home Hub has apparently been discovered by Adrian Pastor, one half of the dynamic duo who first pointed out a hole in the Hub back in October ’07.
This particular problem is related to VoIP calls, and allows hackers to make calls on a victim’s machine, masking their identity with a false incoming call number. The hacker can change that number so that it resembles, say, the number of the victim’s bank, and then attempt to retrieve sensitive information.
Ultimately, this type of phishing attack relies on the hacker being able to trick the victim into giving up security details; by insisting that the caller forwards information to you in writing (which will happen, if the call genuinely is from the bank), you can guarantee not to get stung.
However, the implications of this bug are worse than just prank calls – the hole in the net allows hackers to bypass the router’s authentication system, potentially allowing access to DNS settings, so that victims can be directed to fraudulent websites.
BT deny any such risk existing, saying that they closed the loophole months ago: “There’s no risk whatsoever of any ‘VoIP hijacking’ in relation to the Home Hub - we closed this theoretical exploit about three firmware upgrades ago and the purported exploit doesn’t work on the latest version.”
If that is the case, then those who have not performed a firmware update on their Home Hub should do so at the earliest opportunity.