Feeds

UK's number one router open to VoIP hijacking

BT Home Hub pwned (again)

Build a business case: developing custom apps

Updated Principals of the ethical hacking outfit GNUCitizen say they have found a serious security bug in the BT Home Hub that could allow attackers to engage in identity theft and other types of fraud by hijacking calls routed over the internet.

The vulnerability allows an attacker to initiate VoIP calls on the user's machine. From the end user's perspective, it would appear that the victim is receiving the call from a falsified number that is specified by the attacker. Attackers on the other end could then coax account credentials or other sensitive information from the victim by impersonating a person from a bank, a stock brokerage or some other trusted organization where the call appears to be originating.

"We believe this is gonna be very hot in the VoIP fraud arena," Adrian Pastor, one of the hackers from GNUCitizen, wrote in an email.

BT's Home Hub is one of the UK's most popular home routers, so the report it is susceptible to call tampering is no trivial matter. What's more, the bug can be exploited even if the default password for BT Home Hub has been changed. All that's required for the attack to work is that a BT subscriber who uses VoIP be lured to a website that hosts some malicious code.

The vulnerability is related to a gaping backdoor Pastor and his colleague, Petko D. Petkov, found in October that left users wide open to eavesdropping, caller spoofing and other nasty attacks. A constellation of bugs in the router, which is made by Thomson/Alcatel, made it possible to bypass the device's password authentication system and gain complete administrative control. That in turn could have allowed attackers to steal a user's WPA key, listen in on VoIP calls, steal VoIP credentials or change DNS settings so users are silently redirected to fraudulent websites.

Rather than actually fix the bug that allowed attackers to by pass the router's authentication safeguards, BT simply disabled the Remote Assistance features that allow support professionals to gain administrative control over the device, according to Pastor and Petkov. The removal fixed the original vulnerability, but it did nothing to prevent VoIP hijacking, they say.

"Obviously BT wanted to downplay the whole topic and make it look like it's now safe and fixed," Pastor wrote to El Reg. "Because those 2 issues remain, now we have been able to come up with a new technique to steal VoIP calls."

A BT spokesman contacted outside of business hours in the UK said he was investigating the report, but had no immediate comment.

The VoIP hijacking is made possible by combining a cross-site request forgery bug - which allows the request to make a VoIP call to be forged - with an authentication bypass vulnerability, which allows the attack to skirt the router's password requirements.

Besides phishing attacks, VoIP hijacking could also force victims to call expensive phone numbers under the control of bad guys or open people up to a host of pranks.

The attack is possible on the BT Home Hub running firmware 6.2.6.B, and is likely on other versions. The GNUCitizen report is available here and proof-of-concept code is here. (Note to readers with sleeping housemates: This will cause vulnerable systems to launch a VoIP call.)

Of course, users should be careful not to visit suspicious sites, but given the current state of security, that's not always possible. Recent news reports are chock full of examples of responsible people being redirected to malicious destinations when browsing to trusted sites that have been infected with poisoned scripts and other parasites.

Until BT issues a patch, users can mitigate the risk by using the Firefox browser and the NoScript extension. ®

Update

BT sent us this statement: "There's no risk whatsoever of any 'VoIP hijacking' in relation to the Home Hub - we closed this theoretical exploit about three firmware upgrades ago and the purported exploit doesn't work on the latest version."

Secure remote control for conventional and virtual desktops

More from The Register

next story
UK fuzz want PINCODES on ALL mobile phones
Met Police calls for mandatory passwords on all new mobes
Canadian ISP Shaw falls over with 'routing' sickness
How sure are you of cloud computing now?
Don't call it throttling: Ericsson 'priority' tech gives users their own slice of spectrum
Actually it's a nifty trick - at least you'll pay for what you get
Three floats Jolla in Hong Kong: Says Sailfish is '3rd option'
Network throws hat into ring with Linux-powered handsets
Fifteen zero days found in hacker router comp romp
Four routers rooted in SOHOpelessly Broken challenge
New Sprint CEO says he will lower axe on staff – but prices come first
'Very disruptive' new rates to be revealed next week
PwC says US biz lagging in Internet of Things
Grass is greener in Asia, say the sensors
Ofcom sees RISE OF THE MACHINE-to-machine cell comms
Study spots 9% growth in IoT m2m mobile data connections
O2 vs Vodafone: Mobe firms grab for GCHQ, gov.uk security badge
No, the spooks love US best, say rival firms
Ancient pager tech SMS: It works, it's fab, but wow, get a load of that incoming SPAM
Networks' main issue: they don't know how it works, says expert
prev story

Whitepapers

Endpoint data privacy in the cloud is easier than you think
Innovations in encryption and storage resolve issues of data privacy and key requirements for companies to look for in a solution.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Solving today's distributed Big Data backup challenges
Enable IT efficiency and allow a firm to access and reuse corporate information for competitive advantage, ultimately changing business outcomes.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.