BT Home Hub SIP backdoor blunder blamed for VoIP fraud

Block and tackle

The router was a BT Home Hub 5A that was set to “Block all incoming connections”, although Harbridge then discovered that the kit did allow any incoming connection on port 5060 (the standard VOIP port).

"No matter how paranoid you make the firewall settings (and there aren’t many options in that respect) in the router, a BT Home Hub 5A will always allow unrestricted access to port 5060," Harbridge explained. "As I understand it, this is 'by design' and is done to make things easier for customers using the BT VoIP service."

"To make matters worse, the Home Hub will even go to the effort of doing the NAT for you until it finds a working SIP device to connect to," he added.

He explained that hackers successfully brute-forced a SIP test account in order to make calls after smuggling attack traffic through the BT Home Hub rig, giving a detailed account as follows:

The fraud originated from the US (Texas and Virginia). Several port scans revealed that port 5060 was open and responsive, despite the Home Hub having its settings set to deny all connections.

UPnP (Universal Plug and Play) was turned off in the settings of the Home Hub, but somehow this didn’t seem to bother the router which forwarded all requests on this port to the FreePBX system powering the phone service.

Quite how the router did this when UPnP was turned off and there were no settings to forward any ports or any DMZ settings is a mystery, but I suspect the router is set up to support a BT VoIP service with minimal fuss, and therefore anything to do with VOIP gets special treatment.

So, having found the FreePBX system [the hackers] began the long process of hammering away at it until a password and SIP account was found. The extensions all had strong 256-bit passwords.

Through the admin control panel of their Yealink desk phones I was able to see the passwords and initially I was thinking 'No way in hell did they break that password'. I mean these things used the full ASCII range of characters not just letters and numbers.

However, the original engineer had clearly missed a testing account that should have been removed after setup and it had a weaker password (though I wouldn’t have called it insecure by any means) and the attackers had managed to crack that.

As soon as they did so, they placed a few international calls. Not a great many, the system's own auditing system caught the calls a few seconds before BT and Sipfone’s automated systems terminated the trunks. The call charges were in the region of about £90.

I believe the client is also awaiting a response from BT regarding information that [appears to show] that the Home Hub just allowed the attackers to walk in, even when due diligence had been applied in making sure the settings were correct in the control panel of the router.

BT's fraud prevention team informed Keith's client that all charges would remain valid since it was not BT’s fault that fraud had occurred on customers' equipment.

Harbridge strongly disagreed. "If a firewall tells me it is blocking all incoming connections, I reasonably expect it to block 'All' incoming connections, not 'All incoming connections with the exception of port 5060 because we need that one open for our own use, thanks'."

The latest issue involves shortcomings in the firewall built into the BT Home Hub device and is unrelated to a hacking vulnerability discovered by GNUCITIZEN back in 2007 or several flaws since (examples here and here).