#1
BT has added an open port and firewall rule that allows anyone with the correct RSA keyfile full access to the BT HomeHub settings and possibly more.

Affected Hardware: BT Home Hub Version 2.0a
Affected Firmware: 8.1.H.J

During my recent exploits unlocking the latest Home Hub 2.0A firmware - Version 8.1.H.J - I have some very worrying issues. This line has been added to the firewall:

Code:
rule add chain=forward_custom name=BTAgent srcintf=wan dstintf=lan dstip=192.168.1.253 serv=BTAgent_dst state=enabled action=accept

The port tag "BTAgent_dst" can be found in the expr.def file and is:

Code:
add name=BTAgent_dst type=serv proto=udp dstport=snmp

Was this left there by accident? I think not. Please read on.

Also in the firmware some extra files and directories have been added. These are a BTAgent executable, its start script (btagentstart.sh), libtransport, libplugins, a secure key file for authentication and a few more bits and bobs. I am no Linux expert, so I have uploaded them here so those that know more than me can have a look and comment. I have however removed the RSA keyfile for security reasons.

What does worry me about this is the fact that the btagentstart.sh contains reference to a read / write directory. What is that needed for? To upload plugins?

To summarise:
BT have put a backdoor into firmware 8.1.H.J.
This port is permanently open and cannot be closed by the router user.
BT are running extra files on the router called BTAgent which obviously receives traffic from the backdoor above.
BT can access any router with this firmware version at any time through the above!
No one was any the wiser about this as BT kept it hidden from view.

I have queried this backdoor with BT on their community forum. They admitted to it being there on the 1st post of this page and yet deny its existence on the last post at the bottom. Then they locked the thread soon after. That being very suspect in itself.

Last edited by Memfis; 05-February-2010 at 00:35. Reason: Removed port number
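
Added example, not part of the original posts and not BT's code: a Python check that reads firewall lines in the key=value syntax quoted in post #1, resolves each serv= name through expr.def-style definitions, and lists the enabled rules that accept WAN-to-LAN traffic. The LanOut and OldMgmt rules, the state=disabled value and the reading of a missing serv= as "any" are assumptions made for the illustration.

```python
# Constructed input: the BTAgent rule and the expr.def line are the ones quoted
# in post #1; the LanOut and OldMgmt rules are made up for contrast.
RULES = """\
rule add chain=forward_custom name=BTAgent srcintf=wan dstintf=lan dstip=192.168.1.253 serv=BTAgent_dst state=enabled action=accept
rule add chain=forward_custom name=LanOut srcintf=lan dstintf=wan state=enabled action=accept
rule add chain=forward_custom name=OldMgmt srcintf=wan dstintf=lan serv=Mgmt_dst state=disabled action=accept
"""
EXPR_DEF = """\
add name=BTAgent_dst type=serv proto=udp dstport=snmp
"""
UNRESOLVED = {"proto": "unresolved", "dstport": "unresolved"}


def parse_fields(line):
    """Return the key=value tokens of one config line as a dict."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


def load_services(expr_def):
    """Map each type=serv expression name to its fields."""
    services = {}
    for line in expr_def.splitlines():
        fields = parse_fields(line)
        if fields.get("type") == "serv" and "name" in fields:
            services[fields["name"]] = fields
    return services


def inbound_accepts(rules, expr_def):
    """List enabled rules that accept traffic from the WAN side to the LAN side."""
    services = load_services(expr_def)
    findings = []
    for line in rules.splitlines():
        r = parse_fields(line)
        inbound = (r.get("srcintf"), r.get("dstintf")) == ("wan", "lan")
        active = r.get("action") == "accept" and r.get("state") == "enabled"
        if not (line.startswith("rule add") and inbound and active):
            continue
        if "serv" not in r:
            serv = {}  # assumption: no serv= means the rule matches any service
        else:
            # A name missing from expr.def is reported rather than silently dropped.
            serv = services.get(r["serv"], UNRESOLVED)
        findings.append({"rule": r.get("name"), "dstip": r.get("dstip", "any"),
                         "proto": serv.get("proto", "any"),
                         "dstport": serv.get("dstport", "any")})
    return findings


if __name__ == "__main__":
    for finding in inbound_accepts(RULES, EXPR_DEF):
        print(finding)
```
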
#2
BT has the ability to remotely manage some of its business products.
Sounds like they have added similar functions to the homehub. And obviously SNMP was how we managed (monitored and configured) all network devices before we had nice web interfaces. You may be concerned that BT could manage or that some third party could gain access to your device/network. BT can already see what's on the WAN side (Phorm trial) but you could be concerned that they have an agent sitting on your LAN boundary.
#3
Also, unless I missed it in the text, having the RSA key file off of the router does not have to mean you can use that key file to gain entry to other routers.
I do not know enough about the system they are using but common sense would suggest they would be doing something to lock it down to just them (i.e. regardless of if the RSA key file was made public) - I could be wrong but that is my current feeling.
#4
I would assume it is the public key of a client authentication. The private part is kept (secret) by BT to prove who they are and then only they can connect?
Similar to server SSL where everyone can know the server's public key, but only the server can encode using the server key, so the server authenticates itself. At least that is how these things are supposed to work. Releasing a public key has no security problems, the secret is the private key.
#5
Quote:
I would assume it is the public key of a client authentication. The private part is kept (secret) by BT to prove who they are and then only they can connect?

So is homehub 2.0 type A 8.1.H.J firmware hackable via software or not?
#6
Hi,
Does anyone have any information regarding Ofcom and PPP's failure to regulate the Premium Rate Phone Industry? I am the person who blew the whistle from within the ITN Building that led to the fraud squad raid. There had been more than one of us reporting the fraud to Ofcom and PPP during the previous year. Did anyone ever complain about BGTV to the regulators? Has anyone written to the Parliamentary Ombudsman? I need this information re an unresolved £200 million fraud on the public by the regulators. My evidence to Parliament is at http://www.parliament.the-stationery.../72/72we22.htm