Go Back   The Scream! > ISP FORUMS > News
Reload this Page BT Adds Backdoor access to Latest Home Hub firmware.
Register FAQ Members List Calendar Search Today's Posts Mark Forums Read

 
 
Thread Tools Display Modes
Prev Previous Post   Next Post Next
  #1  
Old 04-February-2010, 21:57
PsiDOC PsiDOC is offline
Screamer
  
Join Date: Aug 2003
Location: The Far Side.....
Posts: 61
Default BT Adds Backdoor access to Latest Home Hub firmware.
BT Has added an open port and firewall rule that allows anyone with the correct rsa keyfile full access to the BT HomeHub settings and possibly more.

Affected Hardware : BT Home Hub Version 2.0a
Affected Firmware : 8.1.H.J

During my recent exploits unlocking the latest Home Hub 2.0A firmware - Version 8.1.H.J - I have some very worrying issues.

This line has been added to the firewall:
Code:
rule add chain=forward_custom name=BTAgent srcintf=wan dstintf=lan dstip=192.168.1.253 serv=BTAgent_dst state=enabled action=accept
What this line says is to accept all traffic from a port tagged "BTAgent_dst" and pass it from the WAN (internet) to network IP address 192.168.1.253, which is the secondary address of the router.
The port tag "BTAgent_dst" can be found in the expr.def file and is:
Code:
add name=BTAgent_dst type=serv proto=udp dstport=snmp
The UDP SNMP port is port 162.

Was this left there by accident? I think not. Please read on

Also in the firmware some extra files and directories have been added. These are a BTAgent executable, it' start script (btagentstart.sh), libtransport ,libplugins a secure key file for authentication and a few more bits and bobs. I am no linux expert so I have uploaded them here for those that know more than me can have a look and comment. I have however removed the rsa keyfile for security reasons.
What does worry me about this is the fact that the btagentstart.sh contains reference to a read / write directory what is that needed for? To upload plugins?

To summarise:
BT Have put a backdoor into firmware 8.1.H.J This port is permanently open and cannot be closed by the router user.
BT Are running extra files on the router called BTAgent which obviously recieves traffic from the backdoor above.
BT can access any router with this firmware version at any time through the above!
No one was any the wiser about this as BT kept it hidden from view.

I have queried this backdoor with BT on their community forum.
They admitted to it being there on the 1st post of this page and yet deny it's existance on the last post at the bottom. Then they locked the thread soon after. That being very suspect in itself.
Last edited by Memfis; 05-February-2010 at 00:35. Reason: Removed port number
Reply With Quote

 

Edit Tags
Tags
None

« Previous Thread | Next Thread »
Thread Tools
Display Modes
Threaded Mode Threaded Mode

Posting Rules
You may post new threads
You may post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Unlocking BT Home Hub V1.5 6.2.6.H FIRMWARE mulkman Hardware 1 17-December-2009 23:23
BT Home Hub V1.0 - Cannot access even after flashing firmware Gomog6 Hardware 0 23-February-2009 12:53
Home hub firmware update BLI and Magic Gate? moog Hardware 0 18-October-2007 16:16
lsass.exe Windows XP DigitalAlex General Software 17 12-August-2007 23:49
TiVo pitches DVRs as home network hub gem News 0 10-January-2003 17:52


All times are GMT +1. The time now is 02:29.

Contact Us - The Scream! - Privacy Statement - Top

Powered by vBulletin® Version 3.7.4
Copyright ©2000 - 2010, Jelsoft Enterprises Ltd.
Copyright ©1999-2009 The Scream!