BT Home Hub encryption under fire
Ethical hackers from open-source research site GNUCitizen have claimed to have found a flaw in BT Home Hub router encryption.
Adrian Pastor, a security researcher who contributes to the GNUCitizen site, claimed he had been able to build a program that acts like a "rainbow table", or list of possible keys, to discover default BT Home Hub WEP encryption keys.
"In the case of the BT Home Hub in the UK, we can narrow down the number of possible keys to about 80," wrote Pastor in a blog post. "In order to avoid the brute-forcing computation time required by the 'stkeys' tool, I created 'BTHHkeygen' which looks up the possible keys for a given SSID [service set identifier] from a pre-generated 'SSID->keys' table. Think of it as a rainbow table for cracking the BT Home Hub's default WEP encryption key." WEP, which stands for "wired equivalent privacy", is an encryption algorithm used on wireless networks.
Pastor said his research was made possible by the work of independent security researcher Kevin Devine, who last September published a strategy to crack WEP algorithms by debugging router set-up wizards. Devine found that, for some ISPs, the router's serial number is used to derive both the default SSID and the default encryption key.
Pastor applied this research to BT Home Hub routers and found that, by systematically trying all the logical options — so-called "brute-forcing" — he could derive the unique code of each hub or SSID and the encryption key.
"Once the list of around 80 keys is obtained, the second step in the attack is to try each of them automatically, until the valid key is identified," Pastor continued. "For this purpose I created 'BTHHkeybf', which is a fancy wrapper around the 'iwconfig' Linux tool."
Pastor claimed he tested three different BT Home Hubs and that "the attack seems to work fine". BT Home Hub routers are made by Thompson.
The researcher recommended that BT customers switch from using WEP to using WPA (Wi-Fi protected access) encryption and change the default password.
BT admitted that there was a problem with the routers but said it didn't believe that any customers had been affected.
"It's important to realise that, although it has been possible to demonstrate a theoretical scenario where the hub may be vulnerable, we don't believe it is something that should affect the majority of BT customers in real life," said a BT spokesperson.
BT also recommended that customers change the default wireless key and the encryption type from WEP to WPA, but added that customers should change the administrator login password of the Hub Manager and leave the Hub switched on at all times, to receive firmware updates.
In January, BT denied GNUCitizen claims that users of BT's Home Hub routers could be conned into making premium-rate VoIP calls due to the continued existence of a security hole in the router's firmware.