BT denies routers still vulnerable to months-old hack

An 'ethical hacking outfit' that exposed security flaws in BT's Home Hub routers last year claims it can hijack VoIP calls through the same hole — a claim denied by BT

BT has denied claims made by an "ethical hacker outfit" that the telecommunication company's wireless routers are vulnerable to hijacking by fraudsters.

The hackers, who call their organisation GNUCitizen, posted a blog on Monday that claimed users of BT's Home Hub routers could be conned into making premium-rate VoIP calls, due to the continued existence of a security hole in the router's firmware.

"In summary, if the victim visits our evil proof-of-concept web page, his/her browser sends a HTTP request to the BT Home Hub's web interface," read the post. "After this, the Home Hub starts a VoIP/telephone connection to the recipient's phone number specified in the exploit page. This is what the attack looks like: the victim's VoIP telephone starts ringing and shows an external call message on the LCD screen along with the recipient's phone number. However, what's interesting is that, from the point of view of the victim, it looks like he/she is receiving a phone call from the number shown on the screen, but in fact he/she is calling that number!"

The demonstration, shown on a YouTube video, follows a similar GNUCitizen announcement in October 2007. At that time, the hackers demonstrated a backdoor exploit to "control the router remotely", disable the router's wireless capabilities and steal the WEP/WPA passkey.

A spokesperson for BT said on Tuesday that GNUCitizen's latest exploit was the "same thing" as last year's exploit. "This particular vulnerability was resolved several firmware updates ago and it is no longer possible to do this," said the spokesperson.

However, Petko Petkov, one of the GNUCitizen hackers, subsequently denied BT's claim. He said the routers that had been hacked were still on firmware version 6.2.6.B. The latest version of the firmware, which BT started pushing out to Home Hub users on 12 December last year, is 6.2.6.E.

"Up until now, our testing Home Hub routers are still version 6.2.6.B, which means that no updates have been carried out by BT's firmware upgrade facilities," said Petkov. "Therefore, the attack, although based on CSRF and authentication-bypass vulnerabilities discussed back in September 2006, is very relevant today."

"I just want to stress that this is not the same hack that we exposed last year, but rather a side effect that occurs due to the fact that no upgrades/patches have been applied by BT to close [the flaws exposed in] our earlier security reports," Petkov added.

Asked about this counterclaim, BT's spokesperson maintained that the "alleged vulnerability was fixed in a firmware upgrade which we rolled out to BT Home Hub users last year".

"I'm not sure what's happening with [GNUCitizen's testing routers]. That's what we've done and, as far as we're concerned, the matter is closed," said BT's spokesperson. "No customers of ours have been, or are ever likely to be, affected by this."