Warning for BT Home Hub Users about VOIP Hijacking.
billsavings
Posts: 2,015 Forumite
in Phones & TV
"Principals of the ethical hacking outfit GNUCitizen say they have found a serious security bug in the BT Home Hub that could allow attackers to engage in identity theft and other types of fraud by hijacking calls routed over the internet.
The vulnerability allows an attacker to initiate VoIP calls on the user's machine. From the end user's perspective, it would appear that the victim is receiving the call from a falsified number that is specified by the attacker. Attackers on the other end could then coax account credentials or other sensitive information from the victim by impersonating a person from a bank, a stock brokerage or some other trusted organization where the call appears to be originating."
Read the full article.
http://www.theregister.co.uk/2008/01/21/bt_home_hub_voip_hijacking/
I have BT Broadband and Broadband Talk, and my last 2 bills have shown a huge increase in numbers called (including at times when no-one was home and no PC running), which I have tracked as far as discount phone rate companies; the VoIP capability of the hub appears to have been hijacked and used to make calls without my consent or knowledge.
Although BT claims to have closed this vulnerability, this has taken place from late Dec 07 till the present, with my Hub using firmware update 6.2.6.E; I have reported the problem but the response has been underwhelmingly disinterested.
I wonder if this has happened to other users?
I don't think your problem could have been caused by this particular vulnerability. Here is what GNU Citizen say about it:
In summary, if the victim visits our evil proof-of-concept webpage, his/her browser sends a HTTP request to the BT Home Hub’s web interface. After this, the Home Hub starts a VoIP/telephone connection to the recipient’s phone number specified in the exploit page. This is what the attack looks like: the victim’s VoIP telephone starts ringing and shows an external call message on the LCD screen along with the recipient’s phone number. However, what’s interesting is that from the point of view of the victim, it looks like he/she is receiving a phone call from the number shown on the screen, but in fact he/she is calling that number! Sweet, simple and effective, just the way we like it at GNUCITIZEN!
For starters, you've said calls have been made when you weren't in and the PC was off, which couldn't be the case with this vulnerability.
As the article says, I'm sure the problem was closed by the firmware updates,
and the newest firmware is now doing a "forced" password change from admin/admin to admin/hub serial number and forces you to change it to something else (unless you are a complete !!!! and change it BACK to admin/admin !!)
Ex forum ambassador
Long term forum member
I don't claim to be an expert on the "how"; the fact remains that I know it to be true that the calls were not made by me or anyone living with me, but they appear on my bill. Since I think it unlikely that 300 - 500 calls would have been billed in error, the likeliest explanation is some kind of VoIP hijack; bear in mind that my usual monthly average of calls made is between 30 to 50 calls. Give me some credit for not being a complete !!!!. To me the real problem is that although I have identified a problem and reported it, the issue is not being taken seriously. Since I identified the problem and disabled telephony on the hub, no further calls have appeared on my 'recent calls' list, further indicating that it is not a billing glitch, and since the problem doesn't exist on my normal landline number, I would think that the calls do not originate from inside my residence. My wireless network is WPA protected which, while it may not be impregnable, rules out "accidental" trespass on the broadband hub.
To sum up: if it looks like a rat, smells like a rat and acts like a rat, the chances are that it is a rat. No matter how resolutely you bury your head in the sand.
I don't think anyone has missed the point at all, except you maybe. If you read my post, I'm not suggesting that there isn't a problem, just pointing out that from what you have said it doesn't look like it would be caused by the specific vulnerability mentioned in the OP.
Hi
BTwhistleblower
I have the same problem and have been browsing the internet trying to find other people who've experienced the same problem. Took me a good 10 minutes to find this, the first, so not a widespread problem. The previous 10 mins have been spent looking at the "car jacking" voip hacks, which has already been pointed out to you as probably not the cause.
Wondering if anything became of the issue, i.e. did BT accept any responsibility, refund any call charges, etc ... ?
They've been awful with me, must have spoken to over 15 different people and I'm currently waiting for a manager to call me back (won't speak to anyone else now).
I think mine is a little more clear cut, ie I didn't even realise I had BT Talk (never activated it and I don't have the accompanying phone) only realised when my last bill suddenly started showing a new number with a lot of numbers that have never been called from my address. Again, like you, calls were made when no-one else was in the house, or computer on. The calls were also typical normal calls someone would make, e.g. to other residential addresses.
I did manage to get to a BT Technical engineer who explained how this "could" happen, but when he put me through to his manager, she changed the story and seemed to be back-tracking on the engineer's story ... I was left suspecting she was trying to cover something up.
Anyway, may try what the engineer told me to see if it can be done ... not posting it here as that might be irresponsible and open the doors for others to do it.
Anyway, please let me know if you got anywhere ... BT Customer Services have been appalling so far and have probably prevented anyone finding the source of these calls.
Hi garny_boy
apologies for slow response - I haven't visited for some time.
sorry to hear you have this problem, but at least it confirms that I am not imagining this.
I took this up as a customer, and as an employee, and no one wants to know; no refund or acknowledgement of any sort. I also sent information to Dan Goodin of theregister.co.uk, who replied but have heard nothing further since.
In the end, I logged in to the Broadband Talk web page and blocked all outgoing calls.
In the interim, I had upgraded to the new Hub, v2.0, and recently wanted to take advantage of the cheaper international call rates, and temporarily unblocked some call categories; I have just checked my 'recent calls' using BT's online billing website, and found 3 calls that I had definitely not made - 2 were made at a time when I was alone at home, but using the landline on a conference call, and the other was made at a time when no-one was home. Googling the numbers returned places I would not have any reason to call, ever.
As I have acknowledged previously, I am sure that the cause of the problem is NOT the reported vulnerability that started the thread, and since the original post I have changed hub versions, which seems to rule out the firmware; I am guessing that somehow whoever is doing this is able to retrieve the SIP details from the hub, and make the call from a different location using a spoofed id. I suppose I could re-enable outgoing calls and then switch off the hub for a week to see what happens, but that would be a major inconvenience.
BTW, if BB Talk was ordered as part of your BB order, you would not necessarily need to do anything to 'activate' it; originally the hub needed to be configured manually by visiting bt.com/bbv and entering your BB Talk # and password; but most of the time this now happens automatically with the new Hub 2.0.
I decided to upgrade to BT Home Hub Broadband as it worked out cheaper than my existing BT wired 5 yr old package. All lovely, no probs with wireless connection.
My question is two part:
I opted for Option 1 (no hub phone) and understand that I can use a normal handset. As we have always used mobiles up till now (cheaper unless ringing 08/07 numbers), can I buy any old handset from, say, Asda and it will still be compatible?
Secondly, I didn't receive any 'new' phone number either in the emails or within the home hub box. How can I find out what my VoIP number is without having to speak to India for half an hour?
I only want a phone so I don't have to pay Orange charges for ringing a free phone number and so my parents don't run up costs ringing me from their landline.
Cheers in anticipation to all who have at least 3 kilo more networking savvy than myself
Integrity is a dying art!:p
If you have BT ADSL broadband, you must have a BT landline. Why don't you use that for your 0800 calls and give that number to your parents?
Time has moved on (much quicker than it used to - or so it seems at my age) and my previous advice on residential telephony has been or is now gradually being overtaken by changes in the retail market. Hence, I have now deleted links to my previous 'pearls of wisdom'. I sincerely hope they helped save some of you money.