Twitter

by acls us

It's official, BT's Home Hub 3 (HH3) allows hackers to attack your VOIP system and it does this "By Design"


I know, it sounds wrong but it's true. The domestic Home Hub 3 (HH3), supplied to millions of UK households by BT will allow inbound connections to any SIP VOIP device that should be protected by the security firewall in the HH3 from hacking by the outside world. And worse than this, BT and the manufacturer both claim this is working by design and they will not fix this.


What does this mean? If you have a VOIP device that uses SIP (an Internet protocol for establishing VOIP Phone connections) and you make a connection to any other SIP device on the Internet (a VOIP Phone Call), then the HH3 will leave an open "port" that allows anyone to make a SIP connection back to your SIP device inside your network. You have no control over this. There is no way to disable this in the HH3. Turning on all the security options will not help at all.

How would this affect me? If you make use of modern VOIP technology to place cheap Internet phone calls from a device that uses SIP (in most cases this does not include Skype which uses a different VOIP protocol) you can be affected by this security exposure. In the simplest case, a hacker may just repeatedly try to make connections to your device and because the HH3 will allow this, they will then try to use your device to make calls for them. If your device is properly configured the attempts to make calls will fail but as the attack will continue to retry this may well have an effect on the performance of the device and its ability to make calls. Because these attempts to control your device arrive as data over your broadband connection, they count as part of your download allocation and could start to not just slow down your broadband but also cost you money. In the worst case where a hacker does take control of your device, they would be able to route calls at
your expense.

How was this discovered? I run a sophisticated VOIP server using an Open Source System called Asterisk. Due to it's high level of functionality, it was able to detect and report on these attacks. Which only started happening after I moved to a BT connection and a HH3. My server was hit with many attempts from the Middle East to place calls to numbers in Israel. Initial attempts to report this security exposure to BT were rejected by their HelpDesk as my problem as I must have mis-configured the HH3. All they would do would be to charge me to setup the correct configuration. I then posted questions to various Forums to see if anyone else had observed this problem, no takers. Then, to their credit, BT picked up on it and put me in touch with real HH3 specialists. I supplied them with my test results and various network packet traces that showed what was happening. This all started to look very promising until the gates came crashing down and I was told that this behaviour was how it was "supposed" to work and the HH3 had been "designed" to work this way.

You what? Yes, that's what I said too. I was told that if I wanted a more secure firewall I would need a BT business grade system. But why? Surely the one single basic function of a Firewall is to protect your network from unwanted intrusion? And this is a massive exposure not just because it's there but because it's in the UK's most widely used router/firewall. This is why, if you have the setup to be able to detect the attacks, it doesn't take long after you plug one in before you can see the hackers all queuing up to spend your money for you!

What can you do? If you have the technical know how, place a real firewall between the HH3 and your device. Or send the HH3 back to BT and use another Router/Firewall. But please do complain and feel free to quote this article. Maybe, with enough complaints BT may yet listen to it's customers and get this fixed!

Richard Gate, CommuniG8 Ltd.