BT’s plan is to sneak one of these boxes into every UK home. Not only does the BT Home Hub support broadband, but also VoIP (BT Broadband Talk), UMA mobile telephony (BT Fusion), and digital TV (BT Vision). Additionally, BT will give users the option to use their BT Home Hub to join FON, a community-shared Wi-Fi network. An unofficial source has reported to us that there are 2+ million BT Home Hub users in the UK.
If you’re thinking: “well I’m not based in the UK so this research doesn’t concern me”, then think again! The BT Home Hub is just a Thomson/Alcatel Speedtouch 7G router. Furthermore, the vulnerabilities we found are most likely present in other Speedtouch models due to code reuse (more on that later).
So what can we do? Well, we can fully own the router remotely. At the moment we have three demo exploits which do the following:
* enable a backdoor in order to control the router remotely
* disable wireless completely (can only be re-enabled if the user is technically capable)
* steal the WEP/WPA key
BT Home Flub: Pwnin the BT Home Hub | GNUCITIZEN