Aspiring Contributor
Message 1 of 9

port 4567 (backdoor)

Hello, after a lot of digging around this forum I found a very useful post; it talked about a backdoor in the firmware. The thread is read-only; it had been closed due to repetitive posts: http://community.bt.com/t5/BB-in-Home/Why-have-BT-put-a-backdoor-in-the-8-1-H-J-firmware-that-allows...

 

It appears that there is a different one within the 4.7.5.1.83 (Type B) firmware.

A simple scan of the router's services shows:

22/tcp filtered ssh

80/tcp open http

139/tcp open netbios-ssn

443/tcp open https

445/tcp open microsoft-ds

4567/tcp open unknown (hmm what is this)

8080/tcp open http-proxy

8443/tcp open https-alt

 

I am not trying to intimidate or scare customers, just merely point out what I have found. I think people deserve an answer.

 

So firstly let's try connecting to this port using a browser:

 

hxxp://192.168.1.254:4567

 

On the typeB HH you will notice a login prompt asking for a username and password! Please keep in mind this is NOT the password you have set within the hub's web interface. Even more concerning, this is accessible over WAN IPv6; if it is not a backdoor, what is it? I have been told by a BT agent that port 4567 is an essential port in TCP/IP networking. Clearly this is untrue and incorrect. After a tonne of emails I got a response along the lines of "the home hub is a free gift, you don't have to use it". Any mass-administrated product is vulnerable, simply because there are millions of usernames and passwords. For practical reasons they must all have something in common.

 

I am currently unable to dump the typeB firmware, which will contain the secret username and password for my hub. I find it scary that someone anywhere in the world can put in my IP followed by :4567 and be greeted with a login prompt. Also, there are no failed login attempts or even a delay between logins; a brute-force attack is very possible and is able to try millions of user/passwd combinations in just a few hours. BTW, I did try to disable the port within the web interface, with no success. I am very interested to hear your definition of what this is. I would personally define it as a backdoor if it is set with a username and password I am unaware of.

 

Regards

Ben

0 Ratings
8 REPLIES
Aspiring Expert
Message 2 of 9

Re: port 4567 (backdoor)

The Home Hub has an interface to the network which is not visible to the customer. It hosts a network management protocol known as "TR-069". This is widely used in the ISP business to manage routers, set top boxes and the like. TR-069 often uses port 4567. Check Wikipedia for more details.

 

The TR-069 interface is used to control the Home Hub (firmware downloads, parameter changes etc.), and this function is carried out using software provided by Motive Inc. More details from Motive's website at : http://www.motive.com/solutions/homenetworking/homenetworkingproducts.asp

The actual product used is "HDM". As far as I am aware, firmware updates and other Hub management is carried out by Motive, on behalf of BT.

 

The Home Hub is part of a fully managed system. This suits some customers, but not others. If you want to retain full control of your own networking, your only option is to buy your own router and retire the Home Hub.

 

 

 

 

0 Ratings
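To check what kind of login a router's port 4567 actually presents, the added example below (not part of any post in this thread, and not BT or Motive code) sends one unauthenticated GET to your own router and parses the authentication challenge it returns. It assumes the TR-069 specification's use of HTTP Digest authentication for Connection Requests; the sample response and the realm `example-cpe` are constructed, and the thread does not say which scheme the Home Hub uses.

```python
import re
import socket

# Constructed sample of a 401 reply from a CPE management port (not captured from a Home Hub).
SAMPLE_RESPONSE = (
    b"HTTP/1.1 401 Unauthorized\r\n"
    b'WWW-Authenticate: Digest realm="example-cpe", qop="auth", nonce="c0ffee0123456789"\r\n'
    b"Content-Length: 0\r\n\r\n"
)
_PARAM = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|([^\s,]+))')

def fetch(host, port=4567, timeout=3.0):
    """Send one unauthenticated GET to your own router and return the raw response head."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"GET / HTTP/1.0\r\n\r\n")
        data = b""
        while b"\r\n\r\n" not in data:
            chunk = s.recv(4096)
            if not chunk:
                break
            data += chunk
        return data

def parse_challenge(raw):
    """Extract status code, auth scheme and challenge parameters from a raw HTTP response."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError("not an HTTP response")
    result = {"status": int(parts[1]), "scheme": None, "params": {}}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "www-authenticate":
            scheme, _, rest = value.strip().partition(" ")
            result["scheme"] = scheme.lower()
            result["params"] = {k.lower(): q or u for k, q, u in _PARAM.findall(rest)}
            break
    return result

def classify(raw):
    """Label the listener by the authentication challenge it presents."""
    c = parse_challenge(raw)
    if c["status"] != 401 or c["scheme"] is None:
        return "no-auth-challenge"
    if c["scheme"] == "digest":
        return "digest-challenge"  # the scheme TR-069 specifies for Connection Requests
    return "basic-challenge" if c["scheme"] == "basic" else "other-challenge"

if __name__ == "__main__":
    print(classify(SAMPLE_RESPONSE), parse_challenge(SAMPLE_RESPONSE)["params"])
```

From the LAN side, `classify(fetch("192.168.1.254"))` labels the live listener; a `digest-challenge` result is consistent with the TR-069 explanation in the reply above but does not by itself prove what the service is.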
Aspiring Expert
Message 3 of 9

Re: port 4567 (backdoor)

I'm OK then, as I've changed my standard IP addresses to something completely different lol, but the login does appear if I use my IP addresses, but hopefully no one else can get in.

0 Ratings
Aspiring Expert
Message 4 of 9

Re: port 4567 (backdoor)

Changing your private IP addresses won't help - they're on the other side of the NAT firewall. The network-facing addresses are assigned by BT - and they will still have access.

0 Ratings
Aspiring Contributor
Message 5 of 9

Re: port 4567 (backdoor)

You cannot close the port through the firewall. Surely a customer can opt out of this mass-administrated software solution (own risk). If I did not sign up for it, it is because I do not want it. I would like to analyse the firmware for myself, but there is no full source code available for download. The USB port on the Hub would be useful for updating firmware without any remote access (in my opinion much safer). The only good use of the USB port is plugging in some novelty USB xmas lights. My Hub should be my way.
0 Ratings
Aspiring Expert
Message 6 of 9

Re: port 4567 (backdoor)

OK, so this is a backdoor then. It would only take 1 unscrupulous employee to give out the universal keys and we are all in the doo-doo.

0 Ratings
Aspiring Contributor
Message 7 of 9

Re: port 4567 (backdoor)

YEP! The one good thing is SQL injection is not possible via this login box; character filtering stops that, thank goodness. That would just be too easy. But the very fact it's open for the world to see makes it vulnerable. There are a lot of these typeB hubs in the UK, and if they did get exploited that would be a heck of a botnet.

0 Ratings
Aspiring Expert
Message 8 of 9

Re: port 4567 (backdoor)

 


@mr_blaze wrote:
Surely a customer can opt out of this mass administrated software solution.(own risk) If I did not sign up for it, it is because I do not want it

 

Well - you did, actually. It's part of the bundle - you don't sign up for some bits and not others. BT's entire Internet proposition is based on managed CPE (via TR-069). The firmware on the Hub was progressively modified to prevent any real user control - there used to be a telnet interface - long gone.

 

Your options are simple. Get another router.

 

0 Ratings
Aspiring Contributor
Message 9 of 9

Re: port 4567 (backdoor)

Spot on, "Retire the home hub" is the only way. I was irritated when a while back I was told on the phone by a "BT Technician" that if I did not have a home hub my internet would not work. I knew this was untrue. He also said if I disabled 4567 my internet would not work?!?!? (It is impossible to close anyway!) I just like the look of the HH. And wish I had a firewall to block, not just to add exceptions.

 

I am happy now; my sister gave me her 1.5. I am currently flashing modified SpeedTouch firmware. If I have not got the 2.0B router, I do not have the vulnerability to worry about. I still like the HH (it looks tidy). It could be a good little hub with the right firmware.

 

No wonder it's free.

 

 

0 Ratings