Hello. After a lot of digging around this forum I found a very useful post; it talked about a backdoor in the firmware. The thread is read-only; it had been closed due to repetitive posts: http://community.bt.com/t5/BB-in-Home/Why-have-BT-put-a-backdoor-in-the-8-1-H-J-firmware-that-allows...
It appears that there is a different one within the 18.104.22.168.83 (Type B) firmware.
A simple scan of the router's services shows:
22/tcp filtered ssh
80/tcp open http
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
4567/tcp open unknown (hmm what is this)
8080/tcp open http-proxy
8443/tcp open https-alt
I am not trying to intimidate or scare customers, just merely point out what I have found. I think people deserve an answer.
So firstly, let's try connecting to this port using a browser.
On the Type B HH you will notice a login prompt asking for a username and password! Please keep in mind this is NOT the password you have set within the hub's web interface. Even more concerning, this is accessible over WAN IPv6; if it is not a backdoor, what is it? I have been told by a BT agent that port 4567 is an essential port in TCP/IP networking. Clearly this is untrue and incorrect. After a tonne of emails I got a response along the lines of "the home hub is a free gift, you don't have to use it". Any mass-administrated product is vulnerable, simply because there are millions of usernames and passwords. For practical reasons they must all have something in common.
I am currently unable to dump the Type B firmware, which will contain the secret username and password for my hub. I find it scary that someone anywhere in the world can put in my IP followed by :4567 and be greeted with a login prompt. Also there is no limit on failed login attempts or even a delay between logins; a brute-force attack is very possible and is able to try millions of user/passwd combinations in just a few hours. BTW, I did try to disable the port within the web interface with no success. I am very interested to hear your definition of what this is; I would personally define it as a backdoor if it is set with a username and password I am unaware of.
The Home Hub has an interface to the network which is not visible to the customer. It hosts a network management protocol known as "TR-069". This is widely used in the ISP business to manage routers, set top boxes and the like. TR-069 often uses port 4567. Check Wikipedia for more details.
The TR-069 interface is used to control the Home Hub (firmware downloads, parameter changes etc.), and this function is carried out using software provided by Motive Inc. More details from Motive's website at: http://www.motive.com/solutions/homenetworking/homenetworkingproducts.asp
The actual product used is "HDM". As far as I am aware, firmware updates and other Hub management is carried out by Motive, on behalf of BT.
The Home Hub is part of a fully managed system. This suits some customers, but not others. If you want to retain full control of your own networking, your only option is to buy your own router and retire the Home Hub.
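A self-audit check for the situation described in this thread, added here as an example (it is not code from the thread, from BT or from Motive): it sends a plain GET to a host and port you own and reports whether the service answers with an HTTP 401 challenge, which is what a browser renders as the login prompt seen on 4567. The local listener is a constructed stand-in for the hub's management port so the script runs offline; the realm name and loopback addresses are assumptions.

```python
import http.server
import socket
import threading

def probe_http_auth(host, port, timeout=3.0):
    """Send a plain GET / to host:port and report whether the service answers with
    an HTTP auth challenge. Returns {'open': bool, 'status': int|None, 'auth': str|None}."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            data = b""
            while b"\r\n\r\n" not in data:  # read until the header block ends
                chunk = s.recv(4096)
                if not chunk:
                    break
                data += chunk
    except OSError:  # refused, filtered (timeout) or reset: no reachable listener
        return {"open": False, "status": None, "auth": None}
    head = data.split(b"\r\n\r\n", 1)[0].decode("latin-1", "replace")
    lines = head.split("\r\n")
    parts = lines[0].split()  # e.g. "HTTP/1.0 401 Unauthorized"
    status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else None
    auth = None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "www-authenticate":
            auth = value.strip()
    return {"open": True, "status": status, "auth": auth}

class _ChallengeHandler(http.server.BaseHTTPRequestHandler):
    # Constructed stand-in for a CPE management listener: every request gets an
    # authentication challenge, which a browser renders as a login prompt.
    def do_GET(self):
        self.send_response(401)
        self.send_header("WWW-Authenticate", 'Basic realm="cpe-management"')
        self.send_header("Content-Length", "0")
        self.end_headers()
    log_message = lambda self, *args: None  # keep the demo quiet

def start_demo_listener():
    """Start the stand-in on a loopback ephemeral port; returns (server, port)."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), _ChallengeHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]

if __name__ == "__main__":
    srv, port = start_demo_listener()
    print(probe_http_auth("127.0.0.1", port))  # expect status 401 and a Basic challenge
    srv.shutdown()
    srv.server_close()
```

Pointed at your own WAN address from outside your network, a result of `open: True` with `status: 401` confirms the management listener is reachable from the Internet; `open: False` means it is closed or filtered from where you tested.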
I'm OK then, as I've changed my standard IP addresses to something completely different lol, but the login does appear if I use my IP addresses; hopefully no one else can get in.
Changing your private IP addresses won't help - they're on the other side of the NAT firewall. The network facing addresses are assigned by BT - and they will still have access.
OK, so this is a backdoor then; it would only take one unscrupulous employee to give out the universal keys and we are all in the doo-doo.
YEP! The one good thing is SQL injection is not possible via this login box; character filtering stops that, thank goodness. That would just be too easy. But the very fact it's open for the world to see makes it vulnerable. There are a lot of these Type B hubs in the UK and if they did get exploited that would be a heck of a botnet.
Surely a customer can opt out of this mass-administrated software solution (at their own risk). If I did not sign up for it, it is because I do not want it.
Well - you did, actually. It's part of the bundle - you don't sign up for some bits and not others. BT's entire Internet proposition is based on managed CPE (via TR-069). The firmware on the Hub was progressively modified to prevent any real user control - there used to be a telnet interface - long gone.
Your options are simple. Get another router.
Spot on. "Retire the home hub" is the only way. I was irritated when, a while back, I was told on the phone by a "BT Technician" that if I did not have a home hub my internet would not work. I knew this was untrue. He also said if I disabled 4567 my internet would not work?!?! (It is impossible to close anyway!) I just like the look of the HH, and wish I had a firewall to block, not just to add exceptions.
I am happy now; my sister gave me her 1.5. I am currently flashing modified SpeedTouch firmware. If I have not got the 2.0B router, I do not have the vulnerability to worry about. I still like the HH (it looks tidy). It could be a good little hub with the right firmware.
No wonder it's free.