cancel
Showing results for 
Search instead for 
Did you mean: 
llme
Aspiring Contributor
2,081 Views
Message 1 of 10

VPNFilter

Go to solution

Are any of the BT supplied routers vulnerable to the VPNFilter malware? (router implant)

9 REPLIES 9
Luckyfish
Newbie
1,993 Views
Message 2 of 10

Re: VPNFilter

Go to solution

Good question, especially as this appear to be a growing problem:

https://www.theregister.co.uk/2018/06/07/vpnfilter_is_much_worse_than_everyone_thought/

0 Ratings
Reply
bob2k
Newbie
1,917 Views
Message 3 of 10

Re: VPNFilter

Go to solution

and the answer from BT is a deafening silence...............

0 Ratings
Reply
dlewins
Beginner
1,894 Views
Message 4 of 10

Re: VPNFilter

Go to solution
It would be really good to hear from BT about this. Any security questions should go to the top of the pile.
0 Ratings
Reply
GlueGunny
Beginner
1,765 Views
Message 5 of 10

Re: VPNFilter

Go to solution

Because a router does not have antivirus of its own, the main antivirus effort residing within the computer, any cleansing of the router's functions, although necessary, will not prevent reinfection.   Solutions to this problem would seem difficult, including the possible introduction of anitivirus software at router level,  new resistant firmware, and/or the frequent reinstallation of uninfected firmware.

Does BT have a malware filtering application for traffic while it is within the ISP?  If so, then there is a glimmer of light in the darkness.  

But, all of these approaches look complex and would take time, so I am not surprised that there is a long silence.

Regards, GlueGunny 

0 Ratings
Reply
Agent-Smith
Newbie
1,702 Views
Message 6 of 10

Re: VPNFilter

Go to solution

I too would like to know. I contacted BT through their text chat help. I breifly outlined my query about the VPNfilter malware and would like to know if the BT HUB 5 was vulnerable to it. I was then told that it had a filter built in and didn't need one. Errr No! After explaining it again and giving a link describing the problem they then looked it up on google and read the list of affected routers from some web page which is not a definitive list at present. Basically they did not know. I asked about how to get the router firmware updated to which I was referred to the technical experts line. I rung the number- 0800 032 1118 and explained the query again. He had to look it up on google and did not think there was a problem because no one has highlighted it to him that there was one. I asked how to update the router firmware. He did not know and has never been asked that question in 7 years. Wow! seemed like a basic question for a technical expert. He then referred me to the broadband help department which appeared to be an off shore service. I spoke to someone else and again I asked the malware question. He googled it so basically did not know as he was not sourcing any information from within their own information base. One thing I was told was that the firmware updates are no longer rolled out to Home Hub 5 since the introduction of Home Hub 6.  So I've hit a brick wall. Hopefully for all those out there that HH5. Let's hope it's not vulnerable because it seems there is no further firmware updates for it.

 

MikeP_UK
Contributor
1,529 Views
Message 7 of 10

Home Hub 5 Firmware Updates?

Go to solution

I use a HH5 running firmware version 4.7.5.1.83.8.236.1.2 and it was last updated 12th July 2017. In light of recent events concerning the VPNFilter vulnerability that requires a firmware update to be applied (see https://nakedsecurity.sophos.com/2018/06/11/check-your-router-list-of-routers-affected-by-vpnfilter-... ), when can we expect BT to issue the update to all our routers?

 

Thanks

0 Ratings
Reply
Moderator
Moderator
1,285 Views
Message 8 of 10

Re: Home Hub 5 Firmware Updates?

Go to solution

Hi All,

BT Hubs are not vulnerable to the VPNFilter malware. 

BT Hubs have built-in security protections against this type of malware, such as:-

  • BT Hubs do not use common default passwords across multiple devices.
  • BT Hubs do not give access to the operating system via any login method. 

We are unaware of any exploits on supported BT Hubs that would allow access to install this malware.  

Thanks

PaddyB

Community ModeratorPaddyB
Did you get the help you needed?
Help others by clicking on ‘Mark as accepted solution’
Show your appreciation!
Click on the star next to a reply to say thanks
Help guide to using the community? Click below
Kudos”Kudos”
0 Ratings
Reply
Highlighted
996 Views
Message 9 of 10

Re: Home Hub 5 Firmware Updates?

Go to solution

 

What BT Support says is untrue. The built-in security features did very little once the VPN Filter was installed on the BT Hub.

Even the newest BT Hubs V6.0 are vulnerable to the attack. BE EXTREMELY vigilant.

I had BT Hub V6.0A when things started to get peculiar (packages installed, unseen drivers installed, Software packages under Devicer Manager, weird tunnelling pseudo-interface adapters, ESET Internet Security settings compromised and firewall rules 'updated', uPnP devices allowed over TCP), Remote Assistance settings changed (no option to disable it - greyed out and unable to untick), Remote Assistance service disable option also greyed out.

Every device that I had connected to the router was infected - including Android devices and laptops. An old iPhone 4 was also compromised, the newer iOS devices have withstood the attack and so far seem to be ok.

I noticed the VPNFilter opened an external IPv6 address on the router which was clearly visible under Ports section with port 80, however, greyed out and with no option to disable it. The IPv6 address matched with the WIFI adapter's internal IPv6 address. However, if I disabled IPv6 protocol in the wifi adapter's settings, the internet connection was unreachable.

By monitoring outgoing/incoming traffic I noticed that the VPNFilter uses port 80 for every application - that is Stage 3 module known as “ssler” is capable of intercepting all traffic going through the device via port 80, meaning the attackers can snoop on web traffic and also tamper with it to perform man-in-the-middle (MitM) attacks.

Similarly, every application, regardless of its nature started using port 80, whereas before it used their own respective ports, meaning the hijackers were using every application to bypass the firewall as obviously the firewall would allow port 80 normally. I have taken screenshots of Network analyzer and and extensive list of apps, excluding internet browsers using port 80.

VPNFilter is a multi-staged piece of malware. Stage 1 is installed first and is used to maintain a persistent presence on the infected device and will contact a command and control (C&C) server to download further modules.

That is exactly what I have experienced. It somehow managed to change windows server urls in Windows Update, so when I was downloading updates - I was actually downloading malware packaged - this is evident from the logs, when the urls have been hijacked.

I managed to survive the attack of VPNFilter, and running out of options, trying to reset to router to factory defaults did nothing. As the original firmwave was reinstalled so the 'factory defaults' had already the predefined gateways for the attackers to reach the BT router. 

But then getting new hub was a trouble when trying to explain what happened. The easiest explanation for BT Customer Service was that the BT Hub has stopped working, so I received a replacement. So far, the problem has gone with BT Hub V5.0.

I told the BT engineer the Hub was compromised and requested to bring the hub immediately to their internal security team for inspection. Hopefully he took me seriously as he was completely unaware what I was talking about and obviously was never heard that routers can get infected.

I hope this helps. Please be very vigilant if router settings suddently changes and a persistent tunneling address appears out of nowhere.

Regards,

Jonas Dudonis

Tags (3)
eliotrw
Aspiring Contributor
923 Views
Message 10 of 10

Re: Home Hub 5 Firmware Updates?

Go to solution

Hi Jonas,

 

Have you heard anything since?

0 Ratings
Reply