[VOIPSEC] Call Jacking: Phreaking the BT Home Hub

Adrian P unknown.pentester at gmail.com
Mon Jan 21 04:59:41 EST 2008


* Call Jacking: Phreaking the BT Home Hub *

OK, this is a bit of a funny attack - although it could also be used
for criminal purposes! After playing with the BT Home Hub for a while
(again!) [1], pdp and I discovered that attackers can steal/hijack
VoIP calls. Let me explain …

In summary, if the victim visits our evil proof-of-concept webpage,
his/her browser sends a HTTP request to the BT Home Hub's web
interface. After this, the Home Hub starts a VoIP/telephone connection
to the recipient's phone number specified in the exploit page. This is
what the attack looks like: the victim's VoIP telephone starts ringing
and shows an external call message on the LCD screen along with the
recipient's phone number. However, what's interesting is that from the
point of view of the victim, it looks like he/she is receiving a phone
call from the number shown on the screen, but in fact he/she is
calling that number! Sweet, simple and effective, just the way we like

POST http://api.home/cgi/b/_voip_/stats//?ce=1&be=0&l0=-1&l1=-1&name=


Now, this attack will work even if the default admin password has been
changed on the BT Home Hub. Reason for this is that the exploit relies
on an authentication bypass vulnerability that we have reported [2] a
while ago and hasn't still been fixed by BT! In our original report,
we mentioned that the HTTP authentication mechanism can by bypassed by
using double slashes in the target URL. Actually, the authentication
can also be bypassed with many other characters, but I'll leave this
to the reader to discover.

The following are some attack scenarios in which this vulnerability
could be used for:

- annoyance or prank purposes
- advanced phishing attacks in which the victims gets a phone call
from "Trusted Bank" after clicking on a link included in the phishing
email. The fact that the attacker calls the victim's phone number
would help him/her gain the victim's trust. HINT: Phishers usually
don't know your phone number!
- toll fraud attacks in which the victim calls one of those very
expensive number that allow the bad guys to make good bucks by simply
starting the conversation

I don't want to repeat myself, but please remember that from the
victim point of view it looks like he is receiving a phone call but in
fact he is making/paying for the phone call!

And finally the boring (but needed) testing details: tested on BT Home
Hub firmware 6.2.6.B. Only customers using the BT Broadband Talk
service are affected by this attack.

launch: Call Jacking POC exploit


GNUCITIZEN is a Cutting Edge, Ethical Hacker Outfit, Information Think
Tank, which primarily deals with all aspects of the art of hacking.
Our work has been featured in established magazines and information
portals, such as Wired, Eweek, The Register, PC Week, IDG, BBC and
many others. The members of the GNUCITIZEN group are well known and
well established experts in the Information Security, Black Public
Relations (PR) Industries and Hacker Circles with widely recognized
experience in the government and corporate sectors and the open source

* References *

[1] http://www.google.com/search?q=site%3Agnucitizen.org+bt+home+hub

[2] http://www.gnucitizen.org/blog/bt-home-flub-pwnin-the-bt-home-hub-4

gnucitizen.org, ikwt.com

More information about the Voipsec mailing list