Cable Forum


LemonyBrainAid 06-03-2014 22:18

Superhub 7 second exploit
 
Apologies if this has already been posted somewhere (searched and couldn't find anything), but stumbled across this and had to share.

Allegedly it's possible to make use of a 7-second window of unsecured WiFi access during the SuperHub boot process to gain access to the admin panel and retrieve the unmasked WiFi password.

It requires the admin panel password, but as we all know it's very rare for the general user to change that ;)

Read more (and learn how to protect against it) here:
http://ramblingrant.co.uk/2014/03/06...security-flaw/

Coffeeguy 06-03-2014 22:54

Re: Superhub 7 second exploit
 
More reason to put the darned thing into modem mode

Synthetic 06-03-2014 23:01

Re: Superhub 7 second exploit
 
Interesting, think I'll give this a try (on my own shub of course)

thenry 06-03-2014 23:40

Re: Superhub 7 second exploit
 
Quote:

Originally Posted by LemonyBrainAid (Post 35678386)
Apologies if this has already been posted somewhere (searched and couldn't find anything), but stumbled across this and had to share.

Allegedly it's possible to make use of a 7-second window of unsecured WiFi access during the SuperHub boot process to gain access to the admin panel and retrieve the unmasked WiFi password.

It requires the admin panel password, but as we all know it's very rare for the general user to change that ;)

Read more (and learn how to protect against it) here:
http://ramblingrant.co.uk/2014/03/06...security-flaw/

I told VM about this from the get go when testing the SH2 and it was taken on board and as far as I know it was fixed. Now when the SH2 boots up wifi 2.4GHz & 5GHz do not load up until a minute or two after the modem/router syncs etc.

Do your SH2 lights match up to what's actually going on? Could you please tell us the lighting sequence from power on to fully loaded up.

Also what is your software version > http://192.168.100.1/cgi-bin/VmRouterStatusInfoCfgCgi

Skie 07-03-2014 00:31

Re: Superhub 7 second exploit
 
Yeah, the SH2 popping up with unsecured wifi connections during boot was certainly reported by a few people during the trial. I wonder if the 'fix' was to just make them not broadcast their SSID during boot instead of actually fixing the problem properly.

Also interesting to know that you can reboot a superhub remotely.

qasdfdsaq 07-03-2014 00:55

Re: Superhub 7 second exploit
 
Sounds like a pretty standard bootup sequence for a consumer router to be honest.

Ignitionnet 07-03-2014 00:59

Re: Superhub 7 second exploit
 
Quote:

Originally Posted by qasdfdsaq (Post 35678406)
Sounds like a pretty standard bootup sequence for a consumer router to be honest.

Confirmed. The HH5 boots up in the same way.

StevenNT 07-03-2014 13:35

Re: Superhub 7 second exploit
 
Quote:

Originally Posted by Ignitionnet (Post 35678407)
Confirmed. The HH5 boots up in the same way.

Does the BT HH5 broadcast its encryption key during boot?

Ignitionnet 07-03-2014 13:51

Re: Superhub 7 second exploit
 
Haven't sniffed it, just noted that the thing broadcasts SSIDs before it applies security policy.
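
Added example, not part of any poster's message and not taken from the linked article: one way to measure, on your own router, whether and for how long it beacons without security before the security policy is applied, as discussed in this thread. The beacon records are constructed sample data (in practice they would come from a monitor-mode capture of your own access point); the tuple layout and the function name are assumptions of this example.

```python
# Constructed sample, not captured from a real SuperHub:
# (seconds since power-on, BSSID, SSID, Privacy bit of the beacon's capability field)
SAMPLE_BEACONS = [
    (41.0, "02:00:00:aa:bb:01", "ExampleHub", False),
    (42.0, "02:00:00:aa:bb:01", "ExampleHub", False),
    (44.5, "02:00:00:aa:bb:01", "ExampleHub", False),
    (45.0, "02:00:00:cc:dd:02", "Neighbour", True),
    (48.0, "02:00:00:aa:bb:01", "ExampleHub", True),
    (49.0, "02:00:00:aa:bb:01", "ExampleHub", True),
]


def open_windows(beacons, bssid):
    """Return [(first_open, first_protected_or_None, seconds)] for one BSSID.

    A beacon counts as open when its Privacy bit is clear. A window is closed
    by the first later beacon with the bit set, so the duration is an upper
    bound whose precision is limited by the beacon interval.
    """
    windows = []
    start = None      # time of the first open beacon in the current window
    last_open = None  # time of the most recent open beacon
    for t, addr, _ssid, privacy in sorted(beacons, key=lambda b: b[0]):
        if addr.lower() != bssid.lower():
            continue  # ignore other access points in range
        if not privacy:
            if start is None:
                start = t
            last_open = t
        elif start is not None:
            windows.append((start, t, t - start))
            start = None
    if start is not None:
        # Still advertising as open when the observation ended.
        windows.append((start, None, last_open - start))
    return windows


if __name__ == "__main__":
    for first, closed, secs in open_windows(SAMPLE_BEACONS, "02:00:00:AA:BB:01"):
        end = "still open at end of capture" if closed is None else f"protected at {closed}s"
        print(f"open from {first}s, {end}, window <= {secs}s")
```

An empty result after a reboot means the access point never advertised itself as open while it was being observed.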

qasdfdsaq 07-03-2014 14:44

Re: Superhub 7 second exploit
 
Openwrt and DD-Wrt also behave the same way.

That said nobody mentioned the Superhub broadcasting its encryption key... Only that you can log in and manually retrieve the network access password.

Actual encryption keys are randomly generated on the fly and automatically changed every few minutes anyway.

Ignitionnet 07-03-2014 15:04

Re: Superhub 7 second exploit
 
I assumed that he meant the network access password, Mr QWERTY. Would be a truly spectacular mess up if an AP broadcast that.

qasdfdsaq 07-03-2014 16:03

Re: Superhub 7 second exploit
 
To be honest actually broadcasting the password would be an equally spectacular mess up IMO.

Sirius 07-03-2014 16:10

Re: Superhub 7 second exploit
 
Quote:

Originally Posted by Coffeeguy (Post 35678387)
More reason to put the darned thing into modem mode

:tu:


All times are GMT +1.