Superhub : Superhub 7 second exploit

[LemonyBrainAid]

Apologies if this has already been posted somewhere (searched and couldn't find anything), but stumbled across this and had to share.

Allegedly it's possible to make use of a 7-second window of unsecured WiFi access during the SuperHub boot process to gain access to the admin panel and retrieve the unmasked WiFi password.

It requires the admin panel password, but as we all know it's very rare for the general user to do change that

Read more (and learn how to protect against it) here:
http://ramblingrant.co.uk/2014/03/06...security-flaw/

[Coffeeguy]

More reason to put the darned thing into modem mode

[Synthetic]

Interesting, think i'll give this a try (on my own shub of course)

[thenry]

Quote:

Originally Posted by LemonyBrainAid

Apologies if this has already been posted somewhere (searched and couldn't find anything), but stumbled across this and had to share.

Allegedly it's possible to make use of a 7-second window of unsecured WiFi access during the SuperHub boot process to gain access to the admin panel and retrieve the unmasked WiFi password.

It requires the admin panel password, but as we all know it's very rare for the general user to do change that

Read more (and learn how to protect against it) here:
http://ramblingrant.co.uk/2014/03/06...security-flaw/

I told VM about this from the get go when testing the SH2 and it was taken on board and as far as I know it was fixed. Now when the SH2 boots up wifi 2.4GHz & 5GHz do not load up until a minute or two after the modem/router syncs etc.

Do your SH2 lights match up to whats actually going on? Could you please tell us the lighting sequence from power on to fully loaded up.

Also what is your software version > http://192.168.100.1/cgi-bin/VmRouterStatusInfoCfgCgi

[Skie]

Yeah, the SH2 popping up with unsecured wifi connections during boot was certainly reported by a few people during the trial. I wonder if the 'fix' was to just make them not broadcast their SSID during boot instead of actually fixing the problem properly.

Also interesting to know that you can reboot a superhub remotely.

[qasdfdsaq]

Sounds like a pretty standard bootup sequence for a consumer router to be honest.

[Ignitionnet]

Quote:

Originally Posted by qasdfdsaq

Sounds like a pretty standard bootup sequence for a consumer router to be honest.

Confirmed. The HH5 boots up in the same way.

[StevenNT]

Quote:

Originally Posted by Ignitionnet

Confirmed. The HH5 boots up in the same way.

Does the BT HH5 broadcast it's encryption key during boot?

[Ignitionnet]

Haven't sniffed it, just noted that the thing broadcasts SSIDs before it applies security policy.

[qasdfdsaq]

Openwrt and DD-Wrt also behave the same way.

That said nobody mentioned the Superhub broadcasting its encryption key... Only that you can log in and manually retrieve the network access password.

Actual encryption keys are randomly generated on the fly and automatically changed every few minutes anyway.

[Ignitionnet]

I assumed that he meant the network access password, Mr QWERTY. Would be a truly spectacular mess up if an AP broadcast that.

[qasdfdsaq]

To be honest actually broadcasting the password would be an equally spectacular mess up IMO.

[Sirius]

Quote:

Originally Posted by Coffeeguy

More reason to put the darned thing into modem mode