The Small Business Consultancy

BT Broadband Fail to Follow Their Own Advice


… and we’re going to enlighten you to what is going on in this blog post.

We’ve come across two instances over the last few weeks in Fife where BT Broadband personnel have failed to secure end customer equipment using their own recently updated and freely available advice and instructions.

What exactly is this newly discovered vulnerability that requires the advice to have been recently updated? Well, it isn’t the older discovery that WEP encryption can be cracked within a minute, a fact that has long since seen WEP being considered as NO security. It is the more recent discovery that sees the Home Hub being cracked with practically no effort due to its particularly bad WEP implementation.

As a slight side note, the Wikipedia entry for WEP makes an interesting statement:

Wired Equivalent Privacy (WEP) is a deprecated algorithm to secure IEEE 802.11 wireless networks.

For those who’re unaware of what "deprecated" means, we’ll draw upon another Wikipedia entry:

In computer software standards and documentation, the term deprecation is applied to software features that are superseded and should be avoided.


Since the Home Hub uses WEP security by default, and appears to be left in this state by BT Broadband employees, there are going to be a large number of Home Hubs vulnerable to all manner of criminal activity.

Following the logic through on this one, BT Broadband leaves their product in a state that has been superseded and should be avoided.

At least someone at BT has noticed this security issue and has tried to deal with it:

Automatic wireless security

To help you get set up quickly and help prevent unauthorised users access your wireless network, your BT Home Hub automatically provides some wireless security via a WEP (Wired Equivalent Privacy) key. However, using new technology, it may be possible for hackers to break this key and connect to your Hub, possibly accessing your computer or using your broadband service.

You can increase this basic level of security, at no extra cost, by changing your Hub’s security from WEP to WPA (Wi-Fi Protected Access). We recommend that you consider doing this, even if you don’t connect to your Hub wirelessly.

It is a shame that their installers and support people don’t seem to know about this issue and a travesty that they haven’t been trained to leave customers’ broadband in a more secure state.

Let’s now look at the two scenarios that led us to question the training and skills of personnel in the BT Broadband installation and support operation.


Scenario 1:
A long-standing BT customer signed up for BT Broadband after using their dial-up service for many years. They asked for an "engineer" install, at an additional charge, believing this would be the best way to achieve a problem-free broadband connection. The day of the activation came around and a BT installer turned up to set up their broadband. The installer started on the installation, the customer left him alone to complete the work and, job done, he left the customer’s home.

Later, they try to use the shiny new broadband for the first time, but all that was observed was the computer trying to connect to the dial-up service and errors being generated when attempts were made to download emails. At this point they gave up and called us in.

We arrive on scene and notice the following issues within a few minutes:

1. WEP encryption in use, against the best practice advice from BT themselves.

2. Computer has been left to use the Dial-Up service by default.

3. The email program had been left configured to use the Dial-up connection. 

4. The customer security software was out of date.

5. New email addresses assigned to this broadband account weren’t set up.

It looks very much like the engineer has opened up the box, plugged in the ADSL filters, powered up the Home Hub, before finally connecting the customer laptop using the default WEP encryption key. It would appear that no attempt was made to connect to a webpage or to try to access email.

The fourth issue can be forgiven if the customer hasn’t signed up for one of the BT options that comes with BT security software as part of the deal. We didn’t ask so cannot comment further on this one. However, any good computer engineer would have noticed the lack of up to date security software and informed the customer that someone needs to take a look at it.

Needless to say, the issues were fixed and the customer was left fully satisfied with their new broadband connection.


Scenario 2:

Careless cleaner allows the ADSL lead to be sucked up into the vacuum cleaner, thereby breaking at least one of the signal cores in the cable. At this point, all that was required was a simple replacement of the damaged ADSL lead and the customer would have been fully operational again.

Instead, they phoned BT Broadband for advice and struggled for forty minutes to understand the broken English and broad accent of the Asian call centre support representative. After 40 minutes on the telephone, the customer had been told to turn off the Home Hub, reset it to defaults and finally to replace the damaged cable.

A trip to the local electrical retailer sees a new cable in place, but the broadband is still broken. Why is it still broken? Simple, we had previously secured their wireless network with a decent WPA-PSK pass phrase and now the computers were trying to connect to the router with the pass phrase they knew, but the router was using WEP and a completely different pass phrase! To use an appropriate analogy: a case of the computers talking English when the router is talking Hindi!

Another support call out for Roundtrip Solutions from the disgruntled Fife based BT customer. Within minutes we had logged into the Home Hub and gone through some router initiated security configuration changes, before making the all important, and BT recommended, wireless security encryption changes to use WPA-PSK with the same pass phrase as used before. Everything sprang into life instantly without any further intervention.

The customer was delighted with our prompt service and completely pissed off dissatisfied with British Telecom, their support personnel and the fault resolution advice provided by BT, which did appear to be a bit back to front! They were even more frustrated when we told them all they had to do was to replace the damaged ADSL lead to get everything working again and all the resetting of routers had been completely unnecessary.

Again, we couldn’t believe the customer support person had left the customer’s router using the super insecure Home Hub version of WEP.

 

The Crux of IT

The BT Broadband advice available on their website clearly recommends setting up their Home Hub wireless router using WPA. Actually, that should be WPA-PSK if BT wish to be technically correct, but we’ll not be too pedantic in this blog post as more important issues are being dealt with.

In general, all users of a wireless network should ensure it uses WPA-PSK or WPA2-PSK with a strong pass phrase as a minimum level of security. Do not, we repeat, DO NOT use WEP - replace everything that only supports WEP.

If you are a Home Hub user then double check your configuration is secure.
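
One way to do that double check from a Linux laptop is to scan for your own network and see what encryption it advertises. The script below is an added example, not part of the original post or any BT tooling: it parses text in the format printed by `iwlist <interface> scan` and flags networks below the WPA-PSK minimum. The sample scan, ESSIDs and addresses are constructed for illustration.

```python
import re

# Constructed sample in the format printed by `iwlist <iface> scan`.
# ESSIDs and addresses are made up for this example.
SAMPLE_SCAN = """\
          Cell 01 - Address: 00:00:5E:00:53:01
                    ESSID:"ExampleHub-WEP"
                    Encryption key:on
          Cell 02 - Address: 00:00:5E:00:53:02
                    ESSID:"ExampleHub-WPA"
                    Encryption key:on
                    IE: WPA Version 1
                        Authentication Suites (1) : PSK
          Cell 03 - Address: 00:00:5E:00:53:03
                    ESSID:"ExampleOffice"
                    Encryption key:on
                    IE: IEEE 802.11i/WPA2 Version 1
                        Authentication Suites (1) : PSK
          Cell 04 - Address: 00:00:5E:00:53:04
                    ESSID:"ExampleGuest"
                    Encryption key:off
"""

def classify_cells(scan_text):
    """Return [(essid, mode)] with mode in OPEN, WEP, WPA, WPA2."""
    results = []
    # Each access point starts with a "Cell NN - Address:" header.
    for cell in re.split(r"Cell \d+ - Address:", scan_text)[1:]:
        essid = re.search(r'ESSID:"([^"]*)"', cell)
        name = essid.group(1) if essid else "<unknown>"
        if "Encryption key:off" in cell:
            mode = "OPEN"
        elif "IE: IEEE 802.11i/WPA2" in cell:
            mode = "WPA2"
        elif "IE: WPA Version" in cell:
            mode = "WPA"
        else:
            # Encryption is on but no WPA/WPA2 element is advertised: WEP.
            mode = "WEP"
        results.append((name, mode))
    return results

def needs_fixing(scan_text):
    """ESSIDs that are open or WEP, i.e. below the WPA-PSK minimum."""
    return sorted(n for n, m in classify_cells(scan_text) if m in ("OPEN", "WEP"))

if __name__ == "__main__":
    for name in needs_fixing(SAMPLE_SCAN):
        print("insecure:", name)
```

A Home Hub that has been reset to defaults, as in Scenario 2, would show up in the same way as the first cell: encryption on, but no WPA or WPA2 element.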

If BT Broadband is doing an engineering installation then ensure BT’s own security advice is followed. Same applies for anyone that phones their call centre for support and has their Home Hub reset as part of the fault finding process.

We certainly wouldn’t recommend or condone the "repair" procedure used by this BT Home Hub user.
