BT Issues Patch For Wi-Fi Extender Security Vulnerability

BT is urging its customers to patch the firmware of its Wi-Fi extender unit after the discovery of security issues with the device.

The discovery was made by penetration testing and security specialist Pen Test Partners, and concerns BT’s Wi-Fi Extender 300 Kit (Booster) unit running firmware V1.1.5.

Patch Now

Pen Test Partners said that the flaws include a cross-site scripting flaw and a risky procedure when changing a password.

It also said there was a Cross-Site Request Forgery (CSRF) risk. CSRF is an attack in which a malicious web site or program causes the victim’s browser to perform an unwanted action on a trusted site to which the user is currently authenticated, riding on the browser’s existing session.

It labelled the latter flaw a low risk issue that mostly affected older versions of the Firefox and Chrome web browsers.

Likewise the password flaw was classified as low risk, although the researchers found that the device did not require the old password to be supplied in order to set a new one.
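The CSRF and password-change issues described above lend themselves to a small illustration of why the combination matters: a password-change handler that asks neither for the old password nor for an anti-CSRF token can be driven by any page the logged-in user visits. The following Python is an added example, not code from Pen Test Partners or BT; its session, request, device address, form field names and attacker page are constructed stand-ins and do not describe the extender’s real endpoints or firmware.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed stand-in for a router/extender admin session. Field names are
# hypothetical and do not describe BT's actual firmware.
@dataclass
class Session:
    user: str
    password: str                       # current admin password
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


@dataclass
class Request:
    origin: str                         # Origin header as sent by the browser
    form: dict


# Assumed device address for the admin UI (constructed, not BT's real one).
ADMIN_ORIGIN = "http://192.168.1.254"

# Constructed attacker page: a logged-in user who loads this from another
# site has their browser POST to the device with its existing session.
ATTACK_PAGE = """
<form id="f" action="http://192.168.1.254/set_password" method="POST">
  <input type="hidden" name="new_password" value="pwned123">
</form>
<script>document.getElementById("f").submit();</script>
"""


def change_password_vulnerable(session: Session, req: Request) -> bool:
    """The pattern described in the article: a new password is accepted with
    no proof that the caller knows the old one and no anti-CSRF check, so a
    cross-site POST from an authenticated browser succeeds."""
    new = req.form.get("new_password")
    if not new:
        return False
    session.password = new
    return True


def change_password_hardened(session: Session, req: Request) -> bool:
    """Same operation with three checks: the Origin must be the device UI,
    the per-session CSRF token must be present and match, and the old
    password must be supplied and correct. Comparisons are constant-time."""
    if req.origin != ADMIN_ORIGIN:
        return False
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token.encode(), session.csrf_token.encode()):
        return False
    old = req.form.get("old_password", "")
    if not hmac.compare_digest(old.encode(), session.password.encode()):
        return False
    new = req.form.get("new_password", "")
    if len(new) < 8:
        return False
    session.password = new
    return True


def demo() -> dict:
    """Run the cross-site request against both handlers and a legitimate
    request against the hardened one; returns the outcomes."""
    evil = Request(origin="http://evil.example",
                   form={"new_password": "pwned123"})

    weak = Session("admin", "correct-horse")
    forged_ok = change_password_vulnerable(weak, evil)

    strong = Session("admin", "correct-horse")
    forged_blocked = not change_password_hardened(strong, evil)

    legit = Request(origin=ADMIN_ORIGIN,
                    form={"csrf_token": strong.csrf_token,
                          "old_password": "correct-horse",
                          "new_password": "battery-staple"})
    legit_ok = change_password_hardened(strong, legit)

    return {"forged_changed_weak": forged_ok,
            "weak_password_now": weak.password,
            "forged_blocked_hardened": forged_blocked,
            "legit_ok_hardened": legit_ok,
            "hardened_password_now": strong.password}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The Origin check alone is not sufficient, which is why the token is kept as well: older browsers (the kind the researchers flagged as most exposed) did not reliably send Origin on cross-site form posts, and a same-origin XSS would defeat both checks anyway. Requiring the old password is the control that limits the damage when the request forgery does land.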

A bit more serious was the cross-site scripting flaw.

“Authentication bypass is not good,” blogged the researchers. “Together with the XSS and some poor UI design, this means I can steal your Wi-Fi password.”

It advised users to immediately upgrade the firmware to V1.1.8, available from BT’s website.

The researchers said that they had contacted BT upon discovery of the flaws, and it seems that the telecoms giant reacted quickly and pushed out the firmware upgrade for its customers last month.

“We are grateful to Pen Test Partners for alerting us to this issue,” a BT spokesperson told TechweekEurope. “We have been working to address this potential weakness and issued an update which corrected the problem in August 2016.

“We are not aware of any cases where customers have suffered any issues. Customers should ensure they download the firmware update from the BT website.”

Wi-Fi Risks

The increasing need for connectivity has prompted a number of security issues of late. This was starkly illustrated earlier this year when security researchers from PacketSled were able to trick Apple devices into accepting a malicious update that changed the date, simply by setting up rogue Wi-Fi networks and exploiting the behaviour that connects Apple devices automatically to previously accessed hotspots.

And it should be remembered that flaws embedded in routers and Wi-Fi extenders are not uncommon. Last year for example, CERT Coordination Center warned that one of the most popular routers from Belkin contained “multiple vulnerabilities” that could have allowed a hacker to take control of it.

Businesses are also becoming aware of the possible risks from dodgy Wi-Fi in today’s BYOD environment.

Earlier this year research from iPass for example found that nearly half (47 percent) of British organisations have banned their employees from using free Wi-Fi hotspots because of the associated security risks.


Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...
