British DSL Service Flawed, Warn Hackers
Vulnerability in British Telecom's (BT) DSL home gateway could lead Internet users to reveal personal data over telephone to a person they mistakenly believe to be an employee of their bank, according to a self-styled group of ethical hackers called GNUCitizen.
The attacker, by exploiting the vulnerability, initiates VoIP (Voice over Internet Protocol) calls to the user's computer, which the user thinks is from a false number that the attacker specifies.
From the attackers' end, they would then try to extract sensitive information like account credentials from their victim by pretending to be someone calling from a stock exchange, a bank, or any other legitimate organization.
The vulnerability that attackers take advantage of relates to a harmful backdoor that hacker Adrian Pastor at GNUCitizen, and his colleague and researcher, Petko D. Petkov also at GNUCitizen discovered in October 2007, which exposed users to caller spoofing, eavesdropping and similar nasty attacks. Theregister published this on January 21, 2008.
Instead of actually repairing the security hole, BT simply deactivated the Remote Assistant functionality. This although resolved the original problem, but it could not prevent VoIP hacking.
A VoIP hijacking is launched with a combination of a bug in the cross-site request forgery that lets the request to forge a VoIP call, and vulnerability that allows to bypass authentication, both enabling the hijacking to get around password requirements of the router. In addition, the cunning attacker could make the hijacked system dial a premium-rate phone connection that the hacker controls with a fee ensuing to him every time the victim calls the number.
Thus, GNUCitizen's security researchers caution broadband users from visiting suspicious websites, although with the current security conditions that may not be possible. Recent news report umpteen examples of even wary people being diverted to malicious points while browsing on trusted sites infected with parasites and poisoned scripts.
» SPAMfighter News - 31-01-2008