BT Home Hub 6 Security Issue - Fails PCI DSS Scan?
BT Home Hub 6 Security Issue - Fails PCI DSS Scan?
18-10-2020 7:37 AM
I run a small online business from home. As we accept credit card payments, we have quarterly security checks carried out by Security Metrics to ensure PCI DSS compliance.
I’m using the BT Home Hub 6 router. It works really well & haven’t had any problems before but have failed the latest scan on our network due to "Vulnerabilities for OpenWrt Kamikaze 7.09 (Linux 2.6.22)" on the router.
The router is running the latest firmware & I’ve looked into patching the system as recommended below, but it’s beyond me so have ordered a different router to try & resolve the issue.
Just wondering has anyone else had similar issues?
I’m sure that most wouldn’t be aware as they are not subject to security scans, but a security flaw in the router is something that everyone should be aware of.
Scan results are:
Vulnerabilities for OpenWrt Kamikaze 7.09 (Linux 2.6.22)
Based
10.0
FAIL
CPE Based Vulnerabilities for OpenWrt Kamikaze 7.09 (Linux 2.6.22)
Title: CPE Based Vulnerabilities for OpenWrt Kamikaze 7.09 (Linux 2.6.22)
Synopsis:
Impact: One or more vulnerabilities have been found that affect this service. Please see the relevant CVEs for more details.
Resolution: Apply the latest vendor patches to your operating system: OpenWrt Kamikaze 7.09 (Linux 2.6.22)
Re: BT Home Hub 6 Security Issue - Fails PCI DSS Scan?
18-10-2020 9:34 AM
Those scan results seem highly dubious - neither type of BT Hub 6 runs such an old Linux kernel version. Sounds more like a false positive.
Re: BT Home Hub 6 Security Issue - Fails PCI DSS Scan?
18-10-2020 9:47 AM
Hi, welcome to the forum. The simplest solution would have been to reflash the router with the latest firmware; you are running OpenWrt 7.09 and the current version is 19.07, so a fair bit out of date. See here: openwrt. Fairly easy to do.
Incidentally, OpenWrt is not the official firmware for the hub6.
Re: BT Home Hub 6 Security Issue - Fails PCI DSS Scan?
18-10-2020 10:31 AM
I hadn't realised that you could run OpenWRT on a Smarthub 6.
Are you sure that you have a Smarthub 6 and not a hacked Home Hub 5?
Moderator and Customer
If this helped - select the Thumb
If it fixed it, help others - select 'This Fixed My Problem'
Re: BT Home Hub 6 Security Issue - Fails PCI DSS Scan?
18-10-2020 12:25 PM - edited 18-10-2020 12:25 PM
Hi all & thanks for the replies.
There's not a lot that I can do to query the scan results. Our network is scanned by Security Metrics on behalf of Global Payments & HSBC. I've tried a rescan & had the same results. If I don't get a pass, I'll be charged £75.00 per month while I'm non-compliant.
I had looked at flashing the latest version, but couldn't see anything after Homehub 5 & to be honest, all looked a bit beyond me. Everything is working fine apart from this & I couldn't afford to lose the internet or make things worse.
The router was bought from eBay a year ago as a Homehub 6 & it certainly says that on the back? Maybe it had been played with before I bought it, but certainly no support at that end. I only changed routers as we had too many devices for the Plusnet original, the smart plugs soon add up but I don't think I could go back to turning on the kettle myself in the morning 😁
Interesting to hear what you all think. The new router will arrive tomorrow, so I'll set it up, try a rescan with my fingers crossed & post an update.
Steve
Re: BT Home Hub 6 Security Issue - Fails PCI DSS Scan?
18-10-2020 3:22 PM
The scan results are nonsense; the BT Home Hub 6 is not listed on the OpenWrt website as a supported device.
Re: BT Home Hub 6 Security Issue - Fails PCI DSS Scan?
18-10-2020 3:28 PM
Hence my question as to whether this is a HH5, which is compatible.
Re: BT Home Hub 6 Security Issue - Fails PCI DSS Scan?
18-10-2020 3:29 PM - edited 18-10-2020 3:31 PM
@SteveK what does the router GUI look like when you log in?
If it really is a HH5 running OpenWrt then it should be possible to upgrade it to the latest OpenWrt version, which doesn't have the vulnerability.
Superusers are not staff, but they do have a direct line of communication into the business in order to raise issues, concerns and feedback from the community.
Re: BT Home Hub 6 Security Issue - Fails PCI DSS Scan?
18-10-2020 4:14 PM
I've hopefully attached photos of the router & UI.
Re: BT Home Hub 6 Security Issue - Fails PCI DSS Scan?
18-10-2020 6:53 PM
Well, that's definitely a Home Hub 6 and it's running the standard BT software, not OpenWrt.
So I'm with the other posters, the results of the security scan are rubbish!
Re: BT Home Hub 6 Security Issue - Fails PCI DSS Scan?
18-10-2020 7:31 PM
Thanks for the confirmation.
I will continue with a different router to hopefully avoid any further issues & have emailed Security Metrics to try & get an answer from them. If I get any joy I will report back here.
Steve
Re: BT Home Hub 6 Security Issue - Fails PCI DSS Scan?
19-10-2020 8:59 AM
@SteveK just looking at the BT Hub GPL statements: https://www.bt.com/help/user-guides/bt-hub--bt-voyager-and-connected-devices-gpl-code
As @ejs said earlier, the BT Home Hub 6 uses a later version of the Linux kernel:
Hub 6 Type A Version 3.4.11
Hub 6 Type B Version 3.10.12
In addition, as far as I can see, the bug only affects the opkg package, which, from the GPL statements referenced above, is NOT used in the BT Home Hub GPL code.
https://nvd.nist.gov/vuln/detail/CVE-2020-7982
Re: BT Home Hub 6 Security Issue - Fails PCI DSS Scan?
19-10-2020 10:20 PM
Well I haven't got to the bottom of this, but have installed the new Asus router & all now ok so will just hide the old home hub away.
We have passed the scan & are now officially PCI Data Security Standard Compliant once again.
Many thanks for all of your help, this post may be useful for anyone in the same position.
Steve
Re: BT Home Hub 6 Security Issue - Fails PCI DSS Scan?
20-10-2020 1:07 AM
Hi Steve, I had exactly the same issue happen today: small business with a failed PCI scan with Security Metrics, error messages pointing to router. Also using TP-Link wireless adapters through the BT Business smart hub - Type A into the electrical wiring system, which I gather can also be an issue?
Totally out of my depth on this issue. Can I ask what model of Asus router you used to fix the issue, please?
Any comments on the safety of TP wireless adapters WRT safe versions, if there is such a thing, in non-technical language appreciated.
Re: BT Home Hub 6 Security Issue - Fails PCI DSS Scan?
20-10-2020 7:30 AM
Hi.
I didn’t think that I would be the only one & I’m sure there will be many others as the scan dates come up! I’m guessing it may be a genuine security problem, that gets mislabelled in the scan results, but there doesn’t seem to be any other way around it than changing routers.
I’m on Plusnet Fibre & wanted a router that sat vertically like the home hub as it had to go on a small shelf. I also have a lot of smart devices connected, which is why the original Plusnet router had to go.
I went for the ASUS DSL-AC68U AC1900 Dual-Band Wireless VDSL/ADSL 2+ Gigabit Modem Router
https://www.amazon.co.uk/gp/product/B00O27PHGY
Next day delivery on Prime & all up & running very quickly without any issues. I left it a few hours to update before going for a rescan & it went straight through.
Hope that helps.
Steve