BT Home Hub 6 Security Issue - Fails PCI DSS Scan?

Hooked
Posts: 7
Registered: Sunday

BT Home Hub 6 Security Issue - Fails PCI DSS Scan?

I run a small online business from home. As we accept credit card payments, we have quarterly security checks carried out by Security Metrics to ensure PCI DSS compliance.

I’m using the BT Home Hub 6 router. It works really well & haven’t had any problems before but have failed the latest scan on our network due to "Vulnerabilities for OpenWrt Kamikaze 7.09 (Linux 2.6.22)" on the router.

The router is running the latest firmware & I’ve looked into patching the system as recommended below, but it’s beyond me so have ordered a different router to try & resolve the issue.

Just wondering has anyone else had similar issues?

I’m sure that most wouldn’t be aware as they are not subject to security scans, but a security flaw in the router is something that everyone should be aware of.

 

Scan results are:

Vulnerabilities for OpenWrt Kamikaze 7.09 (Linux 2.6.22)

Based

10.0

FAIL

CPE Based Vulnerabilities for OpenWrt Kamikaze 7.09 (Linux 2.6.22)

Title

CPE Based Vulnerabilities for OpenWrt Kamikaze 7.09 (Linux 2.6.22)

Synopsis

Impact

One or more vulnerabilities have been found that affect this service. Please see the relevant CVEs for more details.

Resolution

Apply the latest vendor patches to your operating system: OpenWrt Kamikaze 7.09 (Linux 2.6.22)

17 REPLIES 17
Community Veteran
Posts: 5,437
Thanks: 626
Fixes: 25
Registered: ‎10-06-2010

Re: BT Home Hub 6 Security Issue - Fails PCI DSS Scan?

Those scan results seem highly dubious - neither type of BT Hub 6 runs such an old Linux kernel version. Sounds more like a false positive.

Rising Star
Posts: 124
Thanks: 7
Fixes: 1
Registered: ‎24-10-2013

Re: BT Home Hub 6 Security Issue - Fails PCI DSS Scan?

Hi, welcome to the forum. The simplest solution would have been to reflash the router with the latest firmware. You are running openwrt 7.09; the current version is 19.07, so a fair bit out of date. See here: openwrt. Fairly easy to do.

Incidentally, openwrt is not the official firmware for the hub6.

Seasoned Hero
Posts: 5,333
Thanks: 2,359
Fixes: 159
Registered: ‎30-06-2016

Re: BT Home Hub 6 Security Issue - Fails PCI DSS Scan?

I hadn't realised that you could run OpenWRT on a Smarthub 6.

@SteveK 

Are you sure that you have a Smarthub 6 and not a hacked Home Hub 5?

Hooked
Posts: 7
Registered: Sunday

Re: BT Home Hub 6 Security Issue - Fails PCI DSS Scan?

Hi all & thanks for the replies.

There's not a lot that I can do to query the scan results. Our network is scanned by Security Metrics on behalf of Global Payments & HSBC. I've tried a rescan & had the same results. If I don't get a pass, I'll be charged £75.00 per month while I'm non compliant.

I had looked at flashing the latest version, but couldn't see anything after Homehub 5 & to be honest, all looked a bit beyond me. Everything is working fine apart from this & I couldn't afford to lose the internet or make things worse.

The router was bought from eBay a year ago as a Homehub 6 & it certainly says that on the back? Maybe it had been played with before I bought it, but certainly no support at that end. I only changed routers as we had too many devices for the Plusnet original, the smart plugs soon add up but I don't think I could go back to turning on the kettle myself in the morning 😁

Interesting to hear what you all think. The new router will arrive tomorrow, so I'll set it up, try a rescan with my fingers crossed & post an update.

Steve

Seasoned Champion
Posts: 1,224
Thanks: 528
Fixes: 25
Registered: ‎07-07-2009

Re: BT Home Hub 6 Security Issue - Fails PCI DSS Scan?

The scan results are nonsense, the BT Home Hub 6 is not listed on the Openwrt website as a supported device.

Seasoned Hero
Posts: 5,333
Thanks: 2,359
Fixes: 159
Registered: ‎30-06-2016

Re: BT Home Hub 6 Security Issue - Fails PCI DSS Scan?

@RealAleMadrid 

Hence my question as to whether this is a HH5, which is compatible.

Superuser
Posts: 8,785
Thanks: 2,073
Fixes: 144
Registered: ‎30-07-2007

Re: BT Home Hub 6 Security Issue - Fails PCI DSS Scan?

@SteveK what does the router GUI look like when you log in?

If it really is a HH5 running Openwrt then it should be possible to upgrade it to the latest Openwrt version, which doesn't have the vulnerability.

Hooked
Posts: 7
Registered: Sunday

Re: BT Home Hub 6 Security Issue - Fails PCI DSS Scan?

I've hopefully attached photos of the router & UI.

Superuser
Posts: 8,785
Thanks: 2,073
Fixes: 144
Registered: ‎30-07-2007

Re: BT Home Hub 6 Security Issue - Fails PCI DSS Scan?

Well, that's definitely a Home Hub 6 and it's running the standard BT software, not Openwrt.

So I'm with the other posters, the results of the security scan are rubbish!

Hooked
Posts: 7
Registered: Sunday

Re: BT Home Hub 6 Security Issue - Fails PCI DSS Scan?

Thanks for the confirmation.

I will continue with a different router to hopefully avoid any further issues & have emailed Security Metrics to try & get an answer from them. If I get any joy will report back here.

 

Steve

Superuser
Posts: 8,785
Thanks: 2,073
Fixes: 144
Registered: ‎30-07-2007

Re: BT Home Hub 6 Security Issue - Fails PCI DSS Scan?

@SteveK just looking at the BT Hub GPL statements https://www.bt.com/help/user-guides/bt-hub--bt-voyager-and-connected-devices-gpl-code

as @ejs said earlier the BT Home Hub 6 uses a later version of the Linux kernel

Hub 6 Type A Version 3.4.11

Hub 6 Type B Version 3.10.12

In addition, as far as I can see, the bug only affects the opkg package, which, from the GPL statements referenced above, is NOT used in the BT Home hub GPL code.

https://nvd.nist.gov/vuln/detail/CVE-2020-7982
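
The comparison made in the post above, written out as an added example (not part of the original thread): it parses the scanner's fingerprint from the finding title and checks it against the kernel versions and package list the vendor declares. The finding title and kernel versions are taken from this thread; `DECLARED_PACKAGES` is a constructed placeholder and the function names are hypothetical.

```python
import re

# Finding title as quoted in the scan results in this thread.
FINDING = "CPE Based Vulnerabilities for OpenWrt Kamikaze 7.09 (Linux 2.6.22)"

# Kernel versions from the BT GPL statements, as quoted in this thread.
DECLARED_KERNELS = {"Hub 6 Type A": "3.4.11", "Hub 6 Type B": "3.10.12"}

# Constructed placeholder: replace with the package names listed in the
# vendor's GPL statement for the device under review.
DECLARED_PACKAGES = {"linux", "busybox", "dnsmasq"}


def parse_finding(title):
    """Extract (os_name, kernel_version) from a scanner finding title."""
    m = re.search(r"for (?P<os>.+?) \(Linux (?P<kernel>\d+(?:\.\d+)+)\)", title)
    if m is None:
        raise ValueError("no OS/kernel fingerprint in title: %r" % title)
    return m.group("os"), m.group("kernel")


def vtuple(version):
    """'3.10.12' -> (3, 10, 12), so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def triage(title, declared_kernels, declared_packages, affected_package):
    """Compare the scanner's fingerprint with what the vendor declares."""
    os_name, fp_kernel = parse_finding(title)
    matching = [model for model, kernel in declared_kernels.items()
                if vtuple(kernel) == vtuple(fp_kernel)]
    package_present = affected_package.lower() in {
        p.lower() for p in declared_packages}
    if not matching and not package_present:
        verdict = "likely false positive"
    elif matching and package_present:
        verdict = "plausible finding"
    else:
        verdict = "needs manual review"
    return {"fingerprinted_os": os_name, "fingerprinted_kernel": fp_kernel,
            "declared_kernels": dict(declared_kernels),
            "models_matching_kernel": matching,
            "affected_package_present": package_present, "verdict": verdict}


if __name__ == "__main__":
    report = triage(FINDING, DECLARED_KERNELS, DECLARED_PACKAGES, "opkg")
    for key, value in report.items():
        print("%s: %s" % (key, value))
```

The resulting record is the kind of evidence to attach when disputing a finding with the scan vendor; it does not replace confirming the firmware on the device itself.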

Hooked
Posts: 7
Registered: Sunday

Re: BT Home Hub 6 Security Issue - Fails PCI DSS Scan?

Well I haven't got to the bottom of this, but have installed the new Asus router & all now ok so will just hide the old home hub away.

We have passed the scan & are now officially PCI Data Security Standard Compliant once again.

Many thanks for all of your help, this post may be useful for anyone in the same position.

Steve

 

 

 

Newbie
Posts: 2
Thanks: 2
Registered: Tuesday

Re: BT Home Hub 6 Security Issue - Fails PCI DSS Scan?

Hi Steve, have exactly the same issue happen today, small business with a failed PCI scan with Security Metrics, error messages pointing to router, also using TP link wireless adapters through the BT Business smart hub - Type A into the electrical wiring system which I gather can also be an issue?

Totally out of my depth on this issue, can I ask what model of Asus Router you used to fix the issue please?

Any comments on the safety of TP wireless adapters WRT safe versions appreciated, if there is such a thing in non technical language appreciated.

 

Hooked
Posts: 7
Registered: Sunday

Re: BT Home Hub 6 Security Issue - Fails PCI DSS Scan?

Hi.

I didn’t think that I would be the only one & I’m sure there will be many others as the scan dates come up! I’m guessing it may be a genuine security problem, that gets mislabelled in the scan results, but there doesn’t seem to be any other way around it than changing routers.

I’m on Plusnet Fibre & wanted a router that sat vertically like the home hub as it had to go on a small shelf. I also have a lot of smart devices connected, which is why the original Plusnet router had to go.

I went for the ASUS DSL-AC68U AC1900 Dual-Band Wireless VDSL/ADSL 2+ Gigabit Modem Router

https://www.amazon.co.uk/gp/product/B00O27PHGY

Next day delivery on prime & all up & running very quickly without any issues. I left it a few hours to update before going for a rescan & it went straight through.

Hope that helps.

Steve