cancel
Showing results for 
Search instead for 
Did you mean: 

Hub One Firmware - Firewall Bugs wont be patched according to Plus.Net

old_fogey
Dabbler
Posts: 17
Thanks: 6
Registered: ‎31-10-2016

Hub One Firmware - Firewall Bugs wont be patched according to Plus.Net

I noticed that my HubOne leaves port 5060 open (to any server) when the firewall is set to block all incoming traffic.  A port scan seems to indicate that this happens whenever a computer on the LAN uses port 5060 for outbound traffic.

I raised concerns with Plus.Net, but they said that because I use VoIP, UPnP would have opened the port (even though I've got UPnP turned off....)  As a result they won't escalate internally.

 

 

If you use any VoIP traffic, I would recommend you do a port scan on your external IP address, and if you see 5060 open then take some avoiding action, such as (in increasing order of hassle):

- buying another router

- putting OpenWRT on the hub one as variously explained elsewhere on the internet

- changing ISP (but not to BT as the HH5 is essentially the same....)

I have observed up to 120SIP registrations per second hitting my Asterisk server and generating traffic of ~20Mbytes incoming every 15 mins.  Although the traffic is firewalled at the server, the fact that the port is open on the Hub one is an open invitation to hackers, who seem mostly based in France (where sagemcom presumably has an installed base of people who know their routers are a bit light on security), Belgium and the Netherlands.

As ever, YMMV.  If you want Plus.Net to update their router firmware to deal with this, please contact them as the more people who do so, the more chance is that they will take it seriously. 

7 REPLIES 7
MisterW
Superuser
Superuser
Posts: 14,578
Thanks: 5,411
Fixes: 385
Registered: ‎30-07-2007

Re: Hub One Firmware - Firewall Bugs wont be patched according to Plus.Net

It's been known about for some time on the BT HH5 Type A & B https://thecomputerperson.wordpress.com/2015/04/03/bt-home-hub-5b-5-b-and-the-sip-flaw/ . I'm not surprised that it exists on the PlusNet Hub one as it's basically a HH5 Type A. Seems like it's a flawed SIP ALG and there appears to be no way of disabling it!. TBH I wouldn't recommend using a basic ISP supplied router to anyone using voip.

Superusers are not staff, but they do have a direct line of communication into the business in order to raise issues, concerns and feedback from the community.

old_fogey
Dabbler
Posts: 17
Thanks: 6
Registered: ‎31-10-2016

Re: Hub One Firmware - Firewall Bugs wont be patched according to Plus.Net

Thanks for that article, yes the symptoms described there are exactly what I saw. But the hub one shows the flaw even with default firewall settings.

On the HH5 there is an option to turn the SIP alg off, which I've always done because I've no clue what it's doing. No such option on the hub one....
MisterW
Superuser
Superuser
Posts: 14,578
Thanks: 5,411
Fixes: 385
Registered: ‎30-07-2007

Re: Hub One Firmware - Firewall Bugs wont be patched according to Plus.Net

On the HH5 there is an option to turn the SIP alg off

Are you sure about that ? I've never used one myself but all the information I've seen on other forums seems to indicate there isn't any way to turn it off on the HH5.

I won't try and explain fully, but in brief, SIP has a problem traversing NAT. A SIP alg tries to assist by rewriting any private IP addresses in SIP packets, but unfortunately most SIP algs don't work very well and so are best turned off and other methods such as STUN or Outbound proxy used to solve the NAT problem.

Asterisk overcomes the problem by allowing you to configure it with your public IP and therefore prevents using private IP addresses in the SIP packets.  

Superusers are not staff, but they do have a direct line of communication into the business in order to raise issues, concerns and feedback from the community.

old_fogey
Dabbler
Posts: 17
Thanks: 6
Registered: ‎31-10-2016

Re: Hub One Firmware - Firewall Bugs wont be patched according to Plus.Net

Instructions for turning SIP alg off, which I found is required to get things to work in almost all configurations:

http://www.surevoip.co.uk/support/wiki/troubleshooting:sip_alg:bt_business_hub

 

 

MisterW
Superuser
Superuser
Posts: 14,578
Thanks: 5,411
Fixes: 385
Registered: ‎30-07-2007

Re: Hub One Firmware - Firewall Bugs wont be patched according to Plus.Net

That's for a BT Business hub not a BT HH 5. The PN Hub one is the same as the HH 5

Superusers are not staff, but they do have a direct line of communication into the business in order to raise issues, concerns and feedback from the community.

old_fogey
Dabbler
Posts: 17
Thanks: 6
Registered: ‎31-10-2016

Re: Hub One Firmware - Firewall Bugs wont be patched according to Plus.Net

Ah, sorry for any confusion caused by my lack of understanding of the various routers supplied.  It must therefore have been a BT Business Hub that I was comparing with the PlusNet Hub one (the one that looks like this: https://www.broadbandchoices.co.uk/guides/hardware/plusnet-hub-one ). 

 

Both ISP accounts are indeed small business accounts and both routers look identical to me (apart from the colour and the fine details of the options on the configuration screen).  Both have 2.4GHz and 5GHz wireless and the facility to make the lights on the front brighter and dimmer.  Both open port 5060.  The BT Business Hub allows turning off a SIP alg... the Plus.Net Hub one doesn't.

 

In fact so similar are these 2 routers that if you program one in Internet explorer and then try to program the other from the same PC without deleting internet temporary files the style sheets transfer from one to the other... and the HubOne will announce itself as a BT Business Hub.

MisterW
Superuser
Superuser
Posts: 14,578
Thanks: 5,411
Fixes: 385
Registered: ‎30-07-2007

Re: Hub One Firmware - Firewall Bugs wont be patched according to Plus.Net

Yes, they're all basically the same hardware but the Business hub 5 has different firmware to the HH5 ( and the PN Hub one )

Superusers are not staff, but they do have a direct line of communication into the business in order to raise issues, concerns and feedback from the community.