Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- Yes, we're back with more embedded devices vulnerability research! And
- yes, we're also back with more security attacks against the BT Home
- Hub (most popular DSL router in the UK)!
- As you know, we encourage folks in the community to team up with
- GNUCITIZEN in different projects as we've had very successful
- experiences doing so. This time it was Kevin Devine's turn. Kevin, who
- is an independent senior security researcher, did an awesome job at
- reverse engineering the *default WEP/WPA key algorithm* used by some
- Thomson Speedtouch routers including the BT Home Hub. Kevin noticed
- that all the public vulnerability research conducted in the past for
- the BT Home Hub had been released [1] by GNUCITIZEN, so he decided to
- share his findings and work with us in this fascinating project. As
- you might already know, at GNUCITIZEN we're committed members of the
- white-hat community who feel that it's our responsibility to inform
- the public when a security issue exists.
- * Confirmed suspicions *
- Many of us involved researching the security of wireless home routers
- have always suspected that routers that come with default WEP/WPA keys
- follow predictable algorithms for practical reasons. Yes, I'm talking
- about routers that come with those stickers [2] that include info such
- as S/N, default SSID, and default WEP/WPA key. Chances are that if you
- own a wireless router which uses a default WEP or WPA key, such key
- can be predicted based on publicly-available information such as the
- router's MAC address or SSID. In other words: it's quite likely that
- the bad guys can break into your network if you're using the default
- encryption key. Thanks to Kevin, our suspicion that such issue exists
- on the BT Home Hub has been confirmed (keep reading for more
- details!). Our advice is: *use WPA rather than WEP and change the
- default encryption key now!*
- * Brief history of default WEP/WPA key algorithms research *
- As far as I know, Kevin and james67 were the first researchers to
- publicly crack a default encryption key algorithm of a Wi-FI home
- router. Kevin cracked [3] the algorithm used by Netopia routers which
- are shipped Eircom in Ireland and AT&T in the US (the second ISP was
- never reported, 0day!). On the other hand james67 [4] targeted [5] the
- Netgear DG834GT router shipped by SKY in the UK. Unfortunately,
- james67 did not [6] publish the details of the algorithm he cracked
- which is a shame as it means that we cannot learn from his research.
- * The Thomson Speedtouch default WEP/WPA algorithm *
- Unlike james67, Kevin's strategy to crack default WEP/WPA algorithms
- involve debugging setup wizards shipped by some ISPs, as opposed to
- debugging the router which uses the default key algorithm. Kevin
- obtained a copy of such wizard ("stInstall.exe") provided by Orange in
- Spain - which can be found on broadband customers' installation CDs.
- Such setup utility allowed him to figure out the default key
- algorithm.
- In short we have:
- S/N -> hash -> default SSID and encryption key
- which can be read as: *a hashed version of the router's serial number
- is generated which is then used to derive both, the default SSID and
- the default encryption key.* This is just a high-level overview of the
- algorithm. More specifically we have (quoted from Kevin's stkeys tool
- source code comments):
- Take as example: "CP0615JT109 (53)"
- Remove the CC and PP values: CP0615109
- Convert the "XXX" values to hexadecimal: CP0615313039
- Process with SHA-1: 742da831d2b657fa53d347301ec610e1ebf8a3d0
- The last 3 bytes are converted to 6 byte string, and appended to
- the word "SpeedTouch" which becomes the default SSID: SpeedTouchF8A3D0
- The first 5 bytes are converted to a 10 byte string which becomes
- the default WEP/WPA key: 742DA831D2
- In the case of the BT Home Hub, the only difference that is we only
- take the last two bytes (rather than 3 bytes) from the SHA1 hash to
- derive the SSID:
- S/N: CP0647EH6DM(BF)
- Remove CC and PP values: CP06476DM
- "XXX" values hex-encoded: CP064736444D
- SHA1-ed: 06f48a28eba1ab896a396077d772fd65503b8df3
- Default SSID: BTHomeHub-8DF3
- Default encryption key: 06f48a28eb
- By brute-forcing possible serial numbers and deriving the default SSID
- and encryption key, we can find possible keys for a given default
- SSID, which is exactly what Kevin's stkeys [7] tool does.
- The bigger the number of hexadecimal digits the target SSID has, the
- smaller the number of generated possible keys is. For instance, if the
- target SSID is "SpeedTouchF8A3D0″, we can narrow down the number of
- possible keys to only two. On the other side, a target SSID with only
- 4 hex digits (2 bytes) such as "BTHomeHub-20E3″ would give us 80
- possible keys on average.
- We've tested ST585v6 which is shipped by Orange in Spain. Thomson
- Speedtouch routers provided by Orange in Spain come with WPA enabled
- by default. Being able to *narrow down the number of possible default
- WPA keys to only two* using Kevin's tool is quite remarkable.
- _Spanish translation of previous paragraph:_
- _Hemos probado el ataque contra el ST585v6 que viene con las
- conexiones de banda ancha de Orange en España. Los routers Thomson
- Speedtouch que son proveidos por Orange en España vienen con llave WPA
- activada por defecto. El poder reducir el numero de posibles llaves
- WPA que vienen por defecto a solo dos usando la herramienta de Kevin
- es formidable!_
- In the case of the BT Home Hub in the UK (which only comes with 40
- bits WEP encryption by default by the way), we can narrow down the
- number of possible keys to about 80. In order to avoid the
- brute-forcing computation time required by the "stkeys" tool, I
- created "BTHHkeygen" which looks up the possible keys for a given SSID
- from a pre-generated "SSID->keys" table. Think of it as a rainbow
- table for cracking the BT Home Hub's default WEP encryption key. Once
- the list of around 80 keys is obtained, the second step in the attack
- is to try each of them automatically, until the valid key is
- identified. For this purpose I created "BTHHkeybf" which is a fancy
- wrapper around the "iwconfig" Linux tool. We tested three different
- BT Home Hubs, and the the attack seems to work fine.
- _The BT Home Hub v1.5 model uses a different algorithm which we have
- not attempted to crack yet._
- There is one thing that I want to mention regarding this attack when
- launched against a BT Home Hub: breaking into a BT Home Hub Wi-Fi
- network which uses default settings (40 bits WEP) has always been
- possible in a matter of minutes (if packet injection attacks are used)
- since the Home Hub was released into the market. Therefore, this
- predictable-default-key attack doesn't change the current state of the
- BT Home Hub's Wi-Fi insecurity. It's always been known that BT Home
- Hub Wi-Fi networks can be easily broken into by cracking the WEP key!
- [8]
- * PoC *
- BTHHkeygen (including rainbow tables) and BTHHkeybf can be found here:
- http://conference.hitb.org/hitbsecconf2008dubai/materials/D2T1%20-%20Adrian%20Pastor%20-%20Cracking%20Into%20Embeded%20Devices%20and%20Beyond.zip
- (located on the "\BT Home Hub\demo_exploits\Default WEP key cracking\" folder)
- * References *
- [1] http://www.google.co.uk/search?q=site:gnucitizen.org+bt+home+hub&num=100&hl=en&filter=0
- [2] http://www.belkin.com/support/dl/assets/uk-labels/bthomehub2.jpg
- [3] http://h1.ripway.com/kevindevine/wep_key.html
- [4] http://www.skyuser.co.uk/forum/blogs/james67/
- [5]
- http://www.skyuser.co.uk/forum/sky-broadband-help/20295-breaking-terms-conditions-your-views-welcome-2.html#post128738
- [6] http://www.theregister.co.uk/2008/02/21/sky_broadband_wi_fi_keys_unpicked/
- [7] http://weiss.u40.hosting.digiweb.ie/stech/stkeys.zip
- [8] http://www.hackernotcracker.com/2007-06/using-aircrack-ngaireplay-ng-under-injection-monitor-mode-in-windows.html
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement