Yes, we're back with more embedded devices vulnerability research! And yes, we're also back with more security attacks against the BT Home Hub (the most popular DSL router in the UK)!

As you know, we encourage folks in the community to team up with us in different projects, as we've had very successful experiences doing so. Kevin, who is an independent senior security researcher, did an awesome job at reverse engineering the default WEP/WPA key algorithm used by some Thomson Speedtouch routers, including the BT Home Hub. Kevin noticed that all the public vulnerability research conducted in the past for the BT Home Hub had been released by GNUCITIZEN, so he decided to share his findings and work with us on this fascinating project.

Many of us involved in researching the security of wireless home routers have always suspected that routers that come with default WEP/WPA keys follow predictable algorithms, for practical reasons. Yes, I'm talking about routers that come with those stickers that include info such as the S/N, default SSID and default WEP/WPA key. Chances are that if you own a wireless router which uses a default WEP or WPA key, that key can be predicted from publicly available information such as the router's MAC address or SSID. In other words: it's quite likely that the bad guys can break into your network if you're using the default encryption key. Thanks to Kevin, our suspicion that such an issue exists on the BT Home Hub has been confirmed (keep reading for more details!). Our advice is: use WPA rather than WEP, and change the default encryption key now!

Brief history of default WEP/WPA key algorithms research

As far as I know, Kevin and james67 were the first researchers to publicly crack a default encryption key algorithm of a Wi-Fi home router. Kevin cracked the algorithm used by Netopia routers, which are shipped by Eircom in Ireland and AT&T in the US (the second ISP was never reported, 0day!). On the other hand, james67 targeted the Netgear DG834GT router shipped by SKY in the UK. Unfortunately, james67 did not publish the details of the algorithm he cracked, which is a shame as it means that we cannot learn from his research.

The Thomson Speedtouch default WEP/WPA algorithm

Unlike james67, Kevin's strategy for cracking default WEP/WPA algorithms involves debugging the setup wizards shipped by some ISPs, as opposed to debugging the router which uses the default key algorithm. Kevin obtained a copy of such a wizard ("stInstall.exe") provided by Orange in Spain, which can be found on broadband customers' installation CDs. That setup utility allowed him to figure out the default key algorithm. In short we have:

S/N -> hash -> default SSID and encryption key

which can be read as: a hashed version of the router's serial number is generated, which is then used to derive both the default SSID and the default encryption key. This is just a high-level overview of the algorithm. More specifically we have (quoted from Kevin's stkeys tool source code comments):

Convert the "XXX" values to hexadecimal: CP0615313039
SHA1-ed: 06f48a28eba1ab896a396077d772fd65503b8df3
The first 5 bytes are converted to a 10 byte string which becomes the default WEP/WPA key: 742DA831D2
The last 3 bytes are converted to a 6 byte string, and appended to the word "SpeedTouch" which becomes the default SSID: SpeedTouchF8A3D0

In the case of the BT Home Hub, the only difference is that we only take the last two bytes (rather than 3 bytes) from the SHA1 hash to derive the SSID. By brute-forcing possible serial numbers and deriving the default SSID and encryption key, we can find possible keys for a given default SSID, which is exactly what Kevin's stkeys tool does. The bigger the number of hexadecimal digits the target SSID has, the smaller the number of generated possible keys is.