ITWire

Home Business IT Security Every BigPond Speedtouch router WiFi password vulnerable

Every BigPond Speedtouch router WiFi password vulnerable

Get all your tech news delivered to your mail box five days a week
iTWire UPDATE - it's FREE!


The magic behind this is in the publication of the algorithm that Thomson use, reverse-engineered by “security researchers.”
The Thomson Speedtouch isn’t only used by BigPond by any means; it’s also the hardware preferred by British Telecom (BT) in the United Kingdom, by Orange in Spain and many other large ISPs across the world.

Rather than try to crack the working of the hardware itself, a researcher named Kevin Devine discovered the Thomson algorithm by targeting the setup utility provided on the CD accompanying the device.

He found that a hashed version of the router’s serial number is generated, which then derives both the default SSID and the default encryption key.

Devine gave a high-level overview of the algorithm within the source code of his program stkeys:

Take as example: “CP0615JT109 (53)”
Remove the CC and PP values: CP0615109
Convert the “xxx” values to hexadecimal: CP0615313039
Process with SHA-1: 742da831d2b657fa53d347301ec610e1ebf8a3d0
The last 3 bytes are converted to 6 byte string, and appended to the word “Bigond” which becomes the default SSID: BigPondF8A3D0
The first 5 bytes are converted to a 10 byte string which becomes the default WEP/WPA key: 742DA831D2

It then becomes a matter of effort to brute-force possible serial numbers to find possible passwords for a given default SSID. This is what Devine’s stkeys tool does.

For a unit shipped to hundreds of thousands of homes within the country, the ability to narrow down the number of possible WPA keys to only two with just a matter of time is disturbing and remarkable.

Another security researcher has made tools based on stkeys to speed up the process using a pre-generated table of SSID to keys, meaning the crack becomes merely a lookup rather than a brute-force process. His tool also automatically applies each key to the WiFi network until the valid password is identified.

Although he declined to publish his code it is easy to imagine the possible harm if a fast and completely automated Speedtouch cracking tool were to become available to all and sundry.

Of course, you can still test your own network, just for informational purposes you understand, by using Devine’s stkeys or this dead simple Python script by Stavros aka Poromenos.

What’s the lesson? Never be lulled into a false sense of security when it comes to your home network. Just because a shiny card comes with your box that says “keep this card safe” you absolutely must set your own SSID and WPA key.

RECRUITMENT & RETENTION REPORT 2013

HIRE OR FIRE? BUY OR BUILD

2013 is well underway and Australian companies need to know whether they should invest in IT skills training or pay a premium for the people they need.

If you want to know which choices are being made in your sector, what skills are hard to find, which sectors intend to hire or fire and where the IT spend is going, this free report is must have.

GET YOUR REPORT NOW

David M Williams

joomla site stats

David has been computing since 1984 where he instantly gravitated to the family Commodore 64. He completed a Bachelor of Computer Science degree from 1990 to 1992, commencing full-time employment as a systems analyst at the end of that year. Within two years, he returned to his alma mater, the University of Newcastle, as a UNIX systems manager. This was a crucial time for UNIX at the University with the advent of the World-Wide-Web and the decline of VMS. David moved on to a brief stint in consulting, before returning to the University as IT Manager in 1998. In 2001, he joined an international software company as Asia-Pacific troubleshooter, specialising in AIX, HP/UX, Solaris and database systems. Settling down in Newcastle, David then found niche roles delivering hard-core tech to the recruitment industry and presently is the Chief Information Officer for a national resources company where he particularly specialises in mergers and acquisitions and enterprise applications.

More in this category: « GSM encryption is now effectively broken NIST-certified secure USB drives easily cracked »
back to top


Services

Company

Community

Connect

http://bs.serving-sys.com/BurstingPipe/adServer.bs?cn=tf&c=19&mc=imp&pli=5460041&PluID=0&ord=[2000]&rtu=-1