exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Belkin Insecure Default WPA2 Passphrase

Belkin Insecure Default WPA2 Passphrase
Posted Nov 19, 2012
Authored by Jakob Lell

Having a preconfigured randomly generated WPA2-PSK passphrase for wireless routers is basically a good idea since a vendor-generated passphrase can be much more secure than most user-generated passwords. However, in the case of Belkin the default password is calculated solely based on the MAC address of the device. Since the MAC address is broadcasted with the beacon frames sent out by the device, a wireless attacker can calculate the default passphrase and then connect to the wireless network. Vulnerable versions include, but are not limited to, Belkin Surf N150 Model F7D1301v1, Belkin N900 Model F9K1104v1, Belkin N450 Model F9K1105V2, and possibly Belkin N300 Model F7D2301v1.

tags | advisory
advisories | CVE-2012-4366
SHA-256 | 684453e25779c4ae90104f2addefb07264bc19185c67e2fec33fdde7ceba7c7c

Belkin Insecure Default WPA2 Passphrase

Change Mirror Download
CVE-2012-4366: Insecure default WPA2 passphrase in multiple Belkin 
wireless routers

I. Background

Belkin ships many wireless routers with an encrypted wireless network
configured by default. The network name (ESSID) and the (seemingly
random) password is printed on a label at the bottom of the device.

II. Description of vulnerability

Having a preconfigured randomly generated WPA2-PSK passphrase for
wireless routers is basically a good idea since a vendor-generated
passphrase can be much more secure than most user-generated passwords.
However, in the case of Belkin the default password is calculated solely
based on the mac address of the device. Since the mac address is
broadcasted with the beacon frames sent out by the device, a wireless
attacker can calculate the default passphrase and then connect to the
wireless network.

Each of the eight characters of the default passphrase are created by
substituting a corresponding hex-digit of the wan mac address using a
static substitution table. Since the wan mac address is the wlan mac
address + one or two (depending on the model), a wireless attacker can
easily guess the wan mac address of the device and thus calculate the
default WPA2 passphrase.

Moreover, the default WPA2-PSK passphrase solely consists of 8
hexadecimal digits, which means that the entropy is limited to only 32
bits (or 33 bits since some models use uppercase hex digits). After
sniffing one successful association of a client to the wireless network,
an attacker can carry out an offline brute-force attack to crack the
password. The program oclhashcat-plus can try 131,000 passwords per
second on one high end GPU (AMD Radeon hd7970) [1]. Doing a full search
of the 32-bit key space takes about 9 hours at this rate.

III. Impact

An attacker can exploit this vulnerability to calculate the WPA2-PSK
passphrase of a wireless network. This allows sniffing and decrypting
all wireless traffic in a purely passive attack given that the attacker
has also sniffed the association.

The attacker may also connect to the wireless network, which may allow
further exploitation of unprotected systems in the local network. An
attacker may furthermore use the wireless network to access the internet
from the owner's network. The network owner may then be held responsible
for any illegal activities perpetrated by the unauthorized users.


IV. Affected devices

Belkin Surf N150 Model F7D1301v1

The official Belkin support page [2] contains pictures of the label of
several other WiFi devices, which show that the following devices are
vulnerable as well:

Belkin N900 Model F9K1104v1
Belkin N450 Model F9K1105V2

The following device uses a variation of the algorithm and the password
consists of uppercase hex digits. When using our algorithm with the wlan
mac of the device, the first 5 digits of the password are calculated
correctly. It is likely that the algorithm differs only in the tables used.

Belkin N300 Model F7D2301v1

It is likely that other Belkin devices are affected as well.
Unfortunately, Belkin has not yet cooperated with us to fix the
vulnerability and/or confirm a list of other affected devices. If you
own a Belkin wireless router and want to know whether it is vulnerable
as well, you should change the passphrase and then send me the relevant
data (model number, wan/wlan mac address and original, default WPA2
passphrase).

V. Solution

Users of potentially affected wireless routers should change the
wireless passphrase to something more secure.

VI. Timeline

6.1.2012: Vendor contacted
27.1.2012: Escalated
29.10.2012: Another contact attempt, still no response
19.11.2012: Public disclosure

VII. Credits

Jakob Lell
Jörg Schneider

VIII. References

Advisory location: http://www.jakoblell.com/blog/?p=15

CVE-2012-4366:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4366

[1] http://hashcat.net/oclhashcat-plus/
[2] http://en-us-support.belkin.com/app/answers/detail/a_id/6989
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    0 Files
  • 20
    Mar 20th
    0 Files
  • 21
    Mar 21st
    0 Files
  • 22
    Mar 22nd
    0 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    0 Files
  • 26
    Mar 26th
    0 Files
  • 27
    Mar 27th
    0 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close