what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Horizon HD / WiFi Weak WiFi Passphrase Generation

Horizon HD / WiFi Weak WiFi Passphrase Generation
Posted Jan 28, 2016
Authored by Ivan Almuina

Horizon HD / WiFi suffers from a weak wifi passphrase generation vulnerability.

tags | exploit
SHA-256 | 078e609265d0354d2c20ab26b50fe6f37418e788f664f00ad8e155e3244bb7b5

Horizon HD / WiFi Weak WiFi Passphrase Generation

Change Mirror Download
----------------------------------------------------------------------------
Advisory ID: HCA0005 - http://hackingcorp.ch/advisories/HCA0005.pdf
Product: Horizon HD / WiFi
Vendor: Liberty Global plc companies (Unitymedia GmbH, UPC Cablecom, ...)
Affected Version(s): unknown
Tested Version(s): current
Vulnerability Type: Weak WiFi passphrase generation
Risk Level: Medium
Vendor Notification: 2015-05-14
Public Disclosure: 2016-01-25, patch ready (and validated by HC)
CVE Reference: Not assigned
Author of Advisory: Iván Almuiña <ivan.almuina and domain hackingcorp.ch>
Document date: 2015-05-14 initial version sent to Liberty Global plc
Document update: 2016-01-14 censored version for public disclosure
Credits: Iván Almuiña for finding the vulnerability and developing the PoC
Special Thanks: Nicolas Oberli for cleaning up the Proof-of-Concept
----------------------------------------------------------------------------

Description
----------------------------------------------------------------------------
The current model of the Horizon HD device sold by Liberty Global companies
(Unitymedia GmbH, UPC Cablecom, etc. We are not aware of all their companies
that sell this Set-Top Box around the world.) uses a weak default SSID/WPA2
passphrase generator. This vulnerability allows an attacker to predict – in
a matter of seconds and offline – the default WPA2 passphrase based on the
default SSID. By default, the latter is set as UPC24 or UPC50 followed by 7
digits (i.e. UPC241234567).

Technical details
----------------------------------------------------------------------------
During the boot process the script "/etc/init.d/XXXX" executes the binary
file named "/usr/sbin/XXXX". This executable checks if it has to setup the
default WiFi configuration, the following function manages the process:

----------------------------------------------------------------------------
| Due to legal restrictions and to limit potential damage this information |
| has been removed. |
----------------------------------------------------------------------------

As we can see in the previous excerpt the SSID and WPA2 passphrase
generation is based on the Cable Modem MAC address. The XXXX_* functions are
imported from the lib "/lib/XXXX.so" and contains the PRNG algorithm, in the
following excerpt we can see that the PRNG is fairly weak:

----------------------------------------------------------------------------
| Due to legal restrictions and to limit potential damage this information |
| has been removed. |
----------------------------------------------------------------------------

Based on the previous information we now know how to bruteforce the key
space to find the PRNG’s seed, which is the MAC address. An important detail
here is that the MAC addresses are 6 bytes long, with the first 3 bytes
representing the manufacturer (OUI).
This means that we are left with only 3 bytes (24 bits) to bruteforce,
greatly reducing the required time to explore all the key space.

The exploit works like this:

- Start with the MAC address XX:XX:XX:00:00:00 until XX:XX:XX:ff:ff:ff
- Generate the SSIDs based on the MAC address, try to match it
- If the SSID matches, generate the passphrase -> potential candidate

This process only takes a couple of seconds and has been implemented in a
Proof-of-Concept to verify the feasibility of the attack.

Proof of Concept
----------------------------------------------------------------------------
A weaponized exploit that takes advantage of this vulnerability named
'Horizon-WiFi.c' has been provided to the right persons.
The exploit takes a default SSID as input and outputs (in 2-3 seconds) some
passphrase candidates usually between 1 and 4.

If for some reason you consider that you should have access to the exploit
and/or the uncensored advisory, feel free to send your demand to 'contact'
followed by the domain hackingcorp.ch.

Recommendations
----------------------------------------------------------------------------
The SSID should not allow to reconstruct the PRNG seed. A solution would be
to divert the SSID from a different PRNG and/or use a Cryptographic RNG.

For the end users the solution is quite easy, change the default SSID/WPA2
passphrase of your Horizon HD STB.

Update 2016/01/14: The new firmware fixes the vulnerability using
cryptographic algorithms and diverting the seeds from unpredictable sources.
At this point Hacking Corp. does not know if the new firmware has been
pushed to all the affected customers, thus we recommend to apply the end
users solutionpreviously described.

Disclaimer
----------------------------------------------------------------------------
The information in the advisory is believed to be accurate at the time of
publishing based on currently available information. Use of the information
constitutes acceptance for use in an AS IS condition. There are no
warranties with regard to this information. Neither the author nor the
publisher accepts any liability for any direct, indirect, or consequential
loss or damage arising from use of, or reliance on, this information.



Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close