Default key algorithm in Thomson and BT Home Hub routers
Yes, we’re back with more embedded-device vulnerability research! And yes, we’re also back with more security attacks against the BT Home Hub (the most popular DSL router in the UK)!

As you know, we encourage folks in the community to team up with GNUCITIZEN in different projects as we’ve had very successful experiences doing so. This time it was Kevin Devine’s turn. Kevin, who is an independent senior security researcher, did an awesome job at reverse engineering the default WEP/WPA key algorithm used by some Thomson Speedtouch routers including the BT Home Hub. Kevin noticed that all the public vulnerability research conducted in the past for the BT Home Hub had been released by GNUCITIZEN, so he decided to share his findings and work with us in this fascinating project. As you might already know, at GNUCITIZEN we’re committed members of the white-hat community who feel that it’s our responsibility to inform the public when a security issue exists.
Confirmed suspicions
Many of us involved in researching the security of wireless home routers have long suspected that routers shipped with default WEP/WPA keys derive them by predictable algorithms, for practical reasons. Yes, I’m talking about routers that come with those stickers listing info such as S/N, default SSID, and default WEP/WPA key. Chances are that if you own a wireless router which uses a default WEP or WPA key, that key can be predicted from publicly available information such as the router’s MAC address or SSID. In other words: it’s quite likely that the bad guys can break into your network if you’re using the default encryption key. Thanks to Kevin, our suspicion that such an issue exists on the BT Home Hub has been confirmed (keep reading for more details!). Our advice is: use WPA rather than WEP and change the default encryption key now!
Brief history of default WEP/WPA key algorithms research
As far as I know, Kevin and james67 were the first researchers to publicly crack a default encryption key algorithm of a Wi-Fi home router. Kevin cracked the algorithm used by Netopia routers shipped by Eircom in Ireland and AT&T in the US (the second ISP was never reported, 0day!). james67, on the other hand, targeted the Netgear DG834GT router shipped by SKY in the UK. Unfortunately, james67 did not publish the details of the algorithm he cracked, which is a shame as it means that we cannot learn from his research.
The Thomson Speedtouch default WEP/WPA algorithm
Unlike james67, Kevin’s strategy for cracking default WEP/WPA algorithms involves debugging the setup wizards shipped by some ISPs, as opposed to debugging the router which uses the default key algorithm. Kevin obtained a copy of such a wizard ("stInstall.exe") provided by Orange in Spain, which can be found on broadband customers’ installation CDs. This setup utility allowed him to figure out the default key algorithm.
In short we have: S/N -> hash -> default SSID and encryption key, which can be read as: a hashed version of the router’s serial number is generated, which is then used to derive both the default SSID and the default encryption key. This is just a high-level overview of the algorithm. More specifically we have (quoted from Kevin’s stkeys tool source code comments):
Take as example: “CP0615JT109 (53)”
Remove the CC and PP values: CP0615109
Convert the “XXX” values to hexadecimal: CP0615313039
Process with SHA-1: 742da831d2b657fa53d347301ec610e1ebf8a3d0
The last 3 bytes are converted to a 6-byte string, and appended to the word “SpeedTouch” which becomes the default SSID: SpeedTouchF8A3D0
The first 5 bytes are converted to a 10-byte string which becomes the default WEP/WPA key: 742DA831D2
In the case of the BT Home Hub, the only difference is that we take only the last two bytes (rather than three) of the SHA-1 hash to derive the SSID:
S/N: CP0647EH6DM(BF)
Remove CC and PP values: CP06476DM
"XXX" values hex-encoded: CP064736444D
SHA1-ed: 06f48a28eba1ab896a396077d772fd65503b8df3
Default SSID: BTHomeHub-8DF3
Default encryption key: 06f48a28eb
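As an added example (not code from the post or from Kevin’s stkeys), the derivation above in Python, written so a router owner can compare the SSID and key printed on their own sticker with what the algorithm predicts from the serial number. The `speedtouch`/`bthomehub` model names and the serial-number parsing are my assumptions based on the two sticker layouts shown above.

```python
"""Reproduce the SpeedTouch / BT Home Hub default-key derivation described above
(added example, not Kevin's stkeys code) so a router owner can check whether the
SSID/key on their own sticker is the predictable factory default."""
import hashlib
import re

# Sticker serial layout: "CP" YY WW PP XXX "(CC)", e.g. "CP0615JT109 (53)".
# PP and CC are discarded by the algorithm; only CPYYWW and XXX are hashed.
SERIAL_RE = re.compile(r"^(CP\d{4})([A-Z0-9]{2})([A-Z0-9]{3})(?:\(([A-Z0-9]{2})\))?$")

# SSID prefix and number of trailing hash hex digits used per model (from the post).
MODELS = {"speedtouch": ("SpeedTouch", 6), "bthomehub": ("BTHomeHub-", 4)}


def normalise_serial(serial):
    """CP0615JT109 (53) -> CP0615313039: drop CC and PP, hex-encode XXX (uppercase)."""
    m = SERIAL_RE.match(serial.replace(" ", "").upper())
    if not m:
        raise ValueError("unrecognised serial number format: %r" % serial)
    cpyyww, _pp, xxx, _cc = m.groups()
    return cpyyww + xxx.encode("ascii").hex().upper()


def derive_defaults(serial, model="speedtouch"):
    """Return (default SSID, default WEP/WPA key) the algorithm yields for a serial."""
    prefix, suffix_len = MODELS[model]
    digest = hashlib.sha1(normalise_serial(serial).encode("ascii")).hexdigest().upper()
    key = digest[:10]                      # first 5 hash bytes -> 10 hex digits (40 bits)
    ssid = prefix + digest[-suffix_len:]   # last 2 or 3 hash bytes -> SSID suffix
    return ssid, key


def key_is_factory_default(serial, model, ssid, key):
    """True when a sticker's SSID/key pair is exactly what the algorithm predicts,
    i.e. the key is recoverable by anyone who can see the SSID."""
    return (ssid, key.upper()) == derive_defaults(serial, model)


if __name__ == "__main__":
    # Both serial numbers are the ones worked through in the post.
    for serial, model in (("CP0615JT109 (53)", "speedtouch"), ("CP0647EH6DM(BF)", "bthomehub")):
        ssid, key = derive_defaults(serial, model)
        print("%-18s -> %-18s key %s" % (serial, ssid, key))
```

If `key_is_factory_default` returns True for your own router, the key on the sticker is the one this scheme produces and should be replaced.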
By brute-forcing possible serial numbers and deriving the default SSID and encryption key, we can find possible keys for a given default SSID, which is exactly what Kevin’s stkeys tool does.
The more hexadecimal digits the target SSID has, the smaller the number of generated candidate keys. For instance, if the target SSID is "SpeedTouchF8A3D0", we can narrow down the number of possible keys to only two. On the other hand, a target SSID with only 4 hex digits (2 bytes) such as "BTHomeHub-20E3" would give us 80 possible keys on average.
We’ve tested ST585v6 which is shipped by Orange in Spain. Thomson Speedtouch routers provided by Orange in Spain come with WPA enabled by default. Being able to narrow down the number of possible default WPA keys to only two using Kevin’s tool is quite remarkable.
In the case of the BT Home Hub in the UK (which only comes with 40-bit WEP encryption by default, by the way), we can narrow down the number of possible keys to about 80. In order to avoid the brute-forcing computation time required by the “stkeys” tool, I created “BTHHkeygen”, which looks up the possible keys for a given SSID from a pre-generated “SSID->keys” table. Think of it as a rainbow table for cracking the BT Home Hub’s default WEP encryption key. Once the list of around 80 keys is obtained, the second step in the attack is to try each of them automatically until the valid key is identified. For this purpose I created “BTHHkeybf”, which is a fancy wrapper around the “iwconfig” Linux tool. Unfortunately, in order to prevent abuse, we’re not publishing these tools. We tested three different BT Home Hubs, and the attack seems to work fine.
There is one thing that I want to mention regarding this attack when launched against a BT Home Hub: breaking into a BT Home Hub Wi-Fi network which uses default settings (40-bit WEP) has always been possible in a matter of minutes (if packet injection attacks are used) since the Home Hub was released onto the market. Therefore, this predictable-default-key attack doesn’t change the current state of the BT Home Hub’s Wi-Fi insecurity. It’s always been known that BT Home Hub Wi-Fi networks can be easily broken into by cracking the WEP key!
Comments
Pretty interesting post, Adrian. Cryptography and encryption schemes are not my strong point, but I would imagine this took a lot of work, and is quite impressive.
I never fail to be amazed by the fact companies are willing to ship to millions of customers routers which have WEP rather than WPA by default, but it is even more astonishing that the default key (which, let’s face it, most people will never change, knowing nothing about computer security) can be derived from the default SSID (which is public knowledge)!
Good work guys on continuing to keep the pressure on BT and other companies to wise up. I mean how hard can it be for them?
As always, a high quality post. Thank you very much for this information and thank you kevin for making this possible ;)
This information is dynamite, and brings to mind the info posted on http://www.rfidupdate.com/arti.....p;from=rss where RFIDs can be cloned; this is the basis of the UK Government ID cards!
Thanks a lot for your feedback guys. As you know we never hide anything at GNUCITIZEN. We truly believe this benefits everyone (including consumers) in the long run. And of course, thank you Kevin: this project wouldn’t have been possible without your help!
Stay tuned for HITB Dubai 2008!
Good job! I tried it with both my new and old hub... Works perfectly!
Great article. I just tried this at home (several of my neighbours appear to have Home Hubs), and it works perfectly.
I might buy a BT Home Hub 1.5, see if I can’t beat you to the plate next time ;)
This works for my SpeedTouch!! I just checked it. My question is: I use a 128-bit key, generated by my SpeedTouch. Can this be found out as well?
Sorry for my English.
Thanks very much, I’ll continue evangelising WPA and non-trivial passwords.
Wohoo, you guys have been getting very good results with this attack! As you can see it works quite wonderfully!
btw, I’m releasing BTHHkeygen with the rainbow tables tomorrow at HITB Dubai 2008: http://conference.hackinthebox.....age_id=186
Using such tool you’ll be able to generate the (about 80) possible keys for the BT Home Hub instantly, thus saving bruteforcing time. BTHHkeybf which allows you to identify the valid key *will* also be released with the rest of my presentation materials.
Additionally, I will also release “axis-defacer”: a PoC tool to demo video stream replacement attacks (hijacking surveillance video) for Axis IP cameras.
I have ported Kevin Devine’s stkeys.c to Python if anyone’s interested. My script uses Python 2.5’s hashlib for sha1. It’s a lot shorter than the C version.
Hey, I just found out the 128-bit key in my router wasn’t generated by my SpeedTouch... Only the first characters are the ones from the 64-bit key.
Great tool, thanks!!
Adrian Pastor,
Again.. wonderful post!!!!
I am finishing a (how-to, step-by-step) secure your wireless networks…
Using firewalls, VPNs, TKIP, correct crypto like WPA2, wireless IPS, fake APs, and more…
This new kind of attack will be mentioned inside the how-to with full author credits!
Thanks to GNUCITIZEN and other independent researchers!
It will be available soon!
If possible I will post something here.
@Marchiner: please let us know when you publish such article. It sounds interesting!
@Simon: if the key is the default one, then it’s quite likely that it will work. The vulnerability has nothing to do with the encryption type or strength, but rather with the fact that the key value is predictable. Your best bet is to simply try out the attack.
@Hubert: that sounds really cool. Can you please post the link to the Python port?
Hi dudes!
I hope it will help u!
http://weiss.u40.hosting.digiweb.ie/stech/
And this is KeyGen for SpeedTouch THOMSON!
http://www.mediafire.com/?svyenmddzm3
See u dudes! 8)
Def 69
thanks for the heads-up
Kevin has added my ssid2key.py Python script to http://weiss.u40.hosting.digiw.....stkeys.zip
For the script kiddie in all of us, I’ve created a Windows XP version of “BTHHkeybf”.
In the name of responsible disclosure, I’ll release it after Adrian has done his talk and makes his code available.
BTHHkeygen (including rainbow tables) and BTHHkeybf can be found here: http://conference.hitb.org/hit.....Beyond.zip
(located on the “\BT Home Hub\demo_exploits\Default WEP key cracking\” folder)
@Edward: you can now go ahead and post a link to your WinXP port :) Thanks for waiting for our release first.
@Hubert: thanks for letting us know!
hahaha, that’s a good work :).
A similar algorithm exists for the generation of the default WEP key in the Hitachi AH4021 and AH4222, used in France by Club-Internet and Alice.
In fact, the default WEP key is the beginning of the SHA-1 hash of the default SSID, which is derived from the serial number of the device (which is derived from the MAC address of the Wi-Fi interface).
We came to that conclusion thanks to the marvelous work of Club-Internet, who just released a Windows GUI tool named WEPtool. WEPtool takes a Club-Internet.box SSID and generates the corresponding WEP key (yes, our #@! government votes for fascist laws against the citizens while ISPs help wardrivers and outlaws). What is really fun is that we did not need to perform any sort of reverse engineering to understand the generation process: the WEPtool relies entirely upon a DLL called FSHash (for File String Hash), and the source code of that library is open source!
What you need is a SHA-1 computing program, and you can hack into any of these.
The WEPtool binary and the source code of the FSHash DLL can be found on my humble website. Reverse engineering work has been done by a member of the FRET group, and all of this was originally published in the 2600 Lille meeting reports during 2007 and in this thread, thanks to my friend oxyde.
Edward Pearson, when will you be releasing your Win32 version of BTHHkeygen and BF? Thanks
What are the CC, PP and XXX values? You lost me there…
@Ricky “Hexy” Small
Probably when I get home tonight. Last night I forgot.
Would be very interesting seeing the win32 version. Great job guys! BT Sucks!
Right. Sorry about the delay, I’ve had a very busy couple of days.
As requested, here is the Windows XP version of BTHHkeybf
http://facecrook.net/BTHHkeybf.zip
This code isn’t elegant, optimized, well written, or pretty, but it works well. It was 2am and I needed an Internet connection; best practice wasn’t an issue.
There’s always a chance you’ll have to make a few changes to the script (different network auth type perhaps, higher DHCP timeout maybe).
Please feel free to do whatever you want with this, use it, edit it, distribute it.
Look inside BTHHkeybf.vbs for additional help.
(P.S. This probably won’t work on Vista; for those interested, I suggest you investigate the built-in “netsh” utility, by the looks of things it could be used as a drop-in replacement for Engl’s zwlancfg.exe.)
Cannot get the Win32 version to work. Anyone fancy making a guide or step by step? Cheers x
Elfist,
One step-by-step, coming up.
For this example, we’re using BTHomeHub-CD07
First use stkeys to generate a list of possible keys, use the -o option to output these to a file:
stkeys -i CD07 -o keys.txt
Then, in command prompt, run my script against this file, thus:
cscript BTHHkeybf.vbs BTHomeHub-CD07 keys.txt
Provided you’re NOT connected to any wireless networks when you run it, and the Wireless Zero Config service is running and enabled, it’ll crack the password.
Lovely!
But a bit of a problem. I know this isn’t a support site or anything, but I think a lot of people would have the same problems as I’m having. So sorry if I’m annoying! I managed to output the keys file from stkeys. Then I type cscript BTHHkeybf.vbs BTHomeHub-CD07 keys.txt and not a lot happens… Is it meant to automatically connect to the network after I hit enter? Or wait a while until it finds the right key? And also, should it be compatible with XP SP3? And in the outputted txt file, are the first 10 digits one possible key, then the next 10 the next possible key, etc.? Thanks again! x
I need more than “not a lot happens”. What does it say when you run BTHHkeybf.vbs?
You need WZC enabled as I said before. You also need to replace BTHomeHub-CD07 with the SSID you’re trying to crack.
Yes, the keys are what you used stkeys for. RTFA!!!
I was using CD07 as an example, obviously. WZC is enabled. When I run BTHHkeybf.vbs it comes up with the usage and the example (Example: cscript BTHHkeybf.vbs BTHomeHub-CD07.txt) in cmd but doesn’t actually crack it or do anything.
Any progress on the Windows version of BTHHkeygen?
I have made a WinXP version. I will email it to anyone interested.
-S
The Win32 version is linked above…
It works perfectly for me; I can only assume Elfist is doing something wrong.
Oh sorry, you want the keygen.
Adrian’s tool precomputes the keys into a rainbow-table type configuration. This allows the lookups to be instant.
You can use the stkeys program detailed above if you don’t care about the crypt speed (my Centrino does it in a matter of seconds).
RTFA!!
Slinx, what’s your email?
files.slinx (at) googlemail [dot] com
-S
I’ve got a PS3 and there are a few BT Home Hubs around me. Is there any way to hack them?
Thanks so much if you can help.
Please email me the answer or post here.
there are many ways but you are on your own in this business :)
For the third time: RTFA.
It’s not exactly cryptic, it’s practically a step by step.
It’s funny, when someone is so focused on breaking into a computer network and not interested in the learning experience, he will fail to see how it can be done even when the information is right in front of his eyes!
@Simon: this attack has only been tested with the factory-default keys used by Thomson Speedtouch/BTHH routers. In some cases (it can depend on the ISP) the default is a WPA key; in others, it’s a WEP key.
In the case of the BT Home Hub, which is widely used in the UK, the default key is a 40-bit WEP key.
Thanks for the info