Tuesday, March 25, 2014

Vectra (Poland): the security (doesn't) matter

It's not a secret that telecom operators uses ruoter's mac addresses (often the WAN mac address or some hashed version of it) as a default wifi password. And some operators don't give you the ability to change it to something else.
This makes a big security hole for the end-user that often doesn't understands how much it's dangerous.

Now I'm living in Poland and I saw several Vectra wifi networks (vnet-XXXXXX) around me. My sister in law has a cable contract with Vectra operator so I seen that Vectra uses the WAN interface mac address (in that case was the upper-case version without ":") as wifi password and that password cannot be changed by user (the web-interface of the router is locked and you need an administrative user/password to log in).

So, what if an attacker wants to join your wifi network? Ok, the attacker has to know the mac address of the WAN interface, but it's possible to calculate it.

The procedure is simple.

Most of routers distribuited by operators uses the same vendor to buy internal network hardware. So the wifi interface is manifactured by the same vendor (and therefore has the same initial part of the mac-address) as the WAN inteface.

If you want to obtain the complete wifi password, you just need a simple wifi sniffer (even with a smartphone, just like Wifi Analyzer or others) to see the wifi interface mac-address of the router.

Once obtained the external mac-address, just try to use it as wifi password by subtracting (or adding) 1, 2 or 3 values. For example, if the WLAN mac address is 00aabb112233, just try 00aabb112232, 00aabb112231, 00aabb112230, 00aabb112234, 00aabb112235, 00aabb112236. Try these passwords in lower-case and upper-case versions. Infact, when mac addresses are assigned to the network interfaces of a device they are simply assigned sequentially.

In the case of Vectra, the procedure is even simplified. Once obtained the external mac-address, take just the first 3 bytes in hex (i.e. 00aabb112233 just take 00aabb), concatenate these three bytes with the name of the wifi network except "vnet-" (i.e. vnet-112231 just take 112231 only), upper-case it (if doesn't work try the lower-case version of the password) and you have the wifi password to access the wifi network (in the example the password should be 00AABB112231 ).

Just to be clear, another example:

SSID: vnet-800877
WIFI PASSWORD: 003DCB800877 or 003dcb800877

The upper-case or lower-case version depends only by the Vectra man who sets up the router and he can choose to use the upper case or the lower case version of the mac address as a password (he can choose to use any other password, but it's just a common thing for they to use the WAN mac address).

Anyway, sometimes router's internal and wifi mac-addresses differs because they are not made by the same vendor. In this case you must use some utilities and a dictionary based software (like aircrack-ng) to test the combination of all "vendors id" used by the router. So you have first to know which kind of router is used.

I tried this procedure with 3 different Vectra routers (all made by Arris, two provided by my sister and one provided by an her friend) and it worked in all cases.

The information above are just to explain how the security is often undervalued and treated like something that doesn't matter.
Of course I decline any responsibility of using the above information to get unauthorized access to Vectra wifi networks. Remeber that unauthorized access even to a wifi network is a crime. So be careful and honest. ;-)

This post is not written with the purpose to accuse Vectra operator of bad service, but is written to help people to take care of they security and protect themselves even in the electronic world.

Again, be careful and honest! Don't access to any wifi network if you don't have owner's authorization!!!

Let me know if this procedure worked on your Vectra wifi too!

If you want to change the password of your Vectra wifi network, call Vectra customer care service by phone and they will set a new password for you.