Verizon’s false sense of security with Fios installations.

This post returns here: https://gigamike.wordpress.com/2008/07/09/verizons-false-sense-of-security-returns/ with some other info. Read below then the follow-up for a good laugh.

Today (6/6/2008) I was politely asked by someone claiming to be working on the Verizon security issue to take my article down. I suppose that the impact of my findings could be severe if the information got into the wrong hands.

Personally, I think my original article was a little too cryptic and probably went over most people’s heads that read it. Anyway, I have decided out of good conscience to remove the article. I would hate for something so horrible to happen to Verizon to somehow make me (or everyone) lose my Fios.

But the bottom line is that phone companies (or any company) shouldn't pretend to be something that they are not. Maybe many of the Verizon peeps that head up the Fios team still think they are dealing with voice. It wouldn't hurt to have a professional security adviser to say “WEP, are you kidding me?? You’re fired” to the newb that thought of the idea in the first place. But I guess we were all newbs at one point in our lives.

I was just about to publish a step-by-step “how-to” but this anonymous source contacted me just in time.

The original article is available to security experts upon request. Just post a comment to this blog. I will be notified and try to see if you are legit. If you are then you might get a copy.


6 Responses to Verizon’s false sense of security with Fios installations.

  1. Anonymous says:

    This guy’s comment was also removed because it explains a piece of the vulnerability. Sorry to squash your freedom of speech dude, but the issue is being taken care of and that’s all I wanted.

    mike

    This comment also returns on 7/9/2008

    Also, the default ESSID is just the last six hex digits of the wireless MAC address converted to base-36 (0-9A-Z). However, this base-36 value is backwards, that is, the least significant digit comes first.

    So, the default ESSID name could be used to find the last six digits of the wireless MAC address. The first six digits of the MAC address will be one of Actiontec’s OUIs. Once you know the wireless MAC address, you can then use the last ten digits as the default WEP key.

  2. Fred Williams says:

    Oh, but it’s NOT being taken care of. The last comment above is from May 2008. It’s now Feb 2009, and the latest Actiontec routers (Rev d) are still being installed by Verizon FiOS with the default WEP Key set to the wired side MAC address, and the SSID name set to the base-36 string of that MAC address as explained above. They’ve had plenty of time to fix this for new customer installations, and instruct existing customers on the essentials of security.

    • gigamike says:

      You are right, that is why I put the write-up back online. I truly don’t think this guy ever really thought VZ was working on it. Like I said in my follow up, I think he was just trying to get me to silence my blog post so that he could take credit for the discovery. I fell for it and took it offline for a while. It wasn’t until I did some more research on the guy that I realized I was given a line of crap and put it online.

      I am not as outraged as I used to be, but it’s just really disappointing to see this kind of behavior from VZ.

  3. Fred Williams says:

    Here’s an example, to show how easy it is.

    You don’t need a network sniffer, aircrack, or access to see the sticker on the bottom of the router.

    The 5-character SSID name is a base-36 number of the lower 48 bits (6 hex digits) of the WEP key. The string is reversed, with the most significant digit on the right.

    Base-36 numbers use 0-9 followed by A-Z to represent 36 digits (0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ)
    It maps out like this:
    0=00, 1=01, 2=02, 3=03, 4=04, 5=05,
    6=06, 7=07, 8=08, 9=09, A=10, B=11,
    C=12, D=13, E=14, F=15, G=16, H=17,
    I=18, J=19, K=20, L=21, M=22, N=23,
    O=24, P=25, Q=26, R=27, S=28, T=29,
    U=30, V=31, W=32, X=33, Y=34, Z=35

    To go through an example, the SSID name of “E3X12” comes out as follows.

    E*(36^0) is 14 * 1 = 14
    3*(36^1) is 03 * 36 = 108
    X*(36^2) is 33 * 1296 = 42,768
    1*(36^3) is 01 * 46656 = 46,656
    2*(36^4) is 02 * 1679616 = 3,359,232
    Add these up, and you get 3,448,778 decimal which is 349FCA in Hexadecimal notation.
    The first 4 hex digits of the WEP key are the 2nd and 3rd byte from the MAC address as indicated in the original post above.

    The Wired side and Wireless side MAC addresses are generally from the same Actiontec pool of MAC addresses (and of those, I’ve only seen 001801 and 001F90 used so far in their manufacturing).

    NetStumbler will show you the BSSID (wireless MAC) is 00-18-01-EA-3D-99, but you don’t even need NetStumbler… just assume it’s either 18-01 or 1F-90.

    Therefore the default WEP key for this router is: 1801349FCA
    (On the off chance the wired and wireless side MAC address differ, just try 1F90349FCA instead)

    To make life easier, you can use a macro formula in Excel to help out.
    Put the 5-character SSID in the 1st cell (A1), and paste in this formula in A2.
    =IF(A1="","0",SUMPRODUCT(POWER(36,ROW(INDIRECT("1:5"))-1),CODE(UPPER(MID(A1,ROW(INDIRECT("1:5")),1)))-48-7*(CODE(UPPER(MID(A1,ROW(INDIRECT("1:5")),1)))>64)))
    The result is the decimal value of the lower 48-bits of the WEP Key.

    If you have the Analysis ToolPak (See Tools->Add-Ins…), this formula in A3:
    =DEC2HEX(A2,6)
    will convert the above number to hexadecimal.
    Or use Windows Calculator (in Scientific mode) to convert decimal to hexadecimal.

    Btw, all the Actiontec Electronics, Inc. registered MAC prefixes are:
    001801, 001F90, 0020E0, 001EA7, 000FB3, 001505, 00247B
    (But I’ve only seen the first two of them used on the MI424WR routers)
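    The reversed base-36 encoding walked through in the two comments above, written out as an added audit check that is not code from the post or its commenters: it decodes a 5-character SSID to the 24-bit MAC suffix it encodes, rejects SSIDs whose value does not fit in 24 bits, and reports whether the SSID matches a MAC printed on the router label, which is the signal that the factory default is still in use and both SSID and encryption need changing. The MAC values are either quoted from the thread or constructed for illustration.

```python
# Added example (not from the post or its commenters): decode the reversed
# base-36 default SSID and flag routers still using the predictable default.
# MAC addresses used below are quoted from the thread or constructed.

BASE36 = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def _mac_hex(mac: str) -> str:
    """Strip separators from a MAC address and return its hex digits, uppercased."""
    return "".join(ch for ch in mac.upper() if ch in "0123456789ABCDEF")


def ssid_to_mac_suffix(ssid: str):
    """Decode a 5-character SSID as a reversed base-36 number (least significant
    digit first) and return the 24-bit MAC suffix as 6 hex digits.
    Returns None if the SSID is not 5 base-36 characters or if the value is
    more than 24 bits (7 hex digits), which is not a MAC-derived default."""
    s = ssid.strip().upper()
    if len(s) != 5 or any(ch not in BASE36 for ch in s):
        return None
    value = sum(BASE36.index(ch) * 36 ** i for i, ch in enumerate(s))
    if value > 0xFFFFFF:
        return None
    return f"{value:06X}"


def mac_suffix_to_ssid(mac: str) -> str:
    """Encode the last 24 bits of a MAC address as the reversed base-36 SSID."""
    value = int(_mac_hex(mac)[-6:], 16)
    digits = []
    for _ in range(5):          # emit least significant base-36 digit first
        digits.append(BASE36[value % 36])
        value //= 36
    return "".join(digits)


def uses_default_ssid(ssid: str, label_macs) -> bool:
    """Audit check: does the SSID encode the suffix of any MAC on the router
    label (wired or wireless side)? True means the factory default is in use
    and any key derived from that MAC must be assumed known."""
    suffix = ssid_to_mac_suffix(ssid)
    return suffix is not None and any(_mac_hex(m)[-6:] == suffix for m in label_macs)


if __name__ == "__main__":
    # "E3X12" and BSSID 00-18-01-EA-3D-99 are from the comment above; the
    # wired-side MAC 00:18:01:34:9F:CA is constructed to match that example.
    print(ssid_to_mac_suffix("E3X12"))                                   # 349FCA
    print(uses_default_ssid("E3X12", ["00-18-01-EA-3D-99", "00:18:01:34:9F:CA"]))
    print(ssid_to_mac_suffix("P75QA"))   # None: decodes to 7 hex digits, not a MAC
```

Note that the check compares against both label MACs, because in the example above the wireless BSSID (EA3D99) does not match the SSID while the wired-side address does.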

  4. Don Jon says:

    I’m wondering if perhaps Verizon or Actiontec has corrected this blunder in the recent versions of their Actiontec FIOS routers.

    I live in an area where FIOS was only recently lit up (January of this year). Here’s what my neighborhood looks like courtesy of NetStumbler:

    As you can see, there are plenty of FIOS routers around. But I immediately noticed several problems:

    (1) Look at the MAC prefixes of all the identifiable Actiontec routers (the ones with five-character base36 SSIDs). All are 00:21:63. That’s entirely different from the ones Fred gives above.

    (2) Almost all the base36 SSIDs shown in my screen capture, if run through your conversion process, produce a result that’s one digit too long. E.g., http://xkyle.com/2009/03/03/verizon-fios-wireless-key-calculator/
    turns “P75QA” into “18 01 11 2E 6E 5” and “1F 90 11 2E 6E 5”. I suppose this could only be possible if *these* SSIDs were being based on something entirely different than MACs. (?)

    (3) Regarding the alternate way of obtaining these routers’ WEP keys (sniffing their wireless traffic for MAC addresses). Unless I’m grossly misinterpreting it, the blog post at https://gigamike.wordpress.com/2008/07/09/verizons-false-sense-of-security-returns/ seems to be saying that these Actiontecs’ WEP keys originate from their wired LAN MAC addresses, *not* from their wireless MAC addresses. If that’s correct, then going further, it also appears to be saying that there are two places to find their wired LAN MACs when sniffing their wireless traffic: (a) in their frequently-occurring ‘IGMP Membership Report’ and ‘Spanning Tree Protocol’ update packets (sent every second), and (b) in the “source address” header fields of their encrypted_data packets. Well, I opened up CommView for Wi-Fi 6.0.581 and sniffed my nearest neighbor (“P75QA”). From him, I saw nothing from category (a). Just beacon packet after beacon packet (in which the “source address” MAC and “BSSID” MAC header fields were both 00:21:63:48:8D:A5). On the other hand, when it came to category (b), there were in fact differences between the encrypted data packets’ BSSID fields (always 00:21:63:48:8D:A5) and their “source address” fields (varied between 00:21:1E:73:73:4B, 00:21:1E:07:5D:63, and 00:1F:C4:94:4C:48). I wasn’t sure why the source MAC fields were varying between three different addresses, but since all of these encrypted_data packets *were* coming from his router (BSSID 00:21:63:48:8D:A5 + destination MAC FF:FF:FF:FF:FF:FF), I assumed that *one* of those three source MACs had to contain the WEP key. Alas, neither 211E73734B nor 211E075D63 nor 1FC4944C48 would authenticate as the WEP key for P75QA. I even tried replacing their first two chunks (211E) with the corresponding chunks from the BSSID MACs, but those (216373734B, 2163075D63, and 2163944C48) wouldn’t authenticate either.

    Any thoughts? I’m not much into raiding others’ wireless APs, but after encountering this report about Actiontec’s (and/or Verizon’s) carelessness, I simply couldn’t resist trying it out for myself.

    • gigamike says:

      A quick search on coffer shows that the MAC addresses you list belong to Motorola, not Actiontec. These fios installs must be using Motorola routers. So it looks like Motorola doesn’t put the combination to the lock right on the lock, but if they default with WEP they are still using a key that a 2-year-old can open.

      http://www.coffer.com/mac_find/?string=00%3A21%3A1E
