Verizon's False Sense of Security (returns)

As I wrote previously, someone (“J”) emailed me about my original post. He said it wasn't a good idea to put things on the internet like this and if I took it down he would take care of it, as in get the vulnerability resolved. I complied and “J” has been giving me updates on his so-called progress. He said that when his company contacted Verizon they pretty much said “ya, so” or something to that effect. It's been quite a while since I heard anything from him so I wonder if there ever was a plan to get it fixed. Some of my friends and colleagues think the guy was trying to steal my article for his own personal gain. I am not that paranoid but I guess it could be possible. Especially since he wrote an article on writing articles that pay. (I had to use Google cache because his article mysteriously disappeared shortly after I posted this.) I shouldn't be so naive.

Anyway, I decided to put the article back online so here it is:

(originally posted on 5/6/2008)

I got a Verizon Fios internet connection a little over a year ago. When the installer came he brought with him an Actiontec MI424-WR wireless router. The router is pretty decent but Verizon’s opinion of wireless security scares me.

After the tech installed the unit he proceeded to set up my PCs. He showed me a sticker on the bottom of the Actiontec router that had the “wireless security key” along with the ESSID and MAC address of the router. The key is a 10-character 64-bit WEP key and I noticed it looked very similar to the router MAC address.

In fact the WEP key just happens to be the last 10 characters of the MAC address. This just seems lazy in my opinion. A couple of my neighbors also have Fios internet and I wanted to see if this WEP key = last 10 of MAC address principle was true on all of these Verizon/Actiontec routers. They didn’t change their ESSID so I figured I'd give it a try. In only a few seconds I was able to sniff the air and find a packet containing their access point’s MAC address. I sniffed for a few more seconds to grab some encrypted packets and was able to test decryption of these packets using the last 10 characters of the source MAC that I found in one of the packets.

One of my Fios neighbors doesn’t even use the wireless part of the router but I was still able to grab his AP’s MAC (and WEP key) without any associated wireless clients because the Actiontec sends out an ‘IGMP Membership Report’ and ‘Spanning Tree Protocol’ update about once every second. These packets are sent over the air with the wireless access-point as a source MAC Address.

Sure, WEP has already been proven to be insecure and cracked in minutes using some free wireless cracking tools but thanks to Verizon/Actiontec you don’t need to go through all of that when the router is handing you the WEP key over the air.

What is even more disturbing is that Verizon is deploying this same setup to businesses. Doctors' offices, lawyers, etc.

For anyone using the Actiontec with the default settings all of this can be fixed by switching to WPA. Here is a link to the PDF manual for the Actiontec MI424WR. Go to page 32.

Make sure you use a strong Pre-shared key of several alpha-numeric characters.
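For anyone responsible for more than one of these routers, here is an added example (not part of the original post): a small audit that flags entries still on WEP, or whose key is just the last 10 hex characters of one of the router's own MAC addresses. The inventory layout, device names, MACs and keys are all constructed for illustration.

```python
import re

# Constructed sample inventory: values an admin would copy from each
# router's sticker and wireless settings page. None are real devices.
SAMPLE_INVENTORY = [
    {"name": "front-office", "macs": ["00:1F:90:AA:BB:CC"],
     "mode": "WEP", "key": "1F90AABBCC"},
    {"name": "lab", "macs": ["00-1f-90-11-22-33", "00-1f-90-11-22-34"],
     "mode": "WEP", "key": "1f90112234"},
    {"name": "reception", "macs": ["00:1F:90:44:55:66"],
     "mode": "WEP", "key": "A3F09C7712"},
    {"name": "server-room", "macs": ["00:1F:90:77:88:99"],
     "mode": "WPA2", "key": "correct-horse-battery-staple-42"},
]

SEPARATORS = re.compile(r"[\s:.\-]")


def normalize_mac(mac):
    """Strip separators and return the MAC as 12 upper-case hex digits."""
    digits = SEPARATORS.sub("", mac).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return digits


def key_matches_mac(key, mac):
    """True if the key is the last 10 hex digits of the given MAC."""
    return SEPARATORS.sub("", key).upper() == normalize_mac(mac)[-10:]


def audit(inventory):
    """Return {device name: [issues]}; an empty list means nothing flagged."""
    findings = {}
    for dev in inventory:
        issues = []
        if dev["mode"].upper() == "WEP":
            issues.append("uses WEP")
        # Check every MAC recorded for the device (wireless and LAN side).
        if any(key_matches_mac(dev["key"], m) for m in dev["macs"]):
            issues.append("key is last 10 hex digits of a device MAC")
        findings[dev["name"]] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit(SAMPLE_INVENTORY).items():
        print(f"{name}: {', '.join(issues) if issues else 'ok'}")
```
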


6 Responses to Verizon's False Sense of Security (returns)

  1. Troy says:

    Either Verizon has started fixing this problem, or I’m misunderstanding the issue. My router came with WEP enabled and the WEP key was based off the router’s MAC address. However, it was using the LAN MAC address, not the wireless MAC address. It looks like the five internal MAC addresses are all sequential, but the wireless is different. It still is only WEP, but it’s better than broadcasting the key in plain text.

    Then again, it looks like the ESSID still gives the key away. At least it’s a step in the right direction, and even unsecure WEP is better than an open network.

  2. gigamike says:

    Actually the WEP key had been the LAN MAC this whole time. All you have to do is use a sniffer to discover the MAC address.

    You said that WEP is better than an open network. I tend to disagree. While WEP might be harder for the average neighbor to break into, it gives you a FALSE sense of security that may cause you to do something stupid like open a file share or something.

  3. Troy says:

    I see. I misunderstood the original article. In any case, if somebody is able to use a sniffer to get the LAN MAC address, they’d also be able (and willing) to crack WEP, regardless of the key, so it’s not really much less secure than WEP with a random key. I think the bigger problem is the fact that the ESSID gives away the key, so even people running Windows with a standard wifi device can get the key very easily. Well, that and the fact that it’s WEP.

  4. solark says:

    I wrote a JavaScript calculator to ease the calculation of the key. Just stick in the SSID:

  5. Don Jon says:

    Anyone interested in this issue might want to see my comment made at this blog post’s companion “thread”:

    It appears I’m living in a Verizon FIOS area where absolutely none of the above methodology works (wired MAC address != WEP key, ESSID != base36 of WEP key).
