Hexing MAC address reveals Wifi passwords

The default WPA2-PSK passphrase used in some Belkin routers simply replaces a character of the device’s MAC address with another hexadecimal character, according to security blogger Jakob Lell. Lell describes the situation as follows: Each of the eight characters of the default passphrase are created by substituting a …

COMMENTS

This topic is closed for new posts.
  1. J. R. Hartley

    Excellent!!! Mwahahahaha!!

  2. M Gale

    Just wondering

    Isn't a MAC address usually notated in hex anyway? Why would you need to convert it into hex unless your software is retarded and gives you decimal notation, or 64 1s and 0s?

    1. frank ly

      Re: Just wondering

      Yes, every MAC address I've ever seen has been in hex. However, it may be that some manufacturers have started using decimal notation; but that would be weird because surely MAC address entry fields all use hex?

    2. Stutter

      Re: Just wondering

      @M Gale

      Yeah I agree, but I was also confused when it said it takes a _few minutes_ to convert it into hex. This can't just mean converting a decimal number into hex, surely.

  3. Tom 35

    Some models even advertise their MAC address on the case of the device!

    The horror!

    1. Old Handle

      Re: Some models even advertise their MAC address on the case of the device!

      Yeah... I thought that was a bit of a silly complaint. Some routers also allow you to attach a wired network device with no authentication! Protecting a system from someone with physical access is damn hard. I think they did the sensible thing by not trying.

      The part where the password can be derived from the MAC address on the other hand... not so smart.

    2. Annihilator
      Holmes

      Re: Some models even advertise their MAC address on the case of the device!

      And those models with a helpful label showing the MAC address usually print the default WPA keys, so to ignore that, read the MAC address on the label and hash it seems a bit of a strange task indeed...

      1. TeeCee Gold badge

        Re: Some models even advertise their MAC address on the case of the device!

        My thoughts entirely.

        Dunno why that was in the article as it's irrelevant. The important bit is that you can get the MAC from the device remotely so whether it's printed on the side or not makes no odds, you don't need physical access to get into it if the key can be deduced from the MAC.

    3. Anonymous Coward

      Re: Some models even advertise their MAC address on the case of the device!

      Every piece of equipment, with a network interface, I have ever seen has a label on it with the mac address.

      The reason for this is simple. It is so when you attach it to your network you can add the MAC address to any permission tables and/or DHCP servers needed to give the equipment access to your network.

      1. Anonymous Coward
        Linux

        Re: Some models even advertise their MAC address on the case of the device!

        Every piece of networking equipment has a MAC address, this is a public bit of info (meaning this is broadcasted if you are in range/plugged into that network)

        This is because network cards communicate to each other with their MAC addresses on a switched network. Not by their IP. OSI model..

        The Wireless MAC is broadcasted with the SSID, this is how your wireless device CAN (but usually doesn't) see the difference between two APs with the same SSID.

  4. zemerick
    FAIL

    Well, at least the source article doesn't try to say you have to convert a mac address into hex.

    On the down side, it also brings up the fact that these passwords are also ridiculously easy to crack since they too remain in HEX.

    I can think of dozens of simple methods using even just the mac address that could result in very complex passwords involving any key on the keyboard.

    Instead, they have a total of just over 4 billion possible passwords ( 8.5 billion on some models )...making a brute force easy. A standard PC is looking at less than a single day in the worst case.

    1. Anonymous Coward

      > I can think of dozens of simple methods using even just the mac address that could result in very complex passwords involving any key on the keyboard.

      Any method you came up with that was based upon the MAC address would be susceptible. Once the algorithm was known it would expose all passwords created with that method. For example, if your method involved an md5 hash of the MAC address with a key on the keyboard (although Belkins don't have keyboards) this would only result in 102 possibilities.

      > Instead, they have a total of just over 4 billion possible passwords ( 8.5 billion on some models ).

      Where do you get the 4 billion from? 4 billion is 32 bits but a MAC address is 48 bits so it can't be the MAC address space. The first 24 bits of a MAC address are used to identify the manufacturer which means the search space would be 16.7 million for each address block assigned to Belkin.

  5. tony trolle
    FAIL

    Verizon routers same

    The Westell DSL router 704wgb was the same: just change the last char for password.

    15 tries max. lol.

    And why not change the password?

    Verizon loved to reset the box so you gave up changing it and the SSID

    Twice in one day was the worst.

    Twice in one week normal.

    I have two in the junk box

    1. Anonymous Coward

      Re: Verizon routers same

      Which MAC?

      Wireless or Fixed? If it is wireless then this is a serious security flaw. If it is the fixed Ethernet MAC on the home side its impact is nearly zero.

      1. This post has been deleted by its author

      2. ElReg!comments!Pierre
        Paris Hilton

        Re: Verizon routers same

        "Which MAC? Wireless or Fixed? If it is wireless then this is a serious security flaw. If it is the fixed Ethernet MAC on the home side its impact is nearly zero."

        That can't be faulted. We usually call this kind of user/machine systems the "gorm-free zone" ("the zone" for short), for obvious reasons. IT professionals of that grade are in constant demand. I wish I could make it to "the zone". I would get a higher salary, to start with.

      3. tony trolle

        Re: Verizon routers same

        Just looked in junk box. These are Actiontecs with the default WEP key made from the last 10 characters from the WAN MAC and seem to remember WEP sends the WAN MAC in the packet headers. Must be another Verizon router that changes the last character.......

        BTW a lot of RoadRunner modems (that's Time Warner) are open as default.

      4. pixl97

        Re: Verizon routers same

        >Wireless or Fixed? If it is wireless then this is a serious security flaw. If it is the fixed Ethernet MAC on the home side its impact is nearly zero.

        A significant number of devices have only a single digit difference between wireless and ethernet interface. The AP I use (not a belkin), uses the same MAC for the wireless and ethernet interfaces. Only secondary (VLAN) wireless IDs have a totally different MAC assigned.

  6. colinm

    Simple fix, but...

    > The good news is that users need only change the password to make the poorly-coded default codes irrelevant.

    Well, yes, but it doesn't inspire confidence that they've not made other similar blunders that affect users' security.

  7. This post has been deleted by its author

  8. This post has been deleted by its author

  9. This post has been deleted by its author

  10. ElReg!comments!Pierre

    I put a HEX on you

    Behcohohohoz you're... MIIIIINE!

    Huhaha huhaha huaha

    (Apologies to "Screamin'" Jay Hawkins)

  11. Scarborough Dave
    Pint

    Security, what's that.

    Was at a mates house last week and he challenged me to get into his Wi-Fi network, had a domestic D-link router.

    No problem says I picking up the router and holding in the reset button....

    The simplest solutions are often the best....

    1. Anonymous Coward

      Re: Security, what's that.

      Any device an attacker has physical access to is already compromised.

  12. Anonymous Coward

    Belkin, people still use their crap?

    1. Anonymous Coward

      I suppose you would rather use NetGear

      or D-Link?

      1. pixl97

        Re: I suppose you would rather use NetGear

        I would rather use D-Link or NetGear than the total POS Belkin is. They are professionals at making gear that sucks. I have a DWL3200 AP that's served me well for years. Only real issue I've had with them is if they get too hot they lose their NVRAM settings.

  13. Anonymous Coward

    Uh, what default password?

    Admittedly, I've never worked with a Belkin router, but with every kind of WiFi device I've worked with, you have to specify the WPA2-PSK password when you tell the device to, well, use WPA2-PSK encryption. And, of course, it has to be the same both for the router and for the device you attach to it. So, it doesn't make sense to have some kind of default password that is a weird string of characters on the router - you have to know what the password is, in order to specify it for the device you're going to connect to it, so why not just specify it for the router, too?

    A much bigger problem is that many routers default to the insecure WEP encryption, or that they have a default password (specific for the model; I mean, it is the same for all devices of that model) for their settings - which most people never bother changing.

    1. Annihilator
      WTF?

      Re: Uh, what default password?

      Have you worked with *any* domestic router???

  14. mccp
    Holmes

    Eh?

    The _default_ password on a domestic router is easy to guess.

    Please could somebody let me know why this is news?

    1. Anonymous Coward

      Re: Eh?

      Encryption key, yeh they're not usually overly strong when shipped out but the fact you can mathematically calculate the key from information being broadcasted to you means that this is broken.

    2. Gav
      Holmes

      oxymoron

      The phrase "default password" is an oxymoron. If it is default it is totally insecure. If it is totally insecure it is not performing the function of a password.

      1. Ben Tasker
        Headmaster

        Re: oxymoron

        I don't disagree with what you're saying, but it definitely isn't an oxymoron.

        To be an oxymoron the two words must have opposite meanings. The definition of password is a secret string for auth, the definition of default is not the opposite of that.

        </pedant>

  15. Anonymous Coward

    Your password is probably already in google's "cloud" in any case...

    ...if you use a google Nexus tablet and perhaps other Android devices, your (cleartext) WiFi password is uploaded and stored on google's servers - for your convenience, naturally - along with (presumably) other information such as the manufacturer (from MAC address), geographic location (from GPS) and so on. Quite a handy database, especially for hackers...

    1. Ben Tasker

      Re: Your password is probably already in google's "cloud" in any case...

      Link? Had a quick search but can't seem to find reference to that anywhere.

      Sure, the connection password is stored in plaintext on the phone/tablet (how do you plan to authenticate with a hash?) but I can't find any reference to it being sent to Google.

      Would make interesting reading if true, but I get the sense it's hyperbole

      1. Anonymous Coward

        Re: Your password is probably already in google's "cloud" in any case...

        This happens if you link your google account to the device. They are not hiding anything - it's mentioned somewhere in the small print of the options you are asked to approve during setup.

        There are many links online - search for "google account wifi password" or similar, for example:

        http://androidforums.com/android-applications/382763-wow-google-stores-your-saved-wi-fi-passwords-cloud.html

      2. Anonymous Coward

        Re: Your password is probably already in google's "cloud" in any case...

        If you choose to back up your Android device to Google it will store it, if you choose not to it won't. It asks you first. However whether it is stored in plaintext or not, I don't know.

  16. PeterM42
    Facepalm

    Ah - But.....

    ...Will the Belkin router stay working long enough for the hacker to work out the key?

    My last one (a free replacement for the first faulty one) only lasted about an hour. I did not bother installing the 2nd free replacement. Used a Netgear instead.

  17. Anonymous Coward

    Pwning someone else's network would be handy. My home broadband is shite.

    1. jon 72
      Pirate

      Your home broadband is probably shite because somebody has pwnd it.

      As far as domestic routers go only the newer Sky boxes and third generation BT hubs are putting up any resistance in the UK.

      1. Anonymous Coward

        ISP-provided, but WPA2 with non-default SSID and key.

  18. Anonymous Coward
    Facepalm

    Who's complaining?

    Basing a password on anything obvious-when-you-know-about-it is silly, but at least this is several obscurity steps beyond using the manufacturer's name. And how about "admin .. password" for the admin web login?

    The real security scandal is not changing default passwords, whatever they are. There is no-one to blame but ourselves.

  19. Ben Naylor
    Coffee/keyboard

    ROFLCOPTER

    What a joke of an article, I suggest the author "Simon Sharwood, APAC Editor" find a hole and jump into it, sharpish.
