Posted: 15th Apr, 2008 By: MarkJ
The "ethical" hacking website GNUCitizen reports it has developed a new program that's capable of guessing a BT Home Hub's (Thomson) default Wired Equivalent Privacy (WEP) key:
In the case of the BT Home Hub in the UK (which only comes with 40-bit WEP encryption by default, by the way), we can narrow down the number of possible keys to about 80. In order to avoid the brute-forcing computation time required by the stkeys tool, I created BTHHkeygen, which looks up the possible keys for a given SSID from a pre-generated SSID->keys table. Think of it as a rainbow table for cracking the BT Home Hub's default WEP encryption key. Once the list of around 80 keys is obtained, the second step in the attack is to try each of them automatically until the valid key is identified. For this purpose I created BTHHkeybf, which is a fancy wrapper around the iwconfig Linux tool. Unfortunately, in order to prevent abuse, we're not publishing such tools. We tested three different BT Home Hubs, and the attack seems to work fine.
It's worth pointing out that the hack doesn't just affect BT's Home Hub routers: some of Thomson's SpeedTouch routers (the basis for many Home Hubs) are also known to be vulnerable. Customers can secure their routers simply by changing the default WEP key to a random WPA one here.
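As an added illustration of the defensive advice above (this is example code written for this page, not GNUCitizen's tool or anything BT or Thomson ship), the script below audits a wireless profile for the weaknesses the article describes and generates a random WPA passphrase to replace a default key. The default-SSID pattern it checks for is an assumption and should be adjusted for your own device; the sample profiles are constructed.

```python
import math
import re
import secrets
import string
from typing import Optional

# Assumed factory SSID pattern for a router still carrying its default name.
# The article does not state the exact format; adjust for your own device.
DEFAULT_SSID_PATTERN = re.compile(r"^BTHomeHub-[0-9A-Fa-f]{4}$")

ALPHABET = string.ascii_letters + string.digits  # 62 symbols
PASSPHRASE_LEN = 20


def wep_key_bits(key: str) -> Optional[int]:
    """Nominal WEP key size from a hex key: 10 hex digits = 40-bit, 26 = 104-bit."""
    hexkey = key.strip().replace(":", "")
    if re.fullmatch(r"[0-9A-Fa-f]+", hexkey) and len(hexkey) in (10, 26):
        return len(hexkey) * 4
    return None


def audit_network(ssid: str, encryption: str, key: str = "") -> list:
    """Return defender-facing findings for one wireless profile.

    The findings mirror the article: WEP is weak, 40-bit WEP has a tiny key
    space, and a factory SSID suggests the factory key is still in use.
    """
    findings = []
    enc = encryption.upper()
    if enc == "OPEN":
        findings.append("no encryption at all; enable WPA")
    elif enc == "WEP":
        findings.append("WEP in use; replace with WPA")
        if wep_key_bits(key) == 40:
            findings.append("40-bit WEP key (10 hex digits): trivially small key space")
    if DEFAULT_SSID_PATTERN.match(ssid):
        findings.append("factory SSID still in use; default key may be derivable from it")
    return findings


def generate_wpa_passphrase(length: int = PASSPHRASE_LEN) -> str:
    """Random WPA passphrase from the OS CSPRNG; WPA-PSK accepts 8-63 printable characters."""
    if not 8 <= length <= 63:
        raise ValueError("WPA passphrase must be 8-63 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def keyspace_bits(candidates: int) -> float:
    """log2 of a candidate count: the guessing work left to an attacker."""
    return math.log2(candidates)


if __name__ == "__main__":
    # Constructed sample profiles, not data from the article.
    samples = [
        ("BTHomeHub-1A2B", "WEP", "0123456789"),
        ("MyHomeNet", "WPA2", "correct horse battery staple"),
    ]
    for ssid, enc, key in samples:
        print(ssid, audit_network(ssid, enc, key))
    print("full 40-bit WEP key space:", keyspace_bits(2 ** 40), "bits")
    print("narrowed to ~80 candidates:", round(keyspace_bits(80), 1), "bits")
    print("random %d-char WPA passphrase: %.0f bits"
          % (PASSPHRASE_LEN, keyspace_bits(len(ALPHABET) ** PASSPHRASE_LEN)))
    print("example passphrase:", generate_wpa_passphrase())
```

The key-space comparison is the point of the exercise: a full 40-bit WEP key is already small, the SSID-derived shortlist the article mentions cuts it to roughly 6 bits of guessing, and a 20-character random WPA passphrase from a 62-symbol alphabet is around 119 bits with no relationship to the SSID at all.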