In the case of the BT Home Hub in the UK (which only comes with 40 bits WEP encryption by default by the way), we can narrow down the number of possible keys to about 80. In order to avoid the brute-forcing computation time required by the “stkeys” tool, I created “BTHHkeygen” which looks up the possible keys for a given SSID from a pre-generated “SSID->keys” table. Think of it as a rainbow table for cracking the BT Home Hub’s default WEP encryption key. Once the list of around 80 keys is obtained, the second step in the attack is to try each of them automatically, until the valid key is identified. For this purpose I created “BTHHkeybf” which is a fancy wrapper around the “iwconfig” Linux tool. Unfortunately, in order to prevent abuse, we’re not publishing such tools. We tested three different BT Home Hubs, and the the attack seems to work fine.