1. 29

    1. 6

      In Canada most home routers (well, from Bell at least, which is one of two dominant ISPs) come with a long randomly generated wifi password stamped on them.

      Specifically 8 characters long. And for no apparent reason it is limited to hex ([0-9A-F]{8}), creating about 4 billion passwords. It takes about a day on my GTX 970M to try every single one against a captured handshake.

      The default ESSIDs (wifi network names) are of the form BELL###. So there are a thousand extremely common ESSIDs. Apparently WPA only salts the password with the ESSID before hashing it and publicly broadcasting it as part of the handshake. In a few years of computation time on a decent laptop (so far less if I rented some modern GPUs from Google…) I could make rainbow tables for every one of those IDs that included every possible default password.

      On the bright side it looks like this new method extracts a hash that includes the MAC addresses acting as a unique salt, so at least the rainbow table method will still require capturing a handshake.
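      As an added example (not code from anyone in this thread), a short Python script that makes the two things this post reasons about concrete: the size of the default-password keyspaces mentioned in the thread (the 8-hex Bell format, plus the 16-alphanumeric and 20-hex formats other commenters describe) and the fact that the WPA/WPA2 pairwise master key is PBKDF2-HMAC-SHA1(passphrase, ESSID) with no per-device input, which is exactly why a table can be precomputed per ESSID. The derivation is checked against the published IEEE 802.11 test vector ("password" / "IEEE"). The 50,000 guesses-per-second rate is an assumption picked to line up with the "about a day" figure above, not a measurement.

```python
import hashlib
import math
import string

# WPA/WPA2 PMK derivation as every client performs it (IEEE 802.11i):
# PBKDF2-HMAC-SHA1, salt = ESSID only, 4096 iterations, 32-byte output.
# Note the inputs: passphrase and ESSID, nothing about the AP or client MAC.
def wpa_pmk(passphrase: str, essid: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), essid.encode(), 4096, 32)


def keyspace_bits(alphabet: str, length: int) -> float:
    """Entropy in bits of a uniformly random password over `alphabet`."""
    return length * math.log2(len(alphabet))


def exhaust_seconds(alphabet: str, length: int, rate_per_second: float) -> float:
    """Seconds to try every password of this policy at a given guess rate."""
    return len(alphabet) ** length / rate_per_second


# Default-password policies described in the thread (constructed from the posts).
HEX = "0123456789ABCDEF"
ALNUM = string.digits + string.ascii_letters
POLICIES = {
    "bell_8_hex": (HEX, 8),
    "vodafone_nz_16_alnum": (ALNUM, 16),
    "fritzbox_20_hex": (HEX, 20),
}

# Assumed guess rate: roughly what "4 billion in about a day" on a laptop GPU implies.
ASSUMED_RATE = 50_000


def policy_report(rate_per_second: float = ASSUMED_RATE) -> dict:
    """Map policy name -> (entropy bits, seconds to exhaust at the given rate)."""
    return {
        name: (keyspace_bits(alpha, n), exhaust_seconds(alpha, n, rate_per_second))
        for name, (alpha, n) in POLICIES.items()
    }


def distinct_pmks(passphrase: str, essids: list) -> int:
    """How many different PMKs one passphrase yields across several ESSIDs.
    Because the ESSID is the only salt, each network name needs its own table,
    but within one ESSID the PMK is fixed regardless of which router or client
    is involved."""
    return len({wpa_pmk(passphrase, e) for e in essids})


if __name__ == "__main__":
    for name, (bits, secs) in policy_report().items():
        print(f"{name:22s} {bits:6.1f} bits  {secs / 86400:.3g} days at {ASSUMED_RATE}/s")
    # Same constructed default-style passphrase under three default-style ESSIDs
    # (constructed sample values, not real networks).
    print("distinct PMKs:", distinct_pmks("DEADBEEF", ["BELL001", "BELL002", "BELL003"]))
```

      The report shows the 8-hex policy at 32 bits (exhausted in roughly a day at the assumed rate) against 80 bits for 20 hex and about 95 bits for 16 alphanumerics, where the same exhaustive search is far beyond reach; and `distinct_pmks` makes the salting point visible: one passphrase gives one PMK per ESSID and the MAC addresses never enter the computation.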

      1. 2

        Oh, ours from Vodafone NZ are 16 chars 0-9a-zA-Z.

        1. 1

          I never had this realization. Now my head has exploded.

          What tool do you use to try these combinations? And is it heavily parallelized? To me 4 billion should not take a whole day…

          1. 1

            I experimented with pyrit (24h runtime, builds some form of rainbow table, wrote a short program to pipe it all the passwords) and hashcat (20h runtime, no support for rainbow tables, supports generating the password combinations by itself via command line flags). They are both heavily parallelized, 100% utilization of my GPU.

            My GPU is a relatively old GPU in a laptop with shitty cooling, which may contribute to the runtime.

            Running on a CPU it said it would take the better part of a month.

            1. 1

              Interesting. While waiting for a reply, I thought to myself: I wonder how much it would cost to run it on Google Compute with the best hardware. Could be worth it to those who want wifi for a week or longer without paying anything. Spooky.

          2. 1

            In Luxembourg every (Fritz)box comes with a password written only on the notice (not on the box itself) that is 20 characters (5*4 chars) in hex. It’s a pain to type at first, but well, it seems like a good one.

          3. 4

            In New Zealand most home routers I have seen recently come with a long randomly generated (I hope) wifi password stamped on the bottom. It may have other problems, but blind dictionary-based cracking is not going to work.