SMC screws up again - RoadRunner customers vulnerable

First, for regular readers of Natália's blog, this is a guest post from Jon. I don't have a blog of my own, and this info needs to get out there, so I'm borrowing Natália's.

I'm in New York City right now, and I needed some internet access without having to pay the exorbitant international roaming charges on my iPhone, so I did what any good geek would do: whip out the ol' aircrack-ng suite and crack some poor unsuspecting soul's wifi. There were (of course) numerous networks within range that only had WEP encryption, and I got down to business cracking the nearest one. It had a name that looked like it was randomly generated, so I figured it was some ISP's default configuration and would be nice and easy to crack.

(Let me stop here for a second and remind everyone that you should never, ever, ever use WEP encryption. It can be cracked in less than 5 minutes. WPA or WPA2 with a strong password is the way to go.)

Sure enough, the cracking went very smoothly, and I was online within minutes. But that's when I noticed something was terribly wrong.

I'm going to break off for a second here to explain a thing or two to any non-geeks reading this. Wifi networks broadcast their names over the air at regular intervals (several times a second). The name actually has two parts. The first is the ESSID, which is what you normally see when you connect to a network--it might be linksys, or Nick's Network, or anything else. It's meant to be something easy to remember/identify, so you know which network is which. The second is the BSSID, the network's actual unique identifier, which looks something like this: 00:22:2D:38:B2:EE.

So why am I telling you this? The encryption key (password) for the network I cracked, unbelievably, turned out to be the same as the network's BSSID, with some zeros added to the end. I checked another one with a similar name, and it had the same problem. I can't possibly overstate how ridiculous this is: it's like if a home security company sold alarm systems to millions of homes across the country, then instead of asking their customers what they wanted to use as a PIN, they just used the house number. Except this is even worse, because most folks would notice if their PIN was the same as their house number and change it, whereas most folks have absolutely no clue what their BSSID is, or even what a BSSID is.
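As an added example (this is not the author's code, nor anything from SMC or RoadRunner), here is a small audit check for exactly the weak pattern described above, the kind of thing a network owner can run against their own router's settings to see whether the configured key is just the BSSID with zero padding. It assumes the key is configured as a hex WEP key (40-bit keys are 10 hex digits, 104-bit keys are 26) and that the padding is zeros, as the post reports; the access-point inventory at the bottom is constructed sample data, not real networks.

```python
import re

# Valid WEP key lengths in hex digits: 40-bit (10) and 104-bit (26).
WEP_HEX_LENGTHS = (10, 26)


def normalize_hex(value: str) -> str:
    """Drop common separators (colon, dash, dot, spaces) and lowercase.
    Raises ValueError if what remains is not hexadecimal."""
    cleaned = re.sub(r"[:\-.\s]", "", value).lower()
    if not re.fullmatch(r"[0-9a-f]+", cleaned):
        raise ValueError(f"not a hex string: {value!r}")
    return cleaned


def is_bssid_derived_key(bssid: str, wep_key_hex: str) -> bool:
    """True if the hex WEP key is the BSSID followed only by zero padding,
    i.e. the weak default pattern described in the post (assumption: padding
    is all zeros and the key is given in hex)."""
    mac = normalize_hex(bssid)
    key = normalize_hex(wep_key_hex)
    if len(mac) != 12:
        raise ValueError(f"BSSID must be 6 bytes (12 hex digits): {bssid!r}")
    if len(key) not in WEP_HEX_LENGTHS:
        raise ValueError(f"WEP key must be 10 or 26 hex digits, got {len(key)}")
    # A 12-digit BSSID cannot fit in a 10-digit (40-bit) key, so only the
    # 104-bit form can carry it; the prefix test handles both lengths anyway.
    return key.startswith(mac) and set(key[len(mac):]) <= {"0"}


def audit_access_points(entries):
    """Return the SSIDs whose configured WEP key is BSSID-derived.
    `entries` is an iterable of (ssid, bssid, wep_key_hex) tuples."""
    return [ssid for ssid, bssid, key in entries if is_bssid_derived_key(bssid, key)]


# Constructed sample inventory (not real networks): one AP with the weak
# default pattern, one with a randomly chosen 104-bit key.
SAMPLE_APS = [
    ("default-looking-name", "00:22:2D:38:B2:EE", "00222D38B2EE" + "0" * 14),
    ("home-net", "00:1A:2B:3C:4D:5E", "5f3a9c0d8e7b6a5948372615f0"),
]

if __name__ == "__main__":
    for ssid in audit_access_points(SAMPLE_APS):
        print(f"WEAK: {ssid} uses a BSSID-derived WEP key; switch to WPA2 with a strong passphrase")
```

A hit from this check means the key was never a secret to begin with, and the remedy is the one already given above: drop WEP entirely and move to WPA or WPA2 with a strong passphrase, rather than just picking a different WEP key.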

So why does the title of the post talk about SMC and RoadRunner? Well, you might remember the massive security flaw in certain SMC modem/routers from a few weeks ago. Both of the routers I found with this problem were SMC, though I couldn't tell precisely which model of SMC device is doing this, and both of the internet connections turned out to be RoadRunner DSL.

So I'm putting this out there right now, in the hopes that someone will read this and fix the problem: if you want to get free wifi and there aren't any open networks, just find an SMC router (both of the ones I found were RoadRunner DSL customers) and plug in the BSSID as the encryption key. Betcha it'll work.

p.s. There's a chance this is a coincidence, or that the people actually chose to use their BSSID as their encryption key for some reason, but I doubt it. We'd need some more data to know for sure, though.
