Verizon MiFi Owned By Simple Attack

Trailrunner7 writes "Security researcher Joshua Wright has developed a simple attack that allows him to recover the passwords for any Verizon MiFi device. The MiFi is essentially a tiny, portable wireless AP, and Wright's attack uses a simple and effective technique to get default passwords by using the device's SSID and some existing password attacks on the encryption protocols the MiFi employs. Result: complete 0wnage of any MiFi."

Important Question

[wolrahnaes]

Is the choice of a predictable default password and a vulnerable encryption protocol specific to Verizon's branded version of this device or does it also affect the identical Sprint version and/or any GSM variants that may exist? As much as I dislike Verizon, I don't want to see the wrong name stuck on this if the problem is Novatel's, not Verizon's.

Re:Important Question

[querist]

This does NOT work on Sprint devices. I own one, and it came without any password by default, but with very clear instructions urging the user to set one and showing the user how to set one. (The MiFi device itself is great, by the way - please don't let Verizon's poor handling of the initial configuration turn you away from a wonderfully useful device.)

Dupe?

[sconeu]

http://mobile.slashdot.org/article.pl?sid=10/02/02/1632203

Re:Dupe?

[rhsanborn]

Not a dupe, just double embarrassment for Verizon. Femtocells are devices used to extend cellular coverage, usually in your home or office, generally via your own internet connection with a box you generally have to pay extra for. The MiFi device is a mini wireless access point that has a built in cellular access. It allows you to share your Verizon cellular internet service with friends or coworkers.

Re:Dupe?

[fibrewire]

No doubt that when the femtocell article was posted, someone was like "Hey, i can do that on a Verizon MiFI because it not only does it use the same technology, but allows me to get far more useful data than anyone would be doing over a phone"

Does this mean that Verizon should stop promoting the MiFi as a small business tool? Aren't small businesses without a clue the only ones purchasing the MiFi anyway? No clue = not security conscious

Slightly misleading title

[Scorpion_1169]

To clarify, this exploit is only for the configuration as shipped from the factory. Just like most consumer routers, you can reconfigure the SSID and WPA-PSK values via a web interface.

Re:Slightly misleading title

[Overzeetop]

To clarify, this exploit is only for the configuration as shipped from the factory. Just like most consumer routers, you can reconfigure the SSID and WPA-PSK values via a web interface, but almost nobody does.

Fixed that for you. Yes, yes, people are getting better with their home routers. For most people, if you mention SSID and WPA-PSK, it will probably be countered with a WTF?

Re:Slightly misleading title

[stoolpigeon]

They wont know what it's called but they have a good chance of knowing that they need to "give their wireless a name and password". I can see anywhere from 5 to 8 wireless networks from my home on any given day. All have non default ssids and passwords. I doubt they were all set up by IT professionals. My guess is a lot of 'regular' folks have clued in.

Re:Slightly misleading title

[darkmeridian]

New routers come with software that change the SSID and sets up encryption. Also, people are used to stealing wifi from others, when they get their own wifi, know to encrypt it.

Re:Slightly misleading title

[interkin3tic]

All have non default ssids and passwords.

Yes, for example in my neighborhood there is a "dontstealmyinternet," which doesn't require a password, and a "freewifi" which does. I find that odd.

Re:Slightly misleading title

[jandrese]

That freewifi one might be a guy who isn't even using wifi. If you've ever hung around airports looking for a wireless signal, there is always somebody broadcasting "Free Wireless Internet" or similar SSIDs in ad-hoc mode. Apparently this is a side effect of how some drivers deal with the situation where they can't find a usable access point. If they see an ad-hoc network, they'll "join" it as well, and then start broadcasting the ad-hoc ssid as their own. Thus, in crowded places where people are using Windows (like airport waiting areas), the Free Wifi bug will spread like a disease. It has been like this for years too.

Re:Slightly misleading title

[Coren22]

My wifis show up as "GetCurtainsISeeYou" and "ImDatingYourDaughter" Figured I would screw with the neighbors.

Re:Slightly misleading title

[tlhIngan]

That freewifi one might be a guy who isn't even using wifi. If you've ever hung around airports looking for a wireless signal, there is always somebody broadcasting "Free Wireless Internet" or similar SSIDs in ad-hoc mode. Apparently this is a side effect of how some drivers deal with the situation where they can't find a usable access point. If they see an ad-hoc network, they'll "join" it as well, and then start broadcasting the ad-hoc ssid as their own. Thus, in crowded places where people are using Windows (like airport waiting areas), the Free Wifi bug will spread like a disease. It has been like this for years too.

Actually, it's more of a Windows side effect.

User connects their laptop to "Free Wireless Internet" AP (a real, live accesspoint). User then leaves, and parks butt in another location. Windows again looks for a network with SSID "Free Wireless Internet" as well as doing scans for other networks (ad-hoc or otherwise). Inadvertently, it also broadcasts this as an ad-hoc SSID, so a second user doing a scan sees it and tries to connect. They fail (obviously), but now their laptop will look for an ad-hoc network called "Free Wireless Internet", to which others will try to connect, fail, and broadcast anew ad-hoc network.

It's spread to the point where you can see that SSID everywhere. A viral SSID, effectively.

http://www.wlanbook.com/free-public-wifi-ssid/
http://blogs.chron.com/techblog/archives/2006/09/free_public_wif.html

A bit more Googling will reveal a ton more of same. Of course, it's trivially simple for someone to really do set up a real MITM using tihs viral SSID, so beware.

Default settings

[Nickodeemus]

This article is pointless - it points out how to overcome the encryption on a MIFI that has the default settings in place.

If you deploy any networking device with default settings in place, you deserve to be compromised.

Take 30 minutes to reconfigure the device using default settings and this is a non-issue.

Re:Default settings

[querist]

This article is NOT pointless, especially when you consider that the password is the ESN. That greatly narrows down the possible values because the first part of the ESN is assigned by manufacturer. Also, it is NOT pointless because the average person will look at that long string of seemingly random numbers, and the strings are different for each unit because the string is the ESN of the chip, and will think that it is a secure, randomly generated number. The length of the password itself is good. It is the fact that several of the digits are predictable, thus significantly reducing the number of values you need to try, that makes this significant. The average person will not know this and will THINK that it is secure. My own testing: average time to break (on units that I had legal permission to scan, of course) was just over four minutes after forcing a reset. This article is a wake-up call to companies that are issuing these things that they need to fix those passwords.

Gotta love the article

[powerlord]

From The Fine Article:

Change the Default SSID: Change the default SSID from "Verizon MiFi2200 XXXX Secure" to another value that is not common, but not unique either (somewhere in the middle) to mitigate precomputed PSK attacks, as well as general wireless anonymity attacks.

I suggest using linksys or netgear. :D

Nothing like watching script kiddies THINK they know what the router is, and bashing their heads trying to figure out why they can't get into what MUST be an unconfigured network.

Only catch is if you're in an environment with lots of them pre-configured in which case 'FreeWiFi' is also good (with a nice strong random password of course :P ).

Re:Gotta love the article

Nothing like watching script kiddies THINK they know what the router is, and bashing their heads trying to figure out why they can't get into what MUST be an unconfigured network.

Even better - get a plain linksys router, set it to factory default settings, but don't connect it to internet.

Script kiddies keep trying to figure out why they can't connect to the internet...

The "Password" is the ESN

[querist]

The Password is the ESN of the CDMA chip.

Re:The "Password" is the ESN

[Chris+Pimlott]

Worse yet, it appears that 14 of the 32 bits of the ESN are fixed for a given product (emphasis mine):

The Electronic Serial Number (ESN) is a 32-bit number assigned by the mobile station manufacturer which uniquely identifies the mobile station equipment. The rules to be followed by manufacturers for assigning the ESN are given in the IS-95 standard. Binary digits are allocated for a manufacturer's identity code (8 bits), the equipment serial number (18 bits), and 6 bits are reserved. ESN, and MIN1, along with other digital input, are used during the authentication process.

Source

Verizon FiOS routers allow login from WAN

[140Mandak262Jamuna]

I got a verizon FiOS service. The router they gave me runs a web server and throws a username/password dialog to the WAN side. That part can not be disabled by the user. They claim it is used to push firmware upgrades and other service settings changes. But instead of making the device make outbound calls to specific servers, they are relying on a simple username/password dialog. Hope they are using some randomly generated password stored in tables in a secure location. Thus even if a password is compromised, the damage is limited to that router. If it is a formula based password generator, there is potential for widespread pwning of verizon routers.

Re:Verizon FiOS routers allow login from WAN

[jandrese]

It's the same password on every device. No tech wants to go around looking up passwords for everything he connects to.

"Owned"

[N0Man74]

Really? Headlines with "owned" and summaries with "ownage"?

Did we go from "News for Nerds" to "News for Teenage Online Gamers" recently, or would that require taking it one step further and using the "Pwn" form of the word. Maybe we should sprinkle in a "MiFi Fail!" in there somewhere too.

Article summary is wrong.

[ptbarnett]

a simple attack that allows him to recover the passwords for any Verizon MiFi device.

The attack is based on searching through a limited set of default passwords.

Changing the password to something other than the default prevents this attack. I don't have a Verizon MiFi device, but I have one from Sprint. By default, it was an open access point. I quickly changed it to something else before I left the store, and changed it again later at a distant location over the (somewhat) secure connection.

It was literally the first one sold from the store where I bought it. Sprint may have since changed to something like Verizon has done, with a (non-) random password. But, I would have changed it anyway.

My Verizon router (for FIOS) had a similar setup, although I don't think it's a predictable SSID and password. However, it was WEP-64. Needless to say, it was the first thing I changed.

An aside: I made the initial connection and changed the password in the Sprint store with my iPhone. The staff was really amused by that, and asked how fast the connection was. I used the iPhone speedtest to tell them -- about the same as the PCMCIA Sprint AirCard I had before this.

Re:Submitter is clueless on what 0wnage is

[natehoy]

The funny part of this story is that Verizon routers take so much effort to hack based on their default configuration. I read it as a good move on Verizon's part.

It's just hard enough that someone thinks that "hacking" it is some form of accomplishment. That's pretty impressive given that this is a default configuration, which by definition has to use some form of predictable algorithm for their password. At least they are shipping them with OK encryption enabled by default and a password that takes 4 minutes to crack.

Now, if someone managed to hack into one of these gizmos and get free Internet after a user changed the password to a properly secure one, that would be news.

I was at my father's house once, setting up a new wireless router. This was a few years ago. The directions said to plug it into the Internet, power it up, connect to it, and set up wireless security (optional). The problem is, the wireless side comes on at first power-up, and it's an open access point. So I connected all the cables, plugged it in, went to go get a cup of coffee, and by the time I returned 15 minutes later the wireless light was blinking solid and someone had already changed the configuration password. I had to do a factory reset and beat the guy to the configuration screen when it powered up again. There was no way to tell the router to power up without wireless enabled, and the antenna was not removable. I was seriously considering wrapping the !@#$ thing in tin foil to give me enough time to get the admin password changed, but on the third try I beat the little bastard to it or he gave up.

I can imagine that 90% of Internet users at the time would simply have powered up their router, seen the access point name, connected to it, and gone on blissfully unaware that a script kiddie next door had set up port forwarding and was running a Torrent client or webserver off their connection.

I think the fact that it takes 4 minutes to hack into a default-configured router is a pretty good indication of how far we've come. Maybe not far enough, but still pretty far.