Verizon FIOS (and DSL?) wireless access point insecure default WEP key

2008.10.01
Credit: Paul
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

By default, the 40-bit WEP key for the wireless router provided by Verizon to FiOS (fiber optic) and possibly DSL customers is set to the last 40 bits of the router's 48-bit MAC address. This is significant because the router's MAC address (the MAC address of it's WAN-side ethernet port) is easily discoverable using kismet without even needing to know the WEP key. The MAC will usually be listed by kismet in the list of connected/associated clients (the 'c' key in kismet). You can tell it is the router's MAC because it will have the same first 3 octets as the BSSID (wifi-MAC) but different last 3 octets. This is true for every Actiontec router I've tested. In each case, the MAC was listed by kismet in the list of connected clients, and in every case the WEP key was the last 40 bits of this MAC. Verizon FIOS (and DSL?) access points are detectable due to their predictable default ESSID' which is a 5 character string of random letters and numbers (ie A1BC3 or AB123, etc).

References:

http://seclists.org/bugtraq/2008/Sep/0311.html


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2022, cxsecurity.com

 

Back to Top