From: Bill Arbaugh (waaCS.UMD.EDU)
Date: Mon Apr 02 2001 - 19:36:29 CDT

    Name: RG-1000 default network name and WEP key exposure

    Product: Orinoco RG-1000 (www.wavelan.com)

    Severity: An attacker can determine the network name (SSID) and
                    the current WEP encryption key, allowing unrestricted
                    access to the LAN.

    Author: William A. Arbaugh
                    waacs.umd.edu
                    http://www.cs.umd.edu/~waa

    Vendor Status: Vendor informed of the problem on April 1, 2001 via
                    electronic mail. Vendor responded on April 2, 2001
                    that users should change their default password via
                    electronic mail.

    Details:
                    The Orinoco RG-1000 residential gateway ships by
                    default with WEP enabled. Unfortunately, the default
                    WEP key is set to the default network name (SSID). The
                    SSID appears in several 802.11 management frames in
                    the clear, even when WEP is enabled. Therefore, an
                    attacker with a sniffer capable of capturing
                    management frames can determine the current WEP key,
                    which is the last five digits of the network name
                    (provided the default has not been changed). Armed
                    with the network name and the current WEP key, the
                    attacker can easily gain access to the user's wireless
                    LAN. Additionally, the default network name for the
                    unit studied was the last six nibbles of the MAC
                    address converted into ASCII [1]. As a result, even if
                    the key were not the network name, an attacker could
                    determine it by sniffing the MAC address of the unit.

                    To Lucent/Orinoco's credit, the manual strongly
                    encourages changing the default encryption key.
                    However, the fact that the default key is disclosed
                    in the clear as part of the network name is
                    unfortunate. The default encryption key should be
                    changed to a randomly generated value set at the
                    factory.
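                    As an added example (not part of the original
                    advisory), the Python below parses a constructed
                    802.11 beacon and flags a unit whose SSID still
                    matches the MAC-derived factory default while the
                    Privacy (WEP) bit is set, which is exactly the
                    condition under which the key is readable from the
                    clear-text management frames. The frame layout is
                    standard 802.11; the upper-case hex form of the
                    default SSID and the sample MAC are assumptions.

```python
import struct

# Constructed sample beacon (not a real capture): the factory-default SSID
# is assumed to be the last three MAC bytes as upper-case hex text.
def build_beacon(bssid: bytes, ssid: str, privacy: bool) -> bytes:
    frame_control = b"\x80\x00"                  # management / beacon
    duration = b"\x00\x00"
    da = b"\xff" * 6                             # broadcast destination
    header = frame_control + duration + da + bssid + bssid + b"\x00\x00"
    capability = 0x0001 | (0x0010 if privacy else 0)   # ESS [+ Privacy]
    fixed = struct.pack("<QHH", 0, 100, capability)    # ts, interval, cap
    ssid_ie = bytes([0, len(ssid)]) + ssid.encode("ascii")   # tag 0 = SSID
    return header + fixed + ssid_ie

def parse_beacon(frame: bytes):
    """Return (bssid, ssid, wep_enabled) from a raw 802.11 beacon frame."""
    if len(frame) < 36 or frame[0] != 0x80:
        raise ValueError("not a beacon frame")
    bssid = frame[16:22]                         # addr3 of the 24-byte header
    capability = struct.unpack_from("<H", frame, 34)[0]
    ssid, pos = "", 36                           # tagged parameters start here
    while pos + 2 <= len(frame):
        tag, length = frame[pos], frame[pos + 1]
        body = frame[pos + 2:pos + 2 + length]
        if tag == 0:
            ssid = body.decode("ascii", errors="replace")
            break
        pos += 2 + length
    return bssid, ssid, bool(capability & 0x0010)

def default_ssid_for(bssid: bytes) -> str:
    # Last six nibbles (three bytes) of the MAC, rendered as hex text [1].
    return bssid[-3:].hex().upper()

def audit_beacon(frame: bytes) -> dict:
    """Flag a gateway still advertising its factory-default SSID with WEP on."""
    bssid, ssid, wep = parse_beacon(frame)
    at_default = ssid.upper() == default_ssid_for(bssid)
    return {
        "bssid": ":".join(f"{b:02x}" for b in bssid),
        "ssid": ssid,
        "wep_enabled": wep,
        "default_ssid": at_default,
        # Default SSID + WEP means the key (its last five characters) is
        # recoverable from the beacon alone; the key must be changed.
        "key_exposed": wep and at_default,
    }
```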

    References:

                    [1] Lucent Technologies Inc., Orinoco Residential
                        Gateway Getting Started, February 2001.