[20002] in bugtraq


RG-1000 802.11 Residential Gateway default WEP key disclosure flaw

daemon@ATHENA.MIT.EDU (Bill Arbaugh)
Tue Apr 3 16:03:19 2001

MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-ID:  <Pine.SOL.4.21.0104022035070.6061-100000@laffytaffy.cs.umd.edu>
Date:         Mon, 2 Apr 2001 20:36:29 -0400
Reply-To: Bill Arbaugh <waa@CS.UMD.EDU>
From: Bill Arbaugh <waa@CS.UMD.EDU>
To: BUGTRAQ@SECURITYFOCUS.COM

Name:		RG-1000 default network name and WEP key exposure

Product:	Orinoco RG-1000 (www.wavelan.com)

Severity:	An attacker can determine the network name (SSID) and
		the current WEP encryption key, allowing unrestricted
		access to the LAN.

Author:		William A. Arbaugh
		waa@cs.umd.edu
		http://www.cs.umd.edu/~waa

Vendor Status:  Vendor informed of the problem via electronic mail on
		April 1, 2001. Vendor responded via electronic mail on
		April 2, 2001 that users should change their default
		password.

Details:
		The Orinoco RG-1000 residential gateway ships by
		default with WEP enabled. Unfortunately, the default
		WEP key is set to the default network name (SSID). The
		SSID appears in the clear in several 802.11 management
		frames, even when WEP is enabled. Therefore, an
		attacker with a sniffer capable of capturing
		management frames can determine the current WEP key,
		which is the last five digits of the network name
		(provided the default has not been changed). Armed
		with the network name and the current WEP key, the
		attacker can easily gain access to the user's wireless
		LAN. Additionally, the default network name for the
		unit studied was the last six nibbles of the MAC
		address converted into ASCII [1]. As a result, even if
		the key were not the network name, an attacker could
		determine it by sniffing the MAC address of the unit.

		To Lucent/Orinoco's credit, the manual strongly
		encourages changing the default encryption key.
		However, disclosing the default key in the clear as
		part of the network name is unfortunate. The default
		encryption key should instead be a randomly generated
		value set at the factory.
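The two facts above (the default SSID is the last six nibbles of the MAC address as ASCII, and the default WEP key is taken from that SSID) give a site administrator a simple audit check: any gateway whose advertised SSID still matches its own BSSID is still on factory defaults and should be reconfigured. The following is an added example, not code from the advisory or from Lucent; the beacon records are constructed, and the case-insensitive comparison is an assumption since the advisory does not say whether the ASCII form is upper or lower case.

```python
import re

# Constructed sample of beacon observations (BSSID and advertised SSID), in the
# shape a wireless survey tool might record them. Not data from real devices.
OBSERVED_BEACONS = [
    {"bssid": "00:02:2d:1a:2b:3c", "ssid": "1A2B3C"},    # still on factory defaults
    {"bssid": "00:02:2d:4f:5e:6d", "ssid": "home-net"},  # renamed by the owner
    {"bssid": "00:02:2d:7a:8b:9c", "ssid": "7a8b9c"},    # default name, lower case
]


def default_ssid_for(bssid: str) -> str:
    """Reconstruct the factory network name the advisory describes: the last
    six hex nibbles of the unit's MAC address, written out as ASCII text."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", bssid)
    if len(hexdigits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {bssid!r}")
    return hexdigits[-6:].upper()


def is_factory_default_ssid(bssid: str, ssid: str) -> bool:
    # Assumption: compare case-insensitively; the advisory does not state the case
    # the unit uses when it turns the nibbles into ASCII.
    return ssid.upper() == default_ssid_for(bssid)


def audit(beacons):
    """Return the beacons whose SSID is the factory default for their BSSID.
    Per the advisory, such a unit's WEP key is the last five characters of
    that SSID, so the key is recoverable from the beacon alone and the unit
    must be reconfigured with a new network name and key."""
    findings = []
    for b in beacons:
        if is_factory_default_ssid(b["bssid"], b["ssid"]):
            findings.append({
                "bssid": b["bssid"],
                "ssid": b["ssid"],
                "reason": "SSID matches factory default derived from MAC; "
                          "WEP key exposed via management frames",
            })
    return findings


if __name__ == "__main__":
    for f in audit(OBSERVED_BEACONS):
        print(f"{f['bssid']}  {f['ssid']:<10}  {f['reason']}")
```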

References:

		[1] Lucent Technologies Inc., Orinoco Residential
		    Gateway Getting Started, February 2001.
