Default WPA2 password on Belkin routers is easily worked out
Jörg Schneider and Jakob Lell from TU Berlin have discovered that there is a simple means of working out the default WPA2-PSK password on some Belkin routers. They found that the default password can be calculated from the device's WAN MAC address using a substitution table.
The problem with this is that there is only a slight difference between the WAN MAC address and the publicly broadcast WLAN MAC address, allowing anyone within range of the router to work out the WPA2 password and log onto the network.
Wireless routers broadcast beacon frames at regular intervals to announce their presence to any wireless clients within range. These frames include the router's WLAN MAC address in plain text format – irrespective of whether the wireless network uses WPA2 encryption.
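The point about beacon frames, shown as an added example that is not part of the original article: a parser run over a constructed beacon reads the BSSID even though the same frame advertises WPA2-PSK. The function names, the sample MAC address and the SSID are assumptions made for this illustration.

```python
import struct

PSK_AKM = bytes.fromhex("000fac02")  # RSN AKM suite selector for pre-shared key

def build_sample_beacon():
    """Constructed beacon frame (no radiotap header); every value is made up."""
    bssid = bytes.fromhex("020000aabbcc")  # locally administered sample MAC
    header = (struct.pack("<HH", 0x0080, 0) + b"\xff" * 6  # beacon, broadcast DA
              + bssid + bssid + struct.pack("<H", 0))      # SA, BSSID, sequence
    fixed = struct.pack("<QHH", 0, 100, 0x0411)  # timestamp, interval, capabilities
    ssid = b"example-net"
    rsn = bytes.fromhex("0100" "000fac04" "0100" "000fac04" "0100" "000fac02" "0000")
    return header + fixed + bytes([0, len(ssid)]) + ssid + bytes([48, len(rsn)]) + rsn

def rsn_uses_psk(body):
    """RSN layout: version(2) group(4) pairwise_count(2) pairwise(4n) akm_count(2) akm(4m)."""
    if len(body) < 8:
        return False
    pairwise_count, = struct.unpack_from("<H", body, 6)
    pos = 8 + 4 * pairwise_count
    if len(body) < pos + 2:
        return False
    akm_count, = struct.unpack_from("<H", body, pos)
    return any(body[pos + 2 + 4 * i: pos + 6 + 4 * i] == PSK_AKM for i in range(akm_count))

def parse_beacon(frame):
    """Return the fields any passive receiver can read from a beacon."""
    if len(frame) < 36:
        raise ValueError("too short for a beacon")
    fc, = struct.unpack_from("<H", frame, 0)
    if (fc >> 2) & 0x3 != 0 or (fc >> 4) & 0xF != 8:
        raise ValueError("not a beacon frame")
    caps, = struct.unpack_from("<H", frame, 34)
    info = {"bssid": ":".join(f"{b:02x}" for b in frame[16:22]),
            "frame_protected": bool(fc & 0x4000),  # Protected Frame bit
            "privacy": bool(caps & 0x0010),        # network requires encryption
            "ssid": None, "rsn_psk": False}
    pos = 36
    while pos + 2 <= len(frame):
        tag, length = frame[pos], frame[pos + 1]
        body = frame[pos + 2: pos + 2 + length]
        if len(body) < length:
            break  # truncated element, stop parsing
        if tag == 0:
            info["ssid"] = body.decode("utf-8", "replace")
        elif tag == 48:
            info["rsn_psk"] = rsn_uses_psk(body)
        pos += 2 + length
    return info

if __name__ == "__main__":
    print(parse_beacon(build_sample_beacon()))
```

WPA2 protects data frames only, so any value a default key is derived from must not be recoverable from these unprotected management fields.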
Belkin Surf N150 routers with model number F7D1301v1 are affected. Based on labels posted on the Belkin web site, the security specialists suspect that the N900 (F9K1104v1), N450 (F9K1105V2) and N300 (F7D2301v1) models may also use easily calculated WPA passwords. The researchers refused to rule out the possibility that other models could also be affected. Anyone who uses a Belkin router and has not changed the WPA2-PSK password should do so as soon as possible.
The researchers say that they have informed the manufacturer of their findings on several occasions since January, but have received no response from the company. Belkin has also failed to respond to a press enquiry from The H's associates at heise Security.