In association with heise online

23 August 2010, 09:45

WPA key of Speedport routers too simple


While each of German Telekom's widely used Speedport W 700V ADSL Wi-Fi routers is delivered with an individual, device-specific WPA key, the device manufacturer appears to have been too unimaginative when creating the keys. A reader of heise online, The H's associates in Germany, found that most of the key information is readily available. All devices at the heise editorial office and in further tests were supplied with flawed keys. Reportedly, the Speedport W 500V model is also affected.

The factory-set WPA key of the Speedport W 700V always starts with "SP-" followed by nine hexadecimal digits. Five of these digits can apparently be derived from the network name (SSID) and the MAC address of the Wi-Fi interface. These two components can easily be extracted from the router's wireless traffic. Two of the remaining four digits always contain the same value, which leaves an attacker with a WPA key with only two unknown digits. As the key only contains hexadecimal values, the attacker only needs to try out 4096 (16³) keys, something which can be accomplished quickly by using a script.

To ensure Wi-Fi security, users can simply configure a different WPA key. The key should consist of at least 8, but preferably 12 to 16, characters and contain a mixture of letters (a-z, A-Z) and numbers (0-9). It must not contain words that can be found in dictionaries, first or last names, place names or similar components. Some browser interfaces interpret umlauts and other special characters incorrectly, which may prevent a user from accessing the router even when the WPA key was entered correctly.
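A defensive check for the points above, as an added example that is not part of the original article: it flags a configured key that still has the factory format described here and applies the article's recommendations for a replacement key. The function name, finding labels and sample keys are constructed for illustration, the character mix is read as "at least one letter and one digit", and the dictionary-word rule is not checked.

```python
import re

# Factory key format described in the article: "SP-" plus nine hexadecimal digits.
FACTORY_FORMAT = re.compile(r"SP-[0-9A-Fa-f]{9}")


def audit_wpa_key(key):
    """Return finding labels for a configured WPA key; an empty list means no finding."""
    findings = []
    if FACTORY_FORMAT.fullmatch(key):
        # Per the article, a key of this form leaves only 4096 candidates to try.
        findings.append("factory-format")
    if len(key) < 8:
        findings.append("too-short")  # below the stated minimum of 8 characters
    elif len(key) < 12:
        findings.append("below-preferred-length")  # 12 to 16 is preferred
    has_letter = re.search(r"[A-Za-z]", key) is not None
    has_digit = re.search(r"[0-9]", key) is not None
    if not (has_letter and has_digit):
        findings.append("no-letter-digit-mix")
    if re.search(r"[^A-Za-z0-9]", key):
        # Umlauts and other special characters may be mishandled by some
        # router browser interfaces, so they are reported as a finding too.
        findings.append("special-characters")
    return findings


# Constructed sample keys (not real device keys).
SAMPLES = [
    "SP-0A1B2C3D4",     # still in the factory format
    "geheim",           # too short, letters only
    "abc12345",         # meets the minimum but not the preferred length
    "Schlüssel2010ab",  # contains an umlaut
    "Tr7kQ2mX9vLp4Zs",  # 15 characters, letters and digits
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r}: {audit_wpa_key(sample) or 'ok'}")
```
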

Similar problems have previously existed in Thomson's SpeedTouch routers and in the Netgear routers adapted for UK provider Sky. In 2006, the Speedport W700V was found to be insecure because of an undocumented method for remotely accessing its configuration via the internet.

The Speedport W 700V is made by Arcadyan, part of the Compal group since 2006. Although German Telekom no longer sells this router, the devices are still in widespread use because they were bundled with various T-DSL packages. The Speedport W701V supplied by AVM is not affected by this flaw.

