WiFi routers have predictable SSID and WPA keys
Adrian Pastor reports on the GNUCITIZEN blog that the SSID and default WEP/WPA encryption key for Thomson SpeedTouch and BT Home Hub WiFi routers can easily be calculated from the device serial number.
The mechanism is apparently the same for both routers. The serial number is stripped of two recognisable two-character fields – the "CC" and "PP" fields – the remainder is hexadecimal encoded, and the resulting string is hashed using SHA-1. The first five bytes of the hash become the default encryption key, and the last two or three bytes are converted to a string and appended to the router model name to form the SSID. A tool by Kevin Devine called stkeys can be used to brute-force serial numbers, since the variable field of the serial is only seven characters long.
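As an added illustration (not code from the article, from GNUCITIZEN or from stkeys), the following Python models the derivation pattern described above and places it beside a CSPRNG-based alternative, together with a self-audit check and a count of the search space. The field positions, the assumption of a 36-symbol alphabet for the seven-character variable field, and the sample serial are constructed for this example; it does not reproduce the vendors' exact algorithm.

```python
import hashlib
import secrets

# Assumed serial layout for this example (not the vendor's real format):
# a two-character "CC" field, a seven-character variable field, a two-character "PP" field.
CC_LEN = 2
VAR_LEN = 7
PP_LEN = 2
SERIAL_LEN = CC_LEN + VAR_LEN + PP_LEN


def derive_default_credentials(serial: str, model: str = "SpeedTouch") -> tuple[str, str]:
    """Model of the weak scheme the article describes.

    Drops the CC and PP fields, hex-encodes the remaining characters, hashes
    the result with SHA-1, uses the first 5 bytes (40 bits) as the key and the
    last 3 bytes as the SSID suffix. Field positions are an assumption here.
    """
    if len(serial) != SERIAL_LEN:
        raise ValueError(f"serial must be {SERIAL_LEN} characters")
    variable = serial[CC_LEN:CC_LEN + VAR_LEN]
    hex_encoded = variable.encode("ascii").hex().encode("ascii")
    digest = hashlib.sha1(hex_encoded).digest()
    key = digest[:5].hex().upper()
    ssid = f"{model}{digest[-3:].hex().upper()}"
    return ssid, key


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct serials, and so of distinct default keys, the scheme can produce."""
    return alphabet_size ** length


def is_serial_derived(serial: str, ssid: str, key: str, model: str = "SpeedTouch") -> bool:
    """Self-audit: is a device still running the serial-derived default SSID/key pair?"""
    return (ssid, key.upper()) == derive_default_credentials(serial, model)


def generate_random_credentials(model: str = "SpeedTouch") -> tuple[str, str]:
    """Hardened alternative: per-device credentials from a CSPRNG, unrelated to the serial."""
    ssid = f"{model}{secrets.token_hex(3).upper()}"
    psk = secrets.token_hex(32)  # 256-bit WPA2 PSK, as 64 hex characters
    return ssid, psk


if __name__ == "__main__":
    sample_serial = "AB1234567XY"  # constructed sample, CC="AB", PP="XY"
    ssid, key = derive_default_credentials(sample_serial)
    print(f"serial-derived default: SSID={ssid} key={key}")
    print(f"serials to enumerate (36 symbols, {VAR_LEN} chars): {keyspace(36, VAR_LEN):,}")
    print("still on derived defaults?", is_serial_derived(sample_serial, ssid, key))
    print("hardened replacement:", generate_random_credentials())
```

The point of the contrast is the size of the search space: a key that is a function of a seven-character serial field has at most 36^7 (about 7.8 x 10^10) possible values however strong the hash, whereas a key drawn from a CSPRNG has no relation to anything printed on the device.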
Devine was able to narrow the set of possible keys down to two for a Thomson router, and Pastor reduced it to around 80 for a BT router using a lookup system similar to rainbow tables. However, Pastor comments "breaking into a BT Home Hub Wi-Fi network which uses default settings (40 bits WEP) has always been possible in a matter of minutes (if packet injection attacks are used) since the Home Hub was released into the market. Therefore, this predictable-default-key attack doesn’t change the current state of the BT Home Hub’s Wi-Fi insecurity".