Aside from discussing the most obvious item (in the title), you also have the issue of why your average ISP isn’t helping out the security of the average consumer. In addition, the underlying theme here is that installation and implementation matters. You can have the best security/encryption on the planet and someone else can trash it in short order simply because they implement it wrong. Also note that while I won’t be publicly naming them, I will instead provide my emails with their CEO and high-level employees (redacted of course). With any luck, I’m hoping this will serve as a warning to others when they put their customers at risks… especially when they are warned about them.
So here’s a little background to catch you up to speed. Back in 2015, I discovered an ISP was using phone numbers for WiFi passwords. I did some testing and number crunching (albeit very little) and my initial thought was correct… This is an absolutely horrible way to set a WiFi password and I had the math to prove it. In addition, the ISP had just installed new routers/firewalls (with built-in WiFi to all of their customers and affiliate customers) during a fiber-to-the-premise (FTTP) rollout. To say it affected a number of customers was an understatement as the company in question provides internet to a good chunk of the community and surrounding communities. Ouch!
Aside from the fact someone could easily look up a phone number in a phone book (yes, they still exist) or even perform a quick internet search, the math makes it ridiculously easy to see how this oversight compromises security. If you just assume you don’t know any portion of the phone number and/or you take into account people who transplanted and subsequently brought their old phone numbers with them, you would have 10,000,000,000 (10^10) possibilities. 10 billion may sound like a lot, but it’s far less than ideal if you have any decent hardware to run the password cracking against.
While people who live in bigger cities might not understand this, when you live in a smaller community there are also only a handful of prefixes (not area codes, prefixes) your number can be. This significantly drops the 10 million possibilities and for our particular community it would limit you to approximately 90,000 numbers. 90K because the area code wouldn’t change and there were only 9 standard prefixes available. Multiple 9 by 10^4 and voila, you have the magical 90K.
No Tricks Up My Sleeve
The kicker is all I used was a default install of Kali along with airmon-ng, aircrack-ng, and crunch. I’ll spare the details because suffice to say there are numerous others who have figured this out without my help and that is not the point of this post.
|/usr/share/wordlists/phone_numbers# aircrack-ng /root/Desktop/02.cap -w XXXX.txt
Read 862 packets.# BSSID ESSID Encryption
1 10:6F:3F:XX:XX:XX Test WPA (1 handshake)
Choosing first network as target.Opening /root/Desktop/02.cap
Aircrack-ng 1.2 rc1
[00:00:44] 89991 keys tested (2038.13 k/s)
KEY FOUND! [ XXXXXXXXXX ]
Master Key : 6B 24 47 07 8E 25 49 43 BE 9F 80 BB C9 0D 70 A6
Transient Key : B8 6B 9E 3F CD 0D 79 7E F6 2D 3E 37 E9 C0 79 57
EAPOL HMAC : A1 59 38 82 EE C6 A0 93 11 C3 98 73 F0 07 82 BB
Anyway, during my testing, I was also able to determine that a simple virtual machine with absolutely no special hardware was able to force a de-auth of a wireless client and capture the handshake packets in less than 15 minutes… from initial boot. Truth be told, the 15 minute estimate was on the high side and only if you have problems capturing the re-auth. In fact, once the necessary packets were captured, I was able to crack the WPA2 key itself in under 44 seconds. Once again, this isn’t using some super secret, special cracking software/hardware; this was a single CPU VM with 2GB of RAM allocated to it, i.e. unimpressive to say the least and performed with the level of computing power that someone would have thrown away long ago if it were physical hardware.
I formatted a really polite email and alerted the CEO of the numerous flaws with this practice.
Based on the quick response from their CEO, I initially thought they would do the right thing.
I sent a follow-up to let them know I would be happy to help if they had any questions.
And then I waited. After about a week of no response I decided I would give them the benefit of the doubt and assume they were working on it. I put a calendar reminder for a month and a half later to remind myself to check in with them on the progress they had made if I hadn’t heard anything. All of a sudden, this isn’t looking as good. Nonetheless, I reached back out to them.
Instead, but they provided a ho hum response, which is abbreviated by saying we won’t do it anymore, we’ll fix it as routers break, etc.
I wasn’t exactly excited about that answer as I was hoping for something stronger and I eluded to this in my email response to them. Ultimately though, I decided I would play nice knowing I at least would make a significant security improvement over time for unknowing neighbors.
So Why the Change of Heart?
You’re obviously reading this so you are aware I decided not to let this issue just die. But why? Around the start of 2017, despite what they originally said, I discovered they were still following the same, crappy WiFi password practice for new customers. So I decided I was going to help right this ship. Not just for them, but as a warning of sorts to other ISPs (or IT companies) who may think it is OK to do this. At this point and based on other internet chatter, I’m fairly certain they are not the only ones doing this. Great! So now there are others with their heads up their backsides!
So let this be a challenge of sorts… Notify ISPs and IT companies doing this when you see it. Give them an opportunity to correct it. Feel free to cite this article if they don’t. It is up to us as IT and IT security folks to alert friends and family why this is beyond bad. More importantly, let’s help others less technically savvy fix it! We can help make sure they are all using 20+ character passwords for their WPA2/AES wireless keys. Also, take the time to explain how they could use passphrases, i.e. their password doesn’t need to be #$KF*&ghJkio9n>XzV01. Instead, TheSmith’ssecureWifi is a great password and it’s easy to remember too!
Clearly this ISP/company didn’t care about the security of the average customer and that’s just poor customer service regardless of how you look at it. Customers inherently respect them to some degree or at least believe they have a clue about technology and what they are doing. Unfortunately, the truth is they likely don’t know how to spell “security” and they don’t appear to have the desire to change. It reminds me of the old saying that “if you can’t do something well, then don’t do it at all.” Giving customers a false sense of security is almost as bad as not providing any security. Customers everywhere deserve better!