Friday, November 27, 2015



Security in Cyprus is bad. That is not a surprise.
Primetel uses insecure default passwords in their Wi-Fi routers. A WPA password can be cracked in 4-5 seconds with a simple laptop. If you are interested in the details, see below.
I used Primetel in my previous apartment. The password was of the form 12345678: 8 digits, all integers. I thought that was strange, since the password doesn't have enough entropy, so I calculated how much time someone would need to brute force it.
At a rate of 900 passwords per second (a simple laptop) this can be brute forced in 30 hours. It's not that good, but at least it's not as bad as the whole Cyta/Thomson thing.
Soon I noticed some passwords containing a letter, like 1234567a or 123456f8, and sometimes two. That is somewhat better, or so I thought. Clearly I didn't have the whole story.
When I moved to another apartment I reconnected with PrimeTel. Then I noticed that the first 4 digits of the password were the same; only the last 4 digits changed. That made me wonder. The first digits are clearly connected to the client. Are the last 4 digits based on something else, like the mac or SSID? There was a question bugging me that needed to be answered.
That kids, is the garden variety programmer/hacker OCD. Sometimes useful, most times just annoying :)
Then I made a list of people I know and public places with Primetel routers, and aggregated their passwords, SSID (wireless network name) and BSSID (the mac address of the router). All this information (excluding the password) is broadcast by each router; you can easily see it.
I pushed the data to Dropbox to continue the research when I had time.
Then I forgot about the matter, until I was on an airplane for 2 hours with no internet. I opened my tablet and started reading a book. Then of course I was bored within the first 5 minutes.
Then I saw the file in front of me staring at me: primetel.txt. OK, why not, let's take a look. I started looking at the numbers, and some patterns emerged. In all cases one pair of digits in the password was the same as a pair of digits in the mac (13 in the example below).
Mac: 00:21:96:2b:13:bc
Password: 29 79 13 b4
The last 2 digits also had some similarity. After some more intense number watching I noticed the second pattern.
  • If the last 2 digits of the mac address form an odd number, then the last 2 digits of the password are one less. If, say, the last 2 digits of the mac are 11, then the last 2 digits of the password are 10.
  • If the last 2 digits of the mac address form an even number, then the last 2 digits of the password are the last 2 digits of the mac minus 8. For example, 12 gives 04.
In our example 00:21:96:2b:13:bc:
  • The last 2 digits of the mac are bc (even number)
  • The last 2 password digits are bc – 08 = b4
Another example is 2c:ab:25:b9:22:85:
  • The last 2 digits are 85 (odd number)
  • The last 2 password digits are 85 – 1 = 84
That drops the entropy a lot. All possible passwords are basically 9000 since the first part is always decimal. That can be cracked in about 10 seconds with a simple laptop.
Not bad at all.
So I introduce my tool: primeTeller. Using the logic described here, it generates a wordlist of 9000 passwords, and one of them is the password of your router.
What most people don’t know is that these matters are not just a matter of “someone is using my wifi”. The password is used to encrypt data. If someone has your password, then he is able to monitor your online activities wirelessly, from a great distance.
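If you own one of these routers, the useful question is whether your own password is the predictable default, and how much the pattern shrinks the search space. The script below is an added example written for this post, not primeTeller or any Primetel code. It encodes the two rules above as a check against a BSSID/password pair you already have, and assumes (as in the post's example) that the copied pair is the fifth octet of the mac and that the password is 8 hex characters. The sample pairs are constructed: the first is the post's own example, the second reuses the post's second BSSID with a made-up decimal head, and the third is a made-up password that does not follow the pattern. Where the post's "minus 8" rule would go below zero, the post gives no example, so the check reports that as unknown rather than guessing.

```python
import math

# Constructed sample data (not from the post except where noted):
#   1. the BSSID and password quoted in the post
#   2. the post's second BSSID with a made-up decimal head (the post only gives "84")
#   3. a made-up password for the first BSSID that does NOT follow the pattern
SAMPLES = [
    ("00:21:96:2b:13:bc", "297913b4"),
    ("2c:ab:25:b9:22:85", "10102284"),
    ("00:21:96:2b:13:bc", "29791234"),
]


def predicted_tail(bssid):
    """Second half of the password that the post's two rules predict from the BSSID.

    Returns None when the rule is undefined: an even last byte below 8 would go
    negative, and the post gives no example for that case (assumption).
    """
    octets = bssid.strip().lower().split(":")
    if len(octets) != 6 or any(len(o) != 2 for o in octets):
        raise ValueError("expected a colon-separated 6-octet MAC address")
    fifth = octets[4]                 # copied into the password (13 in the post's example)
    last = int(octets[5], 16)
    delta = 1 if last % 2 else 8      # odd: minus 1; even: minus 8
    value = last - delta
    if value < 0:
        return None
    return fifth + format(value, "02x")


def is_derived_from_bssid(bssid, password):
    """True if the password's last four characters match the prediction, None if undefined."""
    tail = predicted_tail(bssid)
    if tail is None:
        return None
    pw = password.strip().lower()
    return len(pw) == 8 and pw[4:] == tail


def audit(bssid, password, rate_per_sec=900):
    """Effective search space and time to exhaust it at the post's 900 guesses/second."""
    derived = is_derived_from_bssid(bssid, password)
    if derived:
        candidates = 10 ** 4          # only the decimal head is unknown (the post's ~9000)
    else:
        candidates = 10 ** 8          # the post's original all-digit estimate
    return {
        "predictable": derived,
        "candidates": candidates,
        "bits": math.log2(candidates),
        "hours": candidates / rate_per_sec / 3600,
    }


if __name__ == "__main__":
    for bssid, pw in SAMPLES:
        r = audit(bssid, pw)
        print(f"{bssid} {pw}: predictable={r['predictable']} "
              f"keyspace=2^{r['bits']:.1f} exhaust={r['hours']:.3f} h")
```

Run it with your own BSSID and password in place of the samples; a `predictable=True` result means the password carries about 13 bits of real entropy instead of the 26 or so an 8-digit password suggests, and should be replaced with a long random passphrase.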
