This is a follow-up to my previous post, which showed that you can crack a default Bell Canada WiFi password very quickly. That post was completely ignored and I was told it’s not an issue. Soon after that I went traveling and I made sure to check out people’s routers whenever I got a chance. Below are some of the routers and ISPs I encountered. Many of them are vulnerable.
TLDR:
Vulnerable: AT&T (USA), Sonic.net (USA), Bell (Canada), unknown (Bulgaria)
Not vulnerable: TeleTu (Italy), Iskonovac (Croatia)
Cost
As we look at each of the routers I found, I evaluate how much it costs to crack the WiFi password in 1 hour. My calculations are based on the following benchmark.
I used cudaHashcat on two AWS GPU instances and calculated how fast they can crack passwords and how much it costs. My results are as follows:
Instance type: g2.2xlarge, Cost: $0.65/hr, Hashing speed: 42 khash/s, Cost per 1 Ghash: $4.30
Instance type: g2.8xlarge, Cost: $2.60/hr, Hashing speed: 170 khash/s, Cost per 1 Ghash: $4.25
An attacker can launch one of these and wait for it to crack the password, or they can launch as many as they need and run them for 1 hour until they crack it. This is why I’ll be calculating the cost of cracking the hash and not the time.
Routers
Let’s look at each router one at a time and calculate how much it costs to crack the default WiFi password. All characters in SSIDs and passwords in the photos have been replaced with placeholders representing the type of character.
A = upper case letter
a = lower case letter
0 = number
Bell (Canada)
From my previous post we know that the size of the pool of possible passwords is 16^8 = 4.3 Ghash.
4.3 Ghash * 4.25 $/Ghash = $18.28
AT&T (USA)
The SSID is predictable, so it’s easy to see these everywhere around major US cities if you just open your phone. The password has 10^10 possible combinations which is 10 Ghash.
10 Ghash * 4.25 $/Ghash = $42.50
Sonic.net (USA)
Sonic.net seems to follow the same pattern as AT&T. The same calculation applies to the WiFi password:
10 Ghash * 4.25 $/Ghash = $42.50
Bonus: The router’s admin password also follows the same pattern. That one is much slower to brute force because it requires an online attack against the router’s web interface, so it’s probably not a problem.
TeleTu (Italy)
This password is much stronger than any of the North American ones. It appears to be mixed letters and numbers, so we have 36^16 = 7958661109946401 Ghash
7958661109946401 Ghash * 4.25 $/Ghash = $3382430971727220 or $3 quadrillion
Iskonovac (Croatia)
This one is similar to the previous one but shorter, so the number of possible keys is 36^12 = 4738381338 Ghash
4738381338 Ghash * 4.25 $/Ghash = $20138120687 or $20 billion
Unknown (Bulgaria)
Sorry, I don’t know which ISP this is. This password is all digits, so it’s the weakest I’ve seen so far: 10^8 = 0.1 Ghash
0.1 Ghash * 4.25 $/Ghash = $0.43
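The cost model used above, as an added example (not code from the original post) for checking a default-password policy against the benchmark. The function names and the $1M budget are assumptions for illustration; it uses the exact keyspace rather than the rounded Ghash values, so figures may differ from the rounded ones in the text.

```python
# Added example: cost model from the benchmark, applied to a password policy.

# Benchmark figures from the post: (USD per hour, hashes per second)
BENCHMARK = {"g2.2xlarge": (0.65, 42_000), "g2.8xlarge": (2.60, 170_000)}

# Placeholder legend from the post: A = upper, a = lower, 0 = digit
LEGEND = {"A": 26, "a": 26, "0": 10}


def usd_per_ghash(instance):
    """Cost of computing 10^9 hashes on one benchmarked instance."""
    usd_per_hour, hashes_per_s = BENCHMARK[instance]
    return usd_per_hour / (hashes_per_s * 3600) * 1e9


def keyspace_from_mask(mask):
    """Number of candidates for a placeholder mask such as '0000000000'."""
    total = 1
    for ch in mask:
        total *= LEGEND[ch]  # KeyError on a character outside the legend
    return total


def exhaust_cost_usd(keyspace, rate=4.25):
    """Worst-case cost (whole keyspace) at `rate` USD per Ghash."""
    return keyspace / 1e9 * rate


def min_length(alphabet_size, budget_usd, rate=4.25):
    """Shortest length whose full keyspace costs more than the budget."""
    length = 1
    while exhaust_cost_usd(alphabet_size ** length, rate) <= budget_usd:
        length += 1
    return length


# Policies as (alphabet size, length), taken from the keyspaces in the post.
POLICIES = {"Bell": (16, 8), "AT&T": (10, 10), "TeleTu": (36, 16),
            "Iskonovac": (36, 12), "Bulgaria": (10, 8)}

if __name__ == "__main__":
    for name, (size, length) in POLICIES.items():
        cost = exhaust_cost_usd(size ** length)
        print(f"{name:10s} {size}^{length}: ${cost:,.2f}")
    # Hypothetical budget: how long must a policy be to cost more than $1M?
    print("digits-only length for > $1M:", min_length(10, 1_000_000))
    print("a-z0-9 length for > $1M:", min_length(36, 1_000_000))
```

At the benchmark rate, a digits-only default needs 15 characters to push exhaustive search past the assumed $1M budget, while a 36-symbol alphabet needs 10.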
Conclusion
As you can see, many ISPs have really bad default WiFi passwords on their routers. If you are reading this and your ISP has a weak default password policy, email me a photo of your router and I’ll make another post with additional results.
Next time you look through the access points list on your phone and you see ATTXXX, Sonic-XXX or BELLXXX you can probably assume they haven’t changed the default password and this is practically an (almost) free WiFi access point.
P.S.
Speaking of practically free WiFi, all Comcast/Xfinity users can be trivially phished for free WiFi credentials, but that’s a story for another time.