The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of Speedtouch: predictable WPA keys

Synthesis of the vulnerability 

An attacker can use the SSID to predict the default WPA key.
Impacted software: SpeedTouch.
Severity of this computer vulnerability: 1/4.
Creation date: 23/04/2008.
References for this announcement: BID-28893, VIGILANCE-VUL-7780.

Description of the vulnerability 

Thomson Speedtouch routers ship with a default WPA key that is derived from the serial number of the device.

The algorithm used to generate this key was published. If the serial number is "CP0615JT109 (53)":
 - the CP0615109 value is extracted
 - the last 3 characters (109) are replaced by the hexadecimal values of their ASCII codes: CP0615313039
 - a SHA-1 hash is applied on CP0615313039 to obtain 742da831d2b657fa53d347301ec610e1ebf8a3d0
 - the last 6 characters are used for the SSID: SpeedTouchF8A3D0
 - the first 8 characters are used for the WPA key: 742DA831D2

By running this computation over the full range of serial numbers, the attacker can correlate each SSID with its candidate WPA keys. For example, the SpeedTouchF8A3D0 SSID is associated with only two keys.

An attacker can thus guess the WPA key and access the victim's data.
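
An owner-side check built from the derivation steps listed above, as an added example that is not part of the bulletin or of any vendor tool: given the serial number printed on a device's label, it reports whether the SSID and WPA key in use are still the predictable factory values. The function names, the serial-label regex and the uppercase hex encoding are assumptions of this example; the key length follows the bulletin's sample value 742DA831D2 (10 hexadecimal characters).

```python
import hashlib
import re

# Label layout taken from the bulletin's sample "CP0615JT109 (53)":
# 6-character prefix, 2 characters that are dropped, 3 trailing characters,
# optional "(NN)" suffix. The exact character classes are an assumption.
_SERIAL = re.compile(r"^(CP\d{4})([0-9A-Z]{2})([0-9A-Z]{3})(?:\s*\(\d+\))?$")


def default_credentials(serial_label):
    """Return (ssid, wpa_key) produced by the published derivation."""
    m = _SERIAL.match(serial_label.strip().upper())
    if not m:
        raise ValueError("unrecognised serial format: %r" % serial_label)
    prefix, _dropped, tail = m.groups()
    # "109" -> "313039": hex of the ASCII codes (uppercase is an assumption).
    seed = prefix + tail.encode("ascii").hex().upper()
    digest = hashlib.sha1(seed.encode("ascii")).hexdigest().upper()
    # SSID uses the last 6 hex characters; the key matches the bulletin's
    # sample value, which is the first 10 hex characters of the digest.
    return "SpeedTouch" + digest[-6:], digest[:10]


def audit(serial_label, broadcast_ssid, configured_key):
    """List findings for a device the caller owns; empty list means no match."""
    ssid, key = default_credentials(serial_label)
    findings = []
    # Case-insensitive: a re-cased default key is just as predictable.
    if configured_key.strip().upper() == key:
        findings.append("WPA key is the factory default; change it")
    if broadcast_ssid.strip().upper() == ssid.upper():
        findings.append("SSID is the factory default and reveals the key space")
    return findings


if __name__ == "__main__":
    # Constructed inventory rows: (serial label, SSID in use, key in use).
    inventory = [
        ("CP0615JT109 (53)", "SpeedTouchF8A3D0", "742DA831D2"),
        ("CP0615JT109 (53)", "office-ap", "a long passphrase chosen by the owner"),
    ]
    for serial, ssid, key in inventory:
        print(serial, "->", audit(serial, ssid, key) or "no default values in use")
```
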

This security bulletin impacts software or systems such as SpeedTouch.

Our Vigil@nce team determined that the severity of this cybersecurity announcement is low.

The trust level is of type unique source, with an origin of radio connection.

An attacker with expert ability can exploit this vulnerability.

Solutions for this threat 

Speedtouch: workaround for WPA.
A workaround is to change the WPA key.

Computer vulnerabilities tracking service 

Vigil@nce provides software vulnerability analysis. The Vigil@nce vulnerability database contains several thousand vulnerabilities.