Name:           RG-1000 default network name and WEP key exposure

Product:        Orinoco RG-1000 (www.wavelan.com)

Severity:       An attacker can determine the network name (SSID) and
                the current WEP encryption key, allowing unrestricted
                access to the LAN.

Author:         William A. Arbaugh
                [EMAIL PROTECTED]
                http://www.cs.umd.edu/~waa

Vendor Status:  Vendor informed of the problem on April 1, 2001 via
                electronic mail. Vendor responded via electronic mail
                on April 2, 2001 that users should change their
                default password.

Details:
                The Orinoco RG-1000 residential gateway ships by
                default with WEP enabled. Unfortunately, the default
                WEP key is set to the default network name (SSID). The
                SSID appears in several 802.11 management frames in
                the clear, even when WEP is enabled. Therefore, an
                attacker with a sniffer capable of capturing
                management frames can determine the current WEP key,
                which is the last five digits of the network name
                (provided the default has not been changed). Armed
                with the network name and the current WEP key, the
                attacker can easily gain access to the user's wireless
                LAN. Additionally, the default network name for the
                unit studied was the last six nibbles of the MAC
                address converted into ASCII [1]. As a result, even if
                the key were not the network name, an attacker could
                determine it by sniffing the MAC address of the unit.

                To Lucent/Orinoco's credit, the manual strongly
                encourages changing the default encryption key.
                However, the fact that the default key is disclosed
                in the clear as part of the network name is
                unfortunate. The default encryption key should be
                changed to a randomly generated value set at the
                factory.
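
                A defender's audit of the pattern described above, as
                an added example that is not part of the original
                advisory: it flags units whose SSID or WEP key still
                follows the factory scheme. The function names,
                finding labels, sample inventory and the lowercase hex
                rendering of the MAC nibbles are assumptions.

```python
import re

def default_ssid_from_mac(mac: str) -> str:
    """Last six nibbles of the MAC as ASCII hex (lowercase is an assumption)."""
    nibbles = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(nibbles) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return nibbles[-6:].lower()

def default_wep_key_from_ssid(ssid: str) -> str:
    """The advisory's default key: the last five characters of the SSID."""
    return ssid[-5:]

def audit_unit(mac: str, ssid: str, wep_key: str) -> list:
    """Return the ways this unit's settings can be read off cleartext frames."""
    findings = []
    derived_ssid = default_ssid_from_mac(mac)
    if ssid.lower() == derived_ssid:
        findings.append("ssid-is-factory-default")
    if wep_key:
        key = wep_key.lower()
        # Key recoverable from the SSID carried in management frames.
        if key == default_wep_key_from_ssid(ssid).lower():
            findings.append("wep-key-derivable-from-ssid")
        # Key recoverable from the MAC even if the SSID was renamed.
        if key == default_wep_key_from_ssid(derived_ssid):
            findings.append("wep-key-derivable-from-mac")
    return findings

# Constructed inventory (locally administered MACs, not real devices).
INVENTORY = [
    ("02:00:00:1F:2A:3B", "1f2a3b", "f2a3b"),   # untouched factory settings
    ("02:00:00:1F:2A:3C", "homenet", "f2a3c"),  # SSID renamed, key left alone
    ("02:00:00:1F:2A:3D", "homenet", "k9#Qz"),  # SSID and key both changed
]

if __name__ == "__main__":
    for mac, ssid, key in INVENTORY:
        findings = audit_unit(mac, ssid, key)
        print(mac, "OK" if not findings else ", ".join(findings))
```

                The second inventory entry shows why renaming the
                network alone is not enough: the key must be replaced
                as well.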

References:

                [1] Lucent Technologies Inc., Orinoco Residential
                    Gateway Getting Started, February 2001.
