Long story short, Bell’s residential modem/routers have weak default passwords that can be cracked in under a day. Few people change them, so tens of thousands of their customers are exposed to risk. To the best of my knowledge, they are not interested in fixing it.

Timeline

March 5 – Tweeted at @Bell and @Bell_News

March 6 – Contacted Bell Media Relations because there is no other relevant public contact information I could find

March 13 – Response from Bell Media Relations: “We strongly encourage our customers to choose their own secure password and, in fact, our technicians explain how to do this as part of the installation process.”

March 15 – Found an email address for Bell security through a friend; sent an email – no response

March 24 – Sent another email to Bell security – no response

March 30 – Tweeted at @Bell

March 31 – Brief conversation with @Bell_Support; radio silence

April 6 – Blog post published

You may also be interested in my follow-up blog post: Most default WiFi passwords are insecure

Background

Bell is one of the biggest internet service providers in Canada. Their residential modems have router features and come pre-configured with wifi enabled (using WPA) and a sticker on them that tells you the SSID and password. The SSID is BELLXXX where XXX is a three digit number. The password is 8 hex characters (16 possibilities each).

Ease of exploitation

It’s easy to calculate the total possible passwords. They are 16 ^ 8 ~= 4 billion.

Naturally, I fired up hashcat to see how many WPA passwords I could guess per second. Based on a 4-year-old article, 100,000 hashes/second is the rate at which a reasonable attacker could guess. At that rate it would take less than 12 hours to exhaust the keyspace with a good graphics card. My mid-range graphics card can guess 13,000 hashes per second, so in theory it should take up to 4 days to find the password. In practice, it took me three days.

Prevalence

I apologize for using outdated numbers, but I think the following Fermi estimate is within the right order of magnitude.

The 2011 census counted that there are 13,320,615 households in Canada. Let’s round down to 13,300,000 to make our math easier.

Bell had 18% market share in 2013

At least 90% of Canadians have an Internet connection

Let’s say 1% of users use default settings. I’m not sure if this estimate is too high or too low, but feel free to make your own guess about this number.

13,300,000 * 0.18 * 0.9 * 0.01 = 21,546

From this, we suspect that about 21,546 households are affected.

Canada’s population as of 2014 is 35.5 million, which (using our previous numbers) is around 2.6 people per household.

21,656 * 2.6 = 56,305

Our guess is that 56 thousand people are affected. In practice, if you look at any random residential area in Canada using WiGLE you will see at least a few vulnerable routers.

Post-exploitation

Once an attacker has gotten onto the wifi network, they can do a number of things with their new access:

They can use the free Internet connection to download large files instead of downloading them on their own network.

They can use the target’s source IP address to launch attacks against websites or, in general, for their own anonymity.

They can download illegal content or post threats, implicating the owners of the Bell router and potentially causing a police raid against the owner’s property.

They can usually log into the router as well, because the default username/password on the router management interface is admin/admin. If they log into the router, these attacks are also possible:

They can change the DNS servers.

They can flash the firmware.

They can change any other settings including the wifi password.

With some imagination, many more things are possible.

They can perform man-in-the-middle attacks using ARP spoofing or, if they have the router’s username and password, various other methods. These are some possibilities once they are in a man-in-the-middle position:

They can backdoor any executable downloaded from the Internet and take over any of the machines connected to the network.

They can downgrade HTTPS connections to HTTP.

They can replace TLS certificates and intercept traffic if the user clicks through the error.

Again, with some imagination, a lot more is possible.
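The ARP spoofing mentioned above leaves a trace on every host on the LAN: the gateway’s IP address suddenly resolves to a different MAC, and the attacker’s MAC ends up claiming more than one IP. The following is an added example, not code from the original post, that watches for both indicators across successive snapshots of the Linux neighbour table. The snapshots are constructed `ip neigh show` output, and the gateway address 192.168.2.1 and all MACs are placeholders I chose, not values from the post.

```python
"""Flag gateway ARP spoofing from successive neighbour-table snapshots.

Added example (not from the original post). Input is the text printed by
`ip neigh show` on Linux; the snapshots below are constructed.
"""
import re
from collections import defaultdict

GATEWAY_IP = "192.168.2.1"  # assumption: the router's LAN address (placeholder)

# One resolved entry per line, e.g.
# "192.168.2.1 dev wlan0 lladdr aa:bb:cc:dd:ee:01 REACHABLE"
# Entries without a MAC (INCOMPLETE/FAILED) carry no lladdr and are skipped.
NEIGH_LINE = re.compile(
    r"^(?P<ip>\S+)\s+dev\s+(?P<dev>\S+)\s+lladdr\s+(?P<mac>[0-9a-f]{2}(?::[0-9a-f]{2}){5})",
    re.IGNORECASE,
)


def parse_neigh(output):
    """Return {ip: mac} for every resolved entry in one snapshot."""
    table = {}
    for line in output.splitlines():
        m = NEIGH_LINE.match(line.strip())
        if m:
            table[m.group("ip")] = m.group("mac").lower()
    return table


def find_anomalies(snapshots, gateway_ip=GATEWAY_IP):
    """Return alert strings for two ARP-spoofing indicators.

    1. The gateway IP's MAC changes between snapshots (the attacker has
       poisoned our cache so we send upstream traffic to them).
    2. One MAC is listed for more than one IP (the attacker answers for the
       gateway and for a victim at the same time). A host that legitimately
       holds several addresses also trips this, so treat it as a lead, not proof.
    """
    alerts = []
    last_gw_mac = None
    for i, snap in enumerate(snapshots):
        table = parse_neigh(snap)
        gw_mac = table.get(gateway_ip)
        if gw_mac and last_gw_mac and gw_mac != last_gw_mac:
            alerts.append(
                f"snapshot {i}: gateway MAC changed {last_gw_mac} -> {gw_mac}")
        if gw_mac:
            last_gw_mac = gw_mac

        by_mac = defaultdict(list)
        for ip, mac in table.items():
            by_mac[mac].append(ip)
        for mac, ips in by_mac.items():
            if len(ips) > 1:
                alerts.append(f"snapshot {i}: {mac} claims {sorted(ips)}")
    return alerts


# Constructed snapshots: two normal polls, then one taken while a host with
# MAC 11:22:33:44:55:66 is impersonating the gateway.
SNAPSHOTS = [
    "192.168.2.1 dev wlan0 lladdr aa:bb:cc:dd:ee:01 REACHABLE\n"
    "192.168.2.20 dev wlan0 lladdr 11:22:33:44:55:66 STALE\n"
    "192.168.2.50 dev wlan0 FAILED\n",
    "192.168.2.1 dev wlan0 lladdr aa:bb:cc:dd:ee:01 REACHABLE\n"
    "192.168.2.20 dev wlan0 lladdr 11:22:33:44:55:66 REACHABLE\n",
    "192.168.2.1 dev wlan0 lladdr 11:22:33:44:55:66 REACHABLE\n"
    "192.168.2.20 dev wlan0 lladdr 11:22:33:44:55:66 REACHABLE\n",
]

if __name__ == "__main__":
    for alert in find_anomalies(SNAPSHOTS):
        print(alert)
```

In practice you would feed `find_anomalies` the output of `ip neigh show` collected every few seconds; a static ARP entry for the gateway, or a router that supports DHCP snooping / dynamic ARP inspection, removes the problem rather than merely detecting it.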

Conclusion and Recommendations

Let all your Canadian friends who use Bell know that unless they’ve configured the router themselves, their network is wide open.

To Bell:

I hope you fix this insecure default. I don’t think there is any cheap way to do that at this point. Maybe you have omniscient backdoor access into the routers. If so, you can use that to get a list of customers who are using the default passwords and call them to make them set their own SSIDs and passwords. For new routers you need to increase the character set from 16 to 62 (upper case, lower case, numbers) and the length to 10 to get 62 ^ 10 = 800 quadrillion possible passwords. While you are at it, make sure you have a good source of entropy when generating the passwords.