

Anon549646 (Anon, @les.net)

Bell Home Hub 2000: Backdoor Security vulnerability

I choose to remain anonymous.



I just happened to discover a serious bug with Bell's Home Hub 2000.



There seems to be some sort of "backdoor" access pathway to retrieve the WPA2-PSK regardless of how complex the code is or of the settings set on the router.



It's done using WPS, EVEN IF WPS IS DISABLED.



With WPS disabled, the access point appropriately identifies its lack of WPS support in its beacon frames.



However, the Access Point still responds to WPS requests, and worse, responds to a PIN of "1234567890" thereby releasing the WPA2 passphrase, despite WPS being manually disabled!



Nitra (Member, Montreal)

Wow.

I don't have a HH2000, nor would I run ISP provided hardware, but that's asinine.

eelw (Member) to Anon549646

WiFi and the WPS Vulnerability

By JR, March 12, 2013

The WiFi WPS vulnerability has been known for over a year so it hardly qualifies as news. On the other hand, I'm willing to bet that, even a year later, 99.99% of the general population has no idea that their home or small office WiFi router is potentially vulnerable to an easy hack!



Even smart folks who use strong WPA/WPA2 passwords are at risk. I was even caught out by this one! I started to feel bad that I missed it, but then I asked a few of my tech friends about it and discovered they knew even less than I did! I never looked into this before, but a quick Google search found this issue with many routers since 2012. So this isn't just a Sagemcom/Bell HH2000 thing.



Loginbroken (Anon, @bell.ca)

Wow, just tested this myself... Confirmed!



The article eelw posted isn't related: WPS has been known to be vulnerable for some time. However, it's vulnerable to a brute force attack, because the 8 numbers are verified as two pairs, meaning it only takes 11k tries to break in. Most routers get around this by introducing a delay on each attempt or outright blocking wireless clients that guess the wrong code a few too many times.



However, the HH2000 I was able to penetrate even with WPS turned off, by using the PIN OP mentioned. Using Wireshark, the HH2000 does indicate WPS is disabled in the Beacon frame; however, manually crafting a WPS authentication request reveals the passphrase.



Steps to reproduce:



1. Turn WPS off.

2. Using reaver or another packet crafting utility, request WPS authentication using a pin of 12345678

3. HH2000 sends you the WPA2 passphrase.

4. Use this passphrase to connect.



I have to wonder if CSIS made Bell put this in as a backdoor. Tinfoilhat here sure, but the NSA made Verizon do something similar.
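
The beacon check Loginbroken describes, as an added editor's example (not code from the thread, from Bell or from Sagemcom): a small parser for the WPS information element in an 802.11 beacon's tagged parameters. The two sample beacons are constructed inline (the SSID BELL123 is made up, not a captured Home Hub frame); the layout is the standard vendor-specific IE 0xDD with OUI 00:50:F2 and OUI type 0x04, followed by big-endian TLV attributes.

```python
"""Decode the WPS information element (IE) from an 802.11 beacon.

Editor's example for this thread, not any poster's code and not Bell/Sagemcom
firmware. The beacon bytes below are constructed by hand; SSID "BELL123"
is made up. Layout follows Wi-Fi Simple Configuration: vendor-specific IE
0xDD, OUI 00:50:F2, OUI type 0x04, then big-endian TLV attributes
(2-byte attribute ID, 2-byte length, value).
"""
import struct

VENDOR_SPECIFIC_EID = 0xDD
WPS_OUI = bytes.fromhex("0050f2")
WPS_OUI_TYPE = 0x04
ATTR_VERSION = 0x104A             # 1 byte, 0x10 = WPS 1.0
ATTR_WPS_STATE = 0x1044           # 1 byte: 1 = not configured, 2 = configured
ATTR_SELECTED_REGISTRAR = 0x1041  # 1-byte bool, set while a registrar session is open
WPS_STATE_NAMES = {1: "not configured", 2: "configured"}


def iter_ies(tagged: bytes):
    """Yield (element_id, body) for each tagged parameter in a beacon."""
    i = 0
    while i + 2 <= len(tagged):
        eid, elen = tagged[i], tagged[i + 1]
        body = tagged[i + 2:i + 2 + elen]
        if len(body) != elen:
            raise ValueError("truncated information element")
        yield eid, body
        i += 2 + elen


def parse_wps_attributes(data: bytes) -> dict:
    """Parse WPS TLV attributes into {attribute_id: raw_value}."""
    attrs = {}
    i = 0
    while i + 4 <= len(data):
        attr_id, attr_len = struct.unpack_from(">HH", data, i)
        value = data[i + 4:i + 4 + attr_len]
        if len(value) != attr_len:
            raise ValueError("truncated WPS attribute")
        attrs[attr_id] = value
        i += 4 + attr_len
    return attrs


def wps_advertised(tagged: bytes):
    """Return a summary of the WPS IE if the beacon carries one, else None.

    None is what Wireshark shows as "no WPS" when the Home Hub has WPS off.
    It is only an advertisement: it says nothing about whether the AP's
    registrar still answers EAP-WSC messages, which is the bug in this thread.
    """
    for eid, body in iter_ies(tagged):
        if eid != VENDOR_SPECIFIC_EID or body[:4] != WPS_OUI + bytes([WPS_OUI_TYPE]):
            continue
        attrs = parse_wps_attributes(body[4:])
        state = attrs.get(ATTR_WPS_STATE, b"\x00")[0]
        return {
            "version": attrs.get(ATTR_VERSION, b"\x00")[0],
            "state": WPS_STATE_NAMES.get(state, f"unknown({state})"),
            "selected_registrar": attrs.get(ATTR_SELECTED_REGISTRAR, b"\x00")[0] != 0,
        }
    return None


# --- constructed sample beacons (tagged-parameter section only) ---
def ie(eid: int, body: bytes) -> bytes:
    return bytes([eid, len(body)]) + body


def wps_attr(attr_id: int, value: bytes) -> bytes:
    return struct.pack(">HH", attr_id, len(value)) + value


COMMON_IES = (
    ie(0, b"BELL123")                          # SSID (made up)
    + ie(1, bytes([0x82, 0x84, 0x8B, 0x96]))    # supported rates
    + ie(3, bytes([6]))                         # DS parameter set: channel 6
)
WPS_IE = ie(VENDOR_SPECIFIC_EID,
            WPS_OUI + bytes([WPS_OUI_TYPE])
            + wps_attr(ATTR_VERSION, b"\x10")
            + wps_attr(ATTR_WPS_STATE, b"\x02")
            + wps_attr(ATTR_SELECTED_REGISTRAR, b"\x00"))
BEACON_WPS_ENABLED = COMMON_IES + WPS_IE   # beacon with WPS advertised
BEACON_WPS_DISABLED = COMMON_IES           # beacon with no WPS IE at all

if __name__ == "__main__":
    print("WPS on :", wps_advertised(BEACON_WPS_ENABLED))
    print("WPS off:", wps_advertised(BEACON_WPS_DISABLED))
```

A None result is the "WPS disabled" that the beacon advertises. Tools such as wash read beacons and probe responses, so they report that advertisement, not behaviour; whether the registrar still completes the EAP-WSC exchange for a given PIN can only be established by sending it, which is why Loginbroken's Wireshark view and the reaver result disagree.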

Loginbroken (Anon)

Oh, right. Just to be clear, this isn't a brute force attack; those can take days.



Literally, all this takes is just under a dozen packets and the access point gives away its passphrase. Seconds.

mr weather (Premium Member, Mississauga, ON)

I turned the wifi off on my modem. Problem solved.

btech805 (Member, Canada)

Problem not solved. Our remote access software and applications still allow Bell or the ISP to view device tables, the WPA2 password and SSID, as well as the GUI, in order to test remotely. Nothing on the internet is secure and people need to get the idea that they can be anonymous and secure on the internet out of their heads. If you want to be unidentified, don't use telecommunications.

Garep (Member)

It's not about privacy, it's about people using your wifi.

urbang33k (Member, Canada) to Anon549646

Are you disabling it with the button on the front, or in the firmware user settings?

btech805 (Member, Canada) to Garep

Your wifi is being broadcast publicly and will always be vulnerable to unwanted access.



vitesse (Member, Saint-Philippe, QC)

said by btech805: Your wifi is being broadcast publicly and will always be vulnerable to unwanted access.

Yes, but it's not logical that the modem still answers WPS if it has been set to off. Regardless of the WPS security, when a feature is off it should be really off. If a customer gets an overage fee for that reason, will Bell credit him? No, so this is a real problem.



shrugs (Anon, @videotron.ca)

Has anyone contacted Bell?

What did they say?



adisor19 (Member) to Anon549646

I can't believe my eyes. This just reinforces the idea that I have to get rid of that crap asap.

Adi

63141160 (banned, Member)

Wow, good thing I don't have this modem. Instead, I have the Home Hub 1000, so I guess I'm safe. Right?



wtfff (Anon, @rogers.com) to Anon549646

lol, I just did this to a CGN3ACSMR on Rogers' by someone in my apartment; posting from it now. 10-character upper/lower case password retrieved within a second of running the command.

eelw (Member)

As I said earlier, the issue is not unique to Sagemcom and Bell. But why hasn't an issue from 4 years ago been patched on some, or is it most, consumer-based routers?



wtfff (Anon, @bell.ca) to Anon549646

Also works on a Bell Home Hub 1000, posting from it now.

rofl

hacked (Member) to Anon549646

... I use a HH2000 and wanted to try this on my own modem. How would one go about doing this on a Galaxy S6 to get on a wifi network at work? Or if I had to do it on a PC, is there a step-by-step? You mentioned running a command? Or is this for people with knowledge on the subject and not for n00bs like me...



adisor19 (Member) to Anon549646

Edit: I made a mistake. This is not the pixie dust vuln but rather the SAME freaking WPS PIN on every single device. Still just as bad.

I'm currently working on bypassing the Sagemcom with my Asus RT-66U using Merlin firmware. Fingers crossed.



Makaveli998 (Member, Toronto, ON)

Going to check this on an R7000 with Merlin firmware. I would assume it's not affected.



us3r (Anon, @umass.edu) to Anon549646

Hello, I have just tested this on many BELLXXX routers. The PIN is actually 12345670, not 12345678. I also tested if the devices are vulnerable to pixiewps, and I can confirm they are NOT.



loginbroken (Anon, @bell.ca) to adisor19

said by adisor19: So those things are vulnerable to the WPS Pixie Dust attack. All one needs to do is request a WPS authentication with Reaver or a similar tool and voila! The AES key is computed due to the piss-poor initialisation of the E-nonce. Instead of being a random value, it's some standard value for a bunch of routers including the HH 1000 and HH 2000.

This means that the key can be almost instantly retrieved. Honestly, the Sagemcoms should be thrown in the trash at this point cause I really don't expect Bell to issue a patch any time soon.

I'm currently working on bypassing the Sagemcom with my Asus RT-66U using Merlin firmware. Fingers crossed.

It's not even pixie dust in this case. Actually, it's not vulnerable to pixie dust, I checked. However, it responds to a PIN of 12345678 even if WPS is turned off, which is a different vulnerability entirely.



us3r (Anon, @umass.edu)

The PIN is 12345670. 12345678 does not follow the checksum that the WPS protocol uses. If you supply -p 1234567 to reaver or bully, it will automatically compute the last digit, 0, and recover the password.
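
Worked example of two points in the thread: Loginbroken's 11k-attempt figure (the PIN is verified as two halves) and us3r's note that reaver derives the eighth digit from the first seven. This is an added editor's example, not code from any poster and not reaver's or bully's source; the checksum arithmetic is the one from the Wi-Fi Simple Configuration spec, and FakeRegistrar is a stand-in for the access point, not a WPS implementation.

```python
"""WPS PIN check digit and the cost of a split brute force.

Editor's example for this thread, not any poster's code and not reaver/bully.
The check digit is the standard Wi-Fi Simple Configuration checksum (the
arithmetic reaver applies to a 7-digit -p value). FakeRegistrar only
simulates an AP that reveals first-half correctness at the M4/M6 step;
nothing here talks to a real access point.
"""


def wps_pin_checksum(seven_digits: str) -> int:
    """Return the 8th (check) digit for a 7-digit WPS PIN."""
    if len(seven_digits) != 7 or not seven_digits.isdigit():
        raise ValueError("expected exactly 7 decimal digits")
    pin = int(seven_digits)
    accum = 0
    while pin:
        accum += 3 * (pin % 10)   # weight 3 on digits 7, 5, 3, 1 (from the left)
        pin //= 10
        accum += pin % 10         # weight 1 on digits 6, 4, 2
        pin //= 10
    return (10 - accum % 10) % 10


def full_pin(seven_digits: str) -> str:
    """Append the check digit: "1234567" -> "12345670"."""
    return seven_digits + str(wps_pin_checksum(seven_digits))


def is_valid_wps_pin(pin: str) -> bool:
    """True if an 8-digit PIN carries the correct check digit."""
    return len(pin) == 8 and pin.isdigit() and full_pin(pin[:7]) == pin


def worst_case_attempts() -> int:
    """10^4 first halves, then 10^3 second halves (digit 8 is derived): 11,000."""
    return 10 ** 4 + 10 ** 3


class FakeRegistrar:
    """Stand-in for an AP's WPS registrar; leaks whether each half matched."""

    def __init__(self, secret_pin: str):
        if not is_valid_wps_pin(secret_pin):
            raise ValueError("secret PIN has a bad check digit")
        self.first, self.second = secret_pin[:4], secret_pin[4:7]

    def try_first_half(self, half: str) -> bool:
        return half == self.first     # AP continues past M4 only on a match

    def try_second_half(self, half: str) -> bool:
        return half == self.second    # AP continues past M6 only on a match


def split_brute_force(registrar: FakeRegistrar):
    """Recover the PIN half by half; return (pin, attempts used)."""
    attempts = 0
    for a in range(10 ** 4):
        attempts += 1
        first = f"{a:04d}"
        if registrar.try_first_half(first):
            break
    else:
        raise RuntimeError("first half not found")
    for b in range(10 ** 3):
        attempts += 1
        second = f"{b:03d}"
        if registrar.try_second_half(second):
            return full_pin(first + second), attempts
    raise RuntimeError("second half not found")


if __name__ == "__main__":
    print(full_pin("1234567"))               # the PIN the thread converged on
    print(is_valid_wps_pin("12345678"))      # the PIN first reported: bad check digit
    print(worst_case_attempts())
    print(split_brute_force(FakeRegistrar("12345670")))
```

The split search is why an ordinary WPS brute force is bounded at 11,000 tries and why routers rate-limit or lock out after a few failures. The Home Hub case in this thread is different in kind: a single valid PIN that the registrar accepts on the first try, which no lockout can help with.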

63141160 (banned, Member)

What can I do in my modem to prevent this until a fix is issued? Can I turn off the WPS or change the WPS password to something harder to guess?



adisor19 (Member)

said by 63141160: What can I do in my modem to prevent this until a fix is issued? Can I turn off the WPS or change the WPS password to something harder to guess?

Turn off the Wifi. This thing responds to WPS auth requests even if WPS is disabled!!

eelw (Member) to 63141160

Just keep an eye on all connected devices. If you notice a rogue device, boot it off your router.

Dcite (Member, Mississauga, ON) to Anon549646

You can either disable wifi entirely, or try to have whitelisted MAC addresses?

It would cost more, but you can always forward all ports and packets to another router, then have that one do your wireless and local network needs.



um no (Anon, @videotron.ca)

said by Dcite: You can... I think you mean, "Bell can...."

Tyggerbob (Member) to Loginbroken

LB, can you confirm that you were able to obtain the passphrase on a HH2k with Reaver? I tried, and yes, the 1234567 PIN works, but I was unable to recover the password. Also, on my HH2K, when I disabled it completely, I was not able to detect it with wash or use reaver for bruteforcing; I was able to do that in either PIN or Push Button modes with WPS enabled, though. If you were successful, could you post your firmware version so I can double check it with mine, please? I want to know if I need to change my setup.

Thanks in advance