Purpose of this Article

This article demonstrates a vulnerability found in the 'Super Router' provided by the internet service provider TalkTalk to its customers. The vulnerability allows an attacker to discover the Super Router's WiFi password by attacking the router's WPS feature, which is always switched on, even if the WPS pairing button is not used. The purpose of this article is to encourage TalkTalk to immediately patch this vulnerability in order to protect their customers.

Tools Used

Windows Based Computer

(Other tools on Unix platforms may be just as effective, but for the purpose of this article we will focus on one)

Wireless Network Adapter

TalkTalk Router within Wireless Network Adapter Range

Software 'Dumpper' available on Sourceforge (Tested with v.91.2)

Steps to Reproduce

Step 1: Run Dumpper and navigate to the WPS tab and select the target WiFi BSSID.



Step 2: Click 'WpsWin' to begin probing the BSSID for the WPS pin.



Step 3: After a couple of seconds, the WiFi access key to this network will be displayed at the bottom right.





Scale of Vulnerability

This method has proven successful on multiple TalkTalk Super Routers belonging to consenting parties, which is enough to suggest that this vulnerability affects all TalkTalk Super Routers of this particular model/version. TalkTalk have been notified of this vulnerability in the past and have failed to patch it many years later. It is also documented across various community forums.

Links:

2014 TalkTalk Forum Post: D-Link RT2860 [Security issue]

2014 BroadbandBanter Forum Post: TalkTalk DSL-3680 WPS security vulnerability

2016 Hashkiller Forum Post: WPA Packet Cracking - TalkTalk
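
Because the router keeps WPS on even when the pairing button is unused, an owner may want to confirm what their own router advertises. The following is an added example, not part of the original article or of any tool it mentions: it parses the tagged parameters of a beacon (the bytes after the 12 bytes of fixed fields) and reports whether a WPS element is present, its state, and the AP Setup Locked flag. The sample byte strings are constructed for illustration, and capturing the beacon is assumed to be done separately.

```python
import struct

WPS_OUI_TYPE = bytes.fromhex("0050f204")  # vendor OUI 00:50:F2, type 4 = WPS
ATTR_STATE, ATTR_LOCKED = 0x1044, 0x1057  # WPS State, AP Setup Locked
STATE_NAMES = {1: "not configured", 2: "configured"}
# Constructed sample tagged parameters (SSID "HomeAP"), not captured from a real device.
SSID = "0006486f6d654150"
SAMPLE_NO_WPS = bytes.fromhex(SSID)
SAMPLE_WPS_ON = bytes.fromhex(SSID + "dd0e0050f204104a0001101044000102")
SAMPLE_WPS_LOCKED = bytes.fromhex(SSID + "dd130050f204104a00011010440001021057000101")


def iter_ies(buf):
    """Yield (tag, body) per 802.11 information element; stop if one is truncated."""
    pos = 0
    while pos + 2 <= len(buf):
        tag, length = buf[pos], buf[pos + 1]
        body = buf[pos + 2:pos + 2 + length]
        if len(body) < length:
            return
        yield tag, body
        pos += 2 + length


def parse_wps_attrs(body):
    """Parse WPS attributes (2-byte type, 2-byte length, big-endian) into a dict."""
    attrs, pos = {}, 0
    while pos + 4 <= len(body):
        atype, alen = struct.unpack_from(">HH", body, pos)
        value = body[pos + 4:pos + 4 + alen]
        if len(value) < alen:
            break
        attrs[atype] = value
        pos += 4 + alen
    return attrs


def wps_status(tagged_params):
    """Return None when no WPS element is advertised, else a summary dict."""
    for tag, body in iter_ies(tagged_params):
        if tag == 0xDD and body[:4] == WPS_OUI_TYPE:
            attrs = parse_wps_attrs(body[4:])
            state = (attrs.get(ATTR_STATE) or b"\x00")[0]
            locked = (attrs.get(ATTR_LOCKED) or b"\x00")[0] == 1
            return {"state": STATE_NAMES.get(state, "unknown"), "ap_setup_locked": locked}
    return None


if __name__ == "__main__":
    print(wps_status(SAMPLE_NO_WPS), wps_status(SAMPLE_WPS_ON), wps_status(SAMPLE_WPS_LOCKED))
```

A result of `None` after disabling WPS in the router's settings means the element is no longer advertised; any dict result means the router is still announcing WPS.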