Verizon Fios Wireless Insecurities

by phishphreek

As usual, this information is provided for educational purposes only.

I was a long time customer of Comcast High Speed Internet.  As soon as Verizon Fios became available in my area, I immediately signed up for their Internet service.  I opted to go with their highest package at the time, which was an impressive 15 Mbps/15 Mbps.  I opted to use the 15/15 because I've always leeched torrents, due to my subpar connections, and I was finally in a position to give back to the community.  I seed mostly various open-source projects that are large in size, such as distros or similar.  Verizon has since come out with a much faster package of 50 Mbps/20 Mbps.

During the install, the tech didn't seem to know much more than how to hook up the standard connections.  He had no idea how to connect my Linux box to the wireless router.  He was only familiar with running their install program on a Windows OS.  I asked him for the Wi-Fi info and told him not to worry about it.  I could easily connect without his help.  When I started to look over the info he provided, I saw something of concern.  While they are giving out Wi-Fi routers to all Fios customers and enabling "security," they are using WEP.  WEP has long been known to have poor security [1].

I was amazed that they chose this as their default setting.  They might as well leave it wide open.  If they left it wide open, then at least some people would realize that it was insecure and might enable a WPA2 or a WPA2/802.1X config.  Of course, that's what I immediately wanted to do.  I told the tech that they were implementing an insecure protocol for wireless protection.  He said that he had never heard such a thing and couldn't believe that Verizon would do that.  They "took security very seriously."  I then told him that if someone knew what they were doing, they could easily break the WEP encryption in minutes.  He shrugged it off as though it wasn't his problem and told me to call customer service.

I got the default UID and PWD to change my security settings (UID: admin PWD: password1).

I quickly found the wireless settings, but was surprised by the user interface.  Changing from a WEP to a WPA2 setting was easy enough for me, but I think it would be confusing to a normal user.  I've worked with many users in the past in a support role and it's very easy to confuse them.  In order to enable WPA, you must first disable WEP under the menu "Basic Security Settings," which has a title/warning of "We recommend using WEP because it encrypts your wireless traffic."  So to an end user, it may seem wrong to disable WEP.  To enable WPA2, you have to go to another section titled "Advanced Security Settings."

Once there, you have to change it from "WEP (Recommended)" to "WPA2 (An enhanced revision of WPA providing stronger security settings)" which, again, to a normal user might seem wrong since WEP is "Recommended."  Nonetheless, I changed from WEP to WPA2 with the maximum length random shared key, because I knew better.

I later decided to survey the wireless connections in my neighborhood.

I live in a rather large apartment complex.  The complex is marketed as "Luxury" and is more upscale than most other complexes in my area.  A lot of people have Wi-Fi and other high-tech devices.  Firing up Kismet from my office on my laptop reveals over 75 wireless routers.  If I walk the perimeter of my apartment, over 125 access points show up.  A quick drive around the development reveals over 500 access points.  When I first moved in, there were not nearly as many (about half) and many of them were not protected at all.  Two years later, I'm happy to see that most are at least using WEP.  Increasingly, I've been seeing people deploy WPA2.

It's pretty easy to find a Verizon Fios wireless connection.

They tend to use pretty decent routers from Actiontec [2].  The specific model that I have is a MI424WR [3].  The OUIs for the models in my area are 00:1F:90 and 00:18:01.  Maybe more could be found by searching ieee.org.  The SSID is normally random looking and stands out in the list.  It is always five characters and is composed of letters and numbers.

As it turns out, they use the last 40 bits of the WAN MAC address of the router as the default WEP key!

They put it right on the router with the SSID information for consumer convenience.  So, in order to attach to one of these devices, we should only need the WEP key.  We already have a couple of important pieces of information.  We know that we can drop the first octet of the WLAN MAC address and keep the next two as the start of our 40-bit WEP key.

That means that if the device starts with 00:1F:90, the WEP key will always start with 1F90 and I've only got to figure out the last three octets.  Well, since the octets are in hex, that gives me 16 possible combinations for each octet, or approximately: 16^3 = 4096

It should be pretty easy to brute force that through a script, right?

But wait, just like a cheesy infomercial, it gets better.

Enter Kismet [4].

After a short survey, you can simply listen passively to this traffic and select the Verizon Fios wireless access point of your choice.  Then use the "c" option on the AP to view the clients.  What do we have here?  It looks like a client with a MAC that starts with the same three octets as the device's WLAN MAC!  Could that be the WAN MAC address?  Yep, it is!  That's right, you have the WEP key.  Just drop the first octet of the WAN MAC.

More than likely, you'll be able to connect to the device easily.

If they were not smart enough to change from WEP to WPA2, then you still have a good chance of logging into the router with the default username and password above.  I've always seen these devices on 192.168.1.1 by default.  I've only tried to access a couple of them (with my neighbor's permission, of course) and I've been able to get right on.  None of them had changed their default settings and I helped them to better secure their connections using WPA2 and changing the default settings.
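A self-check for the owner of one of these routers, added here as an example and not code from the article, Verizon or Actiontec: it takes the values the owner reads off the router label and admin pages (a dict layout assumed for this example, with constructed sample values) and reports which of the factory defaults described above (WEP, the WAN-MAC-derived key, the admin/password1 login and the five-character SSID) are still in place.

```python
# Added self-audit example, not code from the article, Verizon or Actiontec: the
# owner copies values off the router label and admin pages into a dict and the
# audit reports which factory defaults from the article remain. Samples are constructed.
import re

ACTIONTEC_OUIS = {"00:1F:90", "00:18:01"}         # OUIs the article lists
DEFAULT_ADMIN = ("admin", "password1")             # default login from the article
FACTORY_SSID_RE = re.compile(r"^[A-Za-z0-9]{5}$")  # five letters/digits, per the article

def hex_digits(value: str) -> str:
    """Strip separators (':', '-', spaces) and uppercase what remains."""
    return re.sub(r"[^0-9A-Fa-f]", "", value).upper()

def mac_digits(mac: str) -> str:
    """The 12 uppercase hex digits of a MAC address, or ValueError."""
    digits = hex_digits(mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def oui(mac: str) -> str:
    """First three octets of a MAC, formatted like the article ('00:1F:90')."""
    return ":".join(mac_digits(mac)[i:i + 2] for i in range(0, 6, 2))

def default_wep_key(wan_mac: str) -> str:
    """Factory 40-bit key: the WAN MAC with its first octet dropped (10 hex digits)."""
    return mac_digits(wan_mac)[2:]

def audit_router(cfg: dict) -> list:
    """Findings for cfg (assumed keys: wlan_mac, wan_mac, ssid, security,
    wep_key, admin_user, admin_pass); an empty list means no defaults remain."""
    findings = []
    if oui(cfg["wlan_mac"]) in ACTIONTEC_OUIS and FACTORY_SSID_RE.match(cfg["ssid"]):
        findings.append("factory-style SSID on an Actiontec OUI: advertises a Fios router")
    if cfg["security"].upper() == "WEP":
        findings.append("WEP in use: switch to WPA2 under Advanced Security Settings")
        if hex_digits(cfg.get("wep_key", "")) == default_wep_key(cfg["wan_mac"]):
            findings.append("WEP key is the factory default derived from the WAN MAC")
    if (cfg["admin_user"], cfg["admin_pass"]) == DEFAULT_ADMIN:
        findings.append("admin login is still admin/password1: change it")
    return findings

# Constructed sample: an untouched router, then the same unit after hardening.
FACTORY_CFG = {"wlan_mac": "00:1F:90:AB:CD:EE", "wan_mac": "00:1F:90:AB:CD:EF",
               "ssid": "K7Q2Z", "security": "WEP", "wep_key": "1F90ABCDEF",
               "admin_user": "admin", "admin_pass": "password1"}
HARDENED_CFG = dict(FACTORY_CFG, ssid="garden-shed", security="WPA2", wep_key="",
                    admin_pass="long-unique-admin-passphrase")
```

Calling audit_router(FACTORY_CFG) returns all four findings, while audit_router(HARDENED_CFG) returns an empty list.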

The whole point of this article is to bring attention to the gross insecurities of Verizon Fios router default settings.

These insecurities are not insignificant.  An attacker can gain complete control of the router, which, in my opinion, is worse than control of the hosts directly on the network.  It's simple to modify the firewall to allow remote administration.  Configuring Dynamic DNS features will increase the likelihood of finding and controlling these devices.  You don't have to be in the immediate proximity after the initial compromise of the device.

Seeing as many people use these devices as a firewall for their home computers, it's also easier to gain remote access to the computers because security is more lax behind a so-called firewall.  Not to mention that it's easy to modify the DNS server that the router is using, which means that you can redirect just about any traffic you want (when clients are using the router as a DHCP server) pretty easily by setting host entries in the router or by redirecting to your own DNS server.

The Actiontec MI424WR firmware is GPL'd [5], so it would be pretty simple to modify the source for your own needs, recompile and then load.

Let's also not forget all the fun that could be had by modifying routing tables or loading a custom firmware such as DD-WRT [6].

It might even be conceivable to write a wireless worm of sorts which uses the routers as a Kismet drone [7] to identify neighboring Verizon Fios routers and then break into them, uploading custom firmware or settings and creating a botnet of very high-bandwidth endpoints distributing their firmware via FTP, TFTP, torrent, or even running Tor [8] endpoints!

The possibilities are vast.

Resources

  1. www.isaac.cs.berkeley.edu/isaac/wep-faq.html
  2. www.actiontec.com
  3. www.actiontec.com/products/product.php?pid=41
  4. www.kismetwireless.net
  5. opensource.actiontec.com
  6. www.dd-wrt.com
  7. www.dd-wrt.com/wiki/index.php/Kismet_Server/Drone
  8. www.torproject.org