Auditing the MiFi 2200

by pnorton

The Internet has become much more than a series of tubes to many of its users, providing near-instant access to a variety of information as well as remote access to services.  The technology has extended beyond the conventional wired realm into wireless communication as well.

While access is ubiquitous to some, one runs into circumstances, hopefully temporary, where one is unable to connect successfully to an access point.

All too often, one's efforts to connect are frustrated by access control or encryption technologies.  Circumventing WEP or MAC filtering will be left as an exercise to the reader.  WPA is acknowledged to have a respectable level of strength, by contrast, when implemented successfully.  The novice hacking enthusiast will be grateful for a little help.

What are the weak points of the WPA implementation process?

While perhaps technically and cryptographically sound, the weak link in the chain is the human implementing the security.  The framers of WPA (and its successor WPA2) were relying on the implementer of the communication system not to write the password down and store it in a vulnerable location, to physically secure the access point, and to choose a cryptographically strong password.  It is this last item which is perhaps the most vulnerable to attack.

A friend of mine who works in the infosec industry once speculated that something like 95 percent of humans, when choosing even an important password, will choose from a hypothetical list of perhaps one million passwords.

This plays right into one of the weaker points of the WPA family of encryption processes: the handshake.  In the case of one system that I audited, human error made things even worse.  For this reason, the reader's attention should be drawn to one popular access point, the MiFi 2200 Mobile Hotspot, a portable 802.11b/g AP considered novel because it is a first-generation IP-over-3G device.  The 3G communication protocol will be familiar to most of our readers as the protocol that allows cellular telephone access to the Internet.

That's why I like the MiFi 2200, because the geniuses at Virgin Media have made it possible for me to have roaming Internet access pretty much anywhere that I can get a phone signal.  Cheap.  Pay As You Go.  I love Sir Richard Branson.

So if I could fault the good people at V. Media for anything, it's that one of the default security settings on the MiFi 2200 is somewhat bad.  The default setting for the WPA key does not take advantage of the full consortium-defined keyspace available to security implementers.  It's an uncomplicated eleven-digit number.  That means that there are fewer than one hundred trillion possible combinations.  Does that seem like too many to try?

Perhaps we can narrow it down further.

On the original unit that I purchased, the default encryption key was an 11-digit number and the ESSID was a slight variant of "VirginMobile MiFi2200."  I got a little curious and poked around a bit, discovering that the password was the same as the decimal representation of the ESN.

Of course, this made me even more curious and so I had a look at another two units, discovering the same coincidence.  Could it be that the OEM set all of the 2200 series encryption keys to the ESN?  Only testing will tell, or confirmation from the vendor, heh.

Before you begin auditing anything, keep in mind that you need to have a solid background in counter forensics if you want to get away with anything.

Learn the law and how to avoid getting ensnared in it.  Also, you'll need to create yourself a dictionary file with all of the conceivable numbers that might be used as default passwords.  The manufacturer code is the first 8 bits of the ESN, i.e. the first three decimal digits, which is 091 for my device.  That leaves only 18 bits for the manufacturer to assign, at most 262,144 codes in this batch, hence the vulnerability.

Software like Pyrit will tear through a small set of PMKs, and even the Aircrack-ng suite should be able to accommodate this sort of attack.
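To put the numbers above in perspective, here is an added example (my own addition, not code from the article or from Virgin Media) that works out the effective entropy of the ESN-derived default against a randomly generated WPA2 passphrase, plus a constructed audit check that flags a configured PSK still matching the 11-digit, 091-prefixed factory pattern.  The 18-bit batch figure and the 091 prefix are taken from the article; the 94-character passphrase alphabet is my assumption.

```python
import math
import re
import secrets
import string

# Figures from the article: the MiFi 2200 ships with an 11-digit decimal WPA
# key equal to the unit's ESN. The leading three digits (manufacturer code,
# 091 on the author's unit) are fixed for a batch, and the article puts the
# remaining assignable space at 18 bits, i.e. 262,144 keys.
FULL_11_DIGIT_SPACE = 10 ** 11
ARTICLE_BATCH_SPACE = 2 ** 18
# WPA/WPA2 passphrases are 8..63 printable ASCII characters and are stretched
# by PBKDF2 into a 256-bit PMK, which caps the effective entropy.
# Assumption: 94 symbols, i.e. printable ASCII with the space excluded.
ALPHABET = string.digits + string.ascii_letters + string.punctuation
PMK_BITS = 256
# Constructed pattern for the factory default: 091 followed by eight digits.
ESN_DEFAULT = re.compile(r"^091[0-9]{8}$")


def entropy_bits(keyspace: int) -> float:
    """Entropy of a key drawn uniformly from a keyspace of the given size."""
    return math.log2(keyspace)


def passphrase_entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a random passphrase of the given length, capped at the PMK size."""
    if not 8 <= length <= 63:
        raise ValueError("WPA passphrases must be 8 to 63 characters")
    return min(length * math.log2(alphabet_size), PMK_BITS)


def looks_like_factory_default(psk: str) -> bool:
    """Audit check: does this configured PSK still match the ESN-derived default?"""
    return ESN_DEFAULT.match(psk) is not None


def random_psk(length: int = 63) -> str:
    """Replacement PSK drawn from the full printable alphabet with a CSPRNG."""
    if not 8 <= length <= 63:
        raise ValueError("WPA passphrases must be 8 to 63 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    print(f"any 11-digit number:   {entropy_bits(FULL_11_DIGIT_SPACE):5.1f} bits")
    print(f"091-prefixed batch:    {entropy_bits(ARTICLE_BATCH_SPACE):5.1f} bits")
    print(f"63-char random PSK:    {passphrase_entropy_bits(63):5.1f} bits")
    print("default still in use:", looks_like_factory_default("09112345678"))
```

Run it against the key configured on your own unit: anything the check flags is worth replacing with the output of random_psk().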

I would like to outline the testing procedure in general terms:

Find all Windows installations in your laboratory, and format the hard drives.  Install Linux.  Maybe back up your older data, maybe not.  Consider starting life fresh.

Install Linux on your attack laptop.  Install the Aircrack-ng suite, either using your distribution package manager or compile from source to increase your credibility.  Ubuntu is good.  Gentoo is better.  If you have trouble with these, you might want to use a Live CD such as Pentoo, or BackTrack if you are a noob.

Go someplace where a lot of people, particularly businessmen or traveling salespeople work.  Perform a scan for Virgin Mobile named 802.11 wireless networks.  The iwlist command from the iwtools suite works well in combination with a modified grep command if you are working in a target-rich environment.

Having obtained the ESSID of your target, next you will need to intercept the WPA handshake.  As such, you may find it helpful to dissociate any connected clients using the aireplay-ng tool in the Aircrack-ng suite.  This tool is remarkably effective.  As the client disassociates, it will likely reassociate with the access point during which time you may intercept the handshake.  The handshake is the weak point of the crypto process.  Protip:  Use two network cards so that you can send DEAUTH packets with one while listening in promiscuous mode with the second one for handshakes.

With the handshake successfully intercepted, use the Aircrack-ng forcing or the Pyrit forcing utility to find a collision.  For this, you will need to specify your dictionary file (q.v.).

Please Note:  I researched, discovered, and publicized this hack because I have abundant respect for the MiFi equipment marketed by the Broadband2Go service by Virgin Media.  Although I won't admit to making a clandestine audit of their resources, at the least I feel comfortable saying that I was impressed by their security setup, and will continue to proudly be a Virgin customer, publicizing only a minor bug.

Along these lines, security enthusiasts should recognize that minor to moderate security bugs in technology products and services are no more egregious an error than when you order (patriot) fries from McDonald's and they don't have enough salt on them.  In essence, security bugs should be accepted as a fact of life, and any security professional who gets publicly bent out of shape about them is likely insincere and is in most cases either a blowhard, a profiteer, or a gloryhound.  If you're successful, you may have temporarily granted yourself free anonymous Internet access.

Also Note:  I've worked professionally as an authorized pen-tester for the past five years, a job coveted by many of the younger security professionals that I meet.  However, I'd like to be the first to disclose that among the many jobs I've held in my life, being a pen-tester is among the lamest jobs that I'm familiar with.  If I were a bartender, at least I'd be getting paid in alcohol.

Shout outs to: D0, alexbobp, Kevin Mitnick, Stephen Watt.

No shout to: anyone with cissp, ceh, or other lame certs that only prove that you lack skills.
