A COSMORED Configuration Flaw

by elite bulbe

The default Wi-Fi Pre-Shared Key (PSK) on the COSMORED V-SOL Optical Network Unit (ONU) is based on the MAC address of its Wi-Fi interface.

COSMORED (cosmored.net) is a TV and Internet provider in Puerto Vallarta, Mexico.  They have set up the factory default configuration for their current residential ONU Wi-Fi cable television box to use the MAC address of the Wi-Fi device to be part of the PSK on the default Wi-Fi network.  Any person who has a Wi-Fi device which lists MAC addresses for Wi-Fi networks in range would thus be able to connect to a Wi-Fi network that most end users would expect they should not have access to.

The ONU I observed this configuration flaw in was located at my in-laws' condo in Puerto Vallarta, Mexico, a popular resort area on the west coast of Mexico.  Using a Wi-Fi scanning tool on my wife's PC, I was able to find the MAC address for a neighbor's Wi-Fi.  Using part of the MAC address, I was able to join that network without having physical access to the router.  (I may be clueless, but I was not able to display the MAC address for unjoined networks on my iPhone.  Good old Apple protecting me from anything outside of their little secret garden!)

COSMORED made it worse: six months after I changed the Wi-Fi SSID and shared key to something more secure, COSMORED pushed down a reset (probably a firmware update) that restored the insecure Wi-Fi network SSID/PSK.  This, of course, was discovered by my less tech-savvy in-laws, and caused much grief all around as we tried to get them back onto the old network.

The ONU I witnessed this flaw on was made by V-SOL (vsolcn.com) - Guangzhou V-Solution Telecommunication Technology Co., Ltd.  The particular model was their 1GE+1FE+Wi-Fi+CATV G/EPON ONU.  If you have this particular model of ONU in your home, but it's provided by another ISP, I suggest you check to see if this type of security flaw is in place with your network as well.

I am curious as to whether this security flaw originated in how COSMORED specced out the unit for delivery from their OEM wholesaler or V-SOL, or if a certain wholesaler or V-SOL tends to configure all of their devices for their ISP customers this way.  This ONU looks like it is used worldwide by ISPs who use fiber for the last mile.  V-SOL claims to have manufactured five million units in the EPON space, and they may be owned by, or have had major investment from, the Netherlands.

As a side note, I will comment that this unit is very small and super-lightweight, and nothing like the large heavyweight gear provided by Comcast and Verizon in my area.  It appears to pack way more function and I am pretty sure it is much cheaper as well.  This unit provides a 1 GB Ethernet port, Wi-Fi, and CATV.  No wonder Internet service costs so much in the US of A!

So here is the configuration flaw:

Take the MAC address for the Wi-Fi you want to use.  Let's say it is C4:70:0B:CE:BB:C7 or C4700BCEBBC7.

Take the last six digits of the hex number (in this case CEBBC7) and add that on to the string GPON00, giving you a pre-shared key of: GPON00CEBBC7

As is found on many Wi-Fi routers, the default SSID also contains part of the MAC address, so I can tell that in this case the SSID would be CosmoredC7.  You are in on your neighbor's Wi-Fi!
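For anyone who wants to check their own unit, as suggested above, and to re-check it after the ISP pushes an update, here is an added example (not part of the original article and not COSMORED or V-SOL code). It takes the MAC, SSID and PSK read from your own ONU's admin page and reports whether the MAC-derived defaults are in use. The function names are hypothetical, and the SSID rule (prefix plus the last two hex digits) is an assumption inferred from the single example above.

```python
import re

# PSK rule as described in the article: "GPON00" + last six hex digits of the MAC.
PSK_PREFIX = "GPON00"
# Assumption: SSID rule inferred from the article's one example (CosmoredC7).
SSID_PREFIX = "Cosmored"


def normalize_mac(mac: str) -> str:
    """Accept C4:70:0B:CE:BB:C7, c4-70-0b-ce-bb-c7 or C4700BCEBBC7 forms."""
    digits = re.sub(r"[:\-.\s]", "", mac).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return digits


def factory_defaults(mac: str) -> dict:
    """Return the SSID and PSK the unit would ship with for this MAC."""
    digits = normalize_mac(mac)
    return {"ssid": SSID_PREFIX + digits[-2:], "psk": PSK_PREFIX + digits[-6:]}


def audit_onu(mac: str, ssid: str, psk: str) -> list:
    """Compare your unit's current settings with the defaults.

    An empty list means neither default is in use.
    """
    expected = factory_defaults(mac)
    tail = normalize_mac(mac)[-6:]
    findings = []
    if psk == expected["psk"]:
        findings.append("PSK is the MAC-derived factory default")
    elif tail in psk.upper():
        # A changed key that still embeds the broadcast MAC digits is weak.
        findings.append("PSK still contains the last six MAC digits")
    if ssid == expected["ssid"]:
        findings.append("SSID is the factory default (settings may have been reset)")
    return findings


if __name__ == "__main__":
    # Constructed sample: the article's example MAC with factory settings.
    for finding in audit_onu("C4:70:0B:CE:BB:C7", "CosmoredC7", "GPON00CEBBC7"):
        print("WARNING:", finding)
```

Running it again after any ISP-pushed update shows whether a reset like the one described earlier has restored the default SSID and PSK.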

I've been out of the networking business for decades now, but having taken a brief look at the Wikipedia entry for EPON, I suspect that if I had a device that had an optical port and a protocol analyzer like Wireshark, I might have discovered that COSMORED also "cheated" on the encryption keys used on the downstream signals from the local station, allowing you to eavesdrop not only on neighboring Wi-Fi networks, but all of the ONUs on your branch of the optical network.
