www.rodneybeede.com "I would love to change the world, but they won't give me the source code" - unknown

2WIRE router and strange default password choice - Last Modified 2013-01-22 18:51 UTC - Created 2012-12-21 02:31 UTC

So I was recently upgraded for free from AT&T HSI DSL to AT&T U-Verse. They were discontinuing regular ADSL service in my area, so I got free equipment and an upgrade to their VDSL at the same price with no contract (and no $100 equipment fee). Good deal and faster Internet upload speed :)

I received my new AT&T U-verse device, a 2WIRE 3600HGV. I was surprised at how big the thing is!

I noticed some interesting things about the default security settings:

  1. The default wireless encryption mode is WPA/WPA2 PSK with TKIP AND CCMP (AES)
    • I prefer just WPA2 CCMP (AES), but this is much improved over a default of Open or WEP
  2. WPS is disabled by default, which is a great benefit because it avoids the known vulnerabilities in WPS
  3. The router admin password is random for each device
    • BUT it only consists of ten characters with values of 0-9
    • Resulting in only 10^10 combinations
    • Granted, to brute force it you have to hit the web interface, but if you could get 1,000/sec it would take you around 116 days
  4. The wireless password is random for each device
    • BUT it only consists of ten characters with values of 0-9 (again!)
    • Resulting in only 10^10 combinations
    • Using off-line brute force you can just capture some packets and go at this thing fast
    • This script author claims to have a setup that can do 35,000 keys / second. That's just about 80 hours (~3.3 days) to brute force the wireless key on modest hardware
  5. The password reset mechanism for the admin part of the modem just requires the default admin key
    • If someone saw the default password, changing it would not help. They could always remotely reset whatever password you set.
    • It would have been better if they required the reset button to have been pressed and held down instead
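
The arithmetic behind items 3 and 4, as an added example that is not part of the original post: it reproduces the 116-day and ~80-hour figures and then works out how long a password would have to be to survive a chosen time at the same guess rates. The 100-year target and the 62-character (a-z, A-Z, 0-9) alphabet are assumptions picked for comparison, not values from the router.

```python
import math

SECONDS_PER_YEAR = 31_557_600  # 365.25 days

def keyspace(alphabet_size: int, length: int) -> int:
    """Number of possible passwords of exactly `length` symbols."""
    return alphabet_size ** length

def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random password, in bits."""
    return length * math.log2(alphabet_size)

def exhaust_seconds(space: int, guesses_per_sec: int) -> float:
    """Worst-case time to try every candidate; the average case is half this."""
    return space / guesses_per_sec

def min_length(alphabet_size: int, guesses_per_sec: int, target_years: int) -> int:
    """Shortest length whose full keyspace outlasts target_years at this rate."""
    needed = guesses_per_sec * target_years * SECONDS_PER_YEAR
    length = 1
    while keyspace(alphabet_size, length) < needed:
        length += 1
    return length

def report(target_years: int = 100):
    """Rows of (label, days to exhaust default, digits needed, a-zA-Z0-9 chars needed)."""
    default_space = keyspace(10, 10)  # ten characters, each 0-9, as on the 3600HGV
    rows = []
    # Guess rates are the two quoted in the post.
    for label, rate in (("admin, online at 1,000/sec", 1_000),
                        ("wireless, offline at 35,000/sec", 35_000)):
        days = exhaust_seconds(default_space, rate) / 86_400
        rows.append((label, days,
                     min_length(10, rate, target_years),
                     min_length(62, rate, target_years)))  # 62 = assumed alphabet
    return rows

if __name__ == "__main__":
    print(f"default keyspace: 10^10, {entropy_bits(10, 10):.1f} bits")
    for label, days, digits, mixed in report():
        print(f"{label}: {days:.1f} days to exhaust; "
              f"100-year floor = {digits} digits or {mixed} mixed characters")
```
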

The forgot your password process: