The UAE’s internet is pretty much provided by two ISP’s: Etisalat and Du who provide broadband services to its customers.
Focusing on the largest of the two, Etisalat, they provide a eLife program that allows triple play services into the homes of their customer base, which include a WiFi network. The problem though is that many of these wireless access points are setup by Etisalat’s technicians themselves, sporting a certain convention for encryption keys; the client’s mobile phone number.
This mobile number convention is a limited keyspace, with just a few numbers short of 36 million possibilities. (8999999 * 4 prefixes). Knowing a possible key, helps tremendously in brute forcing the keys of a Wireless network. To create a list that creates all these numbers in a list, one could write that in Perl:
#!/usr/bin/perl
# generates 05[0256][1-9][0-9]{6} numbers
$| = 1;
foreach my $a (0, 2, 5, 6){
foreach my $b (1000000..9999999){ print "05".$a.$b."\n"; }
}
*Note: this script can be optimized of course, since it will be unlikely that you’ll have networks with several repetitive numbers having a default eLife installation.
Another handy fact is that “default” eLife setups have their SSID configured as etisalat-XXXXX where XXXXX is a “random” number.
Aside from “having free Internet access” to load balance your torrent web surfing traffic, there’s a much greater risk here.
eLife is delivered with a Aztech HW550 3G wireless router. These devices have an embedded version of Linux available, and Aztech was so kind to have make the source code available. Alternatively, you can resort to OpenWRT’s efforts, but the latter might raise some suspicion if the original owners decide to change something about their WiFi network.
Now, the danger lies in the following scenario:
- Attacker adds a backdoor into the HW550’s firmware.
- Attacker cracks your wireless keys and accesses your network
- Attacker accesses your wireless router (assuming you didn’t change the admin password)
- Attacker uploads the new firmware
- Attacker has access to your connection at all times, can use it to launch attacks and tunnel connections
Since the HW550 has a MIPS CPU of “only” 384 Mhz, and only 32 Megabytes of RAM, it can’t be used for heavy load network traffic, but you get the basic idea. Aside from creating “AP zombies”, one could redirect your traffic to do a MITM attack, etc …
So, to prevent this scenario from happening, choose a strong Wireless encryption key and change it regularly. Or, install OpenWRT yourself, or just get an other (better) Access Point.
That, and living inside a Faraday cage, so nobody picks up your wireless signals.
Leave a Reply