Multiple vulnerabilities on Sitecom devices

Authors: Roberto Paleari (@rpaleari) and Alessandro Di Pinto (@adipinto)

One of our main activities at Emaze consists in analyzing embedded devices to identify security vulnerabilities that could be exploited by attacker to threaten end-users. In this blog post we focus on some issues that affect Sitecom N300/N600 devices, more precisely models WLM-3500 and WLM-5500 (...and possibly others).


The first vulnerability concerns the Wi-Fi network. Modern routers typically allow users to access the Internet also through a wireless connection. Obviously, Wi-Fi is crucial from a security perspective, as could allow nearby attackers (i.e., attackers located within the Wi-Fi network range) to access the user's local network. Unfortunately, in the past embedded devices have often been found to be affected by security vulnerabilities that allow attackers to access the Wi-Fi network, as we also demonstrated in previous blog posts. In the specific case of Sitecom devices, one of the issue we identified permits attackers to obtain the default wireless passphrase configured on the device. As many users don't change the predefined wireless key and keep using the default one, attackers can exploit this vulnerability to connect to the Wi-Fi network and access the victim's LAN.

In addition, we describe two vulnerabilities that permit remote attackers (i.e., attackers located anywhere on the Internet) to activate and access the Telnet service on the device, thus gaining full control over any aspect of the router.

Wireless key generation

Affected Sitecom devices are shipped with a 8-letter WPA/WPA2 passphase, printed on a stick attached under the device. The very same passphrase can  be also used to authenticate to the router web interface, with administrative privileges. At a first glance, this key seems just like a random sequence of eight lowercase and uppercase letters. However, our analysis revealed that this 8-letter key is not random at all, as it can be generated from publicly-accessible information, namely the MAC address of the wireless interface card.

Generating the WPA/admin passphrase from publicly-accessible information

This kind of issue is not new: in the past several other device models were shown to derive the wireless passphrase from the MAC address and/or the Wi-Fi SSID (e.g., Thomson, Huawei and many others). To the best of our knowledge, this is the first time Sitecom devices are also proved to be vulnerable.

More in detail, attackers can connect to a vulnerable Sitecom Wi-Fi network through a simple 3-step procedure:
  1. Move inside the wireless network range and intercept the router Wi-Fi MAC address.
  2. Apply the Sitecom key generation algorithm. This algorithm, starting from the Wi-Fi MAC address, generates the default WPA passphrase.
  3. The generated WPA key can be used to access the victim's wireless network, unless the user has changed it configuring a different Wi-Fi passphrase.
Of course, the challenge for the attacker is to determine which algorithm was used to generate the WPA key starting from the Wi-Fi MAC address. In the case of the affected Sitecom routers, the key generation algorithm was included right inside the device firmware, and was used during a "factory reset" procedure to re-generate the default WPA passphrase.

To demonstrate this attack, we reconstructed the WPA key generation algorithm and implemented it in a Python script, available here. Usage is very simple: just invoke the script passing the MAC address of the target Wi-Fi network, as shown in the example below. The script outputs both the key for the WLM-3500 and the two passphrases for the dual-band WLM-5500.

$ python sitecomkeygen.py aa:bb:cc:dd:ee:ff
==== Single-band (N300/WLM-3500) ====
KEY 2.4GHz: DqzskECV

==== Dual-band (N600/WLM-5500) ====
KEY 5GHz:   1ju5YcPQ
KEY 2.4GHz: 1jgFz11Q

Unauthorized Telnet access

We also realized that unauthenticated remote users can enable the Telnet server by accessing the following (undocumented) URL:
http://<target-ip>/cgi-bin/telnetControl.cgi
This URL is accessible on the WAN side, i.e., it can be invoked by Internet-facing attackers. As soon as the URL is accessed, the Telnet server is enabled also on the WAN interface. In addition, attackers don't have to guess a valid username/password combination to login: Sitecom devices embed a hard-coded credential, "admin:1234", that can be used to authenticate to the Telnet service, with administrative (i.e., root) privileges. As this administrative account is hard-coded, it cannot be disabled nor changed by a normal user.

Remediation

All the security issues discussed in this blog post have already been notified to Sitecom. Sitecom has now released updated firmware versions to address the Telnet issues (firmware versions WLM-3500v2001 v1.08 and WLM-5501v1001 v2.01). Besides manual upgrade, patched software images are also distributed to end-users through the automatic firmware upgrade feature. 

Regarding the wireless passphrase issue, obviously Sitecom cannot distribute a modified firmware that changes the Wi-Fi key with a true random one, as this approach would make several users unable to access their Wi-Fi network. For this reason, we strongly recommend Sitecom users to immediately change their Wi-Fi passphrase, avoiding to use the default one.

In addition, Sitecom confirmed that the algorithm for the generation of WPA/admin passphrase discussed above is valid only for WLM-3500 and WLM-5501 devices. New device models should not be affected by the same issue.

6 comments:

  1. If you need to hire a real hacker to help spy on your partner's cell phone remotely, change your grades or boost your credit score. Contact this helpline +1 347.857.7580 or the email address expressfoundations@gmail.com

    ReplyDelete
  2. I strongly recommend the service of a GREAT Hacker to you and his email is hackersolution89@gmail.com. I have used him quite a number of times and he has never disappointed me.

    He does all types of mobile hacks, get unrestricted and unnoticeable access to your partner/spouse, Skype, Facebook Account, Email(s), Whatsapp, Instagram, Text messages, Twitter, Bank accounts, office files etc. Getting the job done is as simple as sending an email to hackersolution89@gmail.com stating what you want to do.

    ReplyDelete
  3. Stop being scammed by fake hackers. Hire a Ethical Hacking group who are professional and real. You might be curious that what hacking group services can provide? .. If you hire a hacker, you always have worried of losing your money. We won't keep a cent if can't do our job. 100% refund if job is not completed. Hacking Services that you will find here at: hackethics008@gmail.com are custom to fit your hacking needs... A professional and experienced hacker providing hacking services for a variety of client needs. Specialize in many different Hacking Services some of my most popular hacking services are, Hack INTO ANY BANK WEBSITE Hack into any COMPANY WEBSITE HACK INTO ANY GOVERNMENT AGENCY WEBSITE HACK INTO SECURITY AGENCY WEBSITE AND ERASE CRIMINAL RECORDS Hack into CRAIGSLIST AND REMOVE FLAGGING HACK INTO ANY DATABASE SYSTEM HACK PAYPAL ACCOUNT HACK WORD-PRESS Blogs SERVER CRASHED hack HACK INTO ANY SCHOOL DATABASE AND CHANGE UNIVERSITY GRADES, no matter how secured HACK INTO CREDIT BUREAU DATABASE AND INCREASE YOUR CREDIT SCORE HACK ANY EMAIL OR SOCIAL NETWORK AND KNOW IF YOUR PARTNER IS CHEATING ON YOU HACK INTO YOUR PARTNER'S PHONE PICS, TEXT MESSAGE AND LISTEN TO CALLS TO KNOW IF HE IS CHEATING UNTRACEABLE INTERNET PROTOCOL HAVE YOU OR YOUR CHILD BEEN BULLIED ONLINE BEFORE AND WANT TO GET BACK AT THE PERSON, WE CAN HELP YOU TRACE THE ACTUAL LOCATION OF THE PERSON AND DO WHATEVER YOU REQUEST TO THE PERSONS COMPUTER IS ANYONE BLACKMAILING YOU ONLINE AND YOU WANT US TO GET INTO THEIR COMPUTER AND DESTROY DATA AND EVIDENCES AGAINST YOU? If you need a hacking service that is not listed, feel free to contact me at: hackethics008@gmail.com or text only - +1 (630) 755-8868. Contact me today about any of my hacking services

    ReplyDelete
  4. HEY GUYS,CONTACT GHOSTHACKER2351@GMAIL.COM FOR ALL TYPES OF HACKING JOBS(CELLPHONE HACK,CHANGE OF GRADE,BOOST YOUR CREDIT SCORE).IF YOU ARE INTERESTED TELL HIM I REFERRED YOU.

    ReplyDelete