Yet another Huawei weak password encryption scheme

Author: Roberto Paleari (@rpaleari)

Some months ago, we blogged about a weak password encryption scheme used by several Huawei products. In a nutshell, this scheme obfuscates and encrypts the password using DES with a hard-coded key.

After our notification, Huawei published a security advisory describing this issue. According to their advisory, Huawei solution was to "abandon DES algorithm and adopt AES256 algorithm". We were quite intrigued by this statement, also because the problem was not the adoption of DES per se, but the use of a hard-coded encryption key and no password salting. Thus, we decided to investigate the new AES256 scheme.

Unfortunately, we soon realized the new scheme is affected by security weaknesses very similar to those identified in the previous encryption scheme. Briefly, passwords encrypted with the new scheme can be recognized by the "%$%$" header and trailer. Decryption works as follows:
  1. Leading and trailing occurrences of string "%$%$" are removed.
  2. The ASCII encrypted text is translated into a binary string, using a custom algorithm.
  3. An AES key is derived by changing few bytes of a hard-coded password with a password salt (also stored with the encrypted text).
  4. AES 256 is applied, using the derived AES key and a hard-coded IV.
A Python procedure that implements this decryption algorithm is available here. Upon termination, procedure decrypt_password() returns the clear-text password.

We notified Huawei about this new weak encryption key on February 11th, 2013. As a countermeasure, we suggested to store only the cryptographic hash value of sensitive data (e.g., passwords and SNMP communities).

To the best of our knowledge, the only sensitive value currently stored using a hash is the console password. In this case, the device pads with NULLs the clear-text password to reach a length of 16 bytes, then computes a SHA-256 hash over the resulting string. Finally, the hash is encrypted using the custom "AES256" scheme described above. In all the other cases (e.g., user passwords and SNMP communities) the device simply encrypts the clear-text password using the "AES256" scheme.

19 comments:

  1. Can you confirm the model(s) tested on for this issue?

    ReplyDelete
    Replies
    1. Sorry for the (very) late reply: we tested this issue on a AR1220 router.

      Delete
  2. Could you provide a sample enciphered key as that decode method does not seem to work.

    ReplyDelete
    Replies
    1. Sure, the following string decodes to "emaze":
      %$%$E_$9/>PD%Y2/yE;j:W+>,0'{%$%$

      Delete
    2. Thats great thanks

      Delete
    3. Longer passwords change the cipher length to 48 (from 24). Then the Python script does not work anymore. What do I need to change to decode the following?
      %$%$2o_**!=WaP\X|uC)lU)C.&Z~uf.Q%gw=t<%$U^HdP{=N&ZB.%$%$

      Delete
  3. Longer passwords change the cipher length to 48 (from 24). Then the Python script does not work anymore. What do I need to change to decode the following?
    %$%$2o_**!=WaP\X|uC)lU)C.&Z~uf.Q%gw=t<%$U^HdP{=N&ZB.%$%$

    ReplyDelete
  4. I see that the newest Huawei firmware changed the encryption scheme. Ciphers are now enclosed by %@%@ instead of %$%$
    abcdefgh is encoded to
    %@%@h!d9FrDys$f4dX.tqrXI~`g3%@%@.
    abcedfghij0123456789 is encoded to %@%@N(!P0M6|OKues.9N~&VU~axRx[588c8f%L*y9$DcV=>KaxU~%@%@
    How is this done?

    ReplyDelete
  5. Why is this forum so quiet???
    Can someone please tell me how to generate the cipher. Especially with longer passwords. It seems that it works in blocks of 16 characters...

    ReplyDelete
  6. Can you decrypt cipher password below ?
    %$%$tPcu;1_m0>7]riEjnMMK,jaX%$%$
    Help me please. Thanks a lot !!!

    ReplyDelete
  7. Can You please decrypt this?:
    %$%$MG3c3an_o*[N1J/=P4b5,kbYJ1[($sBY2#K8:A:H

    ReplyDelete
  8. how to use your script? Thank you to make an example

    ReplyDelete
  9. This comment has been removed by the author.

    ReplyDelete
  10. hello,

    Can some help me decrypt this:-

    set authentication password cipher N`C55QK<`=/Q=^Q`MAF4<1!!

    ReplyDelete
  11. some help for an example

    ReplyDelete
  12. please decrypt this password
    %$%$<Cv)B\+1y:+M-r#jaX@0,jaX%$%$

    ReplyDelete
  13. Can you tell us how to decrypt below password?

    $13"HZMRd/S/8I=+/Q%D2W^g*!$

    This comes from a H8245H model

    ReplyDelete
  14. Any ideas for passwords like $1/yk*HM94P@l#h8AV<uAFNc-!$ ?

    ReplyDelete
  15. The absence of more specific bells and whistles also is a benefit because it allows TeenSafe to work more stable on the phone, have a glance at this weblink to find more

    ReplyDelete