It’s 2016. WiFi is more widespread than ever. Every average household has one or several WiFi access points, often provided by their Internet Service Provider. Sadly, after many years, many of these router/modem/access points still ship with a default set of WiFi credentials (unique to the specific box) that can be recovered by clever attackers.
In this talk we’ll walk you through how the algorithm for generating ESSID and WPA2-PSK keys for a widespread modem was recovered and reimplemented in ~100 lines of C.
We’ll drill down from the top, dumping the device’s SPI and NAND flash. We will detail the tricks by which a CFE (“Common Firmware Environment”) bootloader can be convinced to facilitate code execution and flash dumping for us.
Dealing with an enormous monolithic blob of nothing but MIPS code is tiring, so we’ll further explore ways of hunting down the relevant routines in a big mess of code and logic. Next up, we’ll look into dynamic analysis of “alien code” using several methods (qemu-user and the fresh unicorn emulator) to verify some of our findings.
After all this hard work, we’ll round up our findings in a concise listing of basic formulas, some magic numbers and code.
Have you ever wondered what weird logic is hiding in a modem/router box? Do you want to learn more about (MIPS) reverse engineering? Do you want to learn about convenient, state-of-the-art dynamic analysis methods? Are you in for a chuckle or two? 😉
Then this talk is for you!