Default password on Thomson SpeedTouch wireless routers hacked.

Here's how to check if you need to tighten your network security:

The algorithm used by Alcatel to determine both the default SSID and the corresponding WEP/WPA-PSK/WPA2-PSK passwords has been published on GNUcitizen.org: "Default key algorithm in Thomson and BT Home Hub routers" (GNUCITIZEN). There's another bit here: "Dumping the admin password of the BT Home Hub" (GNUCITIZEN), and a Windows app is reviewed here: "WEP/WPA sleutel SpeedTouch routers eenvoudig te kraken" (Dutch: "WEP/WPA key of SpeedTouch routers easy to crack").

If you have a wireless router from Alcatel/Thomson, please use the tool below to determine if you are vulnerable. Though WPA and WPA2 are by themselves pretty secure, Thomson's implementation of generating default values has proven to be flawed. Unfortunately, some ISPs like KPN in the Netherlands are still distributing this router and allowing their customers to use the default (insecure) settings. Even on speedtouch.nl (Dutch) info on this security flaw is missing. Other providers, like the internet provider Online (what's in a name? ;) ), distribute a password-locked ADSL modem with the same issue. In the UK, the BT Home Hub also seems affected (sometimes also called SpeedTouch BTHH, BTHomeHub, BT HomeHub or Home-Hub).

In 2008, KPN told its customers to change their passwords. Most of their customers, however, lack the computer skills to change the SSID and WPA password of their router themselves, and KPN has taken no steps to provide more than telephone support on this issue. Besides that, most customers likely underestimate the risk of data theft or theft/abuse of their internet connection.

Update 28-9-2009, thanks to an e-mail from a supporter:

Some Portuguese internet providers also distribute these SpeedTouch routers with default passwords:
* MEO distributes the Thomson TG712 for triple play clients (IPTV + ADSL + voice)
* Vodafone distributes the ST585v7 for ADSL clients and the Thomson TG712 for triple play clients.
* Clix distributes the same routers as Vodafone.


Update 11-11-2010
Another serious flaw in Thomson hardware.

The Thomson TWG870U has a hidden SSID 'UPC_Multimedia' with a default password 'UPC3532[omitted for security reasons]edAE'
Link: http://www.chelloo.com/upc/index.php?topic=35983.msg464727#msg464727

Update
SpeedTouch name change: Thomson is now called Technicolor (and I'm sure they fixed this issue)

One of the affected SpeedTouch routers


Is your router affected?

If you have a wireless model of the SpeedTouch series of routers (sometimes sold as KPN Experia box), and you didn't change the default SSID and/or wireless access keys, you are probably vulnerable.
There's a sticker on the back of your Thomson SpeedTouch device on which the SSID and WEP and WPA PSK are printed, as can be seen in the picture on the left.


Some ADSL-2+ wireless modem models (analog and ISDN) which may or may not be affected by the default password lookup:

Current models, as of 28-9-2009:
* Thomson ST122g
* Thomson TG123g
* SpeedTouch 516/546 and 516i/546i
* Thomson TG585 and TG585i (white-grey edition) (585i, 585n)
* SpeedTouch 605s
* SpeedTouch 608, 608i, 608 WL and 608i WL (R5)
* SpeedTouch 620 and 620i (620s, 620m)
* SpeedTouch 706, 706i, 706 WL and 706i WL
* SpeedTouch 780, 780i, 780 WL and 780i WL
* Thomson TG784 and TG784i (784, 784i)
* Thomson TG787 and TG787i (787, 787i)

Earlier models:
* SpeedTouch 110 and 120
* SpeedTouch 110g and 120g
* SpeedTouch 121g
* SpeedTouch Home and Home ISDN
* SpeedTouch USB and USB ISDN
* SpeedTouch 330
* SpeedTouch 510 and 510i
* SpeedTouch 570 and 570i R2 (till Jan 2004)
* SpeedTouch 570/545 and 570i/545i R4 (since Jan 2004)
* SpeedTouch 580 and 580i
* SpeedTouch 585 and 585i (black edition)
* SpeedTouch 608 and 608i (R4)
* SpeedTouch 610, 610i and 610s
* SpeedTouch 716g R1.1
* SpeedTouch 716v5, 716iv5, 716v5 WL and 716iv5 WL



To check if you need to change the SSID or the WPA PSK in the configuration panel of your router, use the following check. Enter the SSID and production year and press the button. Please don't use an asterisk (*) in the year field, as this will search all production years:

[The script to calculate the SpeedTouch default passwords by just entering the SSID has been removed, as I think it might be used for illegitimate purposes (allowing someone to hack another person's WPA2 key protected wifi).]

If any of the results match the code on the sticker on the back of your SpeedTouch router, PLEASE CHANGE THE PASSWORDS A.S.A.P.! Log in to the configuration panel of your router at http://10.0.0.138/ and follow the instructions in the manual.
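A self-check for your own settings, as an added example that is not the author's removed script and computes no keys: it only tests whether an SSID and key still have the factory shape described on this page (prefix SpeedTouch plus 6 hex digits or BTHomeHub- plus 4, and a 10-character hex key). The function names and sample values are assumptions made for illustration.

```python
import re

# Assumed factory formats, taken from this page's description:
#   family prefix -> (SSID suffix length in hex digits, key alphabet)
FAMILIES = {
    "SpeedTouch": (6, "0-9A-F"),   # key printed in uppercase
    "BTHomeHub-": (4, "0-9a-f"),   # key printed in lowercase
}
KEY_LEN = 10  # default key is 10 hex characters, i.e. at most 40 bits


def default_family(ssid):
    """Return the family prefix if the SSID has the factory shape, else None."""
    for prefix, (n, _) in FAMILIES.items():
        if re.fullmatch(re.escape(prefix) + r"[0-9A-Fa-f]{%d}" % n, ssid):
            return prefix
    return None


def looks_like_default_key(psk, family=None):
    """True if the key has the factory shape (10 hex chars in one case)."""
    alphabets = [FAMILIES[family][1]] if family else [a for _, a in FAMILIES.values()]
    return any(re.fullmatch(r"[%s]{%d}" % (a, KEY_LEN), psk) for a in alphabets)


def audit(ssid, psk):
    """Classify one SSID/key pair as 'change-now', 'review' or 'ok'."""
    family = default_family(ssid)
    default_key = looks_like_default_key(psk, family)
    if family and default_key:
        return "change-now"   # both values still look factory-set
    if family or default_key:
        return "review"       # one of the two was never changed
    return "ok"


# Constructed sample values, not taken from any real device.
SAMPLES = [
    ("SpeedTouch0A1B2C", "1234ABCDEF"),
    ("BTHomeHub-9F3E", "0a1b2c3d4e"),
    ("SpeedTouch0A1B2C", "correct horse battery staple"),
    ("home-net", "1234ABCDEF"),
    ("home-net", "long random passphrase 7421"),
]

if __name__ == "__main__":
    for ssid, psk in SAMPLES:
        print(f"{ssid:18} {audit(ssid, psk)}")
```

A "review" result with a renamed SSID still deserves a new key: a 10-character hex key is short regardless of how it was generated.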



Totally unrelated to the story above, here is a script that just searches a list of hexified SHA1-hashes of all possible combinations of CP0[45678][0-9]{2}[0-9A-Z]{3} for the first 6 or 4 hex-characters you input, and prints the last 10, either in uppercase (if you entered 6 characters, e.g. "971577"), or in lowercase (if you entered 4 characters). And I repeat, this is totally unrelated with the story on
SpeedTouch
BTHomeHub-


There's also a Symbian / Python script called 'touchspeedcalc' to run on the S60 mobile phone platform, so you can check your network's vulnerability quite easily. Because it uses some kind of smart lookup table to improve speed it's about 36 Mbytes big, but it should install fine on any phone running S60 (haven't tested it on S40 yet).
I couldn't find an easy way to pack these files in a single .SIS installation file. If you have any experience with .sis file creation, please contact me so I can place an S60 SpeedTouch mobile default password security checker SIS file here.
Download here: TouchSpeedCalc

Update 28-9-2009:
A reader alerted me that some ISPs still (in 2009) distribute routers with default passwords.
Here's the Python script to create the data files yourself. Please credit me at mentalpitstop, and the developers my work is based upon (see source code):


Prerequisites:
PyS60 (correct version for your phone) installed on your Symbian phone, free download at http://sourceforge.net/projects/pys60 (don't download the SDK, you won't need that)

(I'm working on a version that supports Windows Mobile CE devices and Google Android App, contact me for more info or wait until I've put something online.)

Installation instructions:
1. Copy the TouchSpeedCalc folder from the zip file to your memory card (file transfer). Lookup tables for the years 2004-2008 are already included in the .zip; download the 2009 file below, put it in the same folder (rename it to 2009.dat) and edit the Python script accordingly. Make sure you disconnect USB safely (right click 'remove devices' in Windows, etc.).
2. Starting it on your mobile phone:
Press the menu key, go to 'Installations', 'Python'.
In the Python shell, select 'Options', 'Run script', 'c:filebrowser.py'.
Browse to the drive that holds your memory card data (E: in my case), go to the folder TouchSpeedCalc, select 'TouchSpeedCalc_v0_1.py' (version number may differ) and choose 'execfile()'.
3. Using it:
Enter the SSID (6 hexadecimal digits) of the SpeedTouch router you want to find the default password for and press OK.
For every production year to search, it takes about 10 seconds to search through the database.

TouchSpeedCalc is a Python S60 version of the tool which uses lookup tables (for speed) to find any default SpeedTouch router password. The size of the .py script is a few bytes, but the tables currently take 36M of space. I've tested it on a Nokia E51 (Symbian S60 3rd edition FP1) and it works great! PS: you need 'pys60' installed on your device, as I still haven't found the time to make a .SIS package out of it.

http://www.mentalpitstop.com/touchspeedcalc/calculate_speedtouch_default_wep_wpa_wpa2_password_by_ssid.html

You can also look up the default password for your SpeedTouch router online, just enter the SSID and access is yours ;)

Please contact me at mentalpitstop if you have any problems using or installing, so I learn where problems occur and can improve this application.

Article on hacking hashes using rainbow tables