Seems overnight I've found dozens of new APs in the area, all broadcasting the SSID ATT###, where ### is a 3-digit number. They all employ WPA2/CCMP encryption.

My office manager also received one of these units from AT&T.

I've known AT&T to employ horrible security on their default configs, notoriously shipping 2Wire modems with WEP up until just recently. I still pick up dozens of 2WIRE### networks everywhere, all "secured" with WEP. So, I decided to see how they've improved, if at all.

Here's what I know about them so far:

  • Based on my PSK and AT&T's website, they all use 10-digit numbers as PSKs.
  • According to the wash tool, my AP does not have WPS enabled.
  • According to AT&T's website, the three-digit number in the SSID is the last three digits of the unit's serial number.
  • According to wigle.net, there are thousands of these APs, and a search for several random ATT### SSIDs turned up hundreds of results. These things are everywhere.
  • The unit's serial number is the decimal form of the BSSID!


Very interesting. Take the BSSID, run it through hex2dec conversion:

Code:
# echo 'obase=10;BSSID without colons or spaces' | bc
...and voila, you have the unit's serial number. I verified this is true for at least 2 other APs in the area, because when I converted the BSSID to decimal, the last three digits equaled the three digits in the ESSID. I'm not sure how useful the serial number is to an attacker, perhaps in social engineering.

The traditional handshake attack leaves all default AT&T APs pretty vulnerable.

A 10-digit PSK gives us a keyspace of 10^10, or 10 billion keys. I currently compute PMKs at about 27,000/s with pyrit and a Radeon HD 4890 using Cal++. This exhausts keyspace in about 102 hours or just over 4 straight days. Not a trivial attack, but definitely feasible for a determined assailant, especially considering people have hardware capable of much faster attack than mine. Also, a 4-day attack time assumes the correct PSK is in the 99XXXXXXXX range, which seems unlikely.

My next thought was that if the serial number is derivative of the BSSID, could the default PSK be, too?

I know the PSK is printed on a sticker on the AP, which means it came out of the factory configured with it. It's not stored in NVRAM, or else a firmware reset would blank out the PSK. No, it's most likely stored in flash. It's possible the PSK is pseudo-randomly assigned during production, but such a process is actually pretty cumbersome, and an easier way (read: lazier way) is to just derive a PSK from the hardware address using some kind of algorithm.

I tried several mathematical operations on my serial number and PSK, and couldn't find a pattern. I converted my PSK to hex, but it's totally different than my BSSID. I'm not a skilled mathematician or programmer, so I'm a bit stuck. I wonder if anyone here knows an approach that may reveal a pattern between the default PSK and BSSID. Thoughts?

-ternarybit