Thompson ST XXX WEP/WPA keys

Martyr

I may have found a potential security problem with the configuration of some wireless thompson routers..i was gonna research it more, but i can't get my hands on one of these routers to verify...

Its very similar to the eircom/netopia problem where the default wep key was based on serial number.

I can't say for sure it is a problem, because i don't have one of these routers to verify..some guys from spain sent me the install wizard program and i had a quick look, but no way for me to debug the code in realtime

The list of routers that could be affected:

• ST 510v6
• ST 585v6
• ST 780WL

from what i could tell, without debugging..
a user enters the serial number, (this is possibly UTF encoded..unsure)
the last 5 bytes of the serial are xor'd against the string 'ViveLaFrance'
the result of this xor is converted to ascii, then hashed with SHA-1
the result is converted to its ascii representation, and hashed again with sha-1
the result of this is the WEP/WPA key.

what i've said could be completely wrong, but i couldn't test any input/output results.

if anyone on the forum here has access to any of the routers mentioned in the list, or if you can give me one - even just a lend..i could investigate further and definitely say whether its a problem or not.

conor2007

umm yes

its hard to find a company who has a halfway decent security

Martyr

umm, thats a good point like.
i mean, you would totally freak out if some hacker broke into your thompson.
when i found this code, i was like..oh my god, this is terrible

FYI, these are used throughout the UK,Spain and France by both home and business users.
It would be silly to think that there aren't key generators out there for this.

conor2007

eircom has a wep code generator on the net
ppl will probally make one for this

best do wpa , at least