UPC Default Wireless Password Vulnerable to offline dictionary attack

Are you using UPC broadband in your home or business?  Still using the default wifi password?  Your business / home network is a potential target for hackers.

Back in November 2011, we blogged ( http://www.planitcomputing.ie/blog/?s=upc&submit=Search ) about the algorithm used by UPC and how it was particularly weak against an offline dictionary attack which could allow intruders onto your network if the wireless key was acquired.

We notified UPC about the problem in November 2011 yet UPC are still supplying customers with newer modems / horizon boxes that use this algorithm.
At the time, graphics cards were expensive and clustering several machines was not financially viable to the average hacker.

We recently purchased a used rig, comprising off:

  • Windows 7
  • I3 Processor
  • 4GB RAM
  • 2TB Drive
  • Radeon HD 5850

For a tidy sum of: €185.00 🙂

We generated 26 dictionary files using “mask processor” by ATOM, piping each letter out to its own file, for example:

  • A:  ./mp32 A?u?u?u?u?u?u?u > A.TXT = AAAAAAAA – AZZZZZZZ
  • B: ./mp32 B?u?u?u?u?u?u?u > B.TXT = BAAAAAAA – BZZZZZZZ
  • etc

Each .txt file weighed in at around 60GB’s each.  The 26 files took up about 1.6TB of storage.

We now had the complete key space, partitioned into 26 different files.  This allowed us to distribute the brute force attack amongst multiple computers.  There are other ways with ocl-hashcat but this was the simplest.

Using our Radeon HD5850 on standard settings, we were hitting 80,000 keys per second.  Breakdown below:

  • 26^8 = 208,827,064,576 ( 208 billion possible combinations )
  • 26^8 / 80,000 keys per second = 2,610,338 seconds
  • 2,610,338 / 60 seconds = 43,505 minutes
  • 43,505 / 60 minutes = 725 hours
  • 725 hours / 24 hours = 30 Days

For €185, we had built a computer that could crack the default UPC wireless password within 30 days.  The WPA-PSK handshake we used started with the letter D and was cracked within 96 hours.

We ended up getting a second machine for the same price which resulted in our maximum cracking time being reduced to 15 days.

If you’re using the default password on your UPC broadband connection, we recommend changing it immediately to a more secure password, using a mix of letters, numbers and symbols.

If you have any queries or questions on the above, please feel free to leave a comment.







7 thoughts on “UPC Default Wireless Password Vulnerable to offline dictionary attack

  1. This can be made portable in a cloud based solution where the dictionary files and processing can be based remotely and you can use your mobile to crack the password.

  2. Would just like to say that most passwords don’t have adjacent letters so a password isn’t going to be AAAABBBB, so with that in mind, you can generate a file with no adjacent letters, so e.g AOVNENAO. This will result in 158 billion passwords, which will be 1.33 TB. And with the prices of graphics cards today it will take 15 days.

Leave a Reply

Your email address will not be published. Required fields are marked *