How I got three months of free internet by hacking my own cable modem

TL;DR

I received a cable modem from my ISP which used the serial number as default WLAN passwort. This “password” could be brute-forced in about five minutes.

My internet service provider fixed the issue by notifying all affected customers and awarded me with three months of free internet. 🤓

How it all began

In summer of 2017 I moved into a new flat. I ordered an internet package from a local ISP and received a Ubee EVW32C Advanced Wireless Voice Gateway.

Since it was summer, my flat occasionally got really hot. I could live with the high temperatures, but my Ubee device suffered from great instability above 27°C. The WLAN connection would get really slow or just disconnect. I wrote my ISP about the issue and got the device replaced (it was the same model which suffered from the same problem).

I entered the WLAN password from the new device into my password manager and noticed something strange. The new password was almost the same as the previous password, only the last three digits were different. Upon closer inspection, it became clear that the password was not a random alphanumeric string, but the device serial number. Lets take a look into the Ubee user manual:

Source: http://www.ubeeinteractive.com/sites/default/files/file_resources/Ubee_EVW32C_Subscriber_User_Manual_032017.pdf

Do you notice the problem? No? Lets take a closer look:

Yes, it is explicitly stated in the manual that “The default WPA-PSD for both the 2.4 and 5GHz bands is the device serial number".

So why is this a problem?

The device serial number is not random at all. The WPA2 deauth attack lets us capture authentication handshakes which can easily be brute forced with aircrack-ng. I followed the Tutorial: How to Crack WPA/WPA2 , pre-generated a million possible serial numbers and could crack my own WPA2 network in under 5 minutes.

So this is bad. And it doesn’t get better. The Ubee administrative panel can be accessed from WLAN by default. And there are of course default admin credentials. On devices I previously owned, admin access was only possible via LAN.

Disclosure

After searching for an email address to contact my ISP (please consider using https://securitytxt.org/), I wrote them on their abuse@ address. (I proposed a 60-days responsible disclosure.)

I received a response the next day: the issue was forwarded to the cable modem team. The issue was confirmed about two weeks later.

A week before the end of my 60-days responsible disclosure deadline I wrote them another mail, asking about the current status and if they needed more time to address the issue.

Two days before the end of my 60-days responsible disclosure deadline I received a call from a very friendly CISO, explaining the current status. We agreed that I will wait with the disclosure until they handled the problem.

About three months after my initial mail the ISP sent out letters to all affected customers, telling them to change their WLAN passwords (with a nice step-by-step guide).

The communication was always professional and I think they handled the issue nicely.

Bounty

My ISP doesn’t run a bug bounty program, but I still received a little thank you (German only):

Sehr geehrter ▓▓▓▓▓,

vielen Dank für Ihre Mithilfe die Schwachstelle bei den werksmäßig standardvergebenen WLAN-Passwörtern des UBEE-EVW32C-Modems aufzudecken!

Wir haben den Hersteller des Ubee–EVW32C-Modems umgehend über die Schwachstelle bei den standardmäßig vergebenen WLAN-Passwörtern informiert und in weiterer Folge die Ausgabe dieses Modems gestoppt. Unsere Kunden, die dieses Modem in Verwendung haben, haben wir schriftlich per Brief informiert und auch Hilfestellung beim Umstellen des WLAN-Passwortes angeboten und gegeben. Weiters haben wir die betriebsinterne Qualitätssicherung bzw. den internen Freigabeprozess für betriebsfremde Hardware erweitert, um solche Fälle in Zukunft vermeiden zu können und sichere WLAN-Verbindungen gewährleisten zu können.

Als kleines Dankeschön erhalten Sie Ihren Internettarif 3 Monate gratis (Jänner 18-März 18).

Vielen Dank und Beste Grüße!

Timeline

01.09.2017: Noticed the weak default WLAN password in my modem
16.09.2017: Successfully exploited the issue on my own modem with aircrack-ng
18.09.2017: Disclosed issue to my ISP (which provided the modem)
19.09.2017: Received response that the issue was forwarded to the cable modem team
04.10.2017: Issue was confirmed by the ISP, they are working on resolving the issue
16.11.2017: Received a call from the (very friendly) CISO, telling me about the current status
12.12.2017: ISP sends out letter to all affected customers, telling them to change their passwords
17.12.2017: Received three months of free internet as a bounty 🤓