
Cracking Linksys “Encryption” - amboar
http://www.devttys0.com/2014/02/cracking-linksys-crypto/
======
georgemcbay
The more things change, the more they remain the same:

Back in 1995 I "cracked" Cisco's router password "encryption":

[https://groups.google.com/forum/#!original/comp.dcom.sys.cis...](https://groups.google.com/forum/#!original/comp.dcom.sys.cisco/WjuKAOQLfkI/HKJ18Osl7z4J)

Strikingly similar 'security', which is extra funny as Linksys is owned by
Cisco. (EDIT: Not anymore! Thanks for the correction)

Back then net admins would regularly post their configuration files (with
'encrypted' passwords left intact in most cases) to usenet to get help/tips on
how to better configure their routers, which was an unaddressed (by Cisco)
security nightmare.

~~~
rwg
FWIW, Cisco sold Linksys to Belkin. I guess slapping Cisco logos all over
poorly-designed Linksys home networking products didn't do anything especially
positive for people's perception of Cisco.

~~~
georgemcbay
You're right, it is Belkin now, somehow I missed this year old news!

~~~
lstamour
Wonderful. Either my WeMos will start working better or ...

Since we know about previous security issues for firmware updates on WeMo, and
since I had awful customer experiences with belkin.com ... Both WeMo and
Linksys products are off my "buy" list from now on, until I see some serious
improvements. It's a shame, really...

~~~
chaostheory
Yeah WeMo has been a disaster. Just wondering, did you replace yours? If so
with what? Z-Wave?

~~~
dangrossman
I'll take a WeMo I have to firewall from the internet any day over a Z-Wave
device that responds to commands 50% of the time, and then only after 20-30
seconds. Which is exactly how all the ones I already own work. The WeMo
switches always work, and always instantly.

~~~
chaostheory
Thanks for the heads up on Z-Wave, but you've also just inadvertently
described the WeMo product line as well, minus the ongoing security issues
they'll have and a lot of times they just go offline completely until you
manually reset them. Really horrible.

What do you recommend then? Zigbee?

~~~
dangrossman
I'm not sure an explicit description can't be inadvertent. I've had the WeMo
switches and sensors for months; they've never needed a reset and have always
responded and broadcast status changes instantly.

Maybe you have a problem with the phone app? I don't use it. They speak UPnP,
so I use that from a node.js server.

[http://i.imgur.com/aYOaB1e.jpg](http://i.imgur.com/aYOaB1e.jpg)

I have no problem with connected devices using WiFi. I'd rather talk to them
directly over TCP than have to use some hub to bridge different networks.

~~~
chaostheory
Ahh that may be it. Their iOS app is pretty bad. I've only had them for a
month and I just didn't have time to experiment. I just wanted them to work.

I've actually had a lot of problems connecting them to WiFi, since before the
firmware update they don't allow most special characters, and for some reason
they can't hit my router due to range. I had to actually get a WiFi repeater
to get everything up and running. Hmm it could have been the amount of UPnP
traffic as well. I got about four switches, four plugs, and four motion
sensors. Even when I didn't poll them with the iOS app, they would just
randomly fail to follow their rules or maybe the motion sensors would fail to
send messages.

Yeah I'm not keen on spending money for a hub with different radios but I
literally just finished packing up all my WeMos today for a return. Too bad. I
got them at a pretty decent discount too. I guess I'm willing to pay a little
more for something that just works. I probably should have just kept them and
got a Smartthings hub.

~~~
lstamour
Ah I see. I suspect my irritation with their use of wifi also came down to
their Android app. If you can believe it, it's even worse.

That said, it's not necessarily a bad thing for devices to have a hub. The hue
lights, for example, hook up to a zigbee base station with an ethernet jack.
So I never needed to enter a wifi password in the first place ;-)

That said, I had range issues too. The antennas must be microscopic. Maybe
we'll have pCell routers someday.

~~~
chaostheory
Yeah I feel that's why the WeMos were really flawed. They needed a hub. A
guaranteed place that keeps track of their status as well as a guaranteed
place to relay data.

~~~
dangrossman
Luckily for us hackers, since they use wifi any computer can be that hub. Just
give them static IP leases on your router so you don't have to re-discover
them after a power/network outage.

~~~
chaostheory
I wish I talked to you sooner. I just didn't have the time to experiment. I
didn't have a spare computer either.

------
acqq
I don't understand why the author claims "This is truly atrocious."

It doesn't matter much which algorithm is used, every one that is used for the
given purpose and given circumstances can be reversed, it's just a question of
invested time. Who needs it would do it, and the following publication would
make his results usable to others no matter the algorithm.

~~~
Perdition
They could stick a hardware encryption chip into their products and with a
proper crypto system could enable secure encryption even against an active
attacker with control of the OS. Even a password hash using a decent hash like
bcrypt would be secure against an attacker with only user privileges.

Single byte XOR is just child's play, even if the "key" was only used once.
They may as well have used ROT-13.

~~~
lstamour
Hmm. To guard against an attacker with only user privileges, couldn't you
simply mark the file as accessible only by root? ;-)

That said, I'd say if you have user privileges in my router, I've bigger
issues than wifi passwords and config files...

~~~
Perdition
Many of the home router vendors have released firmware with stupid flaws like
allowing the inbuilt webserver (running as root) to traverse up directories
and thus allow the attacker to view config files.

If the passwords were stored properly hashed then the attacker has to do a lot
more work to recover the plain text.

------
userbinator
That's not even XOR, that's NOT!

The problem is not using XOR in itself, since virtually all good crypto is
based on it; it's what the XOR'ing is _with_.

~~~
nitrogen
To make it even clearer, bitwise XOR with 0xFF is equivalent to bitwise NOT.
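An added example (not from the linked article or anyone in this thread) covering the two points made above: that XOR with a constant 0xFF is exactly bitwise NOT and is its own inverse, so it conceals nothing (the byte histogram, and hence the entropy, of the "encrypted" file is unchanged), and Perdition's contrast with a properly hashed password, shown here with the standard library's PBKDF2 rather than bcrypt. The config text, the function names and the salt are constructed for illustration.

```python
import hashlib
import math
import os
from collections import Counter
from typing import Optional, Tuple


def xor_const(data: bytes, key: int) -> bytes:
    """XOR every byte with a single constant key byte (the scheme the thread describes)."""
    return bytes(b ^ key for b in data)


def bitwise_not(data: bytes) -> bytes:
    """Bitwise NOT of every byte; for key 0xFF this is the same function as xor_const."""
    return bytes((~b) & 0xFF for b in data)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, estimated from the byte histogram."""
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


# Constructed sample config text; not a real router configuration file.
SAMPLE_CONFIG = b"wl_ssid=HomeNet\nwl_key=correct horse battery staple\nhttp_passwd=admin\n"


def obfuscation_is_reversible(plaintext: bytes = SAMPLE_CONFIG) -> bool:
    """XOR 0xFF equals NOT, and applying it twice returns the original bytes."""
    encoded = xor_const(plaintext, 0xFF)
    return encoded == bitwise_not(plaintext) and xor_const(encoded, 0xFF) == plaintext


def entropy_unchanged(plaintext: bytes = SAMPLE_CONFIG) -> Tuple[float, float]:
    """A constant XOR only relabels byte values, so the entropy before and after is identical."""
    return shannon_entropy(plaintext), shannon_entropy(xor_const(plaintext, 0xFF))


# Contrast: a salted, iterated password hash yields a verifier that cannot be inverted;
# the only way to "match" it is to recompute it from a candidate password.
def hash_password(password: bytes, salt: Optional[bytes] = None, iterations: int = 200_000) -> Tuple[bytes, bytes]:
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password, salt, iterations)


def verify_password(candidate: bytes, salt: bytes, digest: bytes, iterations: int = 200_000) -> bool:
    return hashlib.pbkdf2_hmac("sha256", candidate, salt, iterations) == digest
```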

