{"id":417,"date":"2010-02-02T21:34:06","date_gmt":"2010-02-03T02:34:06","guid":{"rendered":"http:\/\/www.willhackforsushi.com\/?p=417"},"modified":"2010-02-03T11:31:34","modified_gmt":"2010-02-03T16:31:34","slug":"verizon-mifi-pwned-maybe-they-should-take-my-class","status":"publish","type":"post","link":"https:\/\/www.willhackforsushi.com\/?p=417","title":{"rendered":"Verizon MiFi Pwned (maybe they should take my class)"},"content":{"rendered":"

\"\"
\nUpdate<\/strong>: Please also see my post about the hidden page for advanced MiFi configuration settings<\/a>.<\/p>\n

Recently, I picked up a Verizon MiFi device for $50 and the extension of my service contract for another 2 years. The fun that I’ve had with the device so far has well made up for both costs.<\/p>\n

Background<\/h2>\n
\"Verizon<\/a>

Verizon MiFi 2200 - A Marvel of Engineering<\/p><\/div>\n

The MiFi is a battery-powered 802.11b\/g AP slightly smaller than an iPhone that features an integrated EV-DO uplink. This device replaced my former USB EV-DO WAN card*, allowing me to share the EV-DO connectivity with multiple devices over WiFi. It’s been immensely useful since I commonly travel with 3 laptops, not to mention additional mobile devices.<\/p>\n

From a security perspective, the MiFi device uses a unique WPA pre-shared key (PSK) for authentication with the TKIP cipher for encryption. It’s unclear why the device doesn’t use WPA2-PSK authentication with the AES-CCMP cipher; perhaps it was a security trade-off by the manufacturer to maintain the greatest possibility compatibility with legacy devices that only support WPA-PSK\/TKIP.<\/p>\n

\"Verizon<\/a>

Verizon - We Never Miss an Opportunity to Market<\/p><\/div>\n

On the reverse side of the MiFi is a label, identifying the default SSID and PSK used for authentication. Besides the obvious marketing angle Verizon gets from including its name in the SSID, this allows the user to quickly identify and connect to their personal WiFi network to leverage the EV-DO uplink.<\/p>\n

Reconnaissance<\/h2>\n

Like any good hacker, I turn to the tools that I know to be tried and true. Kismet<\/a> is a powerful assessment and evaluation tool for wireless networks, providing additional insight into the MiFi wireless LAN interface.<\/p>\n

\"Kismet<\/a>

Kismet - It's Like Fate, or Something<\/p><\/div>\n

Cursory analysis of the beacon information elements don’t reveal anything particularly interesting, though the Kismet screen-shot gives us a point of correlation. The MiFi SSID on my product is “Verizon MiFi DAD1 Secure”, slightly different than that of the MiFi device label (where Kismet reports the addition of ” Secure” to the SSID, and the mixed-case “MiFi”, which is important to us).<\/p>\n

Also, we can see that the “DAD1” in the SSID matches the last two bytes of the AP’s MAC address (or Basic Service Set Identifier – BSSID). From this we can determine that Verizon has no more than 65,536 unique SSID’s for MiFi devices (potentially less; more data is needed to determine if all 16-bits of the BSSID are evenly distributed among devices).<\/p>\n

The password on the back of the MiFi device also reveals some interesting information. From the photo above, the password on my MiFi device is:<\/p>\n

\n\n\n\n
09<\/td>\n11<\/td>\n19<\/td>\n00891<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

<\/strong><\/h3>\n

This password value likely breaks down into four fields:<\/p>\n