Eircom WEP key-generation algorithm reversed

Over the weekend, this really hit the Irish blogosphere — several Irish guys have apparently figured out the algorithm used by Eircom to generate WEP keys.

I blogged that page in the link-blog this morning, but it’s worth writing about a little more. WEP is apparently easy to crack nowadays, so in a way all those wifi users were insecure anyway — but this is interesting as a case study of how not to write a key generator:

  • Compiled code != secret: the first mistake Eircom made was to generate the WEP key entirely from a little “secret” text, some “secret” shuffles, and the serial number of the hardware. There should always be some randomness in there. Compiled code running on a user’s desktop is not secret; anyone with a disassembler can recover the “secret” text and the shuffles, and from then on the only unknown is the serial number.

  • Don’t share secrets: Secondly, it’s a good demo of why you don’t derive two separate values, one public and one supposedly secret, from the same source data. In this case, both the WEP key and the SSID are generated from the Netopia router’s serial number — and sufficient bits of the serial are accidentally exposed in the SSID to enable computation of the WEP key. (This is kind of moot in many cases, since the serial number is also exposed in the MAC address, in even more detail.)
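To make the two points above concrete, here is a small Python model of the flaw. It is an added illustration, not Eircom’s or Netopia’s code and not the algorithm in dessid.c: the serial-number space (16 bits), the compiled-in “secret” string and the SHA-1 derivations are all constructed for the example. The attacker side enumerates the serial space from the broadcast SSID (on the real routers most of the serial is also in the MAC, which shortcuts even that step) and recomputes the “secret” key; the corrected design draws the key from the OS CSPRNG, so nothing that is broadcast is a function of it.

```python
"""Toy model of a public SSID and a "secret" WEP key both derived from a
router serial number.  Added example; NOT the Eircom/Netopia generator.
Serial space, "secret" string and hash construction are all constructed.
"""
import hashlib
import os
from typing import Optional

SERIAL_BITS = 16                              # constructed: enumerable serial space
COMPILED_IN_SECRET = b"shipped-inside-the-exe"  # "secret" until someone runs strings/IDA


def ssid_from_serial(serial: int) -> str:
    """Public value: the broadcast SSID, a function of the serial only."""
    tag = hashlib.sha1(b"ssid" + serial.to_bytes(4, "big")).digest()[:8]
    return "router-" + tag.hex()


def weak_key_from_serial(serial: int) -> str:
    """Flawed design: the 104-bit WEP key is also a function of the serial
    plus a constant baked into the key-generator binary.  No randomness."""
    digest = hashlib.sha1(COMPILED_IN_SECRET + serial.to_bytes(4, "big")).digest()
    return digest[:13].hex()                  # 13 bytes = 26 hex digits


def strong_key() -> str:
    """Corrected design: draw the key from the OS CSPRNG and store it in the
    router config.  The SSID may still come from the serial; nothing public
    is a function of the key, so knowing the serial buys the attacker nothing."""
    return os.urandom(13).hex()


def recover_serial_from_ssid(ssid: str) -> Optional[int]:
    """Attacker side: the SSID derivation ships in the binary, so enumerate
    the serial space until the computed SSID matches the broadcast one."""
    for serial in range(1 << SERIAL_BITS):
        if ssid_from_serial(serial) == ssid:
            return serial
    return None


def attack_weak_design(ssid: str) -> Optional[str]:
    """Recover the serial from the SSID, then recompute the 'secret' key
    exactly as the shipped generator would."""
    serial = recover_serial_from_ssid(ssid)
    if serial is None:
        return None
    return weak_key_from_serial(serial)


if __name__ == "__main__":
    serial = 0xBEEF                           # constructed sample router
    ssid = ssid_from_serial(serial)
    print("weak key recovered from SSID:",
          attack_weak_design(ssid) == weak_key_from_serial(serial))
    print("random key recovered from SSID:",
          attack_weak_design(ssid) == strong_key())
```

The point of the second print is that the attacker’s procedure still runs against the corrected router (the SSID is unchanged and the serial is still recoverable) but the value it produces is unrelated to the real key.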

As far as I can tell — although it’s not quite clear who did what — that guy Kevin Devine did a pretty great job of reversing this code. Nice one.

I’m impressed that there’s now an app which detects the static tables (S-boxes, constants etc.) used in crypto algorithms — that idea seems very clever in retrospect, hadn’t occurred to me.
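The constant-detection idea can be shown in a few lines of Python. This is an added example, not the application the post refers to: the signature table is a hand-picked subset of well-known constants (hash initial states and round constants, the start of the AES S-box, the CRC-32 polynomial), and the “binary” it scans is a constructed byte string, not an Eircom file. Each 32-bit word is searched separately in both byte orders, so the scanner catches constants loaded by individual `mov` immediates as well as contiguous tables.

```python
"""Fingerprint crypto primitives in a byte blob by their static constants.
Added example; the signature table is a small hand-picked subset and the
sample blob below is constructed, not a real key-generator binary.
"""
import struct
from typing import Dict, List

# name -> 32-bit words; every word must be present (in one byte order) to count.
WORD_SIGNATURES: Dict[str, List[int]] = {
    # SHA-1 and MD5 share h0..h3; the fifth word is what pins it to SHA-1.
    "SHA-1 initial state": [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0],
    "SHA-1 round constants": [0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xCA62C1D6],
    "MD5 T[1..4]": [0xD76AA478, 0xE8C7B756, 0x242070DB, 0xC1BDCEEE],
    "CRC-32 reflected polynomial": [0xEDB88320],
}
# Byte-oriented tables: the first 16 entries of the AES forward S-box.
BYTE_SIGNATURES: Dict[str, bytes] = {
    "AES S-box": bytes.fromhex("637c777bf26b6fc53001672bfed7ab76"),
}


def _find_all(blob: bytes, needle: bytes) -> List[int]:
    """All offsets of needle in blob (overlapping matches included)."""
    offsets, start = [], blob.find(needle)
    while start != -1:
        offsets.append(start)
        start = blob.find(needle, start + 1)
    return offsets


def scan_crypto_constants(blob: bytes) -> Dict[str, List[int]]:
    """Return {signature name: [offsets]}.  A word signature hits only when
    every one of its words is found in the same byte order; the offset list
    gives the first occurrence of each word in signature order."""
    hits: Dict[str, List[int]] = {}
    for name, words in WORD_SIGNATURES.items():
        for fmt, label in (("<I", "LE"), (">I", "BE")):
            offsets = []
            for word in words:
                found = _find_all(blob, struct.pack(fmt, word))
                if not found:
                    break
                offsets.append(found[0])
            else:
                hits[f"{name} ({label})"] = offsets
    for name, needle in BYTE_SIGNATURES.items():
        found = _find_all(blob, needle)
        if found:
            hits[name] = found
    return hits


def build_sample_blob() -> bytes:
    """Constructed stand-in for a compiled key generator: the SHA-1 initial
    state loaded by five separate x86 `mov eax, imm32` instructions (opcode
    0xB8) padded with NOPs, plus an AES S-box fragment further on."""
    le = lambda w: struct.pack("<I", w)
    scattered = b"".join(b"\xb8" + le(w) + b"\x90\x90\x90"
                         for w in WORD_SIGNATURES["SHA-1 initial state"])
    return bytes(64) + scattered + bytes(32) + BYTE_SIGNATURES["AES S-box"] + bytes(64)


if __name__ == "__main__":
    for name, offsets in scan_crypto_constants(build_sample_blob()).items():
        print(f"{name}: {[hex(o) for o in offsets]}")
```

On a real binary, feed it the file’s bytes (or better, the mapped `.text` and `.rdata` sections); a hit on the SHA-1 state without a hit on the SHA-1 round constants usually means the compiler unrolled the rounds and inlined each K as an immediate, which this per-word search still finds.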

Here’s a boards.ie thread where this exploit was discussed; there are plenty more details there, if you’re curious. It seems this has been quietly floating around back-channels since the start of September.

(By the way, am I missing something, or did Eircom ship unstripped binaries for the key generator library? I could swear that when I looked at the Boards thread earlier today, there was a cut-and-paste from IDA Pro listing a function prototype. Oh dear; if so, add that to the ‘case study’ list above. ;) )

It seems Eircom are now recommending all customers switch to WPA — good luck with that, since it’ll break all those Nintendo DSes. That won’t be popular!

Update: the original page seems to be down, but here’s the source for the command-line decoder: dessid.c. See also EirWep.



  1. Corion
    Posted October 2, 2007 at 11:03 | Permalink

    I think IDA-Pro simply has support for recognizing the compiler and runtime library used and autogenerates the necessary function prototypes etc. – I found it a very powerful and useful tool back when I used it.

  2. Posted October 2, 2007 at 12:36 | Permalink

    ah, I wasn’t aware of that. That’s pretty nifty!

  3. Kevin Devine
    Posted October 2, 2007 at 15:52 | Permalink


    The generate_ssid(int serialNumber, char *output) prototype function you saw on boards.ie was converted from assembly to C by hand, no decompiler was used. The assembly was disassembled of course by IDA Pro.

    It’s also possible to identify compilers using PEiD, which I also used to identify SHA-1. These applications were written with Visual C++ 6 according to PEiD signatures.

    If you have any questions, you can email me.

  4. David Malone
    Posted October 2, 2007 at 16:16 | Permalink

    Though, complex code can get you quite a long way, as some of the recent malware and Skype analysis shows. Some of the anti-debugger measures seem incredible.

    Do we know if the code was written by Eircom, Netopia or some third party? I can’t imagine it was Eircom, as they are unlikely to be interested in writing code to configure people’s routers. It seems more plausible to me that it was Netopia under contract from Eircom, in which case it is a problem that may not be limited to Eircom.

    Do DSes really not support WPA? Our Wii does it quite happily. Even ancient Orinoco cards can do WPA with recent drivers, so I don’t know what the DS’s excuse is (unless it is export/legal-restriction related or available-CPU-cycles related).

  5. Posted October 2, 2007 at 16:51 | Permalink

    thanks for the comment, Kevin.

    @David: I’m told that DSes don’t support WPA; I haven’t got one myself ;)

  6. Malware Analyst
    Posted October 2, 2007 at 21:28 | Permalink

    Complex code won’t get you far against reverse engineering. This is why so much software (especially games) with commercial anti-debugging tools and obfuscation usually get cracked within a day of release. Malware is reverse engineered quite quickly too, some are just difficult to detect.

    Bottom line, if a secret is important, don’t hide it in a program you distribute

  7. David Malone
    Posted October 2, 2007 at 22:03 | Permalink

    @Malware Analyst: Agreed – if you want to hide something, putting it in public code is a bad thing to do, and I wouldn’t consider it myself. OTOH, the amount of reverse engineering effort that people have subjected Skype to seems to have produced detailed, but somewhat incomplete results, suggesting that obfuscation is not a complete waste of effort.

  8. Kevin Devine
    Posted October 2, 2007 at 22:21 | Permalink

    Hi David

    The software for eircom routers appears to be written by Netopia Inc.

    I think the article on defeating HyperUnpackMe2 ( http://www.openrce.org/articles/full_view/28 ) (by the authors ( http://www.rolfrolles.info/ ) of libraries used in the award winning bindiff utility) is an excellent example of how complex obfuscation code can be removed with the right tools and skills.

    I’m pretty sure there are people in the world that have successfully reversed Skype and found numerous exploitable bugs – but whether they’ll ever disclose the problems, i don’t know.

    For hiding secrets in a program you want to distribute, PKC or ECC provides a good measure of security against even the best crackers in the world.

    WiteG, a very talented reverse engineer, wrote an incredibly simple, yet uncrackable (for the moment) crackme-keygen some 6 years ago. it still has its secret to this day.


  9. Bert O Shea
    Posted October 3, 2007 at 00:06 | Permalink

    Ummm, just saw this on the news and I really don’t understand what the big deal is. It’s not like the eircom routers’ WEP was hard to break anyway; it takes about 15 minutes under worst conditions to break one of those routers’ WEP in tests I’ve performed on my own hardware. They don’t even filter the weak packets from WEP. There are other Irish ISPs out there with similar lax wireless security but that doesn’t seem to have come out yet.

    At least with this coming out some of those vulnerable eircom customers may switch to WPA.

  10. Kevin Devine
    Posted October 3, 2007 at 09:09 | Permalink

    Hi Bert

    A lot of people, including some security professionals, have completely missed the issue here, deciding to focus on the weaknesses of WEP rather than the poor algorithm used to generate the keys which were supposed to protect the routers from unauthorised use in the first place.

    What if the same algorithm had been used in 12 months’ time to ship the routers with WPA switched on? Would it be a big deal then?

    Switching WPA on, or any other protocol for that matter, wouldn’t make a bit of difference if eircom were going to employ this weak key generation algorithm.

    Even an unskilled computer user can now access a router in a few seconds using something like damo’s or s4dd’s keygen apps.

    It takes a bit more skill to use WEP cracking tools, especially if you’ve never used Linux before.

  11. David Malone
    Posted October 3, 2007 at 09:39 | Permalink

    Hi Kevin,

    Thanks for the details. The link for the HyperUnpackMe2 stuff didn’t work though. Is there any write up of the WiteG key generator? It seems to just come with a short readme in Polish and I don’t have a windows machine to try the exe on…

    I guess the PKC stuff here wouldn’t have helped unless they injected some randomness into the key generation. I don’t think a respectable one-way-hash would have been any better than PKC without randomness, would it? (And with randomness, I suspect the PKC would degenerate into a respectable one way hash?)

    Most of what I know about reverse engineering of Skype has come from links off http://www1.cs.columbia.edu/~salman/skype/ – and while they’ve made a lot of progress (including enough to write exploits), I haven’t seen a description that is anywhere near good enough for someone to write their own client from.

  12. Bert O Shea
    Posted October 3, 2007 at 11:09 | Permalink

    Hi David,

    That’s a valid point, it has made it much easier for someone to break their WEPs now. How hard would it have been if, when selling their product, they switched WPA on as default for anyone with XP or above (obviously without the poor key generation)? Only themselves to blame, and interesting how eircom is defending WEP as a valid protocol to use.


  13. Posted October 3, 2007 at 11:10 | Permalink

    Dave —

    Skype is an interesting example — it doesn’t have to keep all of its code out “in the open” on the user’s PC. Skype can run parts of its code on secure servers at Skype HQ. If you can move critical parts of the computation to hardware you control, require communication with those servers over the net, and can track and block clients based on their success or failure in communicating with those “safe” servers (preferably with a little PKE), you make it a lot harder to hack, since key parts of the computation can become effectively “black boxes” to reverse engineers.

    This is the model behind the Quake 3 activation servers, Half-life, Steam, Windows, and countless others. (I think id were the first people to come up with it in a desktop PC product, for Q3).

  14. David Malone
    Posted October 3, 2007 at 11:25 | Permalink

    Justin –

    Based on what I’ve read, I don’t think Skype does anything on servers at Skype HQ except login validation and signing of user credentials. I think this bit of Skype is now pretty well understood. (I guess Skype Out is also done through boxes at Skype HQ…) The impression I’ve got is that all the code is in the open, though I’m open to correction, as I’ve just been passively reading the literature.

    I guess if someone does finally make enough progress to write their own client, Skype could do some magic to move some computation to their own servers. Then we’re in a Turing-test type race, except it is a Genuine-Skype-Test race ;-)

  15. test or tell
    Posted October 3, 2007 at 16:50 | Permalink

    Apparently these are at http://s4dd.yore.ma/eircom

    and http://damohere.bravehost.com/eircom

  16. Kevin Devine
    Posted October 4, 2007 at 02:47 | Permalink

    Hey Dave, no idea what happened to openRCE – it seemed to be working fine, but then disappeared! Maybe the site is undergoing some maintenance? Hopefully it’ll be back up soon.

    Generating the SSID based on the MAC is fine if you ask me; the problem was that they also generated the default WEP key from it, without any randomness… as we all know now. A key generated using a hash algorithm and from random values would have been a sufficient solution.

    Also, implementing a small configuration tool which did a read/write of configuration data would have been simple enough.

    Some Windows GUI: the user just generates 4 random keys and hits “write” and the keys are sent to the router, then just have a “read” button to do the reverse (adding optional parameters for username/password/protocol).

    The only analysis of the crackme#5 is written by Tymon in Polish :| Source code in asm used to be available on WG’s old site, but seems to have been removed.

    I highly recommend checking jB’s solution to crackme#11 though, which I thought was excellent reading :) -> http://jardinezchezjb.free.fr/keygens/witeg-crackme11.zip

    jB’s solutions are pretty impressive overall and he knows his crypto very well :)


  17. Kevin Devine
    Posted October 4, 2007 at 09:47 | Permalink

    generating the SSID based on the MAC is fine if you ask me, the problem was that they also generated the default wep key from it, without any randomness

    I meant to say, the default WEP key was based on the serial number, and most, sometimes all, of the serial number is in the MAC. I was half asleep when I wrote that.

  18. Nikola
    Posted January 17, 2009 at 14:48 | Permalink

    Kevin, can you do some other code for me? Please send mail, I’ll pay you if you do it.

  19. Posted June 28, 2011 at 10:12 | Permalink

    And 4 years later my neighbour is still using WEP to secure their wifi network. I hope they’ve changed their password if nothing else…

  20. Posted June 28, 2011 at 11:21 | Permalink

    wow. I haven’t seen a WEP network in a while ;)