Purpose of this Article
This article demonstrates a vulnerability found in the ‘Super Router’ supplied by the internet service provider TalkTalk to its customers. The vulnerability allows an attacker to recover the Super Router’s WiFi password by attacking the router’s WPS feature, which is always switched on, even if the WPS pairing button is never used.
The purpose of this article is to encourage TalkTalk to patch this vulnerability immediately in order to protect their customers.
Requirements
- Windows-based operating system
(Other tools on Unix platforms may be just as effective, but for the purpose of this article we will focus on one.)
- Wireless network adapter
- TalkTalk ‘Super Router’
- ‘Dumpper’, available on SourceForge here: https://sourceforge.net/projects/dumpper
(Tested with version v.91.2)
Steps to Reproduce
- Run Dumpper and navigate to the WPS tab, then select the target WiFi BSSID.
- Click ‘WpsWin’ to begin probing the access point.
- Wait a few seconds and the WiFi password for the access point will be shown in the bottom right of the window.
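The attack above only works while the router advertises WPS in its beacons, so the useful defender-side check is whether that advertisement is actually gone after WPS is switched off. The following is an added example, not code from the original article or from Dumpper: it parses the 802.11 tagged-parameter section of a beacon and reports what the WPS Information Element claims. The two sample beacons are constructed for the example and were not captured from a Super Router.

```python
import struct

ATTR_VERSION, ATTR_WPS_STATE = 0x104A, 0x1044      # WSC attribute IDs
ATTR_AP_SETUP_LOCKED, ATTR_MODEL_NAME = 0x1057, 0x1023
WPS_OUI_TYPE = b"\x00\x50\xf2\x04"  # vendor IE: OUI 00:50:F2, type 4 = WPS

def iter_ies(tagged):
    """Yield (element_id, body) for each 802.11 information element."""
    pos = 0
    while pos + 2 <= len(tagged):
        eid, length = tagged[pos], tagged[pos + 1]
        body = tagged[pos + 2:pos + 2 + length]
        if len(body) < length:  # truncated capture: stop, don't misparse
            return
        yield eid, body
        pos += 2 + length

def parse_wsc_attrs(payload):
    """Parse WPS IE TLVs: 2-byte type, 2-byte length, value (big-endian)."""
    attrs, pos = {}, 0
    while pos + 4 <= len(payload):
        atype, alen = struct.unpack_from(">HH", payload, pos)
        value = payload[pos + 4:pos + 4 + alen]
        if len(value) < alen:
            break
        attrs[atype] = value
        pos += 4 + alen
    return attrs

def wps_status(tagged):
    """Return what the AP advertises about WPS, or None if no WPS IE is present."""
    for eid, body in iter_ies(tagged):
        if eid == 0xDD and body[:4] == WPS_OUI_TYPE:
            a = parse_wsc_attrs(body[4:])
            return {
                "version": a.get(ATTR_VERSION, b"\x00")[0],
                "configured": a.get(ATTR_WPS_STATE, b"\x00")[0] == 2,
                "ap_setup_locked": a.get(ATTR_AP_SETUP_LOCKED, b"\x00")[0] == 1,
                "model_name": a.get(ATTR_MODEL_NAME, b"").decode("ascii", "replace"),
            }
    return None

def ie(eid, body): return bytes([eid, len(body)]) + body
def wsc_attr(atype, value): return struct.pack(">HH", atype, len(value)) + value

# Constructed sample beacons (not from any real router): an SSID IE plus a WPS IE
# advertising v1.0, configured, not locked; then the same AP with WPS switched off.
SAMPLE_WPS_ON = ie(0x00, b"TestNet") + ie(0xDD, WPS_OUI_TYPE
    + wsc_attr(ATTR_VERSION, b"\x10") + wsc_attr(ATTR_WPS_STATE, b"\x02")
    + wsc_attr(ATTR_AP_SETUP_LOCKED, b"\x00") + wsc_attr(ATTR_MODEL_NAME, b"ExampleAP"))
SAMPLE_WPS_OFF = ie(0x00, b"TestNet")
```

Feed `wps_status` the tagged-parameter bytes of a beacon from your own router (for example from a monitor-mode capture); a router that has genuinely disabled WPS returns None, whereas one that only hides the button still returns a populated dictionary.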
Scale of Vulnerability
This method has proven successful on multiple TalkTalk Super Routers belonging to consenting parties, which is enough to suggest that the vulnerability affects all TalkTalk Super Routers of this particular model/version.
TalkTalk have been notified of this vulnerability in the past and have not patched it in the years since. It is also documented across various community forums.
TalkTalk were notified of this vulnerability again on the day this article was written (21 May 2018).
Typically a 30-day period from discovery to public release would be granted. However, in this case, as TalkTalk were made aware of this exploit back in 2014, public release is immediate.