Horizon HD / WiFi suffers from a weak wifi passphrase generation vulnerability.
----------------------------------------------------------------------------
Advisory ID: HCA0005 - http://hackingcorp.ch/advisories/HCA0005.pdf
Product: Horizon HD / WiFi
Vendor: Liberty Global plc companies (Unitymedia GmbH, UPC Cablecom, ...)
Affected Version(s): unknown
Tested Version(s): current
Vulnerability Type: Weak WiFi passphrase generation
Risk Level: Medium
Vendor Notification: 2015-05-14
Public Disclosure: 2016-01-25, patch ready (and validated by HC)
CVE Reference: Not assigned
Author of Advisory: Iván Almuiña <ivan.almuina and domain hackingcorp.ch>
Document date: 2015-05-14 initial version sent to Liberty Global plc
Document update: 2016-01-14 censored version for public disclosure
Credits: Iván Almuiña for finding the vulnerability and developing the PoC
Special Thanks: Nicolas Oberli for cleaning up the Proof-of-Concept
----------------------------------------------------------------------------
Description
----------------------------------------------------------------------------
The current model of the Horizon HD device sold by Liberty Global companies
(Unitymedia GmbH, UPC Cablecom, etc.; we are not aware of all the companies
that sell this set-top box around the world) uses a weak default SSID/WPA2
passphrase generator. This vulnerability allows an attacker to predict,
offline and in a matter of seconds, the default WPA2 passphrase based on the
default SSID. By default, the latter is set to UPC24 or UPC50 followed by 7
digits (e.g. UPC241234567).
Technical details
----------------------------------------------------------------------------
During the boot process the script "/etc/init.d/XXXX" executes the binary
file named "/usr/sbin/XXXX". This executable checks whether it has to set up
the default WiFi configuration. The following function manages the process:
----------------------------------------------------------------------------
| Due to legal restrictions and to limit potential damage this information |
| has been removed. |
----------------------------------------------------------------------------
As we can see in the previous excerpt, the SSID and WPA2 passphrase
generation is based on the Cable Modem MAC address. The XXXX_* functions are
imported from the library "/lib/XXXX.so" and contain the PRNG algorithm. In
the following excerpt we can see that the PRNG is fairly weak:
----------------------------------------------------------------------------
| Due to legal restrictions and to limit potential damage this information |
| has been removed. |
----------------------------------------------------------------------------
Based on the previous information we now know how to bruteforce the key
space to find the PRNG’s seed, which is the MAC address. An important detail
here is that the MAC addresses are 6 bytes long, with the first 3 bytes
representing the manufacturer (OUI).
This means that we are left with only 3 bytes (24 bits) to bruteforce,
greatly reducing the required time to explore all the key space.
The exploit works like this:
- Iterate over the MAC addresses from XX:XX:XX:00:00:00 to XX:XX:XX:ff:ff:ff
- Generate the SSID from each MAC address and try to match it
- If the SSID matches, generate the passphrase -> potential candidate
This process only takes a couple of seconds and has been implemented in a
Proof-of-Concept to verify the feasibility of the attack.
Proof of Concept
----------------------------------------------------------------------------
A weaponized exploit that takes advantage of this vulnerability, named
'Horizon-WiFi.c', has been provided to the right persons.
The exploit takes a default SSID as input and outputs (in 2-3 seconds)
usually between 1 and 4 passphrase candidates.
If for some reason you consider that you should have access to the exploit
and/or the uncensored advisory, feel free to send your request to 'contact'
followed by the domain hackingcorp.ch.
Recommendations
----------------------------------------------------------------------------
The SSID should not make it possible to reconstruct the PRNG seed. A solution
would be to derive the SSID from a different PRNG and/or use a cryptographic
RNG.
For end users the solution is quite easy: change the default SSID/WPA2
passphrase of your Horizon HD STB.
Update 2016/01/14: The new firmware fixes the vulnerability using
cryptographic algorithms and deriving the seeds from unpredictable sources.
At this point Hacking Corp. does not know if the new firmware has been
pushed to all the affected customers, thus we recommend applying the end
user solution previously described.
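
Added example, not part of the original advisory and not the vendor's
firmware code: one way to implement the recommendation above, drawing the
default SSID digits and the WPA2 passphrase as independent values from the
kernel CSPRNG. The function names, the 16-character length, the alphabet and
the use of /dev/urandom are assumptions.

```c
/* Added example (not vendor firmware): first-boot WiFi defaults from the kernel CSPRNG. */
#include <stdio.h>
#include <string.h>

#define SSID_DIGITS 7
#define PASS_LEN 16   /* assumed length; 16 symbols x 5 bits = 80 bits */
/* Assumed alphabet: 32 symbols, look-alikes (I, O, 0, 1) left out. */
static const char PASS_ALPHABET[] = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789";

struct wifi_defaults {
    char ssid[3 + 2 + SSID_DIGITS + 1];   /* "UPC" + band + digits + NUL */
    char passphrase[PASS_LEN + 1];
};

/* Draw out_len symbols uniformly from alphabet; rejection sampling avoids modulo bias. */
static int random_string(char *out, size_t out_len, const char *alphabet)
{
    size_t n = strlen(alphabet), i = 0;
    if (n == 0 || n > 256) return -1;
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return -1;
    unsigned limit = 256u - (256u % (unsigned)n);
    while (i < out_len) {
        int b = fgetc(f);
        if (b == EOF) { fclose(f); return -1; }   /* fail closed, no weak fallback */
        if ((unsigned)b < limit) out[i++] = alphabet[(unsigned)b % n];
    }
    fclose(f);
    out[out_len] = '\0';
    return 0;
}

/* band is "24" or "50". SSID digits and passphrase are separate draws, and
 * neither uses the MAC address, so the SSID reveals nothing about the key. */
int generate_wifi_defaults(struct wifi_defaults *d, const char *band)
{
    char digits[SSID_DIGITS + 1];
    if (strcmp(band, "24") != 0 && strcmp(band, "50") != 0) return -1;
    if (random_string(digits, SSID_DIGITS, "0123456789") != 0) return -1;
    if (random_string(d->passphrase, PASS_LEN, PASS_ALPHABET) != 0) return -1;
    snprintf(d->ssid, sizeof d->ssid, "UPC%.2s%.7s", band, digits);
    return 0;
}

int main(void)
{
    struct wifi_defaults d;
    if (generate_wifi_defaults(&d, "24") != 0) return 1;
    printf("%s %s\n", d.ssid, d.passphrase);
    return 0;
}
```

The generated values have to be stored persistently at first boot, since
they cannot be recomputed from any device identifier.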
Disclaimer
----------------------------------------------------------------------------
The information in the advisory is believed to be accurate at the time of
publishing based on currently available information. Use of the information
constitutes acceptance for use in an AS IS condition. There are no
warranties with regard to this information. Neither the author nor the
publisher accepts any liability for any direct, indirect, or consequential
loss or damage arising from use of, or reliance on, this information.