Security researchers at software house IndigoFuzz have discovered a security flaw in the implementation of the WPS feature of the TalkTalk Super Router that can be exploited to compromise to steal the gateway’s wireless network password and take over them.
Experts reported the issue to TalkTalk ISP back in 2014, but currently the vulnerability is still present.
The routers implement a WPS pairing option that is turned on by default, but due to the security issues affecting WPS protocol an attacker within range can easily extract the Wi-Fi password of the device by using hacking tools available online.
“The vulnerability discovered allows the attacker to discover the Super Router’s WiFi Password by attacking the WPS feature in the router which is always switched on, even if the WPS pairing button is not used.” reads the blog post published by Indigofuzz.
According to IndigoFuzz’s advisory on Monday, the routers provide a WPS pairing option that is always turned on. Because that WPS connection is insecure, an attacker within range can exploit it using readily available hacking tools (i.e. Software ‘Dumpper’ available on Sourceforge (Tested with v.91.2)), and thus extract the router’s Wi-Fi password.
Attackers just need to be in the range of a TalkTalk Super Router, then probe it for the Wi-Fi password exploiting the insecure WPS feature and gain the gateway’s password.
Below the procedure described by the experts to compromise a network using the TalkTalk Super Router and obtain the WiFi access key.
The experts explained that this attack is scalable to a broad range of TalkTalk Super Routers.
“This method has proven successful on multiple TalkTalk Super Routers belonging to consenting parties which is enough to suggest that this vulnerability affects all TalkTalk Super Routers of this particular model/version,” concluded the IndigoFuzz experts.
“TalkTalk have been notified of this vulnerability in the past and have failed to patch it many years later.”
Below the Timeline shared by the experts:
IndigoFuzz decided to immediately publicly disclose the issue because TalkTalk hasn’t taken any action since its first reports in 2014.
“The purpose of this article is to encourage TalkTalk to immediately patch this vulnerability in order to protect their customers,” concluded the experts.