The Cover of Night: Projects and Research

2Wire Keys and a Hack Waiting to Happen

February 25th, 2009 by apridgen

I just got to this today, but it is more about insight than anything remarkable. The other day I was sitting around, staring at my 2Wire router from my service provider, and I realized the provided passwords never contained any letters. Today, I finally got around to looking at everything.

I found that the keys (wireless and system) were a 10-digit string. This means that the potential key space is 10^10 (10,000,000,000). My first question for the security engineers is why no letters, special characters,

So looking at this from an attacker's standpoint, this would present itself as a challenge, more or less, if the access point uses WPA or WPA2. So if an attacker can create a pre-computed dictionary using pyrit and the fact that 2Wire host names are “2wire” + <2-3 digits>, he suggested the key might be cracked in or around 115 days with 1000 connections per second. But there are also pre-computation time and space requirements for the 10 billion or so possibilities. We kicked around some ideas about reducing the key space, but it was only heuristic given the fact we are working with a sample of 1, which is myself.

Some open questions I had:

1. Can a relationship be drawn between the system key, the network key, or the mac address?

2. Are the digits random, or are they derived by XOR'ing a common value to make them look random? I looked at the possibility of them being printable ASCII, but when I combined two digits to form a decimal value for the ASCII characters, they were not all printable.

3. Is there a relationship between the number on the SSID and the derivation of keys? Meaning the random number on the end of the 2Wire name is used to create the keys, or to deobfuscate them to find a key value.

The questions are intended to help reduce the key space or quickly guess the default network or system password. Just some thoughts….
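
The arithmetic behind the 115-day figure and the printable-ASCII check from question 2, worked through as an added example that is not part of the original post. The sample key is constructed, and the alternative alphabets are assumptions added to show what a vendor gains by not restricting default keys to digits.

```python
import math

GUESSES_PER_SECOND = 1000   # rate quoted in the post
KEY_LENGTH = 10             # default key length observed in the post

# Alphabet sizes for comparison; only "digits" is what the post observed.
ALPHABETS = {
    "digits": 10,
    "lowercase+digits": 36,
    "mixed-case+digits": 62,
    "printable ASCII": 95,
}

def keyspace(alphabet_size, length=KEY_LENGTH):
    """Number of distinct keys of the given length."""
    return alphabet_size ** length

def entropy_bits(alphabet_size, length=KEY_LENGTH):
    """Entropy of a uniformly random key, in bits."""
    return length * math.log2(alphabet_size)

def days_to_exhaust(alphabet_size, length=KEY_LENGTH, rate=GUESSES_PER_SECOND):
    """Days needed to try every key at `rate` guesses per second."""
    return keyspace(alphabet_size, length) / rate / 86400

def digit_pairs_as_ascii(key):
    """Read a digit string two digits at a time as decimal ASCII codes.

    Returns (code, printable) per pair. Two decimal digits only cover 00-99,
    and printable ASCII starts at 32, so any pair below 32 is a control code.
    """
    if not key.isdigit() or len(key) % 2:
        raise ValueError("expected an even-length string of digits")
    codes = [int(key[i:i + 2]) for i in range(0, len(key), 2)]
    return [(c, 32 <= c <= 126) for c in codes]

def report():
    """One summary line per alphabet: key count, entropy, exhaustive-search time."""
    return [
        f"{name:18} {keyspace(size):.2e} keys  {entropy_bits(size):5.1f} bits  "
        f"{days_to_exhaust(size):.3g} days"
        for name, size in ALPHABETS.items()
    ]

if __name__ == "__main__":
    print("\n".join(report()))
    sample_key = "4507123389"   # constructed sample, not a real device key
    print(digit_pairs_as_ascii(sample_key))
```
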
