Copied from Rizlas post
hereThe BT HomeHub in common with many ISP-supplied routers comes with the wireless security preconfigured. By that I mean there is a SSID and a WEP/WPA Key preconfigured in the router before it is shipped. There will usually be a sticker on the router with something like this on it :
Default SSID = BTHomeHub-8DF3
Default WEP/WPA Key = 06f48a28eb
Now neither the SSID or Key are chosen randomly or sequentially so the next router in the sequence wouldn't necessarily be BTHomeHub-8DF4
but it could be. Basically the ISPs use some sort of predictable algorithm to generate the Key and the SSID, both of which should hopefully be unique.
The only sensible way to generate the key is really from the router's serial number and that's what they generally do.
Now here's the bombshell.
The way that BT implemented this has a glaring vulnerability.This means that you can take a default SSID like BTHomeHub-8DF3 and derive a list of possible keys from the SSID and a knowledge of the serial number structure (eg CP0647EH6DM(BF)). In the case of the BTHomeHub there would be 80 possible keys which would take very little time to try.
This is so important it is worth shouting :
IF YOU USE THE DEFAULT SSID/KEY IT MAKES NO DIFFERENCE WHETHER YOU USE WEP OR WPA! YOU ARE VULNERABLEThis isn't unique to BT - Orange in Spain use ST585v6 routers preconfigured to use WPA. A tool exists which will narrow the choice of keys down to
two!
What should you do?Simply change the SSID and WEP/WPA key to something else.If you are using WEP then try using WPA instead as WEP is not secure.
More reading -
http://www.gnucitizen.org/blog/default-key-algorithm-in-thomson-and-bt-home-hub-routers/Discussion in
this thread
