Huawei HG8245 / HG8247 WPA Generator
Huawei HG8245 & HG8247 ONTs (firmware version V1R006C00S100) rely on a weak algorithm to calculate the WPA keys; the keys can be predicted easily from the Wi-Fi MAC address (BSSID).
CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
Advisory
| Devices | Huawei HG8245, Huawei HG8247 |
| Hardware | 130C4600 |
| Software | V1R006C00S100 |
| Impact | Default WPA pre-shared key is predictable from the BSSID |
Description
The factory WPA pre-shared key on these ONTs is an eight-character string derived entirely from the device's MAC address (BSSID), which is broadcast in every beacon frame. Anyone within Wi-Fi range can recover the MAC address passively, compute the key, and join the network.
Key Derivation
Given a BSSID such as 00:46:4B:D3:CE:5F, the eight-character WPA key is built as follows:
- Characters 1–2: the fourth pair of the BSSID (D3).
- Characters 3–4: the fifth pair of the BSSID, decremented by 1 if the last pair of the BSSID is less than 0x08; otherwise unchanged. Rolls from 00 to FF.
- Character 5: the first character of the fifth BSSID pair, decremented by 1 if the second character of the last pair is less than 0x08; otherwise unchanged.
- Character 6: the second character of the last BSSID pair, remapped by a fixed substitution table (8→F, 9→0, A→1, B→2, …, 7→E).
- Characters 7–8: the first pair of the BSSID, remapped by a fixed lookup table (e.g. 00→0D, 28→03, 08→05, 80→06, E0→0C, CC→12, …).
For the BSSID above the resulting key is D3CE560D. A second worked example with BSSID E0:24:7F:E5:80:01 yields E57FF80C.
Recommendation
Replace the factory WPA key with a long random passphrase immediately after provisioning. ISPs redistributing these units should avoid shipping them with the default BSSID-derived key.
Remediation
Change the default WPA pre-shared key to a value not derived from the BSSID.
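To act on the remediation, an ISP or administrator can check provisioning records for units whose configured key still equals the BSSID-derived default. The Python code below is an added example, not code from the advisory: the function names and inventory are constructed, the tables hold only the mappings printed above or implied by the two worked examples, and character 5 is read from the last BSSID pair because both worked examples require that.

```python
# Added example: audit for units still using the BSSID-derived factory key.
# Tables hold only mappings printed in the advisory or implied by its two
# worked examples; they are deliberately partial.
CHAR6 = {"8": "F", "9": "0", "A": "1", "B": "2", "7": "E", "F": "6", "1": "8"}
FIRST_PAIR = {"00": "0D", "28": "03", "08": "05", "80": "06", "E0": "0C", "CC": "12"}


def derived_default(bssid):
    """Return the factory key for bssid, or None if the partial tables lack an entry."""
    pairs = bssid.upper().replace("-", ":").split(":")
    if len(pairs) != 6 or any(len(p) != 2 for p in pairs):
        raise ValueError("expected six colon-separated hex pairs: %r" % bssid)
    octets = [int(p, 16) for p in pairs]  # raises ValueError on non-hex input
    first, fourth, last = pairs[0], pairs[3], pairs[5]
    if first not in FIRST_PAIR or last[1] not in CHAR6:
        return None
    # Characters 3-4: fifth pair, minus 1 (00 wraps to FF) when last pair < 0x08.
    c34 = "%02X" % ((octets[4] - (1 if octets[5] < 0x08 else 0)) % 256)
    # Character 5 (assumption): first character of the LAST pair, minus 1 when
    # the second character of the last pair < 8; this matches both worked examples.
    low_nibble_small = int(last[1], 16) < 0x08
    c5 = "%X" % ((int(last[0], 16) - (1 if low_nibble_small else 0)) % 16)
    return fourth + c34 + c5 + CHAR6[last[1]] + FIRST_PAIR[first]


def audit(inventory):
    """Classify (bssid, configured_psk) records as default / changed / unknown."""
    report = {}
    for bssid, psk in inventory:
        expected = derived_default(bssid)
        if expected is None:
            report[bssid] = "unknown"      # tables too partial to decide
        elif psk == expected:
            report[bssid] = "default"      # still the factory key: rotate it
        else:
            report[bssid] = "changed"
    return report


# Constructed inventory: the first two BSSIDs are the advisory's examples, the
# third and all passphrases other than the first are made up.
INVENTORY = [
    ("00:46:4B:D3:CE:5F", "D3CE560D"),
    ("E0:24:7F:E5:80:01", "kT9#vqLm2xW8rZpA5dNe"),
    ("AA:BB:CC:DD:EE:03", "D3CE560D"),
]

if __name__ == "__main__":
    for bssid, status in audit(INVENTORY).items():
        print(bssid, status)
```

Records reported as "unknown" fall outside the partial tables and need a manual check of the configured key.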