Hacking HomePlug Networks

I don’t know whether HomePlug networks are growing in use or not, but the following statements caught my attention:

“Officials at Intellon, the chip maker that developed the HomePlug spec, say that hacking into a HomePlug network would require cracking the government’s DES encryption standard.” - link

My favourite:

“HomePlug specification products also protect data by utilizing powerful DES encryption, which makes hacking into a HomePlug network virtually impossible.” - link

If you are not sure what a HomePlug network is then maybe the following diagram will help:

As you can see above, HomePlug adapters can in many cases replace a wireless infrastructure or work alongside it (for example where thick walls in your house or office weaken the wireless signal). You simply plug one into a wall socket and attach a network cable to it.

I didn't spend long coming up with advanced attack techniques for these things; that would be overkill. These devices are insecure in their default state, and they are still insecure in their "secured" state.

So let's put the attack together:
1. HomePlug Detection & Enumeration
2. Exploitation in its default state
3. Exploitation in its “secured” state
4. Hacker Countermeasures

1. HomePlug Enumeration

You need a compatible HomePlug adapter to start. A single plug costs between £20 and £30. Ensure that the plug is HomePlug v1.0 certified, or you will most likely fail in your endeavour.

You will then require a target. Testing your own network is easy enough; an attacker would most likely test your network from an outside wall socket.

Install the software that comes with the plug. The software was identical for both makes of HomePlug I tried (apart from a few logo changes). Plug your HomePlug into a wall socket on the network you want to connect to, load the software and simply click "Scan Powerlines Network". Alternatively, start a sniffer and check whether your plug has already joined the network.

2. Exploitation in its default state

I couldn't find the v1.0 specification document, but it was trivial to work out that all these devices ship with a default network key of "HomePlug". Obviously this was done to allow plug and play. Start your sniffer and monitor the network traffic: if the default key is in use you should see NetBIOS broadcasts and the like. Job done.
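As an added example (not code from the original post), here is a small Python audit that turns the "watch for NetBIOS broadcasts" check around to the defender's side: it parses captured Ethernet/IPv4/UDP frames and reports any MAC address that is not in your own device inventory yet is broadcasting to the NetBIOS ports, which is exactly what a foreign plug joining a default-keyed segment looks like. The frames, the inventory and the MAC addresses are constructed inline for the demonstration; in practice you would feed it raw frames captured on the port behind your own adapter.

```python
import struct

# Constants for the tiny frame parser below (added example, not the post's code).
ETH_HDR = struct.Struct("!6s6sH")      # dst MAC, src MAC, EtherType
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17
IPV4_MIN_HDR = 20
NETBIOS_PORTS = {137, 138}             # NetBIOS name service / datagram service
BROADCAST_MAC = b"\xff" * 6


def mac(text):
    """'00:11:22:33:44:55' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_udp_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload=b""):
    """Construct a minimal Ethernet/IPv4/UDP frame (sample data only; checksums left zero)."""
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, IPV4_MIN_HDR + udp_len,   # version/IHL, DSCP, total length
                     0, 0, 64, IPPROTO_UDP, 0,          # id, flags/frag, TTL, proto, checksum
                     src_ip, dst_ip) + udp
    return ETH_HDR.pack(dst_mac, src_mac, ETHERTYPE_IPV4) + ip


def parse_udp(frame):
    """Return (src_mac, dst_mac, sport, dport) for an IPv4/UDP frame, else None."""
    if len(frame) < ETH_HDR.size + IPV4_MIN_HDR + 8:
        return None
    dst, src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_IPV4:
        return None
    ihl = (frame[ETH_HDR.size] & 0x0F) * 4          # IPv4 header length in bytes
    proto = frame[ETH_HDR.size + 9]
    if proto != IPPROTO_UDP or len(frame) < ETH_HDR.size + ihl + 8:
        return None
    sport, dport = struct.unpack_from("!HH", frame, ETH_HDR.size + ihl)
    return src, dst, sport, dport


def unknown_netbios_senders(frames, known_macs):
    """MACs that broadcast NetBIOS traffic on the segment but are not in the owner's inventory."""
    seen = set()
    for frame in frames:
        parsed = parse_udp(frame)
        if parsed is None:
            continue
        src, dst, _sport, dport = parsed
        if dst == BROADCAST_MAC and dport in NETBIOS_PORTS and src not in known_macs:
            seen.add(src)
    return seen


# Constructed sample capture: one inventoried host, one unknown host doing NetBIOS name
# registration, one unknown host doing a DNS lookup (not flagged), and an ARP frame (skipped).
KNOWN_MACS = {mac("00:11:22:33:44:55")}
UNKNOWN_MAC = mac("02:aa:bb:cc:dd:ee")   # locally administered address, constructed for the demo
BCAST_IP = bytes([192, 168, 1, 255])
SAMPLE_FRAMES = [
    build_udp_frame(mac("00:11:22:33:44:55"), BROADCAST_MAC, bytes([192, 168, 1, 10]), BCAST_IP, 137, 137),
    build_udp_frame(UNKNOWN_MAC, BROADCAST_MAC, bytes([192, 168, 1, 77]), BCAST_IP, 137, 137),
    build_udp_frame(mac("02:11:11:11:11:11"), mac("00:11:22:33:44:55"),
                    bytes([192, 168, 1, 78]), bytes([192, 168, 1, 1]), 40000, 53),
    ETH_HDR.pack(BROADCAST_MAC, UNKNOWN_MAC, 0x0806) + b"\x00" * 28,   # ARP, ignored by the parser
]


def audit():
    """Sorted, printable list of unknown NetBIOS broadcasters in the sample capture."""
    return sorted(mac_str(m) for m in unknown_netbios_senders(SAMPLE_FRAMES, KNOWN_MACS))


if __name__ == "__main__":
    for m in audit():
        print(f"unknown host broadcasting NetBIOS on the powerline segment: {m}")
```

The allow-list is the whole point: a home or small-office powerline segment has a short, stable list of MAC addresses, so any new broadcaster is worth a look. Running this against a capture taken periodically from your own adapter gives you the same signal the post describes, just used to spot the rogue plug rather than to be it.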

3. Exploitation in its “secured” state

56-bit DES encryption may have been considered cryptographically strong in the stone ages, but not today.

Even though 56-bit DES encryption (2^56 possible keys) is breakable, an exhaustive search may still take a fair chunk of time, although rainbow tables have made this a lot easier. Personally, I would try some weak passwords to begin with.

4. Hacker Countermeasures

Do the obvious. Use a very strong key to secure your HomePlug adapters, and ensure that your network devices are firewalled. Hopefully the newer versions will provide stronger encryption options.
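For sections 3 and 4, here is an added Python check (not the post's code) that applies the two points above as a policy before a key goes on the adapters: the factory key "HomePlug" is rejected outright, a dictionary word is rejected, and any other password is scored by the key space it actually yields, capped at the 56 bits a DES key can carry. It assumes, as the post's weak-password advice does, that the DES network key is derived from the password typed into the configuration tool, so a weak password gives a weak key; the word list is a constructed stand-in for a real dictionary file and the guess rate of 10^9 keys per second is an assumed figure for the time estimate, not a measurement.

```python
import math
import string

DES_KEY_BITS = 56                      # the HomePlug 1.0 key size discussed in the post
DEFAULT_KEYS = {"HomePlug"}            # factory default named in the post
# Tiny constructed word list standing in for a real dictionary file.
WEAK_WORDS = {"password", "homeplug", "network", "letmein", "admin", "powerline"}
ASSUMED_RATE = 1e9                     # assumed keys/second for the estimate; not a measured figure


def charset_size(password):
    """Size of the alphabet the password draws from, judged by the character classes it uses."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)
    if any(c.isspace() for c in password):
        size += 1
    return size


def effective_key_bits(password):
    """Key space a password-derived DES key really offers: never above 56 bits,
    and only as large as the password's own search space below that."""
    size = charset_size(password)
    if size == 0:
        return 0.0
    return min(float(DES_KEY_BITS), len(password) * math.log2(size))


def expected_search_seconds(bits, rate=ASSUMED_RATE):
    """Expected time to find the key by exhaustive search: half the key space on average."""
    return (2 ** bits) / 2 / rate


def assess(password, rate=ASSUMED_RATE):
    """Policy verdict for a candidate network password, with the reasons it fails."""
    reasons = []
    if password in DEFAULT_KEYS:
        reasons.append("factory default key")
    if password.lower() in WEAK_WORDS:
        reasons.append("dictionary word")
    bits = effective_key_bits(password)
    if bits < DES_KEY_BITS:
        reasons.append(f"password search space is only ~{bits:.0f} bits")
    return {
        "bits": bits,
        "seconds": expected_search_seconds(bits, rate),
        "ok": not reasons,
        "reasons": reasons,
    }


if __name__ == "__main__":
    # "HomePlug" and "password" fail; the 20-character mixed string saturates the 56-bit key.
    for pw in ("HomePlug", "password", "Tq7#vL9!pZx2&Rm4@Wn8"):
        r = assess(pw)
        print(f"{pw!r}: {r['bits']:.1f} bits, ~{r['seconds']:.3g} s expected search, "
              f"ok={r['ok']} {r['reasons']}")
```

The cap is the useful lesson: however long the password, the key never gets stronger than 56 bits, so the policy's only job is to make sure the password does not drag it below that. Anything shorter than roughly 9 or 10 mixed-class characters leaves the attacker a smaller search than DES itself.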

4 Comments so far

  1. Clement Dupuis @ December 15th, 2006

    Good day,

    This is definitively interesting.

    The latest Netgear adaptors now run at 200 Mbps instead of the old 85 Mbps or 12 Mbps. I have just bought a pair of HDX 101 and will do more fiddling with it in the weeks to come. The Netgear supports 3DES and DES.

    Netgear uses 128-bit encryption on their device. Yes, they do have a default password as well. It must be changed, or else it is just like having none.

    There are other models today that use AES with a 128-bit key. See:

    http://www.broadbandbuyer.co.uk/Shop/ShopDetail.asp?ProductID=3835

    take care

    Clement

  2. david.kierznowski @ December 15th, 2006

    Clement, I noticed with some devices that those using > 85 Mbps did not comply with the v1.0 standard. This also seems to be the case for your Netgear:

    "Whilst HomePlug AV is incompatible with HomePlug 1.0, it will co-exist with 1.0".

    I am curious what they mean by co-exist :) Does this mean they can be set to use 56-bit DES?

  3. Darryl @ December 15th, 2006

    How many of your neighbours' house networks can you see? There are various distance limits quoted. It mainly depends on where the transformers are, I guess.

  4. david.kierznowski @ December 16th, 2006

    Darryl, unless you are in a shared-office or shared-house type situation it will usually require you to plug directly into your target's powerlines, usually a plug outside if there is one. It would also be interesting to know whether powerline leakage can occur.
