CVE-2019-12941
Description
AutoPi Wi-Fi/NB and 4G/LTE devices before 2019-10-15 allow an attacker to perform a brute-force attack or dictionary attack to gain access to the WiFi network, which provides root access to the device. The default WiFi password and WiFi SSID are derived from the same hash function output (input is only 8 characters), which allows an attacker to deduce the WiFi password from the WiFi SSID.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
AutoPi Wi-Fi/NB and 4G/LTE devices before 2019-10-15 have weak default WiFi credentials derived from an 8-character hash, enabling brute-force attacks to gain root access.
Vulnerability
The vulnerability affects AutoPi Wi-Fi/NB and 4G/LTE devices prior to 2019-10-15, as reported by researchers at KTH [1]. The default WiFi password and SSID are both derived from the same hash function whose input is only 8 characters. This weak derivation allows an attacker to deduce the WiFi password from the WiFi SSID. The device provides root access once connected to the WiFi network.
Exploitation
An attacker can perform a brute-force or dictionary attack against the WiFi network. Because the password is derived from a short 8-character input, the keyspace is limited. The attacker can obtain the WiFi SSID (which is broadcast) and then compute possible passwords offline or online. No authentication or prior access is required; the attacker only needs to be within wireless range of the device.
Impact
Successful exploitation grants the attacker access to the WiFi network, which in turn provides root access to the AutoPi device. This allows full compromise of the device, including the ability to read, modify, or disrupt its operations. The impact is high as the device may be used in critical automotive or IoT applications.
Mitigation
The vendor released a fix on 2019-10-15. Users should update their devices to the latest firmware version. No workaround is available if the device cannot be updated. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog as of this writing.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- AutoPi/AutoPi Wi-Fi/NB and 4G/LTE
  - Range: <2019-10-15
Patches
No patches discovered yet.
References
- www.diva-portal.org/smash/get/diva2:1334244/FULLTEXT01.pdf (mitre, x_refsource_MISC)
- www.kth.se/nse/research/software-systems-architecture-and-security/ (mitre, x_refsource_MISC)
- www.kth.se/polopoly_fs/1.931922.1571071632%21/Burdzovic_Matsson_dongle_v2.pdf (mitre, x_refsource_MISC)