CVE-2023-40038

Vulnerability

The Arris DG860A and DG1670A devices generate their default WPA2 Pre-Shared Key (PSK) using a predictable algorithm: the first 6 characters of the SSID concatenated with the last 6 characters of the BSSID, then decrementing the last digit by one [1]. This affects all units with factory-default wireless settings. No firmware version is specified in the available reference, but the vulnerability applies to both models as shipped.

Exploitation

An attacker within Wi-Fi range can passively capture the SSID and BSSID from beacon frames broadcast by the device. Using the known algorithm, the attacker computes the PSK and authenticates to the wireless network without any additional credentials or user interaction [1]. No prior access or authentication is required.

Impact

Successful exploitation grants the attacker full access to the victim's Wi-Fi network. This can lead to interception of network traffic, compromise of connected devices, and further attacks on internal resources. The attacker gains the same level of network access as any legitimate user [1].

Mitigation

No official fix or firmware update has been disclosed in the available reference [1]. Users are advised to manually change the default WPA2 passphrase to a strong, random value. If the device is no longer supported by the vendor, replacement with a patched model is recommended.