Cracking the Default Password For Huawei 4G MiFi Wireless Network

If the range of your randomness is predictable and can be enumerated with little effort, “random” is useless.

This article is not about the basics of cracking WPA/WPA2 Wi-Fi networks. I assume you know how to break WPA/WPA2 wireless networks. The article is a more specific analysis of cracking the Huawei 4G MiFi Internet Router default password with 100% success.

The Huawei 4G MiFi default password (WPA/WPA2) is generated in a not-so-random way. I bought this device just a month ago, and I noticed the default password is easy to crack.

The default Wi-Fi password for the device is numeric only, with a length of eight digits. Only ten different digits (0–9) are available to produce each random eight-digit password. Given a set of n elements, the permutations with repetition are the different groups formed by k elements of the set such that:

  • The order of the elements does matter,
  • The elements are repeated,
  • The permutations with repetition are denoted by PR(n,k) = n^k.

So, n = 10 (the digits 0–9) and k = 8; therefore, PR(10,8) = 10⁸, which is equal to 100,000,000. In other words, the maximum range of passwords in this case is 10 to the power of 8, so 100,000,000 is the total number of passwords that can ever exist for the given set. Generating a file with all of these passwords results in a size of about 860 MB.

For a Proof of Concept (POC), I have written a Python script to generate all the possible passwords (10⁸).

Python Script to generate the possible output of permutations with repetition of numbers — PR(n,k)

To shuffle the generated password-list, use the following command:

Use the final password file huawei_passwordlist.txt in your password cracking. To crack a WPA/2 network, you’ll need to capture a four-way handshake during a client authentication using a tool such as the Aircrack-ng suite; you can read this article about WPA cracking.

Putting the Logic to the Test

There are different brands of the Huawei 4G MiFi Internet Router; some are Mobile Network Operator (MNO) branded and others generic. I got both.

Image 1. Non-MNO branded
Image 2. Default Password for my non-MNO branded router
Image 3. MNO branded router

1. Using a non-shuffled password-list

After capturing the WPA2 handshake, it took me about 50 minutes to crack the password using the sequentially generated password-list. Note, the found password is the same as the one in Image 2.

Image 4. Password found using non-shuffled password-list.

2. Using a shuffled password-list

Cracking the same captured WPA Handshake, it took me about 14 minutes using the shuffled password-list.

Image 5. Password found using a shuffled password-list.

Conclusion and Recommendation

People who own this gadget use it in public places as an alternative to using public Wi-Fi. Most use it (off-the-shelf) as it is, without changing the default password. As demonstrated above, in less than 15 min, an attacker can crack the default password of this gadget and perform local network attacks (MITM) against the user.

What to keep in mind is the level of trust users place in this device, especially when in a public place. The assumption is that only the owner knows the password, so they may even carry out a critical transaction or access confidential data while in a public setting.

There are three ways to address this issue:

  1. Huawei should generate a stronger default password for the devices,
  2. Huawei can remind or force the user to change the password on first use by redirecting all traffic to the management web console,
  3. Users can monitor how many gadgets are connected to the Wi-Fi using the management web console.

Huawei Response

In a couple of exchanges with the Huawei security team, I ran through a load of responses, and I’ll filter out the answer I was looking for:

In subsequent new Huawei products, the default password of Wi-Fi is changed to 11-digit + letter combination, which improves the default password complexity.

A password with 11 digits plus a letter combination improves the complexity of the default password. An attacker will need more power and time to crack the password.
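
The keyspace arithmetic used in this article, PR(n,k) = n^k, can be turned into a quick audit of the passphrase configured on a device. The following is an added example, not code from the original article or from Huawei; the guess rate, the sample passphrases and the reading of "11-digit + letter combination" as 11 characters drawn from digits and lowercase letters are assumptions.

```python
import math
import string

# Printable-ASCII character classes (10 + 26 + 26 + 33 = 95 symbols).
CLASSES = (string.digits, string.ascii_lowercase,
           string.ascii_uppercase, string.punctuation + " ")

# Assumed offline guess rate (guesses per second); replace with a measured figure.
ASSUMED_RATE = 50_000


def alphabet_size(passphrase):
    """Size of the alphabet an exhaustive search must cover for this passphrase."""
    return sum(len(c) for c in CLASSES if any(ch in c for ch in passphrase))


def audit(passphrase, rate=ASSUMED_RATE):
    """Return keyspace figures for a WPA/WPA2 passphrase and flag the default pattern."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA/WPA2 passphrases are 8 to 63 characters long")
    if any(not 32 <= ord(ch) <= 126 for ch in passphrase):
        raise ValueError("WPA/WPA2 passphrases are printable ASCII")
    n, k = alphabet_size(passphrase), len(passphrase)
    size = n ** k  # PR(n, k) = n^k, permutations with repetition
    return {
        "alphabet": n,
        "length": k,
        "keyspace": size,
        "bits": round(math.log2(size), 1),
        "hours_to_exhaust": size / rate / 3600,
        # Eight digits only: the default pattern analysed in this article.
        "default_pattern": k == 8 and all(ch in string.digits for ch in passphrase),
    }


if __name__ == "__main__":
    # Constructed sample passphrases, not taken from any device.
    for sample in ("12345678", "a1b2c3d4e5f", "Correct-Horse-42"):
        r = audit(sample)
        print(f"{sample!r}: n={r['alphabet']} k={r['length']} "
              f"keyspace={r['keyspace']:.3e} bits={r['bits']} "
              f"exhaust={r['hours_to_exhaust']:.3g} h default={r['default_pattern']}")
```

A passphrase flagged with `default_pattern` sits inside the 10⁸ keyspace discussed above and should be changed regardless of the guess rate assumed.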

Purple Teamer.

