
Reversing D-Link’s WPS Pin Algorithm - PaulSec
http://www.devttys0.com/2014/10/reversing-d-links-wps-pin-algorithm/
======
m-app
A while ago I found out that the D-Link router I had (655), had some XML
output available for DHCP Lease status and interface statistics. I also
noticed that these stats only became available after logging in initially from
a certain IP/MAC (no session state kept). The router gives a salt that is
valid for a while and on the client side that salt is used together with the
password to generate a hash which is used to login. You can then proceed to
retrieve the XML data.

In case anyone is interested, the (very hacky) scripts are on Github:
[https://github.com/michielappelman/router-
stats](https://github.com/michielappelman/router-stats)

~~~
PaulSec
Good job, that looks interesting.

------
drzaiusapelord
WPS is broken anyway. Its trivial to crack via brute force. Why its still
being shipped as a feature, let alone a feature that's on by default is beyond
me. The failings of the wifi consortium are pretty obvious, to the point where
I wonder if there's some NSA trickery involved in making sure these things are
insecure by default. I wish they took security more seriously.

[http://www.kb.cert.org/vuls/id/723755](http://www.kb.cert.org/vuls/id/723755)

~~~
mkehrt
For the same reason you have a bike lock, or a locker lock--to prevent
opportunistic theft. You can prevent people from driveby stealing your stuff,
but you're never going to stop a guy with an angle grinder.

~~~
kyboren
Except in this case, it wouldn't be hard to stop people with angle grinders.
The lock-maker just did a shitty job making the lock.

------
Moral_
Craig is so damn smart. I love how he went in looking to exploit some format
string vulnerability, or an incorrect escaping of arguments passed to
system(). But came out with a way to systematically grab WPA/2 keys from
D-link. Why would D-link roll their own WPS key generation scheme? All the in-
home routers i've seen come with the WPS pin set in NVRAM and written on the
bottom of the router.

~~~
eli
I think those labels are usually put there by the ISP who sold/leased you the
device, not the manufacturer.

------
jgrowl
Aren't WPS Pins completely flawed in their design anyway?

I seem to remember being able to use an exploit to break into my own router
that had WPS enabled about a year ago using a program called reaver.

The exploit had something to do with routers telling the attacker whether or
not they guessed the first 4 digits correctly and then it narrowed it down
enough to where bruteforcing was easy.

~~~
amckenna
Yup! Basically the problem boils down to:

 _" An attacker can derive information about the correctness of parts the PIN
from the AP´s responses.

> If the attacker receives an EAP-NACK message after sending M4, he knows that
> the 1st half of the PIN was incorrect.

> If the attacker receives an EAP-NACK message after sending M6, he knows that
> the 2nd half of the PIN was incorrect.

This form of authentication dramatically decreases the maximum possible
authentication attempts needed from 108 (=100.000.000) to 104 + 104 (=20.000).

As the 8th digit of the PIN is always a checksum of digit one to digit seven,
there are at most 104 + 103 (=11.000) attempts needed to find the correct
PIN."_

Reference -
[http://sviehb.files.wordpress.com/2011/12/viehboeck_wps.pdf](http://sviehb.files.wordpress.com/2011/12/viehboeck_wps.pdf)

------
Someone1234
Off the top of my head the only way to exploit this would be either by your
ISP or the security services (via your ISP, or the router manufacturer).

Since WAN mac addresses don't travel very far upstream. Typically only to the
local exchange. So in order for someone to utilise that to generate a WPS key
they would have to sit at the exchange (on your side of the connection) and do
it.

The manufacturer might also store the WAN mac addresses of each piece of
equipment they produce (along with serial, etc) and depending on the supply
chain you purchased the router down or if you registered it, they could figure
out your router's WAN/WPS pin that way.

In general PIN-based WPS is a bad idea. Turn it off and do button WPS only. Or
turn it on only as needed.

~~~
lunixbochs
> WAN mac addresses don't travel very far upstream

This doesn't matter, and it's addressed in the post. He mentions many devices
actually do use the BSSID (which is sent in every wireless frame), and the WAN
MAC is usually very close to the BSSID anyway so you can guess it in very few
tries.

~~~
Someone1234
Fair enough. I missed that line.

------
osivertsson
Funny thing is that I've been looking at D-Link's (actually Cameo's) /sbin/ncc
and other binaries the last couple of days (well actually nights...) on a
DIR-636L.

I even have a note here wondering where they read from NVRAM or similar
related to WPS because I couldn't spot it. Guess I have the answer now!

I doubt I will have the time to investigate it, but my feeling is that there
is a lot of funky stuff in /sbin/ncc and the companion binaries.

------
f2x
Question: I realize that the manufacturer has kind of dropped the ball, but
would flashing the firmware with dd-wrt allow the user to patch the gaping
security hole? Or does it go deeper?

~~~
jlgaddis
I haven't used a standard "consumer" router like this for ages, but ISTR that
WPS is something you can almost always disable.

To answer your question: yes, but that's not (typically) necessary.

------
tokenizerrr
Is there any reason at all the WPS pin would be derived from this kind of
information? I don't want to seem paranoid, but this sounds like a backdoor?

~~~
bcoates
I'm guessing the developer tasked with implementing this didn't have access to
any other device-unique state, and getting the hardware team to have a new
unpredictable value flashed onto each device was impractical.

~~~
lunixbochs
If an entire manufacturer couldn't solve this, I wouldn't be surprised if
others had a similar problem with a different generation algorithm.

~~~
mariuolo
It's nothing new, I fear.

Years ago I read about a similar predictability for ISP-supplied routers that
used the MAC as seed for the default WPA key and the SSID. Once someone
decoded the algorithm it was trivial to access many home networks.

At the end of the day, I believe it's cheaper to flash the same firmware image
on all of the boards and differentiate them during the first boot or even at
runtime like in this case.

