WPS Implementation Issue Exposes Wi-Fi Routers to Attack

A researcher discovered an issue with the random generation of WPS keys in a number of unnamed routers that could allow an attacker to guess the key in one try.

A number of popular home and small office routers suffer from an implementation problem that could lead an experienced hacker down the road toward learning the devices’ eight-digit Wi-Fi Protected Setup (WPS) PINs in one guess.

The attack, developed by Dominique Bongard, founder of 0xcite of Switzerland, is a spin-off of 2011 research done by Stefan Viehbock in which Viehbock could use a brute-force attack to arrive at the PIN in 11,000 tries.

Bongard said this morning he has notified the router vendors in question with little success. Some brushed off his findings, while with others he was unable to get an engineering contact with whom he could share more details. Bongard added that he did share details with the Wi-Fi Alliance, which developed and certifies the WPS standard, but has yet to hear back from them.

Wi-Fi Protected Setup is a standard by which home users are able to add new devices to a home network, for example, without having to use a long random passphrase. Devices with the right PIN receive the longer WPA passphrase from the central access point. Viehbock’s research was the first major dent in WPS’ security and allowed a hacker to guess the shorter passphrase in a matter of a few hours, and ultimately the router’s WPA passphrase. Bongard’s research cuts that down to a matter of seconds because of a poor random number generator implementation.

“The random key in some models is not random,” Bongard said. “The problem is that the random number needs to be really random and 128 bits. If you don’t know anything about security and use your standard random number generator, it’s not secure; it’s not meant to be secure.

“The guy at the manufacturer is not a security guy, he’s a router developer and he goes through the WPS specification and sees that you need 128-bit random numbers and he codes a random function in C,” Bongard said. “He doesn’t know it’s not secure; he doesn’t know he’s creating a problem. He needs a random number, he codes a random number. He doesn’t know there are different types of random numbers.”

Depending on the router brand and model, the key can be guessed through some offline calculations rather than via a brute-force attack as in Viehbock’s work.

“In one brand [the key] is always zero, so it’s easy. In another, instead of being a 128-bit key, it’s only 32 bits so you can try every possibility,” Bongard said. “So you can get it in a few seconds, opposed to 128-bit which would be impossible.”
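The following is an added example, not code from the article, from Bongard or from any router vendor. It contrasts the weak pattern the quotes describe (a 128-bit value filled from a generator with only 32 bits of state) with a hardened version that draws all 128 bits from the kernel CSPRNG, plus a self-test for the constant-zero case. The function names, the LCG constants and the use of Linux `getrandom()` are assumptions made for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/random.h> /* getrandom(): assumes Linux with glibc 2.25+ */

#define NONCE_LEN 16 /* 128 bits */

/* WEAK (constructed): every byte derives from one 32-bit seed, so the
 * "128-bit" value has at most 2^32 possible outcomes. */
void weak_nonce(uint32_t seed, uint8_t out[NONCE_LEN]) {
    uint32_t state = seed;
    for (int i = 0; i < NONCE_LEN; i++) {
        state = state * 1103515245u + 12345u; /* textbook LCG step */
        out[i] = (uint8_t)(state >> 16);
    }
}

/* HARDENED: all 128 bits come from the kernel CSPRNG. Returns 0 on success,
 * -1 on failure; the caller must abort the handshake, not fall back. */
int secure_nonce(uint8_t out[NONCE_LEN]) {
    size_t got = 0;
    while (got < NONCE_LEN) {
        ssize_t n = getrandom(out + got, NONCE_LEN - got, 0);
        if (n < 0 && errno == EINTR) continue; /* interrupted: retry */
        if (n < 0) return -1;
        got += (size_t)n;
    }
    return 0;
}

/* Self-test helper: 1 if the nonce is the constant all-zero value. */
int nonce_is_all_zero(const uint8_t n[NONCE_LEN]) {
    uint8_t acc = 0;
    for (int i = 0; i < NONCE_LEN; i++) acc |= n[i];
    return acc == 0;
}

int main(void) {
    uint8_t a[NONCE_LEN], b[NONCE_LEN], n[NONCE_LEN];
    weak_nonce(0x5eed1234u, a);
    weak_nonce(0x5eed1234u, b); /* same seed, same "random" nonce */
    printf("weak nonce repeats: %d\n", memcmp(a, b, NONCE_LEN) == 0);
    if (secure_nonce(n) != 0) return 1;
    printf("secure nonce all-zero: %d\n", nonce_is_all_zero(n));
    return 0;
}
```

On an embedded device, `getrandom()` with flags set to 0 blocks until the kernel pool is initialized, which matters for routers that generate nonces shortly after boot.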

Bongard said he found the issue on July 19 and said someone who knows how to program would have a low barrier to exploit the problem, especially with Viehbock’s research as a building block.

“I found it by accident and really didn’t see how people would react to it,” Bongard said. “You just have to modify the 2011 attack, a few lines, it’s not really complicated.”

Bongard said he does a lot of embedded device security research, but not much on routers, more so smartphones and other embedded computers.

“This was really an accident. I was doing some penetration testing stuff and one of the programs to do Wi-Fi security testing was not working correctly,” Bongard said. “And when I started looking into it, I saw there was a problem. I was just trying to fix something.”
