Ce diaporama a bien été signalé.
Nous utilisons votre profil LinkedIn et vos données d’activité pour vous proposer des publicités personnalisées et pertinentes. Vous pouvez changer vos préférences de publicités à tout moment.
Offline bruteforce attack on WiFi Protected Setup 
Dominique Bongard 
Founder 
0xcite, Switzerland 
@reversity
IntroductiontoWPS 
WPS PIN ExternalRegistrarProtocol 
Online Bruteforceattackon WPS PIN 
Offline Bruteforceattackon WP...
Wi-FiProtectedSetup (WPS) orWi-FiSimple Configuration(WSC) 
„Aspecificationforeasy, securesetupandintroductionofdevicesi...
USB Flash Drive (Deprecated) 
Ethernet (Deprecated) 
StaticPIN on devicelabel 
Display 
NFC Token 
Push Button 
Key...
ToregisterwithWPS youdon‘tneedtoknowthePIN andpress theWPS button 
YouneedtoknowthePIN ORpress theWPS button
Enrollee: A deviceseekingtojoina WLAN domain 
Registrar: An entitywiththeauthoritytoissueWLAN credentials 
ExternalRegi...
An Enrolleecanbea stationoran AP 
A Registrarcanbea station(externalregistrar) oran AP 
A Registrardoesn‘tneedtobein th...
In themostcommoncase, theRegistrarisa stationoutside theWiFinetworkandtheEnrolleeistheAP, not theotherwayaround.
WPS PIN External Registrar Protocol
The recommended length for a manually entered device password is an 8-digit numeric PIN. This length does not provide a la...
PSK1PSK2
E ->R 
M1 
N1 ||Description ||PKE 
N1isa 128-bit randomnoncegeneratedbytheEnrollee 
PKEistheDH publickeyoftheEnrollee
Upon receptionofM1 theRegistrargeneratesPKR andN2 
The RegistrarcanthencomputetheDHKey: 
DHKey= SHA-256 (zeropad(gABmodp...
AuthKey: used to authenticate the Registration Protocol messages (256 bits) 
KeyWrapKey: used to encrypt secret noncesan...
R ->E 
M2 
N1 || N2 ||Desc. ||PKR || Auth 
N2isa 128-bit randomnoncegeneratedbytheRegistrar 
PKRistheDH publickeyoftheRe...
E ->R 
M3 
E-Hash1 || E-Hash2 
E-Hash1 = HMACAuthKey(E-S1 || PSK1 || PKE || PKR) 
E-Hash2 = HMACAuthKey(E-S2 || PSK2 || ...
R ->E 
M4 
R-Hash1 || R-Hash2 || EKwk(R-S1) 
R-Hash1 = HMACAuthKey(R-S1 || PSK1 || PKE || PKR) 
R-Hash2 = HMACAuthKey(R-...
The Enrollee decrypts R-S1 
The Enrollee verifies : 
HMACAuthKey(R-S1 || PSK1 || PKE || PKR) = R-Hash1 
?
E ->R 
M5 
Ekwk(E-S1) 
The Enrolleeopensitsfirstcommitment
The Registrar decrypts E-S1 
The Registrar verifies : 
HMACAuthKey(E-S1 || PSK1 || PKE || PKR) = E-Hash1 
?
R ->E 
M6 
EKwk(R-S2) 
The registraropensitssecondcommitment 
HMACAuthKey(R-S2 || PSK2 || PKE || PKR) = E-Hash2 ?
E ->R 
M7 
Ekwk(E-S2|| Credentials) 
The Enrolleeopensitssecondcommitmentandalso sendsthenetworkcredentials
WPS AP as Registrar attack
WhyistheAP theRegistrarresp.theStation theEnrolleeandnot theotherwayaround? 
The WiFiAlliance probablyfoundout thatthepr...
E ->R 
M1 
N1 ||Description ||PKE 
N1isa 128-bit randomnoncegeneratedbytheEnrollee 
PKEistheDH publickeyoftheEnrollee
R ->E 
M2 
N1 || N2 ||Desc. ||PKR || Auth 
N2isa 128-bit randomnoncegeneratedbytheRegistrar 
PKRistheDH publickeyoftheRe...
E ->R 
M3 
E-Hash1 || E-Hash2 
E-Hash1 = Random 
E-Hash2 = Random
R ->E 
M4 
R-Hash1 || R-Hash2 || EKwk(R-S1) 
The EnrolleecandecryptR-S1 andthenbruteforcePSK1 withR-Hash1 
The Enrolleet...
E ->R 
M5 
Ekwk(E-S1) 
In thesecondrunoftheprotocol, theEnrolleecansend valid valuessinceitknowsPSK1
R ->E 
M6 
EKwk(R-S2) 
The EnrolleecandecryptR-S2 andthenbruteforcePSK2 withR-Hash2 
The Enrolleethenrestartstheprotocol...
WPS online bruteforceattack
Looks OK aslongasthereisonlyonetryper PIN 
ProofofpossessionallowsdetectionofrogueAPs andstations 
The DH keyexchangepr...
Attackpublishedin 2011 byStefan Viehböck 
The ideaistobruteforcePSK1 andthenPSK2 
Takes atmost11‘000 trialsforstickerPI...
Changes in the specification 
2.0.2 Public release version 
-Change Headless Devices section to mandate implementation of...
AP reboot scripts (mdk3, ReVdK3) 
EAPOL-Start flood attack 
DeauthDDoS
The initialusecaseseemstoberandomPIN on displaywithonetry 
The specificationcontainscontradictorystatementsaboutPIN reus...
WPS offline bruteforceattack
E ->R 
M1 
N1 ||Description ||PKE 
N1isa 128-bit randomnoncegeneratedbytheEnrollee 
PKEistheDH publickeyoftheEnrollee
E ->R 
M3 
E-Hash1 || E-Hash2 
E-Hash1 = HMACAuthKey(E-S1 || PSK1 || PKE || PKR) 
E-Hash2 = HMACAuthKey(E-S2 || PSK2 || ...
Ifwecanfind E-S1 andE-S2, wecanthebruteforcePSK1 andPSK2 offline!
Usuallywithpseudo-randomgenerators(PRNG) 
OfteninsecurePRNG 
Noorlowentropy 
Small state(32 bits) 
Can thePRNG stateb...
reg_proto_create_m1(RegData*regInfo, BufferObj*msg) 
{ 
uint32 ret = WPS_SUCCESS; 
uint8 message; 
DevInfo*enrollee = regI...
#if (defined(__ECOS) || defined(TARGETOS_nucleus) || defined(TARGETOS_symbian)) 
void generic_random(uint8 * random, intle...
intrand_r( unsigned int*seed ){ 
unsigned ints=*seed; 
unsigned inturet; 
s = (s * 1103515245) + 12345; // permutateseed 
...
Linear CongruentialGenerator 
32 bitsstate 
Noexternalentropy 
E-S1 andE-S2 generatedrightafter N1 
Optimization: 7 b...
Do theWPS protocoluptomessageM3 
GettheNoncefromM1 
BruteforcethestateofthePRNG 
ComputeE-S1 andE-S2 fromthestate 
Br...
32 bitLinear Feedback ShiftRegister (LFSR) 
Polynomial= 0x80000057 
Trivial torecovertheLFSR statefromthenonce
E-S1 andE-S2 arenevergenerated 
E-S1 = E-S2 = 0x0
SomeAP havethesame stateateachboot 
Makea listofcommonstatesafter reboot 
AttacktheAP rightafter boot 
As shown, there...
Looks okay 
Uses/dev/random 
Usedin AtherosSDK 
But youneverknow 
SeveralpapersattacktheentropyofthelinuxPRNG in embe...
Marvell 
Realtek 
Intel 
Qualcomm 
...
It‘scomplicated 
Manyoftheimplementations arethereferencecodeforthechipset 
OnlytheGUI isreskinned 
Thereforemanybrand...
Vendor responses
Triedtofind a securityincidentcontact 
Triedtocontactthemon Twitter 
Triedtocontactthemthroughtheirwebsite
Dominique Bongard discovered that Broadcom chips are affected. Their random number generators apparently are so easy to gu...
Thanks for checking. This is not a chip issue. The issue you have identified can affect any Wi-Fi product. 
Vulnerabilitie...
We do use the Broadcom chipset in some of our offerings, and we're reaching out to Broadcom as we speak, to find out if an...
Triedtocontactthemvia theirwebsite
Thanks, Dominique. This is very helpful. 
In the future, I encourage you to report any Wi-Fi-related vulnerabilities direc...
WPS static pin generation attack
PIN values should be randomly generated, and they SHALL NOT be derivable from any information that can be obtained by an e...
Arrishttp://packetstormsecurity.com/files/123631/ARRIS-DG860A-WPS-PIN-Generator.html 
Belkin 
http://ednolo.alumnos.upv.es...
Conclusion
DisableWPS now! 
Reverse engineers: Check otherAP forbadPRNG 
Cryptographers: Check ifgoodPRNG areokay
Offline bruteforce attack on wi fi protected setup
Offline bruteforce attack on wi fi protected setup
Offline bruteforce attack on wi fi protected setup
Offline bruteforce attack on wi fi protected setup
Offline bruteforce attack on wi fi protected setup
Offline bruteforce attack on wi fi protected setup
Offline bruteforce attack on wi fi protected setup
Offline bruteforce attack on wi fi protected setup
Offline bruteforce attack on wi fi protected setup
Offline bruteforce attack on wi fi protected setup
Offline bruteforce attack on wi fi protected setup
Offline bruteforce attack on wi fi protected setup
Prochain SlideShare
Chargement dans…5
×

Offline bruteforce attack on wi fi protected setup

Offline bruteforce attack on wi fi protected setup

  • Soyez le premier à commenter

  • Soyez le premier à aimer ceci

Offline bruteforce attack on wi fi protected setup

  1. 1. Offline bruteforce attack on WiFi Protected Setup Dominique Bongard Founder 0xcite, Switzerland @reversity
  2. 2. IntroductiontoWPS WPS PIN ExternalRegistrarProtocol Online Bruteforceattackon WPS PIN Offline Bruteforceattackon WPS PIN Vendorreponses Bonus
  3. 3. Wi-FiProtectedSetup (WPS) orWi-FiSimple Configuration(WSC) „Aspecificationforeasy, securesetupandintroductionofdevicesintoWPA2-enabled 802.11 networks" OffersseveralmethodsforIn-Band orOut-of-Band devicesetup Severelybrokenprotocol! The technicalspecificationcanbepurchasedonline for$99 Someoldversionscanbefoundfloatingon thenet
  4. 4. USB Flash Drive (Deprecated) Ethernet (Deprecated) StaticPIN on devicelabel Display NFC Token Push Button Keypad
  5. 5. ToregisterwithWPS youdon‘tneedtoknowthePIN andpress theWPS button YouneedtoknowthePIN ORpress theWPS button
  6. 6. Enrollee: A deviceseekingtojoina WLAN domain Registrar: An entitywiththeauthoritytoissueWLAN credentials ExternalRegistrar: A registrarthatisseparate fromtheAP AP: An infrastructure-mode 802.11 Access Point HeadlessDevice : A devicewithouta screenordisplay
  7. 7. An Enrolleecanbea stationoran AP A Registrarcanbea station(externalregistrar) oran AP A Registrardoesn‘tneedtobein theWiFinetwork A WiFinetworkcanhavemorethanoneWPS Registrar
  8. 8. In themostcommoncase, theRegistrarisa stationoutside theWiFinetworkandtheEnrolleeistheAP, not theotherwayaround.
  9. 9. WPS PIN External Registrar Protocol
  10. 10. The recommended length for a manually entered device password is an 8-digit numeric PIN. This length does not provide a large amount of entropy for strong mutual authentication, but the design of the Registration Protocol protects against dictionary attacks on PINs if a fresh PIN or a rekeying key is used each time the Registration Protocol is run. If the Registrar runs the Protocol multiple times using the same PIN an attacker will be able to discover the PIN through brute force. To address this vulnerability, if a PIN authentication error occurs, the Registrar SHALL warn the user and SHALL NOT automatically reuse the PIN. The [sticker] PIN contains approximately 23 bits of entropy… It is susceptible to active attack.
  11. 11. PSK1PSK2
  12. 12. E ->R M1 N1 ||Description ||PKE N1isa 128-bit randomnoncegeneratedbytheEnrollee PKEistheDH publickeyoftheEnrollee
  13. 13. Upon receptionofM1 theRegistrargeneratesPKR andN2 The RegistrarcanthencomputetheDHKey: DHKey= SHA-256 (zeropad(gABmodp, 192)) AndcalculatetheKey Derivation Key : KDK = HMAC-SHA-256DHKey (N1 || EnrolleeMAC|| N2) FinallyAuthKey, KeyWrapKey, andEMSK arederived: AuthKey|| KeyWrapKey|| EMSK = kdf(KDK, “Wi-FiEasy andSecure Key Derivation”, 640)
  14. 14. AuthKey: used to authenticate the Registration Protocol messages (256 bits) KeyWrapKey: used to encrypt secret noncesand ConfigData(128 bits) EMSK : Extended Master Session Key that is used to derive additional keys (256 bits)
  15. 15. R ->E M2 N1 || N2 ||Desc. ||PKR || Auth N2isa 128-bit randomnoncegeneratedbytheRegistrar PKRistheDH publickeyoftheRegistrar Auth= HMACAuthKey(M1 || M2)
  16. 16. E ->R M3 E-Hash1 || E-Hash2 E-Hash1 = HMACAuthKey(E-S1 || PSK1 || PKE || PKR) E-Hash2 = HMACAuthKey(E-S2 || PSK2 || PKE || PKR) PSK1ismadeofthefirst4 digitsofthePIN PSK2ismadeofthelast 4 digitsofthePIN E-S1 andE-S2 aretwo128 bitrandomnonces
  17. 17. R ->E M4 R-Hash1 || R-Hash2 || EKwk(R-S1) R-Hash1 = HMACAuthKey(R-S1 || PSK1 || PKE || PKR) R-Hash2 = HMACAuthKey(R-S2 || PSK2 || PKE || PKR) R-S1 andR-S2 aretwo128 bitrandomnonces
  18. 18. The Enrollee decrypts R-S1 The Enrollee verifies : HMACAuthKey(R-S1 || PSK1 || PKE || PKR) = R-Hash1 ?
  19. 19. E ->R M5 Ekwk(E-S1) The Enrolleeopensitsfirstcommitment
  20. 20. The Registrar decrypts E-S1 The Registrar verifies : HMACAuthKey(E-S1 || PSK1 || PKE || PKR) = E-Hash1 ?
  21. 21. R ->E M6 EKwk(R-S2) The registraropensitssecondcommitment HMACAuthKey(R-S2 || PSK2 || PKE || PKR) = E-Hash2 ?
  22. 22. E ->R M7 Ekwk(E-S2|| Credentials) The Enrolleeopensitssecondcommitmentandalso sendsthenetworkcredentials
  23. 23. WPS AP as Registrar attack
  24. 24. WhyistheAP theRegistrarresp.theStation theEnrolleeandnot theotherwayaround? The WiFiAlliance probablyfoundout thattheprotocolwouldotherwisebetotallyinsecurein thescenariowithHeadlessdevices
  25. 25. E ->R M1 N1 ||Description ||PKE N1isa 128-bit randomnoncegeneratedbytheEnrollee PKEistheDH publickeyoftheEnrollee
  26. 26. R ->E M2 N1 || N2 ||Desc. ||PKR || Auth N2isa 128-bit randomnoncegeneratedbytheRegistrar PKRistheDH publickeyoftheRegistrar Auth= HMACAuthKey(M1 || M2)
  27. 27. E ->R M3 E-Hash1 || E-Hash2 E-Hash1 = Random E-Hash2 = Random
  28. 28. R ->E M4 R-Hash1 || R-Hash2 || EKwk(R-S1) The EnrolleecandecryptR-S1 andthenbruteforcePSK1 withR-Hash1 The EnrolleethenrestartstheprotocolknowingPSK1
  29. 29. E ->R M5 Ekwk(E-S1) In thesecondrunoftheprotocol, theEnrolleecansend valid valuessinceitknowsPSK1
  30. 30. R ->E M6 EKwk(R-S2) The EnrolleecandecryptR-S2 andthenbruteforcePSK2 withR-Hash2 The Enrolleethenrestartstheprotocolonelast time knowingbothPSK1 andPSK2
  31. 31. WPS online bruteforceattack
  32. 32. Looks OK aslongasthereisonlyonetryper PIN ProofofpossessionallowsdetectionofrogueAPs andstations The DH keyexchangeprotectsagainsteavesdropping
  33. 33. Attackpublishedin 2011 byStefan Viehböck The ideaistobruteforcePSK1 andthenPSK2 Takes atmost11‘000 trialsforstickerPIN Atmost20‘000 trialsforuserselectedPIN FindsthePIN in a fewhours(dependson AP) Most AP implementednosecurityagainstBF Implementedin toolslikeReaverandBully
  34. 34. Changes in the specification 2.0.2 Public release version -Change Headless Devices section to mandate implementation of strong mitigation against a brute force attack on the AP that uses a static PIN. Some devices have a WPS lockout delay This only slows down the attack a bit Other lock WPS until the next reboot
  35. 35. AP reboot scripts (mdk3, ReVdK3) EAPOL-Start flood attack DeauthDDoS
  36. 36. The initialusecaseseemstoberandomPIN on displaywithonetry The specificationcontainscontradictorystatementsaboutPIN reuse The protocollookssecureenoughifPINs arenot reused Conclusion: HeadlessdeviceswithstaticPINs wereprobablya last minuteadditiontothespecification
  37. 37. WPS offline bruteforceattack
  38. 38. E ->R M1 N1 ||Description ||PKE N1isa 128-bit randomnoncegeneratedbytheEnrollee PKEistheDH publickeyoftheEnrollee
  39. 39. E ->R M3 E-Hash1 || E-Hash2 E-Hash1 = HMACAuthKey(E-S1 || PSK1 || PKE || PKR) E-Hash2 = HMACAuthKey(E-S2 || PSK2 || PKE || PKR) PSK1ismadeofthefirst4 digitsofthePIN PSK2ismadeofthelast 4 digitsofthePIN
  40. 40. Ifwecanfind E-S1 andE-S2, wecanthebruteforcePSK1 andPSK2 offline!
  41. 41. Usuallywithpseudo-randomgenerators(PRNG) OfteninsecurePRNG Noorlowentropy Small state(32 bits) Can thePRNG stateberecovered?
  42. 42. reg_proto_create_m1(RegData*regInfo, BufferObj*msg) { uint32 ret = WPS_SUCCESS; uint8 message; DevInfo*enrollee = regInfo->enrollee; /* First generate/gather all the required data. */ message = WPS_ID_MESSAGE_M1; /* Enrollee nonce */ /* * Hacking, do not generate new random enrollee nonce * in case of we have prebuild enrollee nonce. */ if (regInfo->e_lastMsgSent== MNONE) { RAND_bytes(regInfo->enrolleeNonce, SIZE_128_BITS); } /* It should not generate new key pair if we have prebuild enrollee nonce */ if (!enrollee->DHSecret) { ret = reg_proto_generate_dhkeypair(&enrollee->DHSecret); if (ret != WPS_SUCCESS) { return ret; } } ...
  43. 43. #if (defined(__ECOS) || defined(TARGETOS_nucleus) || defined(TARGETOS_symbian)) void generic_random(uint8 * random, intlen) { inttlen= len; while (tlen--) { *random = (uint8)rand(); *random++; } return; } #endif
  44. 44. intrand_r( unsigned int*seed ){ unsigned ints=*seed; unsigned inturet; s = (s * 1103515245) + 12345; // permutateseed uret= s & 0xffe00000;// Only use top 11 bits s = (s * 1103515245) + 12345; // permutateseed uret+= (s & 0xfffc0000) >> 11;// Only use top 14 bits s = (s * 1103515245) + 12345; // permutateseed uret+= (s & 0xfe000000) >> (11+14);// Only use top 7 bits retval= (int)(uret& RAND_MAX); *seed= s; return retval; }
  45. 45. Linear CongruentialGenerator 32 bitsstate Noexternalentropy E-S1 andE-S2 generatedrightafter N1 Optimization: 7 bitsoftheseedcanbededucedfromthelast outputbyte
  46. 46. Do theWPS protocoluptomessageM3 GettheNoncefromM1 BruteforcethestateofthePRNG ComputeE-S1 andE-S2 fromthestate BruteforcePSK1 / PSK2 fromE-Hash1 / E-Hash2 Do thefullWPS protocoltogetthecredentials
  47. 47. 32 bitLinear Feedback ShiftRegister (LFSR) Polynomial= 0x80000057 Trivial torecovertheLFSR statefromthenonce
  48. 48. E-S1 andE-S2 arenevergenerated E-S1 = E-S2 = 0x0
  49. 49. SomeAP havethesame stateateachboot Makea listofcommonstatesafter reboot AttacktheAP rightafter boot As shown, therearemanywaystoforcea reboot
  50. 50. Looks okay Uses/dev/random Usedin AtherosSDK But youneverknow SeveralpapersattacktheentropyofthelinuxPRNG in embeddedsystems
  51. 51. Marvell Realtek Intel Qualcomm ...
  52. 52. It‘scomplicated Manyoftheimplementations arethereferencecodeforthechipset OnlytheGUI isreskinned Thereforemanybrandsareaffected Manyvendorsusedifferent chipset
  53. 53. Vendor responses
  54. 54. Triedtofind a securityincidentcontact Triedtocontactthemon Twitter Triedtocontactthemthroughtheirwebsite
  55. 55. Dominique Bongard discovered that Broadcom chips are affected. Their random number generators apparently are so easy to guess that an attacker can get your Wi-Fi access point to give up its PIN code in less than a second. ----------------------------------- This is the first we have heard of this. We’ll connect with your security team. Karen
  56. 56. Thanks for checking. This is not a chip issue. The issue you have identified can affect any Wi-Fi product. Vulnerabilities can depend on the Wi-Fi standard that is chosen for security. This may depend on the age of the product. Best regards, Jennifer B.| Senior Manager, Corporate Communications
  57. 57. We do use the Broadcom chipset in some of our offerings, and we're reaching out to Broadcom as we speak, to find out if any of the ones we use are affected by this issue. [...] Also, for your information -Cisco has a very limited number of wireless products with support for WPS. Most of them are Small and Medium business products, while others are sold to Service Providers (not to end users) to be used as cable modem CPEs. And some of those CPEs have wireless capabilities, and some support WPS. We'll investigate them all, make our results public by following our security policy.
  58. 58. Triedtocontactthemvia theirwebsite
  59. 59. Thanks, Dominique. This is very helpful. In the future, I encourage you to report any Wi-Fi-related vulnerabilities directly to us. Wi-Fi Alliance reviews all submitted reports of security vulnerabilities affecting Wi-Fi CERTIFIED programs. You can submit vulnerabilities to secure@wi-fi.orgor at https://www.wi-fi.org/secure . Thanks again. Regards, Kevin R. | Director of Program Marketing | Wi-Fi Alliance
  60. 60. WPS static pin generation attack
  61. 61. PIN values should be randomly generated, and they SHALL NOT be derivable from any information that can be obtained by an eavesdropper or active attacker. The device’s serial number and MAC address, for example, are easily eavesdropped by an attacker on the in-band channel.
  62. 62. Arrishttp://packetstormsecurity.com/files/123631/ARRIS-DG860A-WPS-PIN-Generator.html Belkin http://ednolo.alumnos.upv.es/?p=1295 Other http://www.hackforums.net/printthread.php?tid=4146055 … * Tenda,Sitecom, Linksys, FTE, Vodafone, ZTE, Zyxelhttp://www.crack-wifi.com/forum/topic-8793-wpspin- generateur-pin-wps-par-defaut-routeurs-huawei-belkin.html
  63. 63. Conclusion
  64. 64. DisableWPS now! Reverse engineers: Check otherAP forbadPRNG Cryptographers: Check ifgoodPRNG areokay

    Soyez le premier à commenter

    Identifiez-vous pour voir les commentaires

Offline bruteforce attack on wi fi protected setup

Vues

Nombre de vues

2 130

Sur Slideshare

0

À partir des intégrations

0

Nombre d'intégrations

5

Actions

Téléchargements

38

Partages

0

Commentaires

0

Mentions J'aime

0

×