Wi-Fi Protected Setup - Pixie Dust Attack. An offline bruteforce attack that leaves certain routers vulnerable. Works for Boardcom and Ralink chipset based Wi-Fi routers.
2. Myself
Sumit Shrivastava – Security Analyst @ Network Intelligence India Pvt. Ltd.
2.5+ years of work experience in the field of Digital Forensics and Assessment
Certifications
Computer Hacking and Forensics Investigator v8, EC-Council
Certified Professional Forensics Analyst, IIS Mumbai
Certified Professional Hacker NxG, IIS Mumbai
Certified Information Security Consultant, IIS Mumbai
Certified Information Security Expert – Level 1, Innobuzz Knowledge Solutions
Once upon a time Android and Web Developer
3. Today’s takeaway
Introduction to WPS
Terminology
WPS Pin Formats
WPS Negotiation Process
Types of attacks on WPS
Diving into Pixie Dust
P0wning the WiFi Router - Demonstration
4. Introduction to WPS
Wi-Fi Protected Setup (WPS, Wi-Fi Simple Config)
Uses PIN Method to secure wireless home network
Created by Wi-Fi Alliance, introduced in 2006
Goal – to allow the home users, who know very little about the wireless security, to add
new devices
Major security flaw revealed in December 2011
Allowed brute-force the WPS Pin
SEVERELY BROKEN PROTOCOL!!!
5. Terminology
Enrollee: A device seeking to join a WLAN domain
Registrar: An entity with the authority to issue WLAN credentials
External Registrar: A registrar that is separate from the AP
AP: An infrastructure mode 802.11 Access Point
Note:- AP and client device may change roles i.e. AP acts as Enrollee and Client Device acts
Registrar, when WPS is used to configure the access point
6. WPS Pin
A WPS Pin looks like
This is what your Wi-Fi Router has
at its back label
8. WPS Negotiation
Process
M1 – 128-bit random nounce
generated by Enrollee
(N1||PKE)
M2 – 128-bit random nounce
generated by Registrar
(N1||N2||PKR||Auth).
Auth = HMAC (M1||M2)
M3 – E-Hash1 (E-
S1||PSK1||PKE||PKR) OR E-
Hash2 (E-
S2||PSK2||PKE||PKR)
9. Type of Attacks on WPS
Online Brute-force
Offline Brute-force
Physical Attack
10. Diving into Pixie Dust
What you require?
Hashes -> E-Hash1 and E-Hash2
Public Keys -> PKE, PKR
Authkey
E-Nounce (Enrollee Nounce)
Flaw is in the E-S1 and E-S2 generation which are Psudo-Random Numbers
Dominique Bongard, found many AP use insecure PRNG
Broadlink -> c.rand()
Ralink -> E-S1 and E-S2 are never generated, hence they are always 0
If PRNG state is recovered, E-S1 and E-S2 can be calculated
PSK1 and PSK2 can be calculated from E-Hash1 and E-Hash2
To successfully complete this attack, negotiation should complete within 1 second