Attacks on the WPS Network Back Door

Someone once said that of security, convenience and low price you can only pick two. Unfortunately, this observation must have been unknown to the creators of the Wi-Fi Protected Setup (WPS) protocol, who believed that WPA2-PSK wireless security was too complicated for the average user and needed to be made easier. They did so in 2008 simply by bringing to market a solution that literally allowed client devices to authenticate with a PIN. As it turned out a few years later, the solution they introduced resembled fitting a plywood door into the wall right next to a steel gate.

The assumptions were interesting. Users with a variety of non-PC devices that connect to their home Wi-Fi have to type in what is often a random access point name (SSID) and a strong (that is, long and complicated) WPA/WPA2 password. Of course, nobody was thinking of a completely new security mechanism; those were the days when brute-force attacks were no more than a curiosity. The idea was rather to come up with a method that would automatically transfer the access data to a device connecting to the access point.

The new protocol, named Wi-Fi Protected Setup, allowed this in practice in two ways: in-band and out-of-band. The first uses the 802.11b radio network itself, over EAP; the second uses USB media or an NFC radio link, and in practice is not used. So what is transferred during WPS setup? The connecting devices exchange keys between them using the Diffie-Hellman algorithm.

Figure: WPS data exchange inside the wireless network.

Authentication consists of transferring an eight-digit PIN known to one device (the router) to the device that is to be authenticated. Since, however, even entering a PIN might be too hard for the average user, an even simpler method was devised that authenticates the client by pressing a button on the router (so-called PBC, Push-Button-Connect). It is a special case of PIN authentication.

A PIN is not as secure as a PSK

Let’s take a closer look at what happens when you authenticate with the PIN. On the access point you will usually find a sticker somewhere underneath with a string of eight digits. You read this string and type it into the WPS interface of your device. This comes with the (somewhat controversial) assumption that if you can read something from a sticker under the router, you probably also have the right to use it over the wireless network.
Soon it was found that even typing in an eight-digit PIN might be too complicated, and it was decided to simplify the whole procedure further. A new button appeared on the router, usually marked “WPS”, whose press activates the WPS protocol on the access point for a moment. During activation both devices, the access point and the client, look for equipment operating in configuration mode. When they find each other, they carry out the same procedure as in PIN authentication, except that nothing has to be typed: the default PIN “00000000” is used.

What for an ordinary user is just copying a PIN is somewhat more complicated for the two devices. After the EAP session is activated, eight messages designated M1-M8 are exchanged between them. In turn they are:

  • M1: the client sends its Diffie-Hellman public key
  • M2: the access point responds with its own Diffie-Hellman public key
  • M4-M5: the client proves it knows the correct first four digits of the PIN and obtains confirmation from the router
  • M6-M7: the client proves it knows the correct last four digits of the PIN and obtains confirmation from the router, which sends the network configuration
  • M8: the client is granted access to the network

Of course, to reach M8 all the previous steps must succeed. Otherwise the access point sends an EAP-NACK (Negative Acknowledgement). After a certain number of incorrect attempts it should disable the WPS protocol for a period of time. It should, but usually does not: unfortunately in most low-cost network equipment WPS is, for some reason, implemented “basically”, so either no such counter mechanism is active at all or it does not work. This allows an unlimited number of attempts, that is, an online brute-force attack.
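The counter mechanism the paragraph above says is missing from cheap routers is small enough to show in full. The following is an added example written for this article, not firmware code from any vendor or from the WPS specification: it models an access point that counts EAP-NACK results and refuses to start a new M1-M8 exchange once the limit is hit. The thresholds (three failures in any 60-second window lock PIN authentication for 300 seconds) are assumptions chosen for illustration. The counter is deliberately global rather than per client MAC, because the page notes later that the client's MAC address is trivially spoofed.

```python
from collections import deque

# Added example, not a real access point's code. Thresholds are assumptions.


class WpsLockout:
    """Track failed WPS PIN attempts and lock the PIN method of the whole AP."""

    def __init__(self, max_failures=3, window_s=60, lock_s=300):
        self.max_failures = max_failures
        self.window_s = window_s
        self.lock_s = lock_s
        self.failures = deque()   # timestamps of recent EAP-NACK (wrong PIN) results
        self.locked_until = 0.0

    def is_locked(self, now):
        return now < self.locked_until

    def attempt_allowed(self, now):
        """Should the AP even start the M1-M8 exchange for a new PIN attempt?"""
        return not self.is_locked(now)

    def register_result(self, now, ok):
        """Record the outcome of one PIN attempt; return True if WPS is now locked."""
        if ok:
            self.failures.clear()
            return self.is_locked(now)
        # Global counter: a per-MAC counter is bypassed by changing the client MAC.
        self.failures.append(now)
        while self.failures and now - self.failures[0] > self.window_s:
            self.failures.popleft()          # drop failures outside the window
        if len(self.failures) >= self.max_failures:
            self.locked_until = now + self.lock_s
            self.failures.clear()
        return self.is_locked(now)


def replay(events, max_failures=3, window_s=60, lock_s=300):
    """Feed (timestamp, ok) PIN attempt results through the lockout logic and
    return the timestamps at which the AP refused to start an exchange."""
    lock = WpsLockout(max_failures, window_s, lock_s)
    refused = []
    for ts, ok in events:
        if not lock.attempt_allowed(ts):
            refused.append(ts)
            continue
        lock.register_result(ts, ok)
    return refused


# Constructed sample: ten wrong PINs, one per second, the pattern a zero-delay
# brute-force run produces at the AP.
SAMPLE_EVENTS = [(float(t), False) for t in range(10)]

if __name__ == "__main__":
    print("refused attempts:", replay(SAMPLE_EVENTS))
    print("without a counter:", replay(SAMPLE_EVENTS, max_failures=10**9))
```

With the counter active the third wrong PIN locks the AP and the remaining seven attempts are refused without any M1-M8 exchange; with the counter effectively disabled (the "basic" implementation the paragraph describes) every attempt goes through.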


How many such attempts are needed to brute-force the PIN? Since it consists of eight decimal digits, the number of combinations is 10^8, a hundred million. That is still a lot: even at one PIN test per second, checking the entire space of possible strings would take more than three years. In reality, however, it takes just a few hours. What went wrong?

The difference between the sum and the product

In 2011, wireless network security was shaken by Stefan Viehböck’s paper Brute forcing Wi-Fi Protected Setup: When poor design meets poor implementation. The only surprise is that it took so long: a careful read of the protocol specification was enough to notice that it is simply, tragically, rushed.

First, the eighth digit of the PIN is fixed: it is a checksum of the previous seven digits. It was introduced so that a device would not send the router an incorrectly typed PIN (since a normal user might not manage to type eight digits in a row). This, however, means that the number of combinations drops from 10^8 to 10^7, because the last digit can be computed from a formula.

The algorithm for computing the eighth digit of a WPS PIN is very simple. Assuming the PIN is written as A1A2A3A4A5A6A7A8:

1. Take the sum of all digits in odd positions and multiply it by three: (A1 + A3 + A5 + A7) × 3.
2. Take the sum of all digits in even positions: A2 + A4 + A6.
3. Add the sums from steps 1 and 2. Take the last digit of the result and subtract it from 10; the result is the check digit (A8).

Ten million combinations are still too many for an online brute-force attack. However, as we have seen, PIN verification takes place in two stages. First, knowledge of the first four digits is checked; if that proves correct, knowledge of the last three is checked. This means that we do not have 10^7 combinations but, in the worst case, 10^4 in the first stage and 10^3 in the second, that is, only 11 thousand combinations. For a space of this size an online brute-force attack is quite trivial: assuming one attempt per second, the entire space of possible PINs can be checked in a little over three hours.
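The check-digit rule and the two-stage arithmetic from the last few paragraphs, as an added example (written for this article, not taken from Viehböck’s paper or from any router firmware). It validates a PIN the way a device enforcing the checksum would, and computes the worst-case number of online guesses with and without the checksum, which is the sum-versus-product point this section makes. One edge case the prose glosses over is handled explicitly: when the last digit of the sum is 0, "subtract from 10" gives 10, which the standard rule reduces to a check digit of 0.

```python
# Added example: WPS PIN check digit and the size of the online search space.
# Not code from any router or from Viehböck's paper.


def wps_checksum(first_seven):
    """Return the check digit (A8) for the seven leading digits of a WPS PIN."""
    if len(first_seven) != 7 or not first_seven.isdigit():
        raise ValueError("expected exactly seven decimal digits")
    d = [int(c) for c in first_seven]
    odd_sum = 3 * (d[0] + d[2] + d[4] + d[6])   # step 1: A1, A3, A5, A7, times three
    even_sum = d[1] + d[3] + d[5]               # step 2: A2, A4, A6
    # step 3: last digit of the total, subtracted from 10; 10 wraps to 0
    return (10 - (odd_sum + even_sum) % 10) % 10


def is_valid_wps_pin(pin):
    """True if an eight-digit PIN (optionally written 1234-5670) has a correct
    check digit. This is the test a device enforcing the checksum applies."""
    pin = pin.replace("-", "").replace(" ", "")
    if len(pin) != 8 or not pin.isdigit():
        return False
    return int(pin[7]) == wps_checksum(pin[:7])


def worst_case_attempts(checksum_enforced=True):
    """Number of PIN guesses the two-stage verification allows in the worst case.
    Stage 1 covers the first four digits (10**4). Stage 2 covers the last four,
    of which only three are free when the eighth is a checksum (10**3); when the
    firmware stops enforcing the checksum all four are free (10**4)."""
    stage1 = 10 ** 4
    stage2 = 10 ** 3 if checksum_enforced else 10 ** 4
    return stage1 + stage2          # a sum, because the stages are confirmed separately


def full_space():
    """Guesses needed if all eight digits had to be right at once (a product)."""
    return 10 ** 8


if __name__ == "__main__":
    # 12345670 is the first "popular" PIN the article mentions; 00000000 is the PBC PIN.
    for candidate in ("12345670", "00000000", "11111111"):
        print(candidate, "valid" if is_valid_wps_pin(candidate) else "invalid")
    for enforced in (True, False):
        n = worst_case_attempts(enforced)
        print(f"checksum enforced={enforced}: {n} guesses, "
              f"{n / 3600:.2f} hours at one guess per second")
    print("full space / two-stage space:", full_space() // worst_case_attempts())
```

The ratio printed on the last line, roughly nine thousand, is the whole story of this section: the protocol turned 10^4 × 10^4 into 10^4 + 10^3, and a firmware patch that merely stops enforcing the check digit only moves the second term from 10^3 to 10^4.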

It is hard to imagine how the designers of the WPS protocol failed to notice this small replacement of multiplication by addition and its huge consequences, and then how nobody else noticed it in the few years since its implementation.

Shortly after Viehböck’s paper was published, some routers received firmware updates that stopped treating the last digit as a checksum, but that changes little: the number of combinations rises only from 11 thousand to 20 thousand.

To make matters worse, some router manufacturers came up with the idea of generating the PIN … from the device’s MAC address (which, after all, anyone can read by scanning the network). This is common in devices that generate their unique default network name (SSID) in the same way. Those interested in the details should see the /dev/ttyS0 blog, which shows the algorithms for deriving the PIN on popular D-Link and Belkin router models.

Reaver: an online brute-force attack

An attacker going after WPS needs no powerful cluster of graphics cards; even a cheap single-board computer such as the Raspberry Pi 2 will do, and that is the equipment used for this article. The target was a D-Link IT-RT-N150 router, a simple device with WPS enabled by default, very popular because of its low price (a new unit costs about $50) and its fairly good signal.

On the Pi 2 (with an attached USB Wi-Fi adapter that supports monitor mode) we ran a pre-installed Kali Linux, which already contains the basic tool for these attacks, Reaver. It is also found in the repositories of many other distributions, or you can build it yourself, but Kali gives us tools that are ready to use immediately.

We start by switching the Wi-Fi adapter into monitor mode with the command airmon-ng start [interface name]. If some processes interfere, kill them with kill [process] and repeat the previous command. Sometimes Reaver has trouble getting access to the network device; running airodump for a moment helps, with airodump-ng [name of the interface in monitor mode, for example wlan0mon].

Now we check the list of networks whose access points have WPS enabled. Reaver ships a small tool for this, wash. Run it as wash -i [name of the interface in monitor mode] -s -C. The -s option runs a scan and -C makes it ignore frames with invalid checksums.

The program’s output is a list of access points: MAC addresses, channels, signal strength, WPS version, WPS lock status (Locked) and the wireless network name. Our target is TakaSobieSiecWPS, created on our own router. Once you have noted its MAC address you are ready to attack.


Run Reaver with the command reaver -i [name of the interface in monitor mode] -b [router MAC address] -c [channel] -d 0 --dh-small -vv. The -d parameter is the length of the delay between successive PIN attempts (zero here, no delay), the --dh-small flag makes Reaver use smaller Diffie-Hellman keys to speed up the attack, and -vv is verbose mode, displaying all information about the attack.

Reaver has the advantage that it remembers the state of an attack on a network, that is, which PIN values have already been checked, and it starts by testing popular PINs (such as 12345670, 00005678, 01230000, etc.), which in many cases shortens the attack. It can also spoof the MAC address of the network adapter with the --mac parameter. All of Reaver’s options can be seen here.

While it works, Reaver prints further information: the PIN being tried and the exchange of messages M1-M4, usually ending in a NACK. After a number of NACKs we may get a warning that the access point has turned WPS off. The program will then wait 60 seconds before continuing the attack. If you do not want it to wait, you can force it to ignore locks with the -L flag.

After hitting the first part of the PIN, Reaver proceeds to messages M5-M6. Now it goes fast: upon receiving M7 we get all the information about the network, along with the PSK.

An interesting alternative to Reaver is Bully. This tool, available in Kali after installation (apt-get install bully), is very similar in concept to the one discussed but works somewhat better, with less CPU overhead and many interesting options. Documentation can be found in this discussion.

The security procedure is simple: turn off WPS

In practice there is no way to protect against the brute-force attack: even if the router locks WPS after a certain number of failed attempts, for a patient attacker who can afford to keep the attack running for a few days that is no obstacle. Worse still, in many cases there is no need to wait that long. In 2014 the Swiss hacker Dominique Bongard presented the Pixie Dust attack (“magic dust”), which exploits a weakness in the pseudo-random number generator used when encrypting the messages and allows the PIN itself to be attacked, which in practice shortens the attack to a few minutes. We will present this attack in more detail in the next episode of the Offensive Security series.

The only thing we can recommend is to disable WPS in the settings of the router you use, as soon as possible. If that is not possible (there are cheap models without such an option), you can try alternative firmware such as OpenWRT or DD-WRT. If that too is impossible (the device is too weak, or no such firmware exists for it), all that remains is to discard the router and buy something better.