2. § Protocol aiming at easily connecting to protected WiFi networks
§ Two main modes: Push-Button and 8-digit PIN code
§ Gives the WPA passphrase to stations providing the right PIN
§ Poor design and implementation
7. § Brute force each half of the PIN
§ Maximum 10'000 tries + 1'000 tries
§ No limit on the number of tries in many APs
§ Takes a few hours (depends on the AP)
§ Largely slowed down in new devices (lock-out)
§ Many APs still sold with WPS PIN activated
10. § If we can guess E-S1 and E-S2, we can then
brute force PIN1 and PIN2 offline!
§ Pixie dust attack!
11. § Usually with pseudo-random generators (PRNG)
§ Often insecure PRNG
§ No or low entropy
§ Small state (32 bits)
§ Can the PRNG state be recovered?
12. #include <stdlib.h>   // RAND_MAX
int rand_r( unsigned int *seed ) {
    unsigned int s = *seed;
    unsigned int uret;
    int retval;                              // was used without a declaration
    s = (s * 1103515245) + 12345;            // advance the LCG state
    uret = s & 0xffe00000;                   // Only use top 11 bits
    s = (s * 1103515245) + 12345;            // advance the LCG state
    uret += (s & 0xfffc0000) >> 11;          // Only use top 14 bits
    s = (s * 1103515245) + 12345;            // advance the LCG state
    uret += (s & 0xfe000000) >> (11+14);     // Only use top 7 bits
    retval = (int)(uret & RAND_MAX);
    *seed = s;                               // the whole 32-bit state is written back
    return retval;
}
14. § Linear Congruential Generator
§ 32 bits state
§ No external entropy
§ E-S1 and E-S2 generated right after the Nonce
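Added example (not from the original slides or from any vendor firmware): the weak pattern described above, where the public nonce and the secrets E-S1/E-S2 are drawn back to back from one 32-bit state, next to a hardened version that reads every value from the kernel CSPRNG. The names `slide_rand_r`, `wps_values`, `weak_generate` and `strong_generate` are hypothetical, and filling one byte per generator call is an assumption made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The generator from the slide, renamed so it does not clash with libc. */
static int slide_rand_r(uint32_t *seed) {
    uint32_t s = *seed, uret;
    s = s * 1103515245u + 12345u;
    uret = s & 0xffe00000u;                 /* top 11 bits */
    s = s * 1103515245u + 12345u;
    uret += (s & 0xfffc0000u) >> 11;        /* top 14 bits */
    s = s * 1103515245u + 12345u;
    uret += (s & 0xfe000000u) >> (11 + 14); /* top 7 bits */
    *seed = s;
    return (int)(uret & 0x7fffffffu);       /* RAND_MAX assumed to be 2^31 - 1 */
}

struct wps_values { uint8_t nonce[16], es1[16], es2[16]; };

/* Weak pattern: nonce, E-S1 and E-S2 all come from one 32-bit state.
   Assumption for illustration: one output byte per generator call. */
static void weak_generate(uint32_t state, struct wps_values *v) {
    uint8_t *p = (uint8_t *)v;
    for (size_t i = 0; i < sizeof *v; i++)
        p[i] = (uint8_t)slide_rand_r(&state);
}

/* Hardened pattern: all values read from the kernel CSPRNG; 0 on success. */
static int strong_generate(struct wps_values *v) {
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return -1;
    size_t n = fread(v, 1, sizeof *v, f);
    fclose(f);
    return n == sizeof *v ? 0 : -1;
}

/* Returns 1 when the secrets are fully determined by the state that also
   produced the public nonce, i.e. they carry no entropy of their own. */
static int secrets_follow_nonce(uint32_t state) {
    struct wps_values a, b;
    weak_generate(state, &a);
    weak_generate(state, &b);
    return memcmp(&a, &b, sizeof a) == 0;
}

/* Returns 1 if two hardened runs repeat E-S1, 0 if they differ, -1 on error. */
static int strong_repeats(void) {
    struct wps_values x, y;
    if (strong_generate(&x) != 0 || strong_generate(&y) != 0) return -1;
    return memcmp(x.es1, y.es1, sizeof x.es1) == 0;
}
```

With the weak pattern the secrets hold at most 32 bits of uncertainty regardless of their 128-bit length; with the hardened pattern the nonce reveals nothing about them.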
15. § Do the WPS protocol up to message M3
§ Get the Nonce from M1
§ Bruteforce the state of the PRNG
§ Compute E-S1 and E-S2 from the state
§ Decrypt E-Hash1 and E-Hash2
§ Bruteforce Pin1 and Pin2
§ Do the full WPS protocol and get the passphrase
16. § Linear Feedback Shift Register (LFSR)
§ Broken
§ Doesn't matter, the keys are always NULL!!
17. § Some APs have the same state at each boot
§ Make a list of common states after reboot
§ Attack the AP right after boot
18. § Trigger the breakers
§ DDOS the AP
§ Jam the signal until the target reboots the AP
19. § Looks okay
§ Uses /dev/random
§ Found in Atheros SDK
§ But you never know
§ Several papers attack the entropy of the Linux
PRNG in embedded systems
20. § It's complicated
§ Many of the implementations are the reference
code for the chipset
§ Only the GUI is reskinned
§ Therefore many brands are affected
§ Many vendors use different chipsets
§ Even for the same model number
21. § Disable WPS now!
§ Reverse engineers: Check other APs for bad PRNGs
§ Cryptographers: Check if good PRNGs are okay