A security researcher who goes by the name of Craig has discovered a critical flaw affecting Belkin network devices. that could be exploited by attackers to calculate the WPS PINs. In October 2014 Craig wrote on /dev/ttyS0 a post on a similar bug affecting D-Link routers.
This time the expert explained that Belkin implements a vulnerable procedure to generate its WPS PINs, an attacker just needs of the MAC and the serial number of a device to calculate the PIN.
Being a known obfuscation method, using the Firmware Analysis Tool binwalk he was able to de-obfuscate and extract the compressed firmware image, then he started the analysis of the code searching for the flaw. The researcher tested 24 Belkin routers, 80% of them were found using the flawed algorithm for the generation of the WPS PINs.
“MAC addresses are easily gathered by a wireless attacker; serial numbers can be a bit more difficult. Although serial numbers aren’t particularly random, GenerateDefaultPin uses the least significant 4 digits of the serial number, which are unpredictable enough to prevent an external attacker from reliably calculating the WPS pin.” reported the blog post.
Craig discovered that vulnerable devices use a PIN-generating algorithm based on information easy to retrieve, the MAC address and serial number. In order to retrieve the MAC address of a vulnerable device Craig exploited an ordinary 802.11 probe request to which Belkin devices reply the serial number.
“Since WiFi probe request/response packets are not encrypted, an attacker can gather the MAC address (the MAC address used by the algorithm is the LAN MAC) and serial number of a target by sending a single probe request packet to a victim access point. We just need to reverse the GenerateDefaultPin code to determine how it is using the MAC address and serial number to create a unique WPS pin (download PoC here):” continues the post.
The models of the allegedly vulnerable devices are listed below:
(Security Affairs – Belkin WPS Pin Algorithm, hacking)