Reverse Engineering the D-Link WPS Pin Algorithm

sub_4D56F8

A router with WPS requires a PIN to allow other devices to connect, and this PIN should be unique to every router and not derived from other easily accessible data found on the router. When [Craig] took a look at the firmware of a D-Link DIR-810L 802.11ac router, he found exactly the opposite; the WPS PIN was easily decipherable because it was generated entirely from the router’s MAC address and could be reverse engineered by sniffing WiFi.

While going through the disassembled firmware from his router, [Craig] noticed a bit of code that accessed the NVRAM used for storing device-specific information like a serial number. This code wasn't retrieving a stored WPS PIN, though; it was reading the WAN MAC address. Rather than being unique to each device and independent of every other piece of data on the router, the WPS PIN was simply generated (with a bit of math) from the MAC address. This means anyone upstream of the router can easily derive its WPS PIN, which essentially hands everyone the keys to the castle.

A few years ago, it was discovered that the WPS PIN was extremely insecure anyway and could be brute-forced in a matter of minutes. There are patches router manufacturers could apply to detect these brute-force attacks, closing that vulnerability. [Craig]'s code, though, demonstrates that a very large number of D-Link routers effectively broadcast their WPS PIN to the world. To make things even worse, the BSSID found in every wireless frame is also derived from the WAN MAC address. [Craig] has literally broken WPS on a huge number of D-Link routers, thanks to a single engineer who decided to generate the WPS PIN from the MAC address.
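What a firmware reviewer would want to see in place of a MAC-derived PIN is a PIN drawn from a CSPRNG that still carries the checksum digit the WPS spec requires, so that registrars accept it. The block below is an added example written for this post; it is not [Craig]'s code and not D-Link firmware, and it reproduces nothing of the D-Link derivation. The checksum rule is the one from the Wi-Fi Simple Configuration specification (weight digits 1, 3, 5, 7 by three, digits 2, 4, 6 by one, and pick the eighth digit that makes the sum a multiple of ten); the `randbelow` parameter and the inventory audit are assumptions made for the example.

```python
"""Added example (not [Craig]'s code, not D-Link firmware): generate and
validate WPS PINs from a CSPRNG rather than from anything observable such as
the MAC address, and audit an inventory of device PINs for uniqueness."""
import secrets


def wps_checksum_digit(first7: str) -> int:
    """Return the 8th digit of a WPS PIN for the given 7 leading digits.
    Spec rule: 3 * (d1 + d3 + d5 + d7) + (d2 + d4 + d6) plus the checksum
    must be a multiple of 10."""
    if len(first7) != 7 or not first7.isdigit():
        raise ValueError("expected exactly 7 decimal digits")
    d = [int(c) for c in first7]
    acc = 3 * (d[0] + d[2] + d[4] + d[6]) + (d[1] + d[3] + d[5])
    return (10 - acc % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    """True if pin is 8 decimal digits whose last digit is the correct checksum."""
    if len(pin) != 8 or not pin.isdigit():
        return False
    return int(pin[7]) == wps_checksum_digit(pin[:7])


def generate_wps_pin(randbelow=secrets.randbelow) -> str:
    """Draw the 7 free digits from a CSPRNG and append the checksum.
    `randbelow` is injectable only so a test can make the result
    deterministic; production code leaves the default (secrets.randbelow)."""
    first7 = f"{randbelow(10_000_000):07d}"
    return first7 + str(wps_checksum_digit(first7))


def audit_pin_inventory(pins):
    """Fleet check for the property the post asks for, PINs unique per device:
    returns (malformed, duplicated) from a list of per-device PINs (assumed to
    come from a manufacturing or asset database)."""
    seen, malformed, duplicated = set(), [], []
    for p in pins:
        if not is_valid_wps_pin(p):
            malformed.append(p)
        elif p in seen:
            duplicated.append(p)
        seen.add(p)
    return malformed, duplicated


if __name__ == "__main__":
    pin = generate_wps_pin()
    print(pin, is_valid_wps_pin(pin))
    # Constructed inventory: one duplicate and one bad checksum.
    print(audit_pin_inventory(["12345670", "12345670", "12345678"]))
```

A random PIN removes the derivation problem [Craig] found but not the protocol weakness mentioned above: WPS still verifies the PIN in two halves, so a registrar that does not lock out or rate-limit failed attempts remains brute-forceable whatever the PIN's origin.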

[Craig] has an incomplete list of routers that are confirmed affected on his site, along with a list of confirmed unaffected routers.

Bluetooth-Enabled Danger Sign for Lab

Wireless Warning Sign

[A Raymond] had some free time at work, and decided to spend it on creating a wireless warning sign. According to his blog profile, he is a PhD student in Applied Physics. His lab utilizes a high-powered laser system. His job is to use said system, but only after it's brought online by faculty scientists. The status of the laser system is changed by a manual switchbox that controls the warning signs wired around the lab entrances. Unfortunately, if you were in the upstairs office, you only knew this after running downstairs to check. [A Raymond]'s admitted laziness finally got the better of him – he wanted a sign that displayed the laser's status from the comfort of the office. He had an old sign he could use, but he wanted a way for it to communicate with the switchbox downstairs. After some thought, he decided Bluetooth was the way to go, using a pair of BlueSMiRF Bluetooth modules from Sparkfun and Arduino Uno R3s.

He constructed a metal box that intercepted the cable from the main switchbox, mounting one BlueSMiRF and Uno into it. Upon learning that the switchbox sends 12V AC signals over three individual status wires, he half-wave rectified the wires and divided their voltages so that the Uno wouldn't fry. The Uno then determined which status wire had active voltage and continuously sent a "g(reen)", "y(ellow)", or "r(ed)" signal via Bluetooth. On the receiving end, [A Raymond] gutted the sign and mounted the other BlueSMiRF and Uno into it along with some green, yellow, and red LEDs. The LEDs light up in response to the corresponding Bluetooth signal.
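Because the sender repeats its status character continuously, the link doubles as a heartbeat, and the receiving end can notice when the link goes quiet rather than keep showing the last colour it saw. The block below is an added example, not [A Raymond]'s sketch: the receive side as a small state machine in Python. The three characters are the ones the post describes; the timeout value and the choice of red as the fail-safe colour are assumptions.

```python
"""Added example, not [A Raymond]'s code: receive-side logic for the sign.
Shows the last valid status while the heartbeat is fresh and falls back to a
fail-safe colour when the Bluetooth link has been silent too long."""

STATUS = {"g": "green", "y": "yellow", "r": "red"}  # characters the sender repeats
HEARTBEAT_TIMEOUT_S = 2.0   # assumed: comfortably longer than the sender's repeat interval
FAIL_SAFE = "red"           # assumed: treat a silent link as "laser state unknown"


class SignReceiver:
    """Tracks the most recent valid status character and when it arrived."""

    def __init__(self, timeout_s=HEARTBEAT_TIMEOUT_S):
        self.timeout_s = timeout_s
        self.last_status = None
        self.last_seen = None

    def feed(self, ch, now):
        """Accept one character from the serial link at time `now` (seconds).
        Anything other than g/y/r (line noise, stray newlines) is ignored and
        does not refresh the heartbeat.  Returns the colour to display."""
        status = STATUS.get(ch)
        if status is not None:
            self.last_status = status
            self.last_seen = now
        return self.display(now)

    def display(self, now):
        """Colour the sign should show at time `now`: the last status if it is
        fresh, otherwise the fail-safe colour."""
        if self.last_seen is None or now - self.last_seen > self.timeout_s:
            return FAIL_SAFE
        return self.last_status


if __name__ == "__main__":
    rx = SignReceiver()
    # Constructed trace: a green heartbeat, a stray newline, then silence.
    for ch, t in [("g", 1.0), ("\n", 1.5), ("g", 2.0)]:
        print(t, repr(ch), "->", rx.feed(ch, t))
    print(5.0, "silence ->", rx.display(5.0))
```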

The result is a warning sign that is always up-to-date with the switchbox's status. We've covered projects using Bluetooth before, from plush birds to cameras; [A Raymond]'s wireless sign is in good company. He notes that it's "missing" a high-pitched whining noise when the "Danger" lights are on. If he decides to add an accompanying (annoying) sound, he couldn't go wrong with something like this. Regardless, we're sure [A Raymond] is happy that he no longer has to go back and forth between floors before he can use the laser.

A 1920’s Doorbell is Upgraded with 2010’s Technology

Doorbell

When you move into an old house, you are bound to have some home repairs in your future. [Ben] discovered this after moving into his home, built in 1929. The house had a mail slot that was in pretty bad shape. The slot was rusted and stuck open, it was covered in old nasty caulk, and it had a built-in doorbell that was no longer functional. [Ben] took it upon himself to fix it up.

The first thing on the agenda was to fix the doorbell. After removing the old one, [Ben] was able to expose the original cloth-insulated wiring. He managed to trace the wires back to his basement and, to his surprise, they seemed to be functional. He replaced the old doorbell button with a new momentary button and then hooked up a DIY doorbell using an XBee radio. [Ben] already had an XBee base station for his Raspberry Pi, so he wrote a script that could send a notification to his phone whenever the doorbell was pushed.

Unfortunately, the old wiring just didn't hold up. The push button only worked sporadically. [Ben] ended up purchasing an off-the-shelf wireless doorbell. He didn't want to have to stick the included ugly plastic button onto the front of his house though, so [Ben] had to figure out how to trigger the new doorbell using the nice metallic button. He used the macro lens on his iPhone to follow the traces on the PCB until he was able to locate the correct points to trigger the doorbell. Then it was just a matter of a quick soldering job and he had a functional doorbell.

Once the electronics upgrades were complete, he moved on to fixing up the look of the mail slot. He had to remove the rust using a wire brush and sandpaper. Then he gave it a few coats of paint. He replaced the original natural insulation with some spray foam, and removed all the old nasty caulk. The final product looks as good as new and now includes a functional wireless doorbell.

We’re big fans of salvaging old-school home hardware. Another example that comes to mind is this set of door chimes with modernized driver.

ESP8266 Distance Testing

ESP

With progress slowly being made on turning the ESP8266 UART to WiFi module into something great, there is still the question of what the range is for the radio in this tiny IoT wonder. [CNLohr] has some test results for you, and the results are surprisingly good.

Connecting to the WiFi module through a TP-Link WR841N router, [CN] was able to ping the module at 479 meters with a huge rubber duck antenna soldered on, or 366 meters with the PCB antenna. Wanting to test the maximum range, [CN] and his friends dug out a Ubiquiti M2 dish and were able to drive 4.28 kilometers away from the module and still ping it.

Using a dish and a rubber duck antenna is an exercise in excess, though: no one is going to use a dish for an Internet of Things device, but if you want to carry this experiment to its logical conclusion, there's no reason to think an ESP8266 won't connect, so long as you have line of sight and a huge antenna.

There’s still a lot of work to be done on this module. It’s capable of running custom code, and since you can pick this module up for less than $5 USD, it’s an interesting platform for whatever WiFi project you have in mind.

Inductive Charger Mod Allows for Non-Stop Wireless Rocking

Inductive charger

When you want to jam out to the tunes stored on your mobile devices, Bluetooth speakers are a good option. Battery power means you can take them on the go and the Bluetooth connection means you don't have to worry about cables or wires dangling around. Unfortunately the batteries never seem to last as long as we want them to. You can always plug the speaker back in to charge up the battery… but when you unhook those cords they always seem to end up falling back behind the furniture.

[Pierre] found himself with this problem, but being a hacker at heart meant that he was able to do something about it. He modified his JAM Classic Bluetooth Wireless Speaker to include an inductive charger. It used to be a lot of work to fabricate your own inductive charging system, or to rip it out of another device. But these days you can purchase kits outright.

The JAM speaker was simply put together with screws, so no cracking of the plastic was necessary. Once the case was removed, [Pierre] used a voltmeter to locate the 5V input line. It looks like he just tapped into the USB port's power and ground connections. The coil's circuit is soldered in place with just the two wires.

All [Pierre] had left to do was to put the speaker back together, taking care to find space for the coil and the new circuit board. The coil was taped to the round base of the speaker. This meant that [Pierre] could simply tape the charging coil to the underside of a glass table top. Now whenever his Bluetooth speaker gets low on battery, he can simply place it on the corner of the table and it will charge itself. No need to mess with cables.


A Lesson in Blind Reverse Engineering – Signals Intelligence

spread sheet of binary data

In a fit of desperation, I turned to data mining tools and algorithms, but stepped back from the horror of that unspeakable knowledge before my mind was shattered. That way madness lies.

–[Rory O'hare]

Wise words. Wise words, indeed. Who among us hasn't sat staring into the abyss of seemingly endless data without the slightest clue to what it means or even how to go about figuring out what it means? To literally feel the brain damage seeping in as you start to see 'ones' and 'zeros' reach out to you from everyday electronic devices…like some ghost in the wires. But do not fear, wise hacker! For we have good news to report! [Rory O'hare] has dived into this very abyss, and has emerged successful.

While others were out and about playing games and doing whatever non-hackers do to entertain themselves, [Rory O'hare] decided to reach out and grab some random wireless signals for a little fun and excitement. And what he found was not just a strong, repeating signal at 433 MHz. Not just a signal that oozed with evidence of ASK. What he found was a challenge…a mystery that was begging to be solved. A way to test his skill set. Could he reverse engineer a signal by just looking at the signal alone? Read on, and find out.
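The two things the post singles out, a repeating signal and ASK, are exactly what makes blind decoding tractable: on/off keying turns the capture into a sequence of high and low pulses, and the repeats let you check your own decode against the transmitter. The block below is an added example written for this post, not [Rory O'hare]'s code or data. It pulse-width decodes a constructed OOK capture without being told the timings (the short/long boundary is estimated from the data) and then majority-votes across the repeats. The 1:3 pulse ratio, the sync gap, the payload and the reference encoder are all constructed for the example; a real 433 MHz transmitter may use other timings or a different line code, and `decode_pwm` would then need its pairing rule adjusted.

```python
"""Added example, not [Rory O'hare]'s code: pulse-width decoding of an ASK/OOK
capture and consensus across the frame repeats.  Timings, encoding and the
capture itself are constructed here."""
from collections import Counter

SHORT, LONG = 3, 9   # constructed pulse widths in samples (1:3 ratio)
SYNC_GAP = 93        # constructed low gap that separates repeats of the frame


def encode_pwm(bits, repeats=3):
    """Reference transmitter used only to build the constructed capture.
    bit 0 = short high then long low, bit 1 = long high then short low;
    each repeat of the frame ends with a short high and the sync gap."""
    samples = []
    for _ in range(repeats):
        for b in bits:
            hi, lo = (SHORT, LONG) if b == 0 else (LONG, SHORT)
            samples += [1] * hi + [0] * lo
        samples += [1] * SHORT + [0] * SYNC_GAP
    return samples


def run_lengths(samples, threshold=0.5):
    """Collapse an amplitude stream into (level, length) runs."""
    runs = []
    for s in samples:
        level = 1 if s > threshold else 0
        if runs and runs[-1][0] == level:
            runs[-1][1] += 1
        else:
            runs.append([level, 1])
    return [(level, n) for level, n in runs]


def decode_pwm(samples):
    """Return the frames (lists of bits) found in the capture.  The short/long
    boundary is estimated from the high pulses, which never carry the sync
    gap, so no timing needs to be known in advance."""
    runs = run_lengths(samples)
    if runs and runs[0][0] == 0:          # drop leading silence
        runs = runs[1:]
    # Runs alternate high/low, so pair each high pulse with the low after it.
    pairs = [(runs[i][1], runs[i + 1][1])
             for i in range(0, len(runs) - 1, 2) if runs[i][0] == 1]
    if not pairs:
        return []
    highs = [hi for hi, _ in pairs]
    cut = (min(highs) + max(highs)) / 2   # midpoint between short and long
    frames, current = [], []
    for hi, lo in pairs:
        if lo > 3 * max(highs):           # far longer than any data pulse: sync
            if current:
                frames.append(current)
            current = []
            continue
        current.append(1 if hi > cut else 0)
    if current:
        frames.append(current)
    return frames


def consensus(frames):
    """Majority-vote each bit position across the repeats of the most common
    frame width; returns (bits, fraction of repeats that matched exactly)."""
    width = Counter(len(f) for f in frames).most_common(1)[0][0]
    usable = [f for f in frames if len(f) == width]
    bits = [Counter(col).most_common(1)[0][0] for col in zip(*usable)]
    agreement = sum(f == bits for f in usable) / len(usable)
    return bits, agreement


if __name__ == "__main__":
    message = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 1, 0]   # constructed payload
    frames = decode_pwm(encode_pwm(message))
    print(len(frames), "repeats decoded; consensus:", consensus(frames))
```

The `consensus` step is what turns a single lucky decode into evidence: a frame that disagrees with the other repeats is a decoding error or a glitch, and a payload that is stable across repeats but changes between button presses is where the real reverse engineering starts.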


Hey There Little Plant. Let’s Be Friends!

Perhaps your circle of friends is getting too small. Or maybe you just want to communicate with the leafy, green beings that have rooted themselves in the soil inside your house. If so, this environmental monitoring system will be perfect for you!

Created by [Dickson], this project monitors soil moisture, air temperature, and air humidity of your indoor plants and will alert you via email and SMS when your plants are thirsty. No longer will your sprouts shrivel up in the sun, but rather, they will be well-hydrated ready to produce their veggie goodness.

The system is battery operated, wireless, Arduino- and Raspberry Pi-based, and comes with an Android app, which in turn allows you to view real-time and historical data, thus giving you the option to check in on your crew of chlorophyll-embedded friends.

Let’s look at the sensors which are at work on the project.
