Reverse Engineering The D-Link WPS Pin Algorithm

sub_4D56F8

A router with WPS requires a PIN to allow other devices to connect, and this PIN should be unique to every router and not derived from other easily accessible data found on the router. When [Craig] took a look at the firmware of a D-Link DIR-810L 802.11ac router, he found exactly the opposite; the WPS PIN was easily decipherable because it was generated entirely from the router’s MAC address and could be reverse engineered by sniffing WiFi.

When [Craig] was taking a look at the disassembled firmware from his router, he noticed a bit of code that accessed the NVRAM used for storing device-specific information like a serial number. This bit of code wasn’t retrieving a WPS pin, but the WAN MAC address instead. Instead of being unique to each device and opaque to every other bit of data on the router, the WPS pin was simply generated (with a bit of math) from the MAC address. This means anyone upstream of the router can easily derive the WPS pin of the router, and essentially gives everyone the keys to the castle of this router.

A few years ago, it was discovered the WPS pin was extremely insecure anyway, able to be brute-forced in a matter of minutes. There are patches router manufacturers could apply to detect these brute force attacks, closing that vulnerability. [Craig]’s code, though, demonstrates that a very large number of D-Link routers effectively broadcast their WPS PIN to the world. To make things even worse, the BSSID found in every wireless frame is also derived from the WAN MAC address. [Craig] has literally broken WPS on a huge number of D-Link routers, thanks to a single engineer that decided to generate the WPS PIN from the MAC address.

[Craig] has an incomplete list of routers that are confirmed affected on his site, along with a list of confirmed unaffected routers.

36 thoughts on “Reverse Engineering The D-Link WPS Pin Algorithm

  1. Before I used to think this was a sign of laziness or lack of experience from the part of programmers. Now I feel such complete lack of competence can only be explained by deliberate decision of leaving back doors in consumer products.

    I’m not sure whether I should be more worried about getting more paranoid after each article like that or the fact we use such broken and insecure devices everyday.

    1. Nope, you were right first time. Everything nowadays is done on a ‘good enough to ship’ basis rather than on a ‘good enough to be proud of’ basis. And with the ever increasing number of software engineers doing it “because it’s a well-paying job” (cf accountancy in the 1980s) rather than due to an interest and aptitude, things are not going to get better.

      I’ll get off my soapbox, you all get off my lawn…

    2. This is just terrible design by the ODM which originally designed the box so I wouldn’t be surprised if it affects several other manufacturers. D-Link just buys in a design from somebody else and rebrands the firmware + gives it a new casing. Very few of the major router manufacturers actually design it entirely themselves.

    3. Imagine you’re put in a similar situation, and required to write code that generates a random WPS PIN.

      You can easily use (or add) some PRNG code, like the Mersenne Twister, but if the number of calls to the PRNG before you call for the PIN is predictable (possibly zero), then the PRNG is useless unless you already had some source of a good quality random number to seed it with in the first place.

      Your code is required to run on a large variety of devices (see the affected router list for an example), or even be totally hardware independent. So you cannot rely on the existence or accessibility of a hardware RNG, ADC, RTC, multiple unsynchronized clocks, a noise generating diode, etc for an initial seed or random numbers. It would be great if you had any of these resources guaranteed, but you’re not involved in hardware design.

      Perhaps you could rely on some external event, or combination of events, with unpredictable timing. Or maybe background noise measurements on a channel. But is it *sufficiently* unpredictable? It wouldn’t be any good if the seed or random number used to generate your PIN might often fall into a limited range of values, possibly allowing the discovery and use of a quick dictionary attack, no reverse-engineering of firmware necessary.

      And what if the method you use is dependent on code that may later be replaced to support another hardware configuration? Will it still provide sufficient randomness? Will you remember to test? Will your successor test if you’re no longer on the project?

      You’re also under deadline, of course. To finish not just this, but a slew of other things as well. And a decent amount of testing to make sure whatever method you invent under pressure has no serious statistical flaws, may be out of the question.

      I’m not saying generating a PIN from the MAC is a great method. But at least you can rely on the MAC address to be unique per device, and it is a quick solution to what I’ve hopefully impressed isn’t as trivial a problem as it may seem. I and others could surely come up with improved methods, but we’re not under the gun, and have the benefit of hindsight.

      1. I understand the problems here. If the PIN was based on some serial number of the chip or board or whatever, I wouldn’t complain that much, as without gaining physical access to the device the PIN wouldn’t break that easy.

        However basing a security PIN on data the same device is broadcasting in the air available to everyone feels like a new low or a simple backdoor.

      2. If the problem with a random numbers is finding a good initial seed without extra hardware in the device, then just flash some random into it at the factory at the same time that it gains its initial firmware and a MAC.

        Aaand, done.

    1. In the real world, user buys router, insets CD, clicks Next until the installer finishes… goes surfing… I would doubt they even get presented with the coice of what to do with WPS, far less understand the implications, in most cases. This is why sane defaults, and good security are the responsibility of the router manufacturer.

      1. Exactly. You’d think router manufacturers would be far better at implementing security properly, but that appears not to be the case. I’ve come across a couple of issues myself; I recently came across a wireless router which had the remote management interface enabled by default (even when the interface was disabled the port was still left open), and another one not too long ago that had the WAN MAC address set as its default password. It’s a concern to say the least.

    2. I didn’t turn off WPS. I installed DD-WRT and then made sure WPS was off. I gave up long ago on the crap code that D-Link and others ship. I wouldn’t buy a router unless it ran well-supported open-source firmware.

    3. Here is the crazy thing. A lot of router uses open software inside and integrate with their own code. So technically, some of them are open sourced!

      http://tsd.dlink.com.tw/downloads2008list.asp?OS=GPL

      GPL Source Code GPL Code:DIR-810L A1 GPL code for FW v1.01 349.32 MB .
      GPL Source Code GPL Code:DIR-810L B1 GPL code for FW v2.00 355.14 MB .
      GPL Source Code GPL Code:DIR-810L B1 GPL code for FW v2.01 344.75 MB

      Because of GPL, the router models that uses GPL code are available for downloading, so where is the “many eyeballs” part and where is the user fixing code part?

      BTW DIR-810L is the router in OP.

        1. This is a comment to Anonymous. Sorry to put it bluntly but your an idiot, and I’m real sick of the idiots making the same comments as the media and main population condmeing the problems of security with open source software. Get smarter or shut up. You don’t get heartbleed because of open source, you get heartbleed from lack of funds, and natural consequence of complicated code coded by humans. Therefore logic is not (Open source = bad software/security holes) its (bad software/security holes = funding/human error). yes that was a rant

      1. Good luck actually compiling those source tarballs from the various router manufacturers. You’ll find they tend to be a mess of badly patched packages and hacky modifications along with a half missing build system that has scripts missing so it won’t compile. They’re only providing them because they’re forced to and they’re the nicer ones who even bother to vaguely comply with the GPL. There are plenty of manufacturers who basically tell you to get lost if you ask for the source.

      2. I did manage to compile source code of my Belkin router. They even throw in the cross compiler, binary blobs that they have licensed, drivers and scripts necessary for that. So for that particular model, it was complete and I managed to compile a working binary. [Teddy Bear] ported Tomato USB over shortly afterwards and I was and am still happy.

        You’ll be surprised if you have actually done your research that quite a few of the router vendors have source code available these days. Just need to google for vendor and gpl . Off the top of my head, the usual ASUS, TP-Link, Belkin (even before they bought Linksys), D-Link have source code available. So if you insist on GPL, buy from those who do respect that instead of brands that you claimed not to. Easy as that.

  2. So whatever happened to the convention of spelling out acronyms on first use? I remembered *what* wi-fi protected setup did, but had to look up the full version of the name just now so I could write this sentence.

    I realize that for common enough abbreviations we can assume the readers would know them already, but how many of us actually use/talk about WPS that often?

    1. Style guide choice. You’re sitting in front of a computer with Google. Deal with it.

      If you want the non-glib answer, here’s the first sentence of the article:

      “A router with WPS requires a PIN to allow other devices to connect, and this PIN should be unique to every router and not derived from other easily accessible data…”

      That literally tells you everything you need to know about WPS: it’s a way to connect to WiFi by some out of band method. What more does typing out ‘WiFi Protected Setup’ add?

  3. I’ve seen routers which didn’t let you turn off WPS. You just didn’t have the option to disable it. At least you knew the router was crap and had no security there though. I’ve seen reports of routers that had the ability to turn off WPS but that just meant it stopped advertising it. It would still accept WPS packets if you sent them so you were vulnerable to all of the WPS attacks even though it would appear that you had disabled it.

  4. Consumer routers are a mess. Question is, how to fix it? I say PR-shaming and economic consequences. Make a law that gives consumers the right to refund their router up to 5 years after release if the manufacturer doesn’t provide timely firmware updates, or doesn’t provide simple and standardized security update alerts (RSS, email, twitter …) or is shown to have vulnerabilities that is proof of failure of design (judged by some as neutral as possible third party organisation). Make a simple, public vulnerability grading for each router manufacturer on a scale from 1-10 and mandate that all packaging and promotion materials must prominently display that score.

    1. Wow, that has to be the worst solution possible. That means zero personal responsibility on hundreds of millions of people verses the responsibility and risk of millions of people on a few thousands. If thats not the furtherest from justice I don’t know what is. And talk about immature, and supporting turning society into distopia operating with a drone like society.

  5. If i understand correctly, this is easily exploitable because the LAN and WAN mac addresses are off by 1. Otherwise the WAN mac address would not be known and the WPS pin could not be determmined.
    Not saying that the MAC>WPS is a good design choice, just pointing out this detail.

  6. I doubt this decision was made quietly by one engineer at his desk. If it was, it should have at least been picked up by the code reviewer. Either way, they need to have a good look at their development practices!

    It reminds me of the old routers (was it BT home hubs?) that generated both the unique SSID and the WEP key from the same serial, and with a bit of maths you could generate a handful of potential WEP keys which had a high probability of being correct, just from the SSID.

    1. …What is this ‘code reviewer’ you speak of?

      Seriously though, If you haven’t watched the Black Hat 2013 video about Network Surveillance Cameras, I highly recommend it – you have no idea how deep these types of problems go, it makes you wonder if there’s any sort of review process at all.

      The presenter managed to turn surveillance cameras from most top-tier manufacturers (including Cisco) into Linux shells with root access due to lousy programming, not unlike the one posted here.

      Here’s a link, it’s about 30 mins long but seriously worth it: https://www.youtube.com/watch?v=B8DjTcANBx0

  7. I don’t understand why people think this is huge. Does no one critically think anymore? Corporation A cares only about money, then makes product, then buyers’ find they took all the possible ways of cutting costs. Is that really that foreign? Do people really not realize that if given the opportunity 99.5% of the population will do the wrong/evil thing if there are no consequences, and since the consequence of morality is intrinsic then everyone you meet would probably steal from you, lie to you, and let you die so long as there are no consequences. Statistics show that 97% of people will lie 20 times in 5 minutes within first meeting. So why does anyone trust anyone, especially those that can obfuscate immoral/unethical choices? No cares about you or whats right (morally/ethically), thats reality, if you want something other than that, you have to do it yourself. If the source of evil/wrong is humans, then adding more humans to fix it, won’t do anything, or metaphorically speaking, you can’t clean a dirty surface with dirty water.

  8. Hi Craig,

    Great findings… however the pingen.py phthon script is not working… I tried to run it and it reported File “c:\pingen.py”, line 7 class WPSException(Exception)
    what could be the problem here ???

    Please help.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.