Attackers can easily crack Belkin routers’ WPS PINs

A considerable number of routers manufactured by US-based Belkin use a flawed method for creating PINs for Wi-Fi Protected Setup (WPS), making them easily discoverable by attackers, a researcher has found.

WPS is a network security standard aimed at allowing users to easily secure a wireless home network, and at simplifying the adding of new devices to the network by typing in a (relatively) short number instead of a long password.

The researcher, who goes by the name Craig and is one of the group of hackers interested in embedded systems who maintain the /dev/ttyS0 site alive, has discovered last year that D-Link routers create the WPS PIN from the device’s MAC address.

Wondering if other manufacturers made a similar mistake, he decided to analyze firmware used in Belkin routers and, unfortunately, discovered that some of the manufacturer’s devices generate WPS PINs based on part of their own MAC address and of their serial number.

“MAC addresses are easily gathered by a wireless attacker; serial numbers can be a bit more difficult. Or, at least that would be the case if the Belkin’s 802.11 probe response packets didn’t include the device’s serial number in its WPS information element,” he noted.

“Since WiFi probe request/response packets are not encrypted, an attacker can gather the MAC address (the MAC address used by the algorithm is the LAN MAC) and serial number of a target by sending a single probe request packet to a victim access point.”

By using the PoC he created, an attacker can easily discover the PINs and ultimately gain access to the network.

80 percent of the Belkin routers he tested were found to be vulnerable – F9K1001v4, F9K1001v5, F9K1002v1, F9K1002v2, F9K1002v5, F9K1103v1, F9K1112v1, F9K1113v1, F9K1105v1, F6D4230-4v2, F6D4230-4v3, F7D2301v1, F7D1301v1, F5D7234-4v3, F5D7234-4v4, F5D7234-4v5, F5D8233-4v1, F5D8233-4v3, and F5D9231-4v1 – but, as he noted, “It’s not entirely fair to pick on Belkin though, as this appears to be an issue specific to Arcadyan, who is the ODM for many Belkin products, as well as others. This means that there are additional devices and vendors affected.”

Given that WPS has had its share of problems and vulnerabilities, turning it off might generally be a good idea.