
Reversing D-Link’s WPS Pin Algorithm

96 points by PaulSec over 10 years ago

8 comments

m-app over 10 years ago
A while ago I found out that the D-Link router I had (655) had some XML output available for DHCP lease status and interface statistics. I also noticed that these stats only became available after logging in initially from a certain IP/MAC (no session state kept). The router gives a salt that is valid for a while, and on the client side that salt is used together with the password to generate a hash which is used to log in. You can then proceed to retrieve the XML data.

In case anyone is interested, the (very hacky) scripts are on GitHub: https://github.com/michielappelman/router-stats
drzaiusapelord over 10 years ago
WPS is broken anyway. It's trivial to crack via brute force. Why it's still being shipped as a feature, let alone a feature that's on by default, is beyond me. The failings of the wifi consortium are pretty obvious, to the point where I wonder if there's some NSA trickery involved in making sure these things are insecure by default. I wish they took security more seriously.

http://www.kb.cert.org/vuls/id/723755
Moral_ over 10 years ago
Craig is so damn smart. I love how he went in looking to exploit some format string vulnerability, or an incorrect escaping of arguments passed to system(), but came out with a way to systematically grab WPA/2 keys from D-Link. Why would D-Link roll their own WPS key generation scheme? All the in-home routers I've seen come with the WPS PIN set in NVRAM and written on the bottom of the router.
jgrowl over 10 years ago
Aren't WPS PINs completely flawed in their design anyway?

I seem to remember being able to use an exploit to break into my own router that had WPS enabled about a year ago, using a program called reaver.

The exploit had something to do with routers telling the attacker whether or not they guessed the first 4 digits correctly, and then it narrowed it down enough to where brute-forcing was easy.
Someone1234 over 10 years ago
Off the top of my head, the only way to exploit this would be either by your ISP or the security services (via your ISP, or the router manufacturer).

WAN MAC addresses don't travel very far upstream, typically only to the local exchange. So in order for someone to utilise that to generate a WPS key, they would have to sit at the exchange (on your side of the connection) and do it.

The manufacturer might also store the WAN MAC addresses of each piece of equipment they produce (along with serial, etc.), and depending on the supply chain you purchased the router down, or if you registered it, they could figure out your router's WAN/WPS PIN that way.

In general, PIN-based WPS is a bad idea. Turn it off and do button WPS only. Or turn it on only as needed.
osivertsson over 10 years ago
Funny thing is that I've been looking at D-Link's (actually Cameo's) /sbin/ncc and other binaries the last couple of days (well, actually nights...) on a DIR-636L.

I even have a note here wondering where they read from NVRAM or similar related to WPS, because I couldn't spot it. Guess I have the answer now!

I doubt I will have the time to investigate it, but my feeling is that there is a lot of funky stuff in /sbin/ncc and the companion binaries.
f2x over 10 years ago
Question: I realize that the manufacturer has kind of dropped the ball, but would flashing the firmware with DD-WRT allow the user to patch the gaping security hole? Or does it go deeper?
tokenizerrr over 10 years ago
Is there any reason at all the WPS PIN would be derived from this kind of information? I don't want to seem paranoid, but this sounds like a backdoor?