Pierluigi Paganini April 14, 2015

A researcher discovered that Belkin implements a vulnerable procedure to generate WPS PINs. Just knowing MAC and the serial number he can calculate it.

A security researcher who goes by the name of Craig has discovered a critical flaw affecting Belkin network devices. that could be exploited by attackers to calculate the WPS PINs. In October 2014 Craig wrote on /dev/ttyS0 a post on a similar bug affecting D-Link routers.

This time the expert explained that Belkin implements a vulnerable procedure to generate its WPS PINs, an attacker just needs of the MAC and the serial number of a device to calculate the PIN.

Being a known obfuscation method, using the Firmware Analysis Tool binwalk he was able to de-obfuscate and extract the compressed firmware image, then he started the analysis of the code searching for the flaw. The researcher tested 24 Belkin routers, 80% of them were found using the flawed algorithm for the generation of the WPS PINs.

Craig discovered that vulnerable devices use a PIN-generating algorithm based on information easy to retrieve, the MAC address and serial number. In order to retrieve the MAC address of a vulnerable device Craig exploited an ordinary 802.11 probe request to which Belkin devices reply the serial number.

“Since WiFi probe request/response packets are not encrypted, an attacker can gather the MAC address (the MAC address used by the algorithm is the LAN MAC) and serial number of a target by sending a single probe request packet to a victim access point. We just need to reverse the GenerateDefaultPin code to determine how it is using the MAC address and serial number to create a unique WPS pin (download PoC here):” continues the post.

The models of the allegedly vulnerable devices are listed below: