Just need the MAC and serial number to generate Belkin WPS Pin

Pierluigi Paganini April 14, 2015

A researcher discovered that Belkin implements a vulnerable procedure to generate WPS PINs. Just knowing MAC and the serial number he can calculate it.

A security researcher who goes by the name of Craig has discovered a critical flaw affecting Belkin network devices. that could be exploited by attackers to calculate the WPS PINs. In October 2014 Craig wrote on /dev/ttyS0 a post on a similar bug affecting D-Link routers.

This time the expert explained that Belkin implements a vulnerable procedure to generate its WPS PINs, an attacker just needs of the MAC and the serial number of a device to calculate the PIN.

Being a known obfuscation method, using the Firmware Analysis Tool binwalk he was able to de-obfuscate and extract the compressed firmware image, then he started the analysis of the code searching for the flaw. The researcher tested 24 Belkin routers, 80% of them were found using the flawed algorithm for the generation of the WPS PINs.


belkin router wps pin

“MAC addresses are easily gathered by a wireless attacker; serial numbers can be a bit more difficult. Although serial numbers aren’t particularly random, GenerateDefaultPin uses the least significant 4 digits of the serial number, which are unpredictable enough to prevent an external attacker from reliably calculating the WPS pin.” reported the blog post.

Craig discovered that vulnerable devices use a PIN-generating algorithm based on information easy to retrieve, the MAC address and serial number. In order to retrieve the MAC address of a vulnerable device Craig exploited an ordinary 802.11 probe request to which Belkin devices reply the serial number.

“Since WiFi probe request/response packets are not encrypted, an attacker can gather the MAC address (the MAC address used by the algorithm is the LAN MAC) and serial number of a target by sending a single probe request packet to a victim access point. We just need to reverse the GenerateDefaultPin code to determine how it is using the MAC address and serial number to create a unique WPS pin (download PoC here):” continues the post.

The models of the allegedly vulnerable devices are listed below:

  • F9K1001v4
  • F9K1001v5
  • F9K1002v1
  • F9K1002v2
  • F9K1002v5
  • F9K1103v1
  • F9K1112v1
  • F9K1113v1
  • F9K1105v1
  • F6D4230-4v2
  • F6D4230-4v3
  • F7D2301v1
  • F7D1301v1
  • F5D7234-4v3
  • F5D7234-4v4
  • F5D7234-4v5
  • F5D8233-4v1
  • F5D8233-4v3
  • F5D9231-4v1

Pierluigi Paganini

(Security Affairs – Belkin WPS Pin Algorithm, hacking)

you might also like

leave a comment