Just need the MAC and serial number to generate Belkin WPS Pin

A researcher discovered that Belkin implements a vulnerable procedure to generate WPS PINs. Just knowing MAC and the serial number he can calculate it.

A security researcher who goes by the name of Craig has discovered a critical flaw affecting Belkin network devices. that could be exploited by attackers to calculate the WPS PINs. In October 2014 Craig wrote on /dev/ttyS0 a post on a similar bug affecting D-Link routers.

This time the expert explained that Belkin implements a vulnerable procedure to generate its WPS PINs, an attacker just needs of the MAC and the serial number of a device to calculate the PIN.

Being a known obfuscation method, using the Firmware Analysis Tool binwalk he was able to de-obfuscate and extract the compressed firmware image, then he started the analysis of the code searching for the flaw. The researcher tested 24 Belkin routers, 80% of them were found using the flawed algorithm for the generation of the WPS PINs.

“MAC addresses are easily gathered by a wireless attacker; serial numbers can be a bit more difficult. Although serial numbers aren’t particularly random, GenerateDefaultPin uses the least significant 4 digits of the serial number, which are unpredictable enough to prevent an external attacker from reliably calculating the WPS pin.” reported the blog post.

Craig discovered that vulnerable devices use a PIN-generating algorithm based on information easy to retrieve, the MAC address and serial number. In order to retrieve the MAC address of a vulnerable device Craig exploited an ordinary 802.11 probe request to which Belkin devices reply the serial number.

“Since WiFi probe request/response packets are not encrypted, an attacker can gather the MAC address (the MAC address used by the algorithm is the LAN MAC) and serial number of a target by sending a single probe request packet to a victim access point. We just need to reverse the GenerateDefaultPin code to determine how it is using the MAC address and serial number to create a unique WPS pin (download PoC here):” continues the post.

The models of the allegedly vulnerable devices are listed below:

F9K1001v4
F9K1001v5
F9K1002v1
F9K1002v2
F9K1002v5
F9K1103v1
F9K1112v1
F9K1113v1
F9K1105v1
F6D4230-4v2
F6D4230-4v3
F7D2301v1
F7D1301v1
F5D7234-4v3
F5D7234-4v4
F5D7234-4v5
F5D8233-4v1
F5D8233-4v3
F5D9231-4v1

Pierluigi Paganini

(Security Affairs – Belkin WPS Pin Algorithm, hacking)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.