WPS - Is it flawed?
Last Post: November 19, 2014:
-
As with almost all things in the security realm, the _real_ weaknesses always seem to come back to proper implementation.
Look at this cluster^&*(:
http://www.devttys0.com/2014/10/reversing-d-links-wps-pin-algorithm/
-
So true. Cryptography is hard. Why do so many people insist on doing it themselves?
About a zillion years ago I tried to talk Phil Zimmermann and Jon Callas into turning PGP into a company that would write the crypto bits for other companies and then let them use the PGP name. PGP provides a library, audits the implementation, then calls the product "PGP certified" or "Protected by PGP." Of course that would depend on PGP building name recognition outside of geek-land, and their reputation could be crushed by the first group to do something stupid with a certified product.
-
The WPS specification clearly states that "PIN values should be randomly generated, and they MUST NOT be derivable from any information that can be obtained by an eavesdropper or active attacker." The two examples explicitly given are device serial number and the MAC Address.
Is it possible that the D-Link AP is basically WFA certified, but that its WPS feature is not certified? WPS is, after all, an optional feature!
I tried to look up the WFA certificate for the DIR-810L just now, but the WFA Certified Device database is currently unavailable.
__________________________________________________________________________________________________________________
Creating truly random numbers requires crypto-strength algorithms and hardware. This includes Nonces (Numbers used once).
Some Wi-Fi manufacturers have been known to use Nonces composed of all Zeroes, other hard-coded constants, and even the originator's Nonce.
This all makes me wonder how D-Link handles WPA2 Nonces.
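The three nonce failures named in the post above (all zeroes, a hard-coded constant, and reuse of the originator's nonce) can be checked for when reviewing handshake records from a device under test. This is an added example, not part of the original thread; the record layout, the `audit_nonces` name and the sample data are assumptions constructed for illustration.

```python
import hashlib
from collections import Counter

NONCE_LEN = 32  # WPA2 4-way handshake nonces are 32 bytes


def _sample(label):
    """Deterministic stand-in for a random-looking nonce (constructed data)."""
    return hashlib.sha256(label.encode()).digest()


# Constructed records, one per handshake: (session id, peer nonce, device nonce).
SAMPLE_HANDSHAKES = [
    (1, _sample("peer-1"), _sample("dev-1")),   # healthy
    (2, _sample("peer-2"), bytes(NONCE_LEN)),   # all zeroes
    (3, _sample("peer-3"), _sample("peer-3")),  # echoes the originator's nonce
    (4, _sample("peer-4"), _sample("fixed")),   # hard-coded constant...
    (5, _sample("peer-5"), _sample("fixed")),   # ...seen again in a later session
]


def audit_nonces(handshakes):
    """Return {session_id: [findings]} for device nonces that look non-random."""
    # A value that appears in more than one session is, by definition, not a nonce.
    seen = Counter(dev for _, _, dev in handshakes)
    report = {}
    for sid, peer, dev in handshakes:
        findings = []
        if len(dev) != NONCE_LEN:
            findings.append("wrong-length")
        if dev and not any(dev):
            findings.append("all-zero")
        if dev == peer:
            findings.append("echoes-peer")
        if seen[dev] > 1:
            findings.append("repeated")
        if findings:
            report[sid] = findings
    return report


if __name__ == "__main__":
    for sid, findings in sorted(audit_nonces(SAMPLE_HANDSHAKES).items()):
        print(f"handshake {sid}: {', '.join(findings)}")
```

A clean report only rules out these three specific failures; it does not show that the device's random number generator is sound.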
-
Interestingly, the WFA database indicates that two versions of this AP had been certified very close to each other. In addition, if you compare the actual certs there is almost no difference between them - except perhaps a misleading feature that's a requirement anyway. Not that it's related to the problem, but the latest release is also based on Linux, whereas the previous one was not. I doubt all these indicators are just coincidence.
There really is no excuse for selling such a hokey product with such a weak design. This particular flaw should have been obvious to a first-year programmer with a CS degree, even before the new WPS standard came out.
I think it's nice that Reaver Pro takes advantage of this recent revelation, but I see no evidence that it actually works on any WPS 2.0 APs.
Thanks to everyone for making this flaw public - it makes for a great lesson. Hopefully D-Link, and others, will remember it.