Page 1 of 1

WPS Pixie dust attack

PostPosted: Wed Feb 04, 2015 2:26 pm
by cyberdrain
The WPS Pixie dust attack is a new (well... August last year) type of attack against WPS that allows recovery of the keys when the M3 handshake is completed. The attack won't work all the time and I couldn't find any tools yet (though figuring it out yourself is way more fun), but the brute force itself is offline, so no more pesky WPS lockout. With this attack WPS cracking becomes a lot easier. Oh and have fun of course :D

Re: WPS Pixie dust attack

PostPosted: Wed Feb 04, 2015 2:31 pm
by Randoph
I thought WPS was one of the newer and better methods to secure a network, but as I read from the PDF; "Poor design and implementation". Was I wrong about it being secure or is this just a personal opinion from the writer?

Re: WPS Pixie dust attack

PostPosted: Wed Feb 04, 2015 7:04 pm
by cyberdrain
Randoph wrote:Was I wrong about it being secure or is this just a personal opinion from the writer?

First rule of crypto: don't invent your own. Take a guess as to how WPS was created? They weakened the otherwise secure AES based WPA2 protocol by adding an extension that was supposed to allow completely safe and easy set-up of Wi-Fi. And I guess they did succeed well in the latter.

However, one design mistake allowed for a bruteforce of the keys (too small keyspace compared to AES) and another for bruteforce within 4 hours (the second part of the key was based on the first). Of course there were no limits to how many keys you could try within a certain time. Oh and did I mention that once you know the keys used in WPS, you can use those to get the WPA2 keys to the wireless network? Worse still, some routers don't even allow WPS to be completely disabled, even when you specifically 'disable' it. The flaw was found in 2011 and the tool Reaver was released soon afterwards to automate the attack.

Now this new attack sometimes allows for offline bruteforce after you get to the third message in the handshake (M3). Simply said, the randomness (entropy) used to generate the random keys used by WPS in some devices is too low. No or low entropy for creation of new keys means the same or a guessable key is used in the protocol (this is yet another key, not the WPS or AES keys themselves). As the rest of the protocol is based on those keys being random, this allows recovery of the WPS key and ultimately the AES key for the wireless network. It also means the countermeasures designed against WPS bruteforce (stalling the handshake) have become useless whenever this attack can be used, as the attack is done offline.

Well, at least it isn't as broken yet as WEP was...

Re: WPS Pixie dust attack

PostPosted: Thu Feb 05, 2015 5:50 pm
by limdis
Image