ɘƨɿɘvɘЯ algo attack cracks Belkin router WPS PINs: researcher

A researcher who last year turned up weak WPS PIN protection in D-Link broadband modems has found the same problem exists on Belkin devices.

The writer at embedded systems hacker hangout /dev/ttyS0, who goes by the name of Craig, says the upshot of his latest work is the same as previously: it demonstrates that like D-Link, Belkin uses a vulnerable procedure to generate its WPS PINs.

The problem is that the vulnerable devices (list at end of article) all use easily-discoverable information to seed the PIN-generating algorithm, and a skilled attacker – or one using /dev/ttyS0's proof-of-concept code – can reproduce how the security number is generated.

The algorithm takes the device MAC address and serial number as its inputs. MAC addresses are easy for an attacker to gather, and Belkin provides the serial number in response to an ordinary 802.11 probe request.

The /dev/ttyS0 post claims that 80 per cent of the 24 devices tested exhibited the vulnerability.

The earlier post identifying the problem in D-Link routers is here.

Twitter user Eduardo Novella claimed another manufacturer is also vulnerable, but didn't identify which:

After reading how @belkin generates #wps pincodes thanks to @devttyS0 . I tried another well-known brand and BINGO! pic.twitter.com/KcULZdHmZd

— Eduardo Novella (@enovella_) April 11, 2015

However, that may suggest that the SuperTask! RTOS (realtime operating system) that seems to be the source of the problem is in widespread use. ®

Bootnote: The allegedly vulnerable devices are model numbers: