WPS Attack - Null Pin

Why bother with a PIN at all ?

So far we have learnt that there are at two potential attack vectors on WPS - PBC (Push button connect) that can yield successful reveal of WiFi password. However, another router enthusiast who started looking at firmware embedded in HG658C found out that manufacturer has given an option to connect to the router using ..... an empty pin.

Connected to
Escape character is '^]'.
-----Welcome to ATP Cli------
Login: !!Huawei
BusyBox vv1.9.1 (2014-02-08 20:26:13 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.
# nvram show | grep wps_device_pin
size: 2659 bytes (30109 left)


I would love to know the reason behind this implementation, was it conscious ? Did they know that programmers building the firmware allowed this hole to persist, has nobody checked the possible implications ? Since routers are built from parts coming from different manufacturers it is a good idea to look at specific WiFi chip to see if correlation with other router manufacturers can be made in order to cross-reference the vulnerability. HG658C uses Broadcom BCM63168 SOC and above researcher has demonstrated that if one could send an empty PIN for eg. with reaver v. 1.6b or above using command:

reaver -i wlanXmon -b xx:xx:xx:xx:xx:xx -p "" -N

-i wlanXmon - describes wireless interface in monitor mode -b mac address of the Access Point -p "" empty pin inside quotation marks -N no-nacks - helps to accomplish that feat successfully Once we run this command the PSK (pre shared network key) would be provided in less than a minute of work on a vulnerable router of course !

So far I have found out that affected BCM63168 is implemented in at least 29 known routers/devices adding to the list. Others reported successful breaches on HUAWEI version of BT Home Hub 3.0B running BCM6361 adding potentially 12 more different routers to the list and EE-Smart-Hub from Arcadyan Corporation running on atheros chipset - sadly I could not locate the chipset model itself therefore I am still waiting to cross-reference it with other brands.

Pin cracked in 3 sec! My new personal record - after weeks of learning, boy was it worth it!