
...talked before as well about key generation in wireless routers. I'm really happy to have this as well.

Can you hear me? Good. Well, this is the title of the talk today; it's my name and my colleague, and I'm going to be a little bit fast today. I have like 45 slides, so sorry if I speak really fast. This is the outline of the presentation: we are going to present who we are, the introduction, the methodology that we used, the findings and vulnerabilities in the routers, conclusion and questions. This is myself. I'm not a speaker at any conference; it's my first conference, so I'm a little bit nervous.
Hi, I'm a Master's student at the Kerckhoffs Institute, which is in computer security in the Netherlands. I'm from Radboud University, and I'm a security analyst and researcher at Riscure in Delft; the company is also in the States, in San Francisco. I'm working mainly on satellite devices, so I'm doing security evaluation for hardware. This is my blog and this is my company right now. These are my colleagues. If you have messed around with Mifare or iClass or HiTag, maybe you know this guy, Roel Verdult; he's a researcher at Radboud University Nijmegen. And then we have another colleague, Carlo; he's not here today. He's also doing a lot of research in Mifare, how to break the crypto, and he's also a Master's student like me; he was my colleague during my master's, and he's also a PhD.

What this talk is about is a little bit of basic hardware hacking: how we extract firmware images from the router and how we were able to find out the WPA algorithm to generate the keys. Then we did responsible disclosure with the ISPs, so basically they know everything. This is the timeline; I'm not going to go further, you can read it later. And yeah, when you have hardware you have to wait for like six months or something, and then you can release the vulnerabilities. This talk was supposed to be released at USENIX WOOT in Washington this week, but they invited me also here, so I decided to be here as well; I think it's really cool. I don't want to go into details on this; we are going to release a paper, so you can read the paper, and we explain everything: how WPA works, which algorithm it's using internally, how the authentication is working. The authentication basically is a challenge-response protocol, and the problem is not here; the problem is that even if you don't know the key, you can deauthenticate everyone in the network. That means that you can get the handshakes; the handshake is the packet where the key is, so you can then brute-force this packet. So basically what you can do is that you can be in the middle, you can be the attacker, the adversary, and the communication is encrypted, but you can send a packet: "Hey, I want you out of the network." You can send a packet, and the packet is in plain text, and you can deauthenticate the client. Maybe you can use aircrack; I think everybody knows aircrack here, right? Raise your hands if you know. OK, quite a lot, nice. I'm not going to go into details.

Well, this is the main thing that you have to do: if you want to be sure the algorithm is in the router itself, you have to extract the firmware image. Sometimes it's really easy, sometimes it's not really easy. So the steps that we did: first thing, you go to the website and see if the firmware is there. Normally the firmware is not there, because this is managed by the ISPs. The second thing that we can do is, well, maybe we have a little bit of skills in penetration testing, we can see if we can exploit something and we can get the firmware out. Sometimes this is not working, so we have to go to UART or JTAG; these are hardware protocols. And if nothing works, we can always desolder the memory flash and get the content out. Basically, this is an example of command injection in one of the routers: yeah, you have telnet, you don't have many commands, and suddenly you can execute commands in the shell, so you can escape the jail. This is really common, really really common. Usually, if you were not able to extract the firmware through a command injection like here, you can for example communicate with UART; it's a serial protocol and there are three cables, GND, TX and RX, and you can try to extract the firmware over here. Sometimes this is protected, basically all the time it's protected, so you can go further and you can for example try to JTAG the device. This is for example JTAG; it was not here, so I soldered some pins here and then I communicated with the board. When you are using JTAG, JTAG is under the operating system and the firmware itself, so you are at a really, really low hardware level, so you can say "I want to dump the RAM, I want to read the flash", and it's really really cool. If nothing works, you can always use an EEPROM reader and you can get the content out. This is mainly what we did, because most of the routers were not vulnerable to command injection, or the UART was always with password, and some of them were not using JTAG, so basically we dumped the firmware.

Let's go for the manufacturers. We start with Comtrend. This is really common in Spain and also in the Netherlands, which is the country that I live in. These are the findings; I'm only going to discuss two, like one backdoor (there are different backdoors) and the WPA key generation. This is also, for example, how we could dump the firmware: we basically used OpenWrt, and then we enabled telnet, we found the command injection, we dumped the firmware as well, we also found the buffer overflows, but this is not important here. Let's go for the backdoors.
Basically, when we dumped the firmware we were able to do a little bit of reverse engineering, so we realized, OK, it looks like there are two users. Sometimes here you have admin, and if you are checking the access mode and the user is this user, you are magically totally admin, because we were using this router and you don't have all the features in the web interface. So basically we discovered this, and this is too bad because it cannot be changed by the customer, it cannot be changed by the ISP without a firmware update, and it's in plain text, it's not hashed, so if you have the firmware you know this "totally secret" one and you can access it. This is how we realized that it had the command injection: it's checking the ampersand, it's checking the semicolon, but what about the pipe, what about the quotes? So it was too easy, but really, really common.

Let's go for the algorithm. Once we enabled telnet, because it was not enabled by default, we were able to see one command here; well, you have like six commands, like version and MD5 WPA key, blah blah blah, and we realized, OK, we have to follow this, we have to track this command. This, as you see here, is a client shell, but this is really a concatenated shell. We realized that there's MD5, dumping content from MD5 and encoding the result, and then it's printed in the WPA. So we already know that it's MD5, nice. We can go a little bit further and we see here something really nice: this looks like a MAC address and another thing, and we realized that it was the secret, it was the LAN MAC address, and, well, this was the wireless one or the other, I don't remember which one. Then all this string is going to the MD5 encode, and then we realized this is the plaintext and this is the ciphertext. It goes a little bit further: before they create the password, they remove it. So the question is, what if I patch the firmware and I put ls? That means that you can recover the plaintext, and we did it and it was working. And how we can get it: well, we can read this MD5 encode because we used the command injection that I showed you before, so we were able to see basically the plaintext for the algorithm. This is to summarize: these constants that you see, the lowercase, the uppercase, and now we have two things. If we want to break into the network, we can brute-force three bytes that we don't know, so we can use GPUs, it's pretty fast, or we can do it even better: if we can have monitor mode we can see the packets in the network, and we realized that the headers are the MAC addresses, the wireless MAC address and the LAN MAC address, so we can get all the data we need. Basically, if you have monitor mode it's seconds; this one is about some minutes. So you can recover the keys; it's really easy.

This problem was not only in the Netherlands in 2015; it was also in Spain. I found the same algorithm; it was even worse, because it was the same command injection but they hadn't patched the errors yet, so it was really funny. And here you were not able to use ls, so what I did is a for loop with echo, so I was able to echo all the files with a loop; it was a homemade ls. So I found that, OK, there is something here really interesting, so I also recovered the algorithm: basically the same strings, different secret. This is the Comtrend backdoor, the password. So yeah, let's go for another brand.

This one is really popular in the Netherlands; mainly, you go to a store and you can only buy this brand, it's really popular. When we started with the research, two people from Italy released some stuff, so it was not really interesting for us anymore. Well, I read it, and I followed a little bit what they were doing. They also found backdoors, they also found some algorithms. For the firmware they were using just XOR encryption, so it was really funny, because at the end of the firmware image everything was zeros, so if you do XOR with zeros you know what you get: the key in plain text. So it was really cool; when you get the key you can decrypt the firmware and everything is in plain text. Let's go for our findings. We found a new algorithm; we confirmed that the old algorithm was working in many, many, many routers, maybe 90% of the routers of this brand; and we also reverse engineered another binary. The first binary we did, it was just a binary and it was in the binary folder, it was called auto WPA key, so even if you are using chroot and QEMU you can emulate it, and you are inside the emulation, so you can use the libraries that are in the jail, so basically you can get the key in plaintext as well. So it was really funny. So I started doing reverse engineering, and this binary was totally stripped; that means that you have no symbols in the binary. This is the last version I did; it was MD5, as you see here, but I didn't know, so I reversed the whole MD5 algorithm. It took me like five days in the middle; it was really cool, and yeah, well, at the end you learn: if you see some constants in the binary, maybe they are using MD5 or SHA-1 or SHA-256. It was really cool. They were using the old algorithm that the Italian guys released, and they were using another charset here, so basically it's like 40% of the routers using this charset and the other ones using this one; around 40 models are affected. This is also, well, we didn't focus on the WPS generation, but as you see here it's always generated from the MAC address, and the MAC address is always public, so you can recover it as well; we didn't pay attention to this, it was too easy.

We went now for Thomson. Does someone here remember SpeedTouch in 2008? So we have the same problem again: Thomson, same manufacturer again. We started with one image, and we realized, well, here I renamed all the functions, but it was totally stripped. So this is a function that is generating all the wireless network names from the serial number, so there are like eight ISPs, from Argentina, Spain, Holland, Austria, Poland, I don't know. This is for example one example; I don't know where they are from, they are not in the Netherlands right now. This is for example the switch that we found for all the WPAs that they are generating here. So I started renaming; for example, I have no idea which model this is, because there was not the string, and another here that I removed because I don't want to release the ISP names. Basically we really focused on the model in the Netherlands, because it's the router that we use every day at home. So basically we quickly found, like, hey, this is the format with the name, with the format of the SSID; we found the algorithm; also we found that there was a public hidden SSID from three, four, five years ago and nobody knew that, and it was with a hardcoded password, and it was really funny as well. Basically these are all the operations that they are doing, and basically you see the charset they are loading, the "A", and this is, I think this is a length, yeah, this is a length. So you have basically a lot of information here, so we reversed this; even if you don't know what it's doing, you can convert assembly code to high-level code in C or Python and you can do the same stuff. These are more examples for more countries; we don't know which countries they are, and yeah, basically they have a function, and this function is calling another function that generates the hash; it was totally stripped as well, so we were renaming names, for example here, like I don't know what this is but it's very used, that's good, and then I realized it was a string copy, because it was copying here, it was writing in the string here. And yeah, I'm going to show now some examples: MD5, well, model, symbols (the symbols are a little bit difficult to brute force) and also the serial number here. So basically the serial number is a numerical number of n digits, so it's pretty much always consecutive, so you can really brute force it. Another example, I don't remember which country this is, always the same: MD5, model, ISP, serial number. Another one here, they were generating the hash and they are doing some calculations later to modify it a little bit. Another one here looks like they are the same, but they are not the same; they are using different names, but basically the algorithm is the same. Arcadyan: they are doing a little bit of obfuscation in the firmware, so sometimes you have to struggle a little bit to recover the firmware in plain text. When I did this, I already worked in this number two in Spain for security, Seguridad Wireless, so we recovered also the algorithm for Arcadyan. They are using just XORs and ANDs and normal additions, and basically this was in Spain, it was also in Germany and now it's in the Netherlands; it can be in more countries, so maybe also here, I mean, it depends on the ISP. So... minutes? Enough, enough, only for
This is not in the Netherlands, but this is also another firmware that I was paying attention to. Sometimes, I mean, when the binary itself, the firmware image, is not stripped, you can see really fast, like, OK, this is the function generate key, generate key from MAC, and they are using SHA-256, so it's really straightforward to reverse engineer the firmware. This is, if we are here we can go here, and yeah, generate key, and this is the function that is creating all the default settings. So yeah, we can know a little bit that this function is going to create the WPA from the key, and then it's doing some conversion, and if we go a little bit further, a little bit deeper, we can see the function gen key is taking one argument before calling the function, and then it's here, it's the address of the password, it's the address of the key where it's going to write the key, and then it's jumping there. So we jump there, and here you basically see it really fast, like, hey, this is SHA-256. We know that this was something that was coming before, it was the first argument; we have some value at this address that has this length, it has 20 bytes, 20 bytes in hex, that is 32 bytes, sorry, and then we have something here, a load immediate into the register a2, 6, which can be the MAC address. So if we go there we see something here; this is the address I was talking about before, so basically here we have 32 bytes that are the secret seed, the magic number that they use to generate the key, and then we have also the charset at the bottom.

The conclusion is that things are still really, really terrible in security when it comes to routers; they don't use much security, they don't pay attention, and this is not only a problem in the Netherlands and in Spain, the country I was living in, I'm native there, so maybe this is a problem that can be everywhere. So with this research we want to invite people to do the same in your country, and maybe, yeah, we can do the same. Nice. Security by obscurity doesn't work: I mean, if you don't release the algorithm and you think that you are totally secure and your clients are secure, it can be the other way around. So security by obscurity is not security; actually my mentor says that if you have security by obscurity and you subtract obscurity, you have no security. Another conclusion is that vendors reuse the same algorithm with a slightly small difference, so the same thing I found in Spain was five years later in the Netherlands; the same problem I found here, I think it was in Argentina, it was in Portugal, and I think it's another country like Poland, another guy sent me an email, but yeah, I don't have time for that. So it looks like they are always using the same. So yeah, even if the binary is stripped or not, I mean, if it's not stripped and it's not obfuscated, it's still doable; it's not the solution to say "yes, strip the binary and you are secure." Second, and the other thing is that the ISPs don't have to include the algorithm itself in the firmware. And with this I think I'm done. Thank you for your attention, and if you have questions, go ahead.
OK, OK, so, Jeff first. Other than, sorry, other than the backdoors, why are they trying to... why do they try...? Yeah, because they have, I mean, now they have TR-069, this is a remote protocol, so they have total access to the router. But I don't know which year they installed this backdoor in the router; maybe like some years ago this protocol was not available to all the ISPs, so it's some way to have control of the router, I think it's for that.
Yeah, exactly. How are you getting theirs? Were you buying the same routers and then doing this? How are you getting... how can I start? How did I do it? OK, well, we bought a bunch of routers. So you bought the... Yeah, we went to eBay and we bought second-hand routers. And you were actually buying their routers from eBay? Well, not eBay, it's another website. OK, so we have to break it off. Two more minutes? I'll be actually...
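The XOR firmware packing the speaker describes for the second brand (an image XORed with a repeating key, with a run of zero bytes at the end that hands the key straight back) is worth seeing worked through. The block below is an added example, not code from the talk or from any vendor; the image layout, the 12-byte key and the 256-byte zero tail are constructed, and the key-length detection by periodicity goes a step beyond what the talk says.

```python
"""Why repeating-key XOR is not firmware encryption: a run of known
plaintext (here, zero padding at the end of the image) leaks the key.
Constructed example; the layout, key and sizes are not any vendor's."""
from itertools import cycle
from typing import Optional


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key (encrypt and decrypt are the same)."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def find_period(tail: bytes, max_len: int = 64) -> Optional[int]:
    """Smallest p with tail[i] == tail[i + p] for every i.

    Over a region whose plaintext is all zeros the ciphertext *is* the
    keystream, so it repeats with the key length as its period. The tail
    must hold at least two full key repetitions for the answer to mean
    anything; otherwise None is returned."""
    for p in range(1, max_len + 1):
        if len(tail) < 2 * p:
            break
        if all(tail[i] == tail[i + p] for i in range(len(tail) - p)):
            return p
    return None


def recover_key(image: bytes, zero_tail: int) -> bytes:
    """Recover the XOR key from the last `zero_tail` bytes of the image,
    which are known to have been zero before 'encryption'."""
    start = len(image) - zero_tail
    period = find_period(image[start:])
    if period is None:
        raise ValueError("tail is not periodic; not a short repeating XOR key")
    # Keystream byte at absolute offset j is key[j % period]; realign so the
    # recovered key starts at offset 0 of the image rather than at `start`.
    key = bytearray(period)
    for j in range(start, start + period):
        key[j % period] = image[j]  # plaintext is 0 here, so ct byte == key byte
    return bytes(key)


# --- constructed sample image (not a real firmware) ----------------------
SAMPLE_KEY = b"s3cr3t-k3y!!"                       # 12-byte repeating key
ZERO_TAIL = 256                                     # zero padding at the end
SAMPLE_PLAIN = (b"FWHDR\x01\x00v2.1\n" + bytes(range(256)) * 4
                + b"user=admin\n" + bytes(ZERO_TAIL))
SAMPLE_IMAGE = xor_bytes(SAMPLE_PLAIN, SAMPLE_KEY)  # what would ship on flash


def unpack_image(image: bytes, zero_tail: int = ZERO_TAIL) -> bytes:
    """Recover the key from the padding and return the decrypted image."""
    return xor_bytes(image, recover_key(image, zero_tail))


if __name__ == "__main__":
    print("recovered key:", recover_key(SAMPLE_IMAGE, ZERO_TAIL))
    print("decrypted header:", unpack_image(SAMPLE_IMAGE)[:16])
```

The same recovery works for any stretch of known plaintext, not just zeros (XOR the known bytes back in first); the defensive takeaway is that an image needs real authenticated encryption with a per-device key, or simply no secrets in it at all.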