What is Pixie dust attack on router?

A Pixie Dust attack works by brute-forcing the key for a protocol called WPS. WPS was intended to make accessing a router easier, and it did - for attackers.

A WPS PIN consists of 8 digits, split into two Pre-Shared Keys, or PSKs. Each PSK covers half the PIN. To understand how a Pixie Dust attack works, you'll need to understand how the requests to the AP work:

1. Computer sends - EAPOL Start

2. Router sends - EAP-Request for the Identity

3. Computer sends - Responds with the Identity

4. Router sends - EAP request

5. Computer sends - EAP response
...

And it loops these requests a few more times before the credentials are sent.

However, during this process, your computer has been given the following:

  • Diffie-Hellman public key of the Enrollee

  • Diffie-Hellman public key of the Registrar

  • Two hashes of the WPS PIN

  • Enrollee nonce and a derived AuthKey

Now, in order to successfully brute-force the previously mentioned PSKs, you'll need two more nonces, which are supposed to be randomly generated. And this is the most important part: since the random numbers are not really random but are derivations of the hashes (or are just zeroes), we can brute-force this key, even on a slow system! It will work if the implementation on the router is bad (which it is in most cases), and you should be able to find a list of vulnerable routers on the internet.

tl;dr: We brute-force a badly generated key because of a flaw in how the random numbers are generated in many routers.


In one of his books, Kevin D. Mitnick writes about the Pixie Dust attack:

To make connecting any new device to a home router easy, the Wi-Fi Alliance, a group of vendors eager to spread the use of Wi-Fi technologies, created WiFi protected setup (WPS). WPS was advertised as a way for anyone—I mean anyone—to securely set up a mobile device at home or in the office. In reality, though, it’s not very secure.

WPS is typically a button that you push on the router. Other methods include use of a PIN and near field communication (NFC). Simply put, you activate the WPS feature, and it communicates with any new devices you have in your home or office, automatically synchronizing them to work with your Wi-Fi network.

Sounds great. However, if the router is out in “public”—say, in your living room—then anyone can touch the WPS button and join your home network. Even without physical access, an online attacker can use brute force to guess your WPS PIN. It could take several hours, but it’s still a viable attack method, one you should protect yourself against by immediately turning off WPS on the router.

Another WPS attack method is known as Pixie Dust. This is an offline attack and affects only a few chip makers, including Ralink, Realtek, and Broadcom. Pixie Dust works by helping hackers gain access to the passwords on wireless routers. Basically the tool is very straightforward and can gain access to a device in seconds or hours depending on the complexity of the chosen or generated WPS PIN. For example, one such program, Reaver, can crack a WPS-enabled router within several hours.

The Art of Invisibility by Kevin Mitnick.

To be clearer, here are some helpful links about tools for cracking WPS: Link #1, Link #2, Link #3.