WPA2 Key Generation Vulnerability: Linksys / D-Link
Author: Alexandro Sanchez
Date: 2013-03-31
After finding the TP-Link WPA2 Key Generation Vulnerability, I reverse-engineered the assistants provided by other vendors. It turns out that some Linksys and D-Link routers use nearly identical algorithms to generate their default WPA2 keys as TP-Link routers do. For more information about this vulnerability and its consequences, please refer to the report linked above, as redundant information will be omitted here.
This time, the vulnerability affects the Linksys EasyLink Advisor and D-Link Quick Setup Wizard assistants, both based on Network Magic, software created by Pure Networks, a company belonging to Cisco/Linksys. Since Pure Networks actually sold their software to third parties, e.g. D-Link, other assistants may be affected as well.
The reversed generator is:
```python
blacklist_windows = "1I2Z0O5SUV"
blacklist_macosx = "B8DO0I1S5UVZ2"
blacklist = blacklist_windows  # Change me


def gen(seed):
    key = ""
    for i in range(10):
        while True:
            # One step of the MSVC CRT rand() LCG, truncated to 32 bits
            seed = ((seed * 0x343FD) + 0x269EC3) % (2**32)
            # rand() output is the upper 15 bits; reduce it to an index into [0-9A-Z]
            edx = ((seed >> 0x10) & 0x7FFF) % 0x24
            if edx >= 0xA:
                edx += 0x37  # 10..35 -> 'A'..'Z'
            else:
                edx += 0x30  # 0..9 -> '0'..'9'
            # Skip visually confusable characters; otherwise accept and move on
            if chr(edx) not in blacklist:
                key += chr(edx)
                break
    return key
```
The seeds used by this function are obtained in exactly the same way as in the TP-Link assistant. The only difference this time is that rather than pseudorandomly choosing characters from a whitelist, it adds random characters in the range [0-9A-Z], filtering out those found in a hardcoded blacklist meant to keep visually similar characters such as '0' and 'O' out of the key.
As explained in the TP-Link vulnerability report, the low entropy can be exploited to brute-force the key in a matter of minutes with a powerful GPU or hours with a CPU.
Affected routers
The complete list of affected Linksys routers is:
- WAP610N (blacklisted characters in the Windows assistant: "1I2Z0O5SUVB8")
- WRT110
- WRT120N
- WRT160N (V1, V2, V3)
- WRT160N-HP (V1*)
- WRT160NL
- WRT310N (V1, V2)
- WRT320N
- WRT400N
- WRT54G2
- WRT610N (V1*, V2)
The complete list of affected D-Link routers is:
- DGL-4100
- DGL-4300
- DIR-615 (not all revisions)
- DIR-625
- DIR-635
- WBR-1310
- WBR-1310 Rev. B
- WBR-2310
Resources
- Linksys-CheckKeys: Check whether your key is vulnerable to this attack, i.e., whether it is in the set of keys generated by all possible seeds. Download: http://www.mediafire.com/download.php?pmqt9aykwxhwkto.
- Linksys-GenSeeds: This tool calculates the seed interval from the given time interval in which the router might have been installed. Download: http://www.mediafire.com/download.php?kpe7844kqd9bk4j.
- Linksys-GenKeys: Generate a key dictionary by specifying a seed interval. Download: http://www.mediafire.com/download.php?2h9y0pkay9id1rt.
Solutions
- Do not use seeds at all. Feed the output of a cryptographically secure PRNG, such as /dev/urandom on Unix-like systems, as indices into the character array modulo its length. This is, for instance, what the Linksys E4200 WLAN routers do: the indices into the key character array are provided by CryptGenRandom in Advapi32.dll.
- If for some reason you still want to use seeds for generating keys:
  - Make them bigger than 32 bits. Just 2^32 keys are easy to check.
  - Obtain them from a cryptographically secure PRNG.
  - If you still want to derive them from the system time, use fine-grained time intervals (e.g. elapsed time in nanoseconds rather than seconds) to minimize the number of bits an attacker can guess.
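The unseeded alternative recommended above, written here as an added example that is not part of the report or its tools. It keeps the report's alphabet, blacklists and 10-character length, and adds one caveat the "modulo its length" wording leaves implicit: reducing a random byte modulo a 26-symbol alphabet is slightly biased, so the generator draws with secrets.choice (rejection sampling) instead; the function names gen_secure, modulo_bias, key_entropy_bits and is_well_formed are mine.

```python
import math
import secrets
from typing import Optional

# Character range and blacklists exactly as given in the report above.
ALPHABET = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"
BLACKLIST_WINDOWS = "1I2Z0O5SUV"
BLACKLIST_MACOSX = "B8DO0I1S5UVZ2"


def usable_alphabet(blacklist: str = BLACKLIST_WINDOWS) -> str:
    """[0-9A-Z] minus the visually confusable characters (26 symbols on Windows)."""
    return "".join(c for c in ALPHABET if c not in blacklist)


def gen_secure(length: int = 10, blacklist: str = BLACKLIST_WINDOWS) -> str:
    """Unseeded replacement for gen(): every character is an independent draw from the
    OS CSPRNG. secrets.choice() rejection-samples its index, so each usable character
    is equally likely and there is no 32-bit seed whose recovery yields the key."""
    alphabet = usable_alphabet(blacklist)
    return "".join(secrets.choice(alphabet) for _ in range(length))


def modulo_bias(alphabet_len: int, source_range: int = 256):
    """Probabilities (p_max, p_min) of the most and least likely index when a uniform
    value in [0, source_range) is reduced as 'index = value % alphabet_len'.
    They differ unless alphabet_len divides source_range: with one random byte and a
    26-symbol alphabet, indices 0..21 occur 10/256 of the time, 22..25 only 9/256."""
    full, extra = divmod(source_range, alphabet_len)
    return (full + (1 if extra else 0)) / source_range, full / source_range


def key_entropy_bits(length: int = 10, blacklist: str = BLACKLIST_WINDOWS,
                     seed_bits: Optional[int] = None) -> float:
    """Entropy of a key. A seeded generator is capped at the seed size (every character
    is a function of the seed); an unseeded one gets length * log2(alphabet size)."""
    unseeded = length * math.log2(len(usable_alphabet(blacklist)))
    return unseeded if seed_bits is None else min(unseeded, float(seed_bits))


def is_well_formed(key: str, blacklist: str = BLACKLIST_WINDOWS, length: int = 10) -> bool:
    """Necessary condition for a key to have come from either generator: correct length
    and no blacklisted character."""
    allowed = set(usable_alphabet(blacklist))
    return len(key) == length and all(c in allowed for c in key)
```

Note that even the unseeded 10-character key only reaches about 47 bits with the Windows blacklist; the seeded assistants never exceed 32 regardless of key length.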