Building WPA Hardware Backdoors
May 11th, 2009
It used to be that building a hardware back door into a router was a difficult, resource-intensive task that only the most skilled hardware hacker would dare to undertake, but thanks to a new feature prevalent in nearly all new SOHO routers, just about anyone can build such a back door.
This new feature is called Wi-Fi Protected Setup. WPS is a standard designed to ease the distribution of strong WPA/WPA2 encryption keys. Anyone who has tried to enter a 60-character WPA key into a Wii will immediately appreciate WPS; when you want to add a new client to your wireless network, you simply push a button on the router, push a button on the client (clients typically have “soft” buttons), and the two negotiate an 802.11 EAP session which the router uses to securely send the network encryption key to the client.
Unfortunately, along with this ease-of-use, WPS brings a whole new threat into SOHO router networks: physical attacks. Physical tampering with a router used to mean some malicious person bringing in a laptop, plugging it into the router, and trying to brute force the router login. But now, an attacker can install a simple hardware back door which activates WPS at a specified interval. In fact, in some cases this can be done with nothing more than a stick of gum.
The attack is very simple; you just have to create a circuit that “pushes” the WPS button on the router. With some routers, such as Linksys, you can simply short out the pins on the WPS button, causing WPS to remain permanently on. This can be done very easily using the foil wrapper from a stick of gum:
Note that since WPS will always be activated, the WPS LED will be constantly blinking, so it’s probably a good idea to cover up the LED as shown in the above picture.
Although a simple hack, using gum to back door a router is not the best solution. In the routers tested, the gum hack only worked on our Linksys router; the rest require us to push, hold, and release the WPS button before they would activate WPS. Even in the Linksys device, this is a non-stealthy hack, as the administrative interface will (rather obnoxiously) indicate that WPS is activated whenever an administrator logs in to view the wireless settings.
A far better solution can be found by using a simple NE555 timer circuit. The push buttons are typically configured with one contact connected to ground, and the other contact connected to something else that reads the button’s state. Using an NE555, we can connect the non-ground pin on the button to ground for a second or two, and then return the pin to its open state. The following circuit will push the WPS button for 1.5 seconds every 2.5 minutes:
Vcc and ground are connected to the router’s DC power supply. Since the 555 can be powered from a wide range of voltage sources (4.5 V – 16 V), no voltage regulator should be required (routers typically run off of 5 – 12 volt DC power adapters). Conn1 is connected to the non-grounded pin on the WPS button.
The output (pin 3) stays high for 2.5 minutes and goes low (i.e., is grounded) for 1.5 seconds. D1 ensures that no current flows into pin 3 (probably not likely, but we don’t know exactly what the WPS button is connected to). When pin 3 goes low, it effectively grounds the button connected to Conn1; resistor R3 limits any current flowing through D1 during this period. The circuit can be modified to stay high for much longer periods of time by increasing the value of the R1 resistor.
Although the NE555 is not very precise when used to time long periods, precision is not really a concern in this application, so activating WPS once every 10-12 hours is possible. This has the added benefit of making such a back door more difficult to detect; WPS has a two minute time out period (if no client is found within two minutes, the router stops looking for a client until the button is pushed again), so the light will only be blinking for two two-minute intervals throughout a 24 hour period.
Below are pictures of the above circuit connected to several routers from various vendors. Since the WPS button works the same way on basically all routers, this circuit is a universal hardware back door for practically any router that has WPS support:
Now, you just wait for WPS to be activated (WPS state can be passively monitored in real time using our WPSpy tool) and use a WPS-capable WiFi card (or software) to retrieve the key:
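The defender’s counterpart to the passive WPS monitoring mentioned above, as an added example that is not part of the original post and not WPSpy’s code: it parses the WPS information element carried in 802.11 beacons (vendor-specific IE, OUI 00:50:F2, type 4) to tell when an access point is advertising an open push-button (PBC) window, and turns a timeline of beacon samples into the list of windows, so a PBC window on your own router that nobody opened is something to go and look at. It assumes beacons have already been captured and their tagged-parameter bytes are passed in; the attribute ids come from the WPS specification, and the sample beacons are constructed for testing rather than captured.

```python
import struct

WPS_OUI_TYPE = b"\x00\x50\xf2\x04"  # vendor-specific IE: OUI 00:50:F2, type 4 = WPS
ATTR_DEVICE_PASSWORD_ID, ATTR_SELECTED_REGISTRAR = 0x1012, 0x1041
PBC_PASSWORD_ID = b"\x00\x04"  # Device Password ID 0x0004 = PushButton

def iter_ies(body):
    # 802.11 tagged parameters: 1-byte element id, 1-byte length, payload.
    i = 0
    while i + 2 <= len(body):
        eid, ln = body[i], body[i + 1]
        yield eid, body[i + 2:i + 2 + ln]
        i += 2 + ln

def parse_wps_attrs(payload):
    # WPS attributes are TLVs: 2-byte id, 2-byte big-endian length, value.
    attrs, data, i = {}, payload[len(WPS_OUI_TYPE):], 0
    while i + 4 <= len(data):
        aid, ln = struct.unpack(">HH", data[i:i + 4])
        attrs[aid] = data[i + 4:i + 4 + ln]
        i += 4 + ln
    return attrs

def wps_pbc_active(beacon_ies):
    # In its two-minute PBC window the AP advertises a selected registrar using PushButton.
    for eid, payload in iter_ies(beacon_ies):
        if eid == 0xDD and payload.startswith(WPS_OUI_TYPE):
            a = parse_wps_attrs(payload)
            return (a.get(ATTR_SELECTED_REGISTRAR, b"")[:1] == b"\x01"
                    and a.get(ATTR_DEVICE_PASSWORD_ID) == PBC_PASSWORD_ID)
    return False

def pbc_windows(samples):
    # samples: [(seconds, beacon_ies)] in time order -> [(start, end)] PBC runs.
    windows, start = [], None
    for t, ies in samples:
        active = wps_pbc_active(ies)
        if active and start is None:
            start = t
        elif not active and start is not None:
            windows.append((start, t))
            start = None
    return windows + ([(start, samples[-1][0])] if start is not None else [])

def build_beacon_ies(selected_registrar, password_id):
    # Constructed beacon fragment (SSID IE + WPS IE) for testing, not a real capture.
    body = (WPS_OUI_TYPE + struct.pack(">HHB", 0x104A, 1, 0x10)  # Version attribute, 1.0
            + struct.pack(">HHB", ATTR_SELECTED_REGISTRAR, 1, selected_registrar)
            + struct.pack(">HH", ATTR_DEVICE_PASSWORD_ID, 2) + password_id)
    return bytes([0x00, 4]) + b"home" + bytes([0xDD, len(body)]) + body
```

Feeding `pbc_windows` one sample every few seconds over a day reproduces the two short windows the post describes for a 12-hour timer; a window that does not line up with anyone pressing the button is the signal to open the case.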
- Posted in Hardware, Techniques
July 22nd, 2009 at 4:56 pm
Is this the hardware tips to increase network security..? I’ve no idea about the works.
January 14th, 2010 at 2:53 pm
Title…
Very interesting post. I would like to link back to it….
January 16th, 2010 at 12:54 pm
I would like to say, nice webpage. Im unsure if it has been talked about, however when using Chrome I can never get the entire blog to load without refreshing alot of times. Could just be my connection. Thanks
September 2nd, 2010 at 8:47 pm
I will testify that your headline “how to reset your printer? troubleshooting for resetting your hp, dell, lexmar” is neat but I want to let you know that your site is now loading rapidly than it used to.
September 12th, 2010 at 11:03 am
I got your page searching for storm door hardware.topic SourceSec Security Research » Blog Archive » Building WPA Hardware Backdoors was interesting. Please Keep posting on storm door hardware.
October 5th, 2010 at 4:32 pm
we always use power adapters at home because of our different voltage applications
October 30th, 2010 at 4:00 pm
Hey, sorry for being off but what theme is this blog using? did you make it yourself? I really love the theme you are using.
April 5th, 2011 at 2:35 am
I was looking for something completely different,got your page SourceSec Security Research » Blog Archive » Building WPA Hardware Backdoors and found it Interesting.Nice Post on storm door hardware…
June 6th, 2011 at 7:54 am
Greetings from Idaho! I’m bored at work so I decided to check out your site on my iphone during lunch break. I really like the info you provide here and can’t wait to take a look when I get home. I’m shocked at how fast your blog loaded on my cell phone .. I’m not even using WIFI, just 3G .. Anyways, fantastic site!
June 22nd, 2011 at 8:37 pm
Carl: I agree with you but there are other genuine good offers out there. Cheers!
July 17th, 2011 at 6:40 pm
I think you could distribute many more posts, me and also our kids appreciate your internet site and experience were greater educated following browsing.
August 8th, 2011 at 4:53 pm
That is a great point to bring up. Thanks for the post.
August 8th, 2011 at 4:56 pm
you have a great blog here! would you like to make some invite posts on my blog?
November 25th, 2011 at 12:02 pm
I’m agitated all these article directories. It sure would be nice to have every article directory that instantly accepts articles.
December 15th, 2011 at 6:02 am
A powerful share, I simply given this onto a colleague who was doing a little analysis on this. And he in fact bought me breakfast because I found it for him.. smile. So let me reword that: Thnx for the treat! But yeah Thnkx for spending the time to debate this, I really feel strongly about it and love reading extra on this topic. If possible, as you turn into experience, would you thoughts updating your weblog with more details? It is highly helpful for me. Huge thumb up for this blog publish!
December 15th, 2011 at 8:57 am
I like Your Article about SourceSec Security Research » Blog Archive » Building WPA Hardware Backdoors Perfect just what I was searching for! .
December 15th, 2011 at 10:22 pm
Hi! There are certainly a lot of details like that to take into consideration. That is a great point to bring up. I offer the thoughts above as general inspiration but clearly there are questions like the one you bring up where the most important thing will be working in honest good faith. I don?t know if best practices have emerged around things like that, but I am sure that your job is clearly identified as a fair game. Both boys and girls feel the impact of just a moment’s pleasure, for the rest of their lives.
March 27th, 2012 at 8:03 am
You actually make it seem so easy with your presentation but I find this topic to be really something which I think I would never understand. It seems too complex and very broad for me. I am looking forward for your next post, I will try to get the hang of it! Consider a visit to my website whenever you feel like doing so. thnk u!!!
April 21st, 2012 at 5:48 am
Thanks a lot…
Hey, Thanks for your post, it was really informative. I’ll be looking forward for your next post….
May 31st, 2012 at 2:43 am
Great post at SourceSec Security Research » Blog Archive » Building WPA Hardware Backdoors. I was checking constantly this blog and I’m impressed! Extremely helpful information specially the last part
I care for such info a lot. I was seeking this certain info for a very long time. Thank you and good luck.
September 20th, 2012 at 12:43 am
Hi there, I discovered your website by way of Google while looking for a similar matter, your website got here up, it seems to be great. I have bookmarked it in my google bookmarks.
January 6th, 2013 at 3:10 am
I just disable WPS altogether. I also only use DD-WRT firmware on Linksys routers. The WPS button/feature is only as safe as the location of the router if enabled. If the WPS button is within reach of a guest that really just wants to use your connection, the WPS button can save a lot of time compared to running airodump/airsnort/aircrack/backtrack/IP and MAC cloning/etc.