I know the original flaw... I have Viehboeck's white paper. I am looking for some other documents that are about WPS itself.... I don't care about he flaw everyone knows about... I want to study it. I am referring to the recent
report of a flaw (granted it is similar to the one Viehboeck and Heffner discovered, but this one relates to the chipsets that generate the mechanism (specifically the PRNGs) that create the cryptographic nonces (which are arbitrary numbers used in the initial idenity exchange and EAPs between Registrar and Enrollee in the WPS process. This is basic WPS mechanics though... as with everything, there is a great deal more detail involved...the detail involved in the recently revealed WPS vulnerability )that the PRNGs were crap (PRNG's create the so-called random number by use of a programmatic "entropy" which seeds the PRNG and creates the random number.
The real problem is that computers really cannot generate random numbers... there is always a pattern... and if the pattern is weak, so is the PRNG. And if the PRNG is weak, it can dramatically cut down the number of pins per router.
So this guy 0xcite in September said... "OK, they already screwed up how they generated the number by splitting it into two pieces.... let's see what else they did wrong. He found (amazingly) that a dramatically significant number of chipset manufacturers (or just a few who make chips for a good majority of routers) used a weak PRNG... and that this PRNG can be hacked and figured out.
So if I told you that you only needed to invert each hex byte of the routers's Mac address, then compare it to a SHA1 of thedecimal conversion of the mac address, using the larger of the two, then taking the larger of the two, and divide each digit in the sequence by the last nine digits of the decimal conversion of the MAC address.... you could basically figure out every PIN (for those routers, which seems to be exceedingly large based on the way they are all behaving) for let's say conservatively 50% of the WPS enabled routers.... no Reaver even necessary!!!
The main points here is the fact that WPS is a standard... it is not going away
. And the standard for its implementation was codified in 2007... There are weaknesses already in it... and if you understand how it works, use your imagination, learn a little about the cryptographic methods specified in the original standards you could find a treasure trove of hacks.
Think about hot-wiring a car.... when someone first figured out how to do that in the 1920s, did they fix it so you could never hot-wire a car again??? No!!! Because of the design of the combustion engine and the ignition of it, there was no way to fundamentally change it... They made it harder to get to the wires...or maybe they used little tricks to make it more cumbersome to time the ignition sequence... but who cares?!!!??
That little bit of work is trivial compared to having the ability to steal a car.
Obviously WPS is not oging to be around for 30 years....but I guarantee you, because it is WIFI Alliance standard, meaning no router can be certified without having WPS as a part of it, some form of WPS will be around for at least another 3 years. People don't change things like this very easily.
Note: I tried to attach some reference documents that took me awhile to find but the upload directory must not have its permissions set correctly as I could not upload it.
The article/white paper I am looking for is this: Wi-Fi Protected Setup, Technical Specification, ver. 1.0.0
But it has been scrubbed from the web just about.... There are some Asian sites like Scribd that offer it, but other than screenshots, I don't know how to get it.
In the meantime.... this is a good link to get some background... it also includes more links.http://www.hackforums.net/printthread.php?tid=4425809