WiFi Protected Setup Router Backdoor May 17, 2009

WiFi-Protected Setup is a standard designed to ease the distribution of strong WPA/WPA2 encryption keys. Anyone who has tried to enter a 60-character WPA key into a Wii will immediately appreciate WPS; when you want to add a new client to your wireless network, you simply push a button on the router, push a button on the client (clients typically have “soft” buttons), and the two will negotiate an 802.11 EAP session which the router uses to securely send the network encryption key to the client.

But what if you want to use WPA and allow anyone to connect to your WiFi network? Well, you’d simply have to keep pushing the WPS button once every two minutes (WPS has a two-minute time-out period). Granted, there probably aren’t many (any?) legitimate uses for this, but it would be a great opportunity for some nefarious individual: with such a system in place, he can always get in no matter how strong you make your WPA key.

This hack is very simple; you just have to create a circuit that “pushes” the WPS button on the router. With some routers, such as Linksys, you can simply short out the pins on the WPS button, causing WPS to remain permanently on. This can be done very easily using the foil wrapper from a stick of gum; note that since WPS will always be activated, the WPS LED will be constantly blinking, so it’s probably a good idea to cover up the LED:

Placing the foil in the Linksys case

When the board is placed back in the case, the foil shorts the pins on the WPS button

Use the remaining foil to cover up the WPS LED

Although a simple hack, using gum to back door a router is not the best solution. In the routers tested, the gum hack only worked on our Linksys router; the rest require us to push, hold, and release the WPS button before they would activate WPS. Even in the Linksys device, this is a non-stealthy hack, as the administrative interface will (rather obnoxiously) indicate that WPS is activated whenever an administrator logs in to view the wireless settings.

A far better solution can be found by using a simple NE555 timer circuit. The push buttons are typically configured with one contact connected to ground and the other contact connected to whatever reads the button’s state. Using an NE555, we can connect the non-ground pin on the button to ground for a second or two, and then return the pin to its open state. The following circuit will push the WPS button for 1.5 seconds every 2.5 minutes:

NE555 Schematic

Vcc and ground are connected to the router’s DC power supply. Since the 555 can be powered from a wide range of voltage sources (4.5v – 16v), no voltage regulator should be required (routers typically run off of 5 – 12 volt DC power adapters). Conn1 is connected to the non-grounded pin on the WPS button.

The output (pin 3) stays high for 2.5 minutes and goes low (i.e., is grounded) for 1.5 seconds. D1 ensures that there is no charge flowing into pin 3 (probably not likely, but we don’t know exactly what the WPS button is connected to). When pin 3 goes low, it effectively grounds the button connected to Conn1; resistor R3 limits any current flowing through D1 during this period. The circuit can be modified to stay high for much longer periods of time by increasing the value of the R1 resistor.

Although the NE555 is not very precise when used to time long periods, precision is not really a concern in this application, so activating WPS once every 10-12 hours is possible. This has the added benefit of making such a back door more difficult to detect; WPS has a two-minute time-out period (if no client is found within two minutes, the router stops looking for a client until the button is pushed again), so the light will only be blinking for two two-minute intervals throughout a 24-hour period.

Below are pictures of the above circuit connected to several routers from various vendors. Since the WPS button works the same way on basically all routers, this circuit is a universal hardware back door for practically any router that has WPS support:

The circuit connected to a Linksys WRT160N

The circuit connected to a D-Link DIR-628

The circuit soldered up and placed inside a Belkin F5D8233-4v3

Now, you just wait for WPS to be activated (WPS state can be passively monitored in real time using WPSpy) and use a WPS-capable WiFi card (or software) to retrieve the key:
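The same passive monitoring works for the defender: an AP advertises its WPS state in every beacon, so a log of beacons from your own router reveals push-button windows that nobody opened, even when the LED only blinks for a couple of minutes a day. The following is an added example, not code from the original post and not WPSpy's implementation. It parses the WPS vendor-specific information element (OUI 00:50:F2, type 0x04) from a beacon's tagged parameters, reports whether push-button registration is currently open (Selected Registrar set and Device Password ID = PushButton), and flags open windows that do not coincide with an administrator's known button press. The beacon bytes and timestamps are constructed for the example.

```python
"""Passive WPS push-button state check from 802.11 beacon elements.

Added example for this post; not the original author's or WPSpy's code.
The sample beacons below are constructed, not captured from a real router.
"""
import struct
from datetime import datetime, timedelta

# WPS attribute IDs from the Wi-Fi Simple Configuration specification
ATTR_VERSION = 0x104A
ATTR_WPS_STATE = 0x1044
ATTR_SELECTED_REGISTRAR = 0x1041
ATTR_DEV_PASSWORD_ID = 0x1012
PASSWORD_ID_PUSHBUTTON = 0x0004

# Vendor-specific IE prefix identifying a WPS element: OUI 00:50:F2, type 4
WPS_OUI_TYPE = b"\x00\x50\xf2\x04"


def parse_wps_attrs(body):
    """Parse WPS TLV attributes (2-byte ID, 2-byte length, value)."""
    attrs = {}
    off = 0
    while off + 4 <= len(body):
        attr_id, length = struct.unpack_from(">HH", body, off)
        off += 4
        if off + length > len(body):
            raise ValueError("truncated WPS attribute 0x%04x" % attr_id)
        attrs[attr_id] = body[off:off + length]
        off += length
    return attrs


def find_wps_ie(ies):
    """Walk a beacon's tagged parameters; return the WPS IE body or None."""
    off = 0
    while off + 2 <= len(ies):
        tag, length = ies[off], ies[off + 1]
        body = ies[off + 2:off + 2 + length]
        if len(body) < length:
            return None  # truncated element, stop rather than misparse
        if tag == 0xDD and body.startswith(WPS_OUI_TYPE):
            return body[len(WPS_OUI_TYPE):]
        off += 2 + length
    return None


def wps_pbc_open(ies):
    """True when the AP currently accepts push-button registration."""
    body = find_wps_ie(ies)
    if body is None:
        return False
    attrs = parse_wps_attrs(body)
    selected = attrs.get(ATTR_SELECTED_REGISTRAR, b"\x00")
    pwd_id = attrs.get(ATTR_DEV_PASSWORD_ID, b"\x00\x00")
    return selected == b"\x01" and struct.unpack(">H", pwd_id)[0] == PASSWORD_ID_PUSHBUTTON


def pbc_windows(observations):
    """Turn (timestamp, ies) beacon observations into (start, end) PBC windows."""
    windows, start = [], None
    for ts, ies in observations:
        is_open = wps_pbc_open(ies)
        if is_open and start is None:
            start = ts
        elif not is_open and start is not None:
            windows.append((start, ts))
            start = None
    if start is not None:  # still open at the end of the capture
        windows.append((start, observations[-1][0]))
    return windows


def unexpected_windows(windows, approved):
    """PBC windows that overlap no (start, end) interval of a known button press."""
    def overlaps(w, a):
        return w[0] < a[1] and a[0] < w[1]
    return [w for w in windows if not any(overlaps(w, a) for a in approved)]


# --- constructed sample beacons (hypothetical SSID "homenet") -------------
def _attr(attr_id, value):
    return struct.pack(">HH", attr_id, len(value)) + value


def build_wps_ie(pbc_open):
    """Build a WPS vendor IE as a configured AP would beacon it."""
    body = (WPS_OUI_TYPE + _attr(ATTR_VERSION, b"\x10")
            + _attr(ATTR_WPS_STATE, b"\x02")  # 2 = configured
            + _attr(ATTR_SELECTED_REGISTRAR, b"\x01" if pbc_open else b"\x00"))
    if pbc_open:
        body += _attr(ATTR_DEV_PASSWORD_ID, struct.pack(">H", PASSWORD_ID_PUSHBUTTON))
    return bytes([0xDD, len(body)]) + body


SAMPLE_SSID_IE = bytes([0x00, 7]) + b"homenet"
IE_IDLE = SAMPLE_SSID_IE + build_wps_ie(False)
IE_PBC = SAMPLE_SSID_IE + build_wps_ie(True)

T0 = datetime(2009, 5, 17, 0, 0, 0)
SAMPLE_OBSERVATIONS = [(T0 + timedelta(minutes=m), ie) for m, ie in
                       enumerate([IE_IDLE, IE_IDLE, IE_PBC, IE_PBC, IE_IDLE, IE_IDLE])]

if __name__ == "__main__":
    for w in unexpected_windows(pbc_windows(SAMPLE_OBSERVATIONS), []):
        print("WPS push-button window with no admin action: %s to %s" % w)
```

In practice the observations come from a monitor-mode capture of your own AP's beacons (one beacon per minute is plenty), and the approved list is the change log of when someone actually pressed the button; a window that appears on a schedule with nothing in that log is exactly the signature of the timer circuit above.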

Using a Belkin WiFi card to retrieve the WPA key via WPS

5 Comments
KrisBelucci June 2nd, 2009

Hi, good post. I have been wondering about this issue, so thanks for posting. I’ll definitely be coming back to your site.

AndrewBoldman June 4th, 2009

Great post! Just wanted to let you know you have a new subscriber: me!

Find Jobs May 15th, 2011

That is the precise blog for anyone who wants to find out about this topic. You realize so much it’s virtually hard to argue with you (not that I truly would want… HaHa). You undoubtedly put a brand new spin on a subject that’s been written about for years. Nice stuff, simply nice!