Follow-up and solutions for PIN algorithm leakage of Tenda and jinke Products

Recently, tengda started some products with MAC as "C83A35" and "00B00C", including tengda W150M, yunke NW705 P, yunke NW705S, Yinke NW705 +, and yunke NW714, inspector NW702, Inspector NW712, Inspector NW709 and other products have successively leaked the PIN algorithm.

 

The PIN algorithm is very simple. You only need to convert the last 6-digit hexadecimal MAC of the product starting with the first 6 MAC into a 10-digit number to get a 7-digit number. As we all know, a PIN consists of eight digits, the first seven digits of which are random, and the eighth digit is the check bit, which can be calculated by the first seven digits. In this way, the MAC can obtain the PIN directly, and the PIN can directly obtain the WPA key (PSK) to quickly crack the route.

WiFiBETA predicts that all official products of yunke use this simple, insecure, and non-random PIN generation solution. According to its official website statement, the affected products are listed at the beginning of this article and the related upgrade software (initially estimated to be a firmware or PIN reinstallation tool) is under development. Some products of tengda, whose OUI is C83A35, 00B00C, and 081075, also use this algorithm. It is worth mentioning that the tengda official did not provide any evidentiary response.

About Solution

Although the exposure of this algorithm has a wide impact scope, it is still limited to WPS functions. That is to say, as long as the WPS/QSS function is disabled, the related routers adopt the WPA/WPA2 encryption method and use a strong password, which can maintain high security.

Cisco Route Solution:

Dlink routing solution:

Select the Enable item.

Tengda Route Solution:

WiFiBETA recommends that you disable this function as soon as possible to ensure maximum wireless security.