SecurityWeek

Decade-Old Pixie Dust Wi-Fi Hack Still Impacts Many Devices

NetRise has identified 20 device models from six vendors that are still vulnerable to Pixie Dust attacks.

Many devices are still vulnerable to a Wi-Fi attack method disclosed more than a decade ago, software and firmware supply chain security company NetRise reported on Wednesday.

The attack, named Pixie Dust, came to light in 2014, when a researcher showed that a vulnerability related to Wi-Fi Protected Setup (WPS) could be exploited to obtain a router’s WPS PIN and connect to the targeted wireless network without needing its password.

The Pixie Dust hack involves an attacker who is in range of the targeted Wi-Fi network capturing the initial WPS handshake, which contains data that can then be cracked offline to obtain the WPS PIN. The attack leverages the fact that on some devices random numbers are generated using predictable or low-entropy methods.

The attacker only needs seconds to capture the WPS handshake and the PIN can then be obtained offline within minutes or even seconds.

NetRise has conducted an analysis of 24 networking device models used today to see if they are still vulnerable to Pixie Dust attacks. The devices came from six vendors, but half of them were made by TP-Link. 

NetRise’s analysis showed that of the 24 routers, access points, range extenders, and powerline/Wi-Fi hybrid systems only four have been patched against Pixie Dust attacks, but in many cases the fixes came after 9-10 years. Of the unpatched products, seven have reached end of life, but 13 are still supported.

In the tests conducted by the security firm, the WPS PIN was recovered in 1-2 seconds.

If twenty popular device models were found to be vulnerable to Pixie Dust attacks, that can translate to millions of affected devices. 

“The persistence of vulnerable WPS implementations reflects a systemic flaw in firmware supply chains. Vendors reuse insecure libraries, fail to enforce secure defaults, and provide little transparency. This exposes manufacturers to reputational damage, potential regulatory action, and legal liability,” NetRise explained.

“Affected devices may appear secure due to UI settings that hide or disable WPS superficially, but remain exploitable at the firmware level. This creates silent exploit paths in high-trust environments such as branch offices, retail, and healthcare. Enterprises cannot reliably detect this exposure, leaving them dependent on vendor disclosures that often never come,” the security firm noted. 

NetRise’s research comes after CISA warned recently that an old missing authentication vulnerability impacting TP-Link Wi-Fi range extenders has been exploited in the wild.

Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
