Mercusys AC12G WPS Vulnerability with Weak Lockout Policy

Vulnerability

A vulnerability exists in the Mercusys AC12G (EU) V1 router, firmware version AC12G(EU)_V1_200909. The router ships with Wi-Fi Protected Setup (WPS) 2.0 enabled by default, and its protection against PIN guessing is weak: after 10 failed PIN attempts the router locks out further attempts for only 60 seconds and then accepts new guesses. Because the WPS protocol validates the 8-digit PIN in two halves (the AP's response to message M4 reveals whether the first four digits are correct, and its response to M6 whether the next three are; the eighth digit is a checksum), an online attacker needs at most about 11,000 guesses rather than 10^8, so a one-minute lockout per 10 attempts stretches a full search to well under a day rather than preventing it. In addition, the router's default WPS PIN is derived from its BSSID (the Wi-Fi MAC address, which is broadcast in every beacon frame), so while WPS PIN mode is active an attacker who computes the PIN from the BSSID can recover the Wi-Fi credentials in a single attempt.

Impact

With WPS enabled by default and this lockout policy, an attacker within radio range can predict the PIN from the BSSID (or, failing that, brute-force it with only a one-minute pause every 10 attempts) and, whenever WPS PIN mode is active, complete the WPS exchange and obtain the Wi-Fi credentials. Joining the wireless network gives the attacker full local area network (LAN) access to every device connected to the router.

Reproduction

Enable WPS PIN mode on the affected router. Submit 10 incorrect PINs: the router locks out further attempts for 60 seconds and then accepts guesses again, so an attacker can resume PIN guessing after only a one-minute delay per 10 attempts. Alternatively, read the router's BSSID from its beacon frames, derive the PIN from the MAC address (the router's default PIN is MAC-based) and submit it: with WPS PIN mode active, the first attempt succeeds and the router returns the Wi-Fi credentials.

Remediation

To address this vulnerability, WPS should be disabled by default; the lockout duration should be increased to at least 3600 seconds; the number of failed attempts allowed before lockout should be reduced to 3; and the default PIN should be generated from a hardware random number generator instead of an algorithm based on the MAC address. The first three changes turn an exhaustive online search from a matter of hours into one of months, and the last one removes the single-attempt prediction entirely.
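The arithmetic behind the vulnerability and the remediation, as an added worked example that is not part of the advisory: it computes the WPS PIN check digit, counts the worst-case number of online guesses given the split validation, and compares the time to exhaust that space under the router's current policy (10 attempts, 60-second lockout) with the recommended one (3 attempts, 3600-second lockout). The advisory does not publish the AC12G's MAC-to-PIN algorithm, so the pin24 scheme below (low 24 bits of the BSSID as the PIN body) is only an illustration of the class of MAC-derived default PINs and is an assumption, as is the constructed sample BSSID.

```python
"""WPS PIN keyspace and lockout arithmetic (added example, not from the advisory)."""

# Constructed sample BSSID for illustration only (assumption, not a real device).
SAMPLE_BSSID = "A0:B1:C2:11:22:33"


def wps_checksum(pin7: int) -> int:
    """Return the check digit for a 7-digit WPS PIN body.

    This is the weighting defined by the WSC specification (and used by
    reaver): digits are weighted 3,1,3,1,... from the right, and the check
    digit makes the sum a multiple of 10.
    """
    accum = 0
    while pin7:
        accum += 3 * (pin7 % 10)
        pin7 //= 10
        accum += pin7 % 10
        pin7 //= 10
    return (10 - accum % 10) % 10


def valid_wps_pin(pin: str) -> bool:
    """True if an 8-digit PIN string carries a correct check digit."""
    if len(pin) != 8 or not pin.isdigit():
        return False
    return wps_checksum(int(pin[:7])) == int(pin[7])


def pin24_from_bssid(bssid: str) -> str:
    """Illustrative MAC-derived default PIN (the public 'pin24' scheme).

    ASSUMPTION: this is not the AC12G's algorithm, which the advisory does not
    publish; it only shows why a PIN computed from a broadcast BSSID is
    recoverable by anyone in radio range.
    """
    low24 = int(bssid.replace(":", "").replace("-", ""), 16) & 0xFFFFFF
    body = low24 % 10_000_000
    return f"{body:07d}{wps_checksum(body)}"


def max_online_guesses() -> int:
    """Worst-case online guesses against a WPS AP.

    The AP's reply to M4 reveals whether the first 4 digits are right (10^4
    candidates) and its reply to M6 whether the next 3 are (10^3 candidates,
    since the 8th digit is a checksum), so the halves are attacked separately.
    """
    return 10**4 + 10**3  # 11,000


def worst_case_search_seconds(attempts_before_lockout: int,
                              lockout_seconds: int,
                              seconds_per_attempt: float = 0.0) -> float:
    """Time to exhaust the WPS PIN space under a lockout policy.

    The AP locks out for lockout_seconds after every attempts_before_lockout
    failures; seconds_per_attempt adds the per-exchange cost (0 by default so
    the figure isolates the effect of the lockout policy alone).
    """
    guesses = max_online_guesses()
    lockouts = guesses // attempts_before_lockout
    return guesses * seconds_per_attempt + lockouts * lockout_seconds


if __name__ == "__main__":
    print("well-known default 12345670 valid:", valid_wps_pin("12345670"))
    print("pin24-style PIN for", SAMPLE_BSSID, "->", pin24_from_bssid(SAMPLE_BSSID))
    current = worst_case_search_seconds(10, 60)
    fixed = worst_case_search_seconds(3, 3600)
    print(f"current policy (10 attempts / 60 s): {current / 3600:.1f} hours")
    print(f"recommended policy (3 attempts / 3600 s): {fixed / 86400:.0f} days")
```

With the lockout as the only cost, the current policy allows the 11,000-guess space to be exhausted in about 18 hours, while the recommended policy pushes it past 150 days; real per-attempt exchange time only adds to both. The MAC-derived PIN removes even that delay, which is why the hardware RNG recommendation matters independently of the lockout change.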

Added: Jun 3, 2026, 6:50 PM
Updated: Jun 3, 2026, 6:50 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 5.8
remediation: 0.0
relevance: 9.9
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.