What’s This? More bad news for the consumer? Well, not exactly. Take solace in knowing that the vulnerability was discovered in the first place, but it is ironic that the shortcoming in almost all wireless routers comes down to simple 7th-grade math. The flaw in WPS (Wi-Fi Protected Setup) has been discovered independently by at least two industry researchers, and their findings have been documented and shared with the information security community.
Chester Wisniewski of Sophos Canada writes in his blog posting:
(Sophos Naked Security) Stefan Viehböck, an independent security researcher, published a paper on Boxing Day titled “Brute forcing Wi-Fi Protected Setup” to his WordPress blog, disclosing a weakness in the configuration of most consumer/SoHo Wi-Fi routers.
As we all know the state of security for most home Wi-Fi networks was nearly non-existent only a few years ago.
This prompted the Wi-Fi Alliance to establish a new simple method for consumers to enable and configure WPA2 on their routers without knowledge of encryption, keys or how it all works.
The standard is called Wi-Fi Protected Setup (WPS) and is enabled by default on nearly all consumer Wi-Fi access points, including those sold by Cisco/Linksys, Netgear, Belkin, Buffalo and D-Link.
It has three methods of simplifying the connection of wireless devices to WPA2 protected access points:
- Push Button Connect (PBC) requires the user to push a button on the router which allows it to communicate with a client needing configuration. The client attempts to connect and the router simply sends it the security configuration required to communicate.
- Client PIN mode is where the client device supports WPS and has a PIN assigned by the manufacturer. You then login to the router’s management interface and enter the PIN to authorize that client to obtain the encryption configuration.
- Router PIN mode allows a client to connect by entering a secret PIN from a label on the router, or from its management interface which authorizes the client to obtain the security configuration details.
The first method requires physical access, while the second requires administrative access, both of these pass muster. The third however, can be accomplished only through the use of the Wi-Fi radio.
The PIN used for authentication is only eight digits, which would give the appearance of 10^8 (100,000,000) possibilities. It turns out the last digit is just a checksum, which takes us down to 10^7 (10,000,000) combinations.
Worse yet, the protocol is designed where the first half and second half are sent separately and the protocol will confirm if only one half is correct.
So you have now reduced the difficulty of brute forcing the PIN down to 10^4 (10,000) plus 10^3 (1,000), or 11,000 possibilities.
Some of the routers Viehböck tested did seem to implement a mechanism to slow down the brute forcing, but the worst case scenario allowed him to acquire the keys within 44 hours.
Compared with attempting to attack WPA2-PSK directly, this is a cheap and effective attack.
As the sub-title of Viehböck’s paper states “When poor design meets poor implementation” security is the loser.
If you own a reasonably modern Wi-Fi router you are at risk (unless you have installed some sort of alternative firmware like OpenWRT or Tomato Router).
If possible disable the WPS support on your router and contact your manufacturer for updated firmware which may provide a fix or mitigation against this attack.
Another researcher independently discovered the same issue and has published a tool called Reaver that implements this attack.
Similar to the Firesheep tool, this will likely light a fire under the butts of the Wi-Fi Alliance and manufacturers to quickly resolve these issues.
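The arithmetic in the quoted post (checksum digit, then the two halves confirmed separately) is easy to see in code. The following is an added example, not code from the Sophos post, from Viehböck's paper or from Reaver: it implements the WPS PIN checksum rule and a constructed stand-in for the access point's registrar that leaks, as a method return value, the same information a real AP leaks through its NACK after message M4 (first half wrong) or after M6 (second half wrong). The class and function names are this example's own.

```python
"""Simulated WPS registrar PIN brute force (constructed model, not Reaver).

The attacker plays the external-registrar role: send a PIN, learn from the
AP whether the first four digits were right, then work on the last four.
"""


def wps_checksum(first7: int) -> int:
    """Checksum digit for a 7-digit WPS PIN body.

    Digits are consumed from the right: the 7th, 5th, 3rd and 1st digits
    weigh 3, the 6th, 4th and 2nd weigh 1; the checksum makes the weighted
    sum a multiple of 10.
    """
    accum = 0
    n = first7
    while n:
        accum += 3 * (n % 10)
        n //= 10
        accum += n % 10
        n //= 10
    return (10 - accum % 10) % 10


def make_pin(first7: int) -> str:
    """Full 8-digit PIN string for a 7-digit body."""
    return f"{first7:07d}{wps_checksum(first7)}"


def is_valid_pin(pin: str) -> bool:
    return len(pin) == 8 and pin.isdigit() and int(pin[7]) == wps_checksum(int(pin[:7]))


class SimulatedRegistrar:
    """AP side (constructed). A real AP checks the halves inside the EAP-WSC
    M4..M7 exchange; this model exposes the same two-stage answer directly."""

    def __init__(self, pin: str):
        if not is_valid_pin(pin):
            raise ValueError("AP PIN must carry a valid checksum digit")
        self.pin = pin
        self.attempts = 0

    def try_pin(self, pin: str) -> str:
        """'first_half_wrong' mirrors the NACK after M4,
        'second_half_wrong' the NACK after M6, 'ok' a completed handshake."""
        self.attempts += 1
        if pin[:4] != self.pin[:4]:
            return "first_half_wrong"
        if pin[4:] != self.pin[4:]:
            return "second_half_wrong"
        return "ok"


def brute_force(reg: SimulatedRegistrar) -> tuple[str, int]:
    """Recover the PIN; return (pin, number of protocol attempts used)."""
    # Stage 1: at most 10^4 guesses for the first half. The second half is a
    # placeholder because the AP has not looked at it yet.
    first = None
    for a in range(10_000):
        if reg.try_pin(f"{a:04d}0000") != "first_half_wrong":
            first = a
            break
    # Stage 2: at most 10^3 guesses for digits 5-7; the 8th digit is computed,
    # never guessed, which is where the 10^7 -> 11,000 reduction comes from.
    for b in range(1_000):
        candidate = make_pin(first * 1000 + b)
        if reg.try_pin(candidate) == "ok":
            return candidate, reg.attempts
    raise RuntimeError("unreachable: a valid PIN is always found within 11,000 tries")


if __name__ == "__main__":
    # Constructed sample APs: the best-known test PIN and the worst-case PIN.
    for ap_pin in ("12345670", "99999995"):
        pin, n = brute_force(SimulatedRegistrar(ap_pin))
        print(f"AP PIN {ap_pin}: recovered {pin} after {n} attempts")
```

The worst-case AP PIN (9999999 plus its checksum 5) costs exactly 10,000 + 1,000 attempts; against a real AP each attempt is one WPS exchange over the radio, which is what turns this into the hours-long attack the post describes rather than a 10^7-guess one. Note that the model ignores per-attempt rate limiting or lockout, the only thing some of the tested routers did to slow the attack down.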