Wi-Fi Protected Setup design flaw leaves routers open to attack

By on December 29, 2011, 1:51 PM

Design flaws in the Wi-Fi Protected Setup (WPS) standard used by most modern routers could make it easier to retrieve a wireless network's password through brute force and leave it open to attack. The issue was first brought to light by security researcher Stefan Viehböck and has since prompted a vulnerability notice from the U.S. Computer Emergency Readiness Team (CERT).

The WPS standard was created in 2007 by the Wi-Fi Alliance in order to provide non-technical users with simpler methods of setting up secure wireless networks. One of these methods uses a predefined eight-digit PIN number printed on a sticker by the router manufacturer. The problem, according to Viehböck, is that entering the wrong PIN returns information that could be useful to a hacker.

Ideally an eight-digit PIN code would produce 100,000,000 possible combinations, enough to keep an attacker busy for a few years if attempting a brute force break-in. But the protocol used by Wi-Fi Protected Setup responds to failed authentication attempts by indicating if the first or second halves of the PIN number are correct, significantly reducing the possible combinations. Plus, the last digit is actually the checksum of the other seven. That means an attacker only has to try 11,000 different combinations to find the right PIN.

In his tests, Viehböck found that an authentication attempt takes between 0.5 and 3 seconds and the majority of routers don't implement lock-down periods after several consecutive failed WPS authentication attempts. Only one router from Netgear slowed its responses to failed authentication attempts in order to mitigate against the attack, but that only extended the attack time to a day or so -- otherwise it can take 2-4 hours.

Devices from Buffalo, D-Link, Linksys, Netgear and others are affected. Presummably, the flaw can be addressed with a simple software fix, but until then the US-Cert is recommending users switch off WPS.




User Comments: 7

Got something to say? Post a comment
Guest said:

This is what happens when you make security easy.

It ceases to be secure.

Trillionsin Trillionsin said:

Guest said:

This is what happens when you make security easy.

It ceases to be secure.

What online is even actually secure? If someone wants to badly enough, they'll get into what they want with the right know-how. Some saying along the lines of, a lock and key keeps an honest man honest.

Guest said:

"What online is even actually secure? If someone wants to badly enough, they'll get into what they want with the right know-how. Some saying along the lines of, a lock and key keeps an honest man honest."

TLS Web Client Certificate Authentication with a 4096-bit RSA private key, burned into a smartcard if that's your thing, is the most secure yet still practical (supported by all major operating systems and browsers) method I can think of off the top of my head.

Some sites do this, like StartCom, or the Verisign Identity Protection Authentication Service.

Every popular webserver can be configured to do this, including IIS. Apache can even do it on a per-file or per-directory basis.

I'm using it for my WordPress Blogs (the Administration panels).

supertech supertech said:

I've installed thousands of routers over the years and have never trusted WPS and have always turned it off exactly for security reasons. I'm glad I did this.

fimbles fimbles said:

Packet sniffing FTW!

lipe123 said:

well lets look at this realisticly:

1. locate wifi thats vunerable.

2. Knock on house door and say you are from usa wi-fi protection and they will be fined if the network isnt secured right away, offer to do it for 10$ on the spot.

3. enter house with owners blessing, login to router with netbook.

4. Setup security properly if its not right and save password on netbook.

5. profit.

That took all of 30minutes vs hours of brute force..

Of course if you are going to spend hours anyways you can just break into the house and login to the router and get the pwd too.

I get that this is something somone might do for a company but for a home user this is pretty super low risk.

Guest said:

@lipe123:

You don't really believe that your scenario is even remotely plausible, do you? Seriously?

Nobody that I know - heck, nobody in my *neighborhood* would be gullible enough to fall for your "let me into your home and onto your computer or you will be fined $10" line. No, let me take that back - I would happily let you into my house to screw around on my network. While you are busy, I'll be on the phone to the police. Voila, one less ***** criminal off the streets.

I get that you're trying to say that social engineering is usually the quickest way (by far) to get a password. But the article clearly states that this vulnerability would only take 2-4 hours to successfully exploit, and a huge percentage of routers would never know they were being attacked. Getting a password that quickly without being detected trumps your "knock on house door" method any day of the week.

@supertech:

I'm with you, and other posters.

Load all comments...

Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...
Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.