Over the years, we’ve had to deal with vulnerabilities and weaknesses in wireless security protocols, such as the deprecation of the WEP protocol due to design flaws. Now, a standard that was designed to make wireless security easier, actually makes it less secure.
For those of you who haven’t heard of Wi-Fi Protected Setup (WPS) — which frankly included me until recently — it is a standard created by the Wi-Fi Alliance to make it easier for home users to configure security settings on their access points, making the task less foreboding for the non-technical.
In concept, I think this is a great idea. I know many average home users that run open access points simply because they find the tech lingo (WPA2, PSK, AES, TKIP, etc.) too overwhelming, or because they can’t be bothered with strong passwords. Making wireless security easier for the average Joe is noble goal. However, in practice WPS will make your WAP less secure.
According to research by Stefan Viehböck (also discovered independantly by another researcher as well), technical flaws in WPS make it embarrassingly simple to brute force a WPS PIN. Without going into too much technical detail, the WPS protocol responds to failed authentication attempts in a way that will both tell you if the first four digits of the PIN are correct, as well as disclose the eighth digit of the PIN. This severely reduces the number of guesses necessary to learn a WPA PIN. Rather than providing the 100,000,000 possible combinations (108) that an eight digit pin should offer, this flaw allows attackers to find the PIN with only 11,000 guesses (104 + 103). Computers can go through 11,000 combinations in no time. Furthermore, many devices that use WPS apparently don’t lockout failed authentication attempts. If an attacker knows your wireless router’s WPS PIN, he can use it to retrieve the router’s wireless network password. So if you use WPS, you should expect any attacker within range of your Wi-Fi signal can access your network.
The good news is that WPS is not an industry-wide standard. Only some wireless routers and access points use it. If you’d like more details on this issue, US-CERT has released a coordinated alert about it, including some of the router brands that are affected. This includes some well know consumer brands like Belkin, Netgear, D-Link, and others. Since this is a protocol level design flaw, there is no fix. If you use a wireless router that leverages WPS, you should stop using WPS.
By the way, if any WatchGuard wireless appliance owners are concerned with our devices, we do not use WPS and are not affected by this issue.
UPDATE: Researchers have posted a working Proof-of-Concept attack tool for this WPS attack. If you have a device that uses WPS, I highly recommend you disable it, or apply any vendor updates related to this issue. — Corey Nachreiner, CISSP (@SecAdept)