Over the years, we’ve had to deal with vulnerabilities and weaknesses in wireless security protocols, such as the deprecation of the WEP protocol due to design flaws. Now, a standard that was designed to make wireless security easier actually makes it less secure.
For those of you who haven’t heard of Wi-Fi Protected Setup (WPS) — which frankly included me until recently — it is a standard created by the Wi-Fi Alliance to make it easier for home users to configure security settings on their access points, making the task less foreboding for the non-technical.
In concept, I think this is a great idea. I know many average home users who run open access points simply because they find the tech lingo (WPA2, PSK, AES, TKIP, etc.) too overwhelming, or because they can’t be bothered with strong passwords. Making wireless security easier for the average Joe is a noble goal. However, in practice WPS will make your WAP less secure.
According to research by Stefan Viehböck (also discovered independently by another researcher), technical flaws in WPS make it embarrassingly simple to brute force a WPS PIN. Without going into too much technical detail, the WPS protocol responds to failed authentication attempts in a way that both tells you whether the first four digits of the PIN are correct and discloses the eighth digit of the PIN. This severely reduces the number of guesses necessary to learn a WPS PIN. Rather than providing the 100,000,000 possible combinations (10^8) that an eight-digit PIN should offer, this flaw allows attackers to find the PIN with only 11,000 guesses (10^4 + 10^3). Computers can go through 11,000 combinations in no time. Furthermore, many devices that use WPS apparently don’t lock out failed authentication attempts. If an attacker knows your wireless router’s WPS PIN, he can use it to retrieve the router’s wireless network password. So if you use WPS, you should expect that any attacker within range of your Wi-Fi signal can access your network.
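To put the 11,000-guess figure and the missing lockout in perspective, here is an added risk model (not part of the original post) that estimates the worst-case time to exhaust each keyspace under different lockout policies. The 1.3 seconds per attempt and every lockout parameter are assumptions chosen for illustration, not measurements of any device.

```python
"""Constructed model: worst-case time to exhaust a WPS PIN keyspace.
Timing and lockout parameters are illustrative assumptions."""

FULL_KEYSPACE = 10**8            # eight independent digits, as the post states
SPLIT_KEYSPACE = 10**4 + 10**3   # flaw described in the post: 11,000 guesses


def lockout_seconds(failures, lock_after, base_lock, max_lock, doubling):
    """Total time spent locked out across `failures` failed attempts."""
    if lock_after <= 0:
        return 0.0                          # device never locks out
    lockouts = failures // lock_after       # one lockout per `lock_after` failures
    if not doubling:
        return float(lockouts * base_lock)
    total, lock, n = 0.0, float(base_lock), 0
    while n < lockouts and lock < max_lock:  # escalating phase: 60, 120, 240, ...
        total += lock
        lock *= 2
        n += 1
    return total + (lockouts - n) * max_lock  # remaining lockouts sit at the cap


def worst_case_hours(keyspace, secs_per_attempt, lock_after=0,
                     base_lock=0, max_lock=0, doubling=False):
    """Hours until every candidate is tried (the last guess is the right one)."""
    failures = keyspace - 1
    busy = keyspace * secs_per_attempt
    locked = lockout_seconds(failures, lock_after, base_lock, max_lock, doubling)
    return (busy + locked) / 3600


def report(secs_per_attempt=1.3):
    """Compare the post's two keyspaces under three hypothetical policies."""
    s = secs_per_attempt
    return {
        "full, no lockout": worst_case_hours(FULL_KEYSPACE, s),
        "split, no lockout": worst_case_hours(SPLIT_KEYSPACE, s),
        "split, 60 s per 3 failures": worst_case_hours(SPLIT_KEYSPACE, s, 3, 60),
        "split, doubling to 1 h cap":
            worst_case_hours(SPLIT_KEYSPACE, s, 3, 60, 3600, True),
    }


if __name__ == "__main__":
    for policy, hours in report().items():
        print(f"{policy:28s} {hours:10.1f} h")
```

Under these assumed timings, lockout stretches the worst case from a few hours to days or months, but it never restores the protection a true 10^8 keyspace would give, which is why disabling WPS is the real mitigation.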
The good news is that WPS is not an industry-wide standard. Only some wireless routers and access points use it. If you’d like more details on this issue, US-CERT has released a coordinated alert about it, including some of the router brands that are affected. This includes some well-known consumer brands like Belkin, Netgear, D-Link, and others. Since this is a protocol-level design flaw, there is no fix. If you use a wireless router that leverages WPS, you should stop using WPS.
By the way, if any WatchGuard wireless appliance owners are concerned with our devices, we do not use WPS and are not affected by this issue.
UPDATE: Researchers have posted a working Proof-of-Concept attack tool for this WPS attack. If you have a device that uses WPS, I highly recommend you disable it, or apply any vendor updates related to this issue. — Corey Nachreiner, CISSP (@SecAdept)
Yiddish says
Good configuration settings.
Kent says
You make a really good point. Making wireless security easier has made it less secure. Mobile security encryption needs to be more efficient and simplified for the average user.
Ladies Golf Bags 2012 says
Hey there, I am so happy I found your blog page. I really found you by mistake while I was researching on Google for something else. Anyways, I am here now and would just like to say thanks a lot for a marvelous post and an all-round exciting blog (I also love the theme/design). I don’t have time to browse it all at the minute, but I have bookmarked it and also added in your RSS feeds, so when I have time I will be back to read much more. Please do keep up the superb work.
tracking an iPhone at this moment says
Hurrah! At last I got a web site from where I am capable of actually obtaining useful data concerning my study and knowledge.
Claudio says
Thank you for the good writeup. It in fact was an amusement account it. Look advanced to more added agreeable from you! By the way, how could we communicate?
mascarillas para la cara caseras says
Do you have a spam problem on this site? I also am a blogger, and I was wondering about your situation; we have developed some nice methods and we are looking to exchange techniques with others. Why not shoot me an email if interested?
Jule I. Standaert says
I am really loving the theme/design of your web site. Do you ever run into any web browser compatibility problems? A number of my blog visitors have complained about my website not operating correctly in Explorer but looks great in Safari. Do you have any ideas to help fix this problem?
Jesenia I. Danese says
I’m no longer certain the place you are getting your information, but great topic. I need to spend some time learning more or working out more. Thank you for wonderful information; I was on the lookout for this information for my mission.
Lita Q. Jenkin says
Continuously I used to read smaller articles that as well clear their motive, and that is also happening with this post which I am reading at this place.
Cristine P. Schug says
I’ve been surfing on-line more than 3 hours lately, yet I never discovered any interesting article like yours. It is pretty price enough for me. In my view, if all web owners and bloggers made just right content material as you did, the internet shall be much more useful than ever before.
Jovan J. Swinney says
This is very fascinating. You are a very professional blogger.
I’ve joined your feed and sit up for in search of more of your magnificent post.
Additionally, I have shared your website in my social networks