A security researcher has demonstrated a flaw in the WiFi Protected standard that would expose Wireless networks to brute-force attacks, prompting the United States Computer Emergency Response Team to issue a vulnerability warning.
“The Wi-Fi Protected Setup (WPS) PIN is susceptible to a brute force attack,” US-CERT warning issued Dec. 27 said. Widely used to secure wireless networks, WiFi Protected Setup (WPS) requires each router to have a unique eight-digit PIN. When WPS is enabled, the router allows devices to connect to the network provided they present the correct PIN.
Attackers could try brute-forcing the PIN by trying every possible combination, but the eight-digit PIN means there are 100,000,000 possible combinations. Theoretically, the brute-force attempts would take several years, making it an impractical attack scenario.
However, security researcher Stefan Viehböck found “a few really bad design decisions” in WPS that allowed the PIN to be split in two halves and tested separately, according to the warning.
Under WPS, devices could present four digits and the router would report back if the submitted combination was the first half of the PIN, Viehböck found. The last digit of the PIN appears to be just a checksum, which means the attacker only has to guess the remaining three digits in order to figure out the entire PIN. Instead of having to try 100,000,000 combinations, Viehböck found that the attackers have to try only 11,000 different combinations to find the right PIN.
“A design flaw that exists in the WPS specification for the PIN authentication significantly reduces the time required to brute force the entire PIN because it allows an attacker to know when the first half of the 8 digit PIN is correct,” the warning said.
Viehböck found it would take an average of two seconds to test each combination against a router, which means the time required for the brute-force attack has been dramatically slashed from several years to a few hours.
Considering that recent router models tend to have WPS enabled by default, this issue “affects millions of devices worldwide,” Viehböck wrote.
An attacker within range of a wireless access point may be able to brute-force the WPS PIN and retrieve the wireless network password in order to change the access point’s configuration settings or cause a denial of service, according to the US-CERT warning. Once in, the attacker can intercept email and steal credit card numbers or passwords.
Most of the routers Viehböck tested, which included products from Belkin, Buffalo, D-Link, Linksys, Netgear, Technicolor, TP-Link and ZyXEL, did not have any built-in mechanism to handle repeated incorrect PINs. One router from Netgear slowed down its responses when presented with several incorrect PINs in a row, but that just meant it would take the attacker an extra day or so to succeed.
“The lack of a proper lock out policy after a certain number of failed attempts to guess the PIN on some wireless routers makes this brute force attack that much more feasible,” the warning said.
WPS, introduced in 2007 by the WiFi Alliance, was intended to make it easier to setup secure wireless networks in home and small office environments.
US-CERT said it was “currently unaware of a practical solution to this problem.” Instead, the advisory recommended disabling WPS and instead using WPA2 encryption with a strong password to secure the network. Wireless networks can also be set up to use MAC Address filtering to verify and allow only recognized devices onto the network.
While Viehböck said he was working on a brute force tool which he may release at some point, researchers at Maryland-based Tactical Network Solutions have already released one such tool. Available on Google Code, TNS said it will sell a more advanced commercial version of Reaver.
“This is a capability that we at TNS have been testing, perfecting and using for nearly a year,” TNS said in a blog post Dec. 29. Reaver is capable of breaking WPS pins and recovering the plain text WPA/WPA2 pass phrase of the target access point in four to ten hours, according to the router’s response time, TNS claimed.