Wednesday, 28 December 2011 22:32

Wireless Protected Setup Broken; We Wonder Why it Took So Long

Written by

Reading time is around minutes.

broken-lockWe have said this before and we will say it again; what can be locked, can be unlocked. We also would like to add that nothing is “secure” unless it is powered off, unplugged and perhaps at the bottom of the ocean. I will never forget the feeling of watching someone remotely open and close the tray on my XboX and that was wired and behind TWO firewalls. Let’s face it all you can really do is minimize the threat and have a good plan to react when something happens.

Now I know by now you are wondering where I am going with all of this, well it is just that one of the mainstays of home and small business wireless, the wireless protected setup has been broken. WPS was intended as a way to allow users to quickly setup a secure network using the WPA (Wi-Fi Protected Access) protocol. However the key to this is a simple pin code that is only 8 digits. When we first saw WPS in action our thought was “how can a 6 digit (numeric only) be secure? If you have 0-9 and 8 digits the possible combinations is only around 100 million. Now considering the fact that WEP (wired equivalent privacy) at 48-bit uses more than that as it uses alphanumeric combinations and can be hacked in about 5-minutes with even slow hardware I am not surprised to find that WPS has been cracked open.  In fact my first thought was “why did it take this long?”

The new discovery happened when Stefan Viehbock found a few very poorly implemented versions of this handy little feature. This in turn caught the eye of US-CERT (United States Computer Emergency Readiness Team). From there things took off and we have the announcement we have today.  Now, as we said if the PIN is 6 numeric digits then you only have about possible combinations. Well apparently some of the WPS implementations make it even easier than that.  

When using WPS and the pin there is no lock out policy in effect (much like WEP) so you can attempt the PIN as many times as you like (again on most systems). The odd thing is that if you get the PIN wrong the access point will actually give you a return response allows the attacker to find out the first half (yes half of 8 digits) is correct. Additionally the last digit of the PIN is found in the checksum of the PIN so you are now only looking for 3 in reality. Your possible combinations drop from 100 million to around 11, 000.

This flaw was found on many of the leading brands of wireless devices including Lynksys, D-Link, Belkin, Netgear, TP-Link, ZyXEL, Buffalo and Technicolor.  In many cases the use of this attack causes the access point to stop sending or retrieving traffic until it is rebooted, effectively a handy little DoS attack.
The only work around for this is to turn off WPS. To help further protect your network it is recommended that you use WPA2 with AES encryption, a strong password, turn off UPnP (universal Plug and Play), and as a final measure use MAC (Machine Address Code) filtering to only allow trusted systems into your network. The last step is not always supported by residential wireless gear, but if you have the option it is nice to have.

Discuss this in our Forum

Read 2757 times Last modified on Wednesday, 28 December 2011 22:39

Leave a comment

Make sure you enter all the required information, indicated by an asterisk (*). HTML code is not allowed.