Wi-Fi Protected Setup (WPS)

The WPS standard was developed in 2007 by the Wi-Fi Alliance (a trade association that promotes wireless LAN technology and certifies products if they conform to certain standards of interoperability) to allow home users who know little of wireless security to set up WPA2 as well as making it easy to add new devices to an existing network. In December 2011 researcher Stefan Viehböck reported a design and implementation flaw to the US-CERT. The flaw makes brute-force attacks against PIN-based WPS feasible to perform on WPS-enabled Wi-Fi networks. The vulnerability note is available on the US-CERT’s web site.

The WPS PIN is 8 digits long, the last one being a checksum. That leaves 10.000.000 (10^7) possible PINs, but this number can be further reduced to only 11.000. Validation of the PIN is done in two steps – the first and the second half are validated separately. Thus the attacker can try all the combinations of the first half (10^4 = 10.000) and then all the combinations of the second half, which contains only 3 unknown digits (10^3 = 1.000).

Soon after the flaw was reported, Tactical Network Solutions released an open source tool, Reaver, which uses the aforementioned protocol flaw to get the network key from the WPS-enabled device. A video of Reaver in action is available on their web site.

To make things worse, some Access Points don’t have an option to disable the WPS feature and some Access Points keep it turned on even if the user disabled it through the user interface.

The success of an attack is implementation dependent. If the Access Point turns the WPS feature off for some time after receiving multiple wrong PINs, the attack is likely to fail because exhausting the remaining guesses would take too long.
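An added example, not from the original article, that models the two points above: the keyspace reduction that follows from split validation of a PIN whose last digit is a checksum, and why a temporary WPS lockout after a few wrong PINs changes the picture. The checksum weighting is the one defined in the WPS specification; the timing parameters (seconds per attempt, lockout length) are constructed assumptions, not measurements.

```python
# Added example: models the WPS PIN keyspace and a lockout policy.
# Not code from the original article or from Reaver.

def wps_checksum(first7: str) -> int:
    """Checksum digit for the first seven PIN digits.

    WPS specification: weight digits at positions 1,3,5,7 by 3 and
    positions 2,4,6 by 1, then pick the digit that makes the sum a
    multiple of 10 (a Luhn-style check)."""
    digits = [int(c) for c in first7]
    acc = 3 * sum(digits[0::2]) + sum(digits[1::2])
    return (10 - acc % 10) % 10


def is_valid_pin(pin: str) -> bool:
    """True if `pin` is 8 digits whose last digit is the correct checksum."""
    return len(pin) == 8 and pin.isdigit() and int(pin[7]) == wps_checksum(pin[:7])


def second_half_candidates(first_half: str) -> int:
    """How many 4-digit second halves pass the checksum once the first
    half is fixed: only 3 digits are free, so the count is 10^3."""
    return sum(1 for n in range(10_000) if is_valid_pin(first_half + f"{n:04d}"))


def split_validation_attempts() -> int:
    """Worst case when the AP validates the halves separately: 10^4 + 10^3."""
    return 10**4 + second_half_candidates("0000")


def monolithic_attempts() -> int:
    """Worst case if the whole PIN were validated at once: 10^7 (checksum fixed)."""
    return 10**7


def worst_case_hours(attempts: int, seconds_per_attempt: float,
                     lockout_after: int, lockout_seconds: float) -> float:
    """Worst-case time to exhaust `attempts` guesses when the AP disables
    WPS for `lockout_seconds` after every `lockout_after` failures.
    All parameters are assumptions supplied by the caller."""
    lockouts = (attempts - 1) // lockout_after   # lockouts hit before the last guess
    return (attempts * seconds_per_attempt + lockouts * lockout_seconds) / 3600


if __name__ == "__main__":
    print("split validation attempts:", split_validation_attempts())
    print("no lockout, 2 s/attempt (h):", round(worst_case_hours(11_000, 2, 1, 0), 1))
    print("5 min lockout after 3 failures (h):", round(worst_case_hours(11_000, 2, 3, 300), 1))
```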

What can the users do to protect their wireless networks?

We can turn the WPS feature off if we do not need it. As mentioned, the attack might still be possible even then, so we can check with Reaver whether WPS is really disabled. Regularly checking the vendor’s web site for new firmware is another good thing to do. Cisco has published a list of Linksys devices for which they have released or will release suitable firmware. There are also some alternative open source firmware projects to check for compatible firmware – Tomato, OpenWRT and DD‑WRT.

As WPS was introduced in 2007, devices manufactured before then should not be at risk.


The author of this article is Marko Dolničar, who has been working as a student intern at ViRIS.

Posted by milan on 3.5.2012