Security Sidebar: Wi-Fi unProtected Setup

The ubiquitous wireless router.  These devices are in our office buildings, hotels, restaurants, gas stations...and most certainly our homes.  They are the lifeblood of the Internet connectivity we rely on every single day.  With our demand for wireless Internet, it should come as no surprise when Cisco claims that the number of wireless devices will exceed the world’s population this year (2014).  So with all these wireless devices accessing all these wireless routers, I thought it would be nice to highlight a recent security flaw that you might find interesting.  While you probably won't be able to directly affect change on the wireless router(s) in your hotel room, restaurant, or gas station, you can certainly use this information to lock down your wireless router at home.

Everyone who's anyone knows that, when you configure your router, you should enable wireless security (WPA, WPA2, Mixed Mode, etc).  Furthermore, many people use a long, sophisticated, there's-no-way-you-will-ever-guess-this password when configuring said security.  The pain with using long passwords is that every time you need to connect a device, you have to type in the cumbersome password.  Some consider this a bit too much for their delicate fingers and busy schedules.  Fortunately, the Wi-Fi Alliance created the Wi-Fi Protected Setup (WPS) feature that allows devices to easily connect to wireless routers using the benefits of strong security without the need to remember long, confusing passwords.

WPS has three different modes:  Push Button Configuration, PIN entry, and Near Field Communication.  Push Button Configuration allows a user to physically push a button on the wireless router and then push/click a button on their wireless device and the WPS does all the security configuration for you.  Using the PIN entry, a wireless device will detect the wireless network and be prompted for a PIN.  When the correct PIN is entered, the device is added to the network.  The Near Field Communication mode allows network settings to be transferred to a new device without requiring manual entry of the PIN.  For all wireless routers with WPS enabled (which includes most wireless routers on the market today), the PIN entry mode is mandatory.  The Push Button Configuration and Near Field Communication modes are optional.  The mandatory PIN entry mode is the highlight of the security flaw that I mentioned earlier, so let's check it out.

Several articles have been written over the past few years highlighting the shortcomings of the WPS PIN entry.  First, the PIN entry mode is mandatory for any WPS enabled device (so attackers always know they can exploit this feature).  What's more interesting is that the PIN is always 8 digits long.  Can it get more interesting than that?  Yes it can.

Turns out, the 8-digit PIN is actually broken up into a 4-digit number, a 3-digit number, and a checksum number.  This makes it much easier to guess the PIN.  When a wireless device tries to connect to the router using the WPS PIN entry, the router will respond with a message that tells the device if the first 4 digits of the PIN are correct or not.  Most routers do not limit the number of PIN entries, so you can keep guessing the first 4 digits of the PIN until the router sends you a success message.  After that, you simply guess the next three digit number.  Finally, you calculate the final checksum number using the previous seven digits.  Using this information, an attacker could get the PIN in less than 11,000 guesses.  Once you know the PIN, you can access the router at will...even if the security password or SSID changes.  To make things easier for the attacker, a tool called Reaver is available for purchase.  This open source tool will crack a WPS PIN in a matter of a few hours.  Pretty crazy stuff, huh?

Some of the more modern wireless routers have introduced a PIN lockout feature that only allows a certain number of PIN entries before locking out.  This is nice because the attack vector I just described will take up to 11,000 attempts before learning the PIN...certainly violating the lockout threshold.  The bad news is that a guy named Dominique Bongard, founder of Swiss security firm 0xcite, recently published an attack method that will brute-force attack the WPS PIN with one guess and a series of offline calculations.  By using only one guess, the attacker will certainly be able to avoid any PIN lockouts that may be present.

Is your home's wireless router vulnerable to at least one of these attacks?  Very likely so.  The suggested mitigation is to disable the WPS feature on your router.  Although, even disabling WPS still doesn't solve the issue in some cases.  You could also implement MAC address filtering on your network so that only known MAC addresses can connect.

Until next time...keep it wireless, but keep it secure!


Published Sep 03, 2014
Version 1.0

Was this article helpful?

No CommentsBe the first to comment