Wi-Fi Protected Setup made easier to brute force - Update
A researcher has found design flaws and poor implementation in WPS (Wi-Fi Protected Setup) which makes it much simpler to brute force the protection on Wi-Fi access points that use the technology. The discovery has prompted the US CERT to issue an advisory which suggests disabling WPS as a workaround for the problem.
WPS simplifies the process of connecting a device to a Wi-Fi network: the user can push a button to start the authentication, enter a PIN from the new client into the access point, or enter an eight-digit PIN (usually printed on the device) from the access point to configure the connection. It is the last of these methods, known as "external registrar" or wps_reg, that researcher Stefan Viehböck found makes the process vulnerable to brute force attacks, as it does not require any authentication.
A second design flaw, where the first four digits of the eight-digit PIN are checked for validity immediately after they have been transmitted, means that the maximum possible number of authentication attempts needed drops from 10⁸ (100 million) to 10⁴ + 10⁴ = 20,000. It fell further still, to 11,000 (10⁴ + 10³), when the researcher noted that the last digit of the PIN is a checksum of the other seven digits. Once a correct PIN is sent, the access point sends a configuration packet which includes the WPA password.
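The arithmetic above follows directly from how a WPS PIN is structured. The following Python is an added example, not code from the article or from either researcher: it implements the check-digit rule defined in the WPS specification (odd-position digits weighted 3, even-position digits weighted 1, check digit making the total a multiple of 10) and uses it to reproduce the three attempt counts the article compares. The function names are my own.

```python
# Added example (not from the article): the WPS PIN checksum and the
# search-space arithmetic the article describes.

WPS_PIN_LENGTH = 8


def wps_checksum(first_seven: str) -> int:
    """Return the check digit for the first seven digits of a WPS PIN.

    Weighted-sum rule from the WPS specification: digits in odd positions
    (1st, 3rd, 5th, 7th) count three times, even positions once, and the
    check digit brings the total to a multiple of 10.
    """
    if len(first_seven) != 7 or not first_seven.isdigit():
        raise ValueError("expected exactly seven decimal digits")
    total = 0
    for index, ch in enumerate(first_seven):
        weight = 3 if index % 2 == 0 else 1
        total += weight * int(ch)
    return (10 - total % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    """True if pin is eight digits and its last digit is the correct checksum."""
    if len(pin) != WPS_PIN_LENGTH or not pin.isdigit():
        return False
    return int(pin[-1]) == wps_checksum(pin[:7])


def count_valid_second_halves(first_four: str) -> int:
    """Count the 4-digit second halves that form a checksum-valid PIN
    with a fixed first half. Only one in ten passes, hence the 10^3 term."""
    if len(first_four) != 4 or not first_four.isdigit():
        raise ValueError("expected exactly four decimal digits")
    return sum(
        1 for n in range(10 ** 4) if is_valid_wps_pin(first_four + f"{n:04d}")
    )


def worst_case_attempts(split_verification: bool, checksum_known: bool) -> int:
    """Worst-case number of PIN guesses before the right one is found,
    under the three models the article compares.

    split_verification: the access point confirms the first four digits
        on their own (the design flaw described above).
    checksum_known: the guesser exploits the fact that digit 8 is derived
        from digits 1-7, so only three digits of the second half are free.
    """
    if not split_verification:
        return 10 ** 8  # all eight digits must be guessed together
    first_half = 10 ** 4  # digits 1-4 are confirmed independently
    second_half = 10 ** 3 if checksum_known else 10 ** 4
    return first_half + second_half


if __name__ == "__main__":
    # "12345670" is a constructed sample PIN with a valid check digit.
    print("12345670 valid:", is_valid_wps_pin("12345670"))
    print("valid second halves for 1234:", count_valid_second_halves("1234"))
    for split, known in ((False, False), (True, False), (True, True)):
        print(split, known, worst_case_attempts(split, known))
```

Run as a script it prints the 100,000,000 / 20,000 / 11,000 figures from the article; the `count_valid_second_halves` call shows why exactly a tenth of the second halves survive the checksum. For a defender the useful reading is the converse: whatever an access point does after a failed attempt has to be judged against a search space of at most 11,000 guesses, not 100 million.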
In testing, few routers locked out devices sending bad PINs. One Netgear router was found to implement a lockout when authentication failed, but not for long enough to prevent a brute force attack from still succeeding within a day. Viehböck has written an application to brute force WPS connections which "will be released once I get around to cleaning up the code". Independently, another researcher, Craig Heffner, had been looking into the same vulnerabilities and, after Viehböck's publication of his paper, he announced the availability of Reaver, his own WPS brute-force tool, as a GPLv2-licensed, limited-functionality open source version and as an enhanced commercial version.
Update (31/12/11): Viehböck has now released his WPS brute-forcing tool, wpscrack, a proof of concept implementation written in Python. "It's a bit faster than Reaver, but will not work with all Wi-Fi adapters" says Viehböck.
- Brute forcing Wi-Fi Protected Setup – When poor design meets poor implementation, Stefan Viehböck's paper