Vulnerability in WiFi’s WPS is likely to affect the majority of home users
On 27 December Stefan Viehböck disclosed a WiFi Protected Setup (WPS) vulnerability. WPS was developed by the WiFi Alliance in 2007. Its purpose is to provide easy WiFi security for home users. “I noticed a few really bad design decisions,” wrote Stefan, “which enable an efficient brute force attack, thus effectively breaking the security of pretty much all WPS-enabled Wi-Fi routers. As all of the more recent router models come with WPS enabled by default, this affects millions of devices worldwide.”
More details are provided in his paper Brute forcing Wi-Fi Protected Setup. He notes two basic design flaws in WPS.
As the External Registrar option does not require any kind of authentication apart from providing the PIN, it is potentially vulnerable to brute force attacks.
An attacker can derive information about the correctness of parts of the PIN from the AP's responses.
The latter ‘flaw’ effectively reduces the length of the PIN, allowing an attacker to try all possibilities within a short period of time. Stefan wrote a ‘proof of concept’ brute force attack. Brute force attacks of this kind are usually thwarted by a ‘lock-down’ facility; that is, further log-in attempts are automatically blocked after, say, three failures. But, he writes,
Some vendors did not implement any kind of blocking mechanism to prevent brute force attacks. This allows an attacker to try all possible PIN combinations in less than four hours (at 1.3 seconds/attempt).
On average an attack will succeed in half the time.
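The arithmetic behind the "less than four hours" figure, and what a lock-down does to it, as an added example that is not code from Stefan's paper or from this article. It assumes the standard WPS PIN layout (eight digits, the last a checksum, with the first four digits confirmed separately from the rest), which the article does not spell out; the lock-down durations are constructed values.

```python
# Added example: worst-case time to exhaust the WPS PIN space.
# Assumptions (not stated in the article): the PIN has 8 digits, digit 8 is a
# checksum of the other 7, and the AP confirms digits 1-4 separately from
# digits 5-8. Lock-down durations below are constructed sample values.

def pin_candidates(split_confirmation: bool) -> int:
    """Upper bound on the number of PIN guesses needed."""
    first_half = 10 ** 4    # digits 1-4
    second_half = 10 ** 3   # digits 5-7; digit 8 is derived, not guessed
    if split_confirmation:
        # Each half is confirmed on its own, so they are searched in turn.
        return first_half + second_half
    # Without per-half feedback both halves must be right at the same time.
    return first_half * second_half


def exhaust_seconds(attempts, per_attempt, lock_after=None, lock_seconds=0):
    """Worst-case seconds to try `attempts` PINs.

    lock_after / lock_seconds model a lock-down: after every `lock_after`
    failed attempts the AP refuses further attempts for `lock_seconds`.
    """
    total = attempts * per_attempt
    if lock_after:
        failures = attempts - 1  # every guess except the last one fails
        total += (failures // lock_after) * lock_seconds
    return total


def report(per_attempt=1.3):
    """Rows of (split_confirmation, policy, guesses, worst-case hours)."""
    policies = [
        ("no lock-down", None, 0),
        ("3 failures -> 60 s lock", 3, 60),      # constructed policy
        ("3 failures -> 60 min lock", 3, 3600),  # constructed policy
    ]
    rows = []
    for split in (False, True):
        guesses = pin_candidates(split)
        for label, after, secs in policies:
            hours = exhaust_seconds(guesses, per_attempt, after, secs) / 3600
            rows.append((split, label, guesses, round(hours, 1)))
    return rows


if __name__ == "__main__":
    for split, label, guesses, hours in report():
        print(f"split={split!s:5} {label:26} {guesses:>10,} guesses {hours:>12,.1f} h")
```

The split-confirmation rows show why the second flaw matters: without a lock-down the whole space is covered in under four hours, and the unsplit rows show how far even the same policies would stretch the search if the AP did not reveal which half was wrong.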
Stefan’s vulnerability has now been accepted by CERT. CERT’s advisory comments:
We are currently unaware of a practical solution to this problem.
Although the following will not mitigate this specific vulnerability, best practices also recommend only using WPA2 encryption with a strong password, disabling UPnP, and enabling MAC address filtering so only trusted computers and devices can connect to the wireless network.
Ironic, isn’t it? The ‘official’ security solution often provided by default for non-technical home users requires a technical capability beyond the average home user in order to stop it being a weakness… But irony or no irony, the simple fact is that the majority of home users everywhere are likely to be vulnerable.