If you have a WiFi router at home and are using the WiFi Protected Setup (WPS) to secure your network, you might want to think about switching to another protocol. The US Computer Emergency Readiness Team sent out an alert this week that describes an exploit in WPS that could lead to cyber attackers figuring out your WiFi password.

The WPS protocol is supposed to make setting up a wireless network easier for people who are not as tech savvy as others. However, US-CERT now says:

A design flaw that exists in the WPS specification for the PIN authentication significantly reduces the time required to brute force the entire PIN because it allows an attacker to know when the first half of the 8 digit PIN is correct. The lack of a proper lock out policy after a certain number of failed attempts to guess the PIN on some wireless routers makes this brute force attack that much more feasible.

At the moment there is no solution to fixing this issue. US-CERT recommends that people who are using WPS for their WiFi routers disable it and use another method to secure the router, including “using WPA2 encryption with a strong password.” Several WiFi router makers such as Netgear, D-Link, Belkin and others sell products with WPS but so far none of them have commented on this newly discovered exploit.

WiFi WPS exploit found; no solution yet – Neowin.net.

 

Vulnerability Note VU#723755

WiFi Protected Setup PIN brute force vulnerability

Overview

The WiFi Protected Setup (WPS) PIN is susceptible to a brute force attack. A design flaw that exists in the WPS specification for the PIN authentication significantly reduces the time required to brute force the entire PIN because it allows an attacker to know when the first half of the 8 digit PIN is correct. The lack of a proper lock out policy after a certain number of failed attempts to guess the PIN on some wireless routers makes this brute force attack that much more feasible.

I. Description

WiFi Protected Setup (WPS) is a computing standard created by the WiFi Alliance to ease the setup and securing of a wireless home network. WPS contains an authentication method called “external registrar” that only requires the router’s PIN. By design this method is susceptible to brute force attacks against the PIN.

When the PIN authentication fails the access point will send an EAP-NACK message back to the client. The EAP-NACK messages are sent in a way that an attacker is able to determine if the first half of the PIN is correct. Also, the last digit of the PIN is known because it is a checksum for the PIN. This design greatly reduces the number of attempts needed to brute force the PIN. The number of attempts goes from 108 to 104 + 103 which is 11,000 attempts in total.

It has been reported that some wireless routers do not implement any kind of lock out policy for brute force attempts. This greatly reduces the time required to perform a successful brute force attack. It has also been reported that some wireless routers resulted in a denial-of-service condition because of the brute force attempt and required a reboot.

II. Impact

An attacker within range of the wireless access point may be able to brute force the WPS PIN and retrieve the password for the wireless network, change the configuration of the access point, or cause a denial of service.

III. Solution

We are currently unaware of a practical solution to this problem.

Workarounds
Disable WPS.

Although the following will not mitigate this specific vulnerability, best practices also recommend only using WPA2 encryption with a strong password, disabling UPnP, and enabling MAC address filtering so only trusted computers and devices can connect to the wireless network.

Vendor Information

Vendor Status Date Notified Date Updated
Belkin, Inc. Affected 2011-12-27
Buffalo Inc Affected 2011-12-27
D-Link Systems, Inc. Affected 2011-12-05 2011-12-27
Linksys (A division of Cisco Systems) Affected 2011-12-05 2011-12-27
Netgear, Inc. Affected 2011-12-05 2011-12-27
Technicolor Affected 2011-12-27
TP-Link Affected 2011-12-27
ZyXEL Affected 2011-12-27

References

http://en.wikipedia.org/wiki/Wi-Fi_Protected_Setup
http://download.microsoft.com/download/a/f/7/af7777e5-7dcd-4800-8a0a-b18336565f5b/WCN-Netspec.doc
http://www.wi-fi.org/wifi-protected-setup/
http://sviehb.wordpress.com/2011/12/27/wi-fi-protected-setup-pin-brute-force-vulnerability/

Credit

Thanks to Stefan Viehböck for reporting this vulnerability.

This document was written by Jared Allar.

Other Information

Date Public: 2011-12-27
Date First Published: 2011-12-27
Date Last Updated: 2011-12-27
CERT Advisory:
CVE-ID(s):
NVD-ID(s):
US-CERT Technical Alerts:
Severity Metric: 7.44
Document Revision: 21

http://www.kb.cert.org/vuls/id/723755

Leave a Reply