Steven J. Vaughan-Nichols

Wi-Fi Protected Setup is Busted

By Steven J. Vaughan-Nichols | December 28, 2011, 1:31pm PST

Summary: You know that easy-to-set-up Wi-Fi access point or router of yours? It turns out that the easy-to-set-up part is also easy to hack. Really easy to hack.

The "security" behind this typical WPS setup window is broken.

I’ve never trusted Wi-Fi Protected Setup (WPS) on my Wi-Fi access points (APs) and routers. I’ve always thought that anything that easy to set up had to be easy to hack. It turns out my gut was right. The U.S. Computer Emergency Readiness Team (CERT) has confirmed that security researcher Stefan Viehböck has found a security hole in WPS big enough to drive a network through.

According to Viehböck, he took a look at WPS and found “a few really bad design decisions which enable an efficient brute force attack, thus effectively breaking the security of pretty much all WPS-enabled Wi-Fi routers. As all of the more recent router models come with WPS enabled by default, this affects millions of devices worldwide.” CERT agrees.

How bad is it? CERT states that “An attacker within range of the wireless access point may be able to brute force the WPS PIN and retrieve the password for the wireless network, change the configuration of the access point, or cause a denial of service.”

The problem, as Viehböck explains in detail (PDF link), lies in the WPS PIN method, in which a client proves it knows the eight-digit PIN assigned to the device (this is separate from the push-button mode that most people associate with WPS). The last of the eight digits is a checksum of the first seven, so only 10,000,000 PINs are possible to begin with. Worse, the PIN is verified in two halves: when authentication fails, the access point sends an Extensible Authentication Protocol negative acknowledgement (EAP-NACK), and the point in the exchange at which that NACK arrives tells the attacker whether the first four digits were right. An attacker can therefore brute-force the first half on its own (at most 10,000 guesses) and then the second half (at most 1,000 guesses, since the checksum digit is derived rather than guessed). To be exact, with the worst luck in the world it would take a cracker 11,000 attempts to recover the PIN, rather than the 100,000,000 an eight-digit PIN would suggest.

Think that sounds safe enough? Think again. It seems most APs and routers from such big-name vendors as Buffalo, D-Link, Cisco Linksys, Netgear, Technicolor, TP-Link, and ZyXEL won’t stop an automated attack from trying one PIN after another. They simply let the brute-force attempt continue until it hits the right PIN, in the process quite likely knocking the Wi-Fi devices offline in a de facto denial of service.
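To make the 11,000-attempt figure concrete, here is a small simulation of the split brute force. This is an added example written for this page; it is not code from the article, from Viehböck's paper, or from any real tool. The `WpsOracle` class stands in for a WPS-enabled access point that answers EAP-NACK after message M4 when the first PIN half is wrong and after M6 when the second half is wrong, and that never throttles or locks out the caller, which is the router behaviour described above. The secret PINs fed to it are constructed test values, not real device PINs.

```python
"""Simulated split brute force of a WPS PIN.

Added example for this article; not code from the page, from Viehböck's
paper or from any real tool. WpsOracle stands in for a WPS-enabled access
point; the PINs used below are constructed test values.
"""


def wps_pin_checksum(first_seven: int) -> int:
    """Return the eighth (checksum) digit for a WPS PIN whose first seven
    digits are given as an integer. This is the algorithm from the WPS
    specification; e.g. 1234567 -> 0, giving the well-known PIN 12345670."""
    accum = 0
    pin = first_seven
    while pin:
        accum += 3 * (pin % 10)
        pin //= 10
        accum += pin % 10
        pin //= 10
    return (10 - accum % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    """True if pin is eight decimal digits whose last digit is the checksum."""
    return (len(pin) == 8 and pin.isdigit()
            and int(pin[7]) == wps_pin_checksum(int(pin[:7])))


class WpsOracle:
    """Stand-in for the AP side of the WPS PIN exchange.

    A real AP answers with an EAP-NACK after M4 when the first half of the
    PIN is wrong and after M6 when the second half is wrong; that difference
    is the leak. Nothing here rate-limits or locks out the caller, matching
    the vendor behaviour the article describes.
    """

    def __init__(self, secret_pin: str):
        if not is_valid_wps_pin(secret_pin):
            raise ValueError("secret PIN must be a valid 8-digit WPS PIN")
        self._first, self._second = secret_pin[:4], secret_pin[4:]
        self.attempts = 0  # every query counts; there is no lockout

    def try_pin(self, pin: str) -> str:
        self.attempts += 1
        if pin[:4] != self._first:
            return "EAP-NACK after M4"
        if pin[4:] != self._second:
            return "EAP-NACK after M6"
        return "M7"  # the AP now hands over its WPA credentials


def crack_pin(oracle: WpsOracle) -> str:
    """Recover the PIN in at most 10^4 + 10^3 = 11,000 oracle queries."""
    # Phase 1: a wrong first half is rejected before the AP ever looks at
    # the second half, so the second half can be any filler.
    for first in range(10_000):
        if oracle.try_pin(f"{first:04d}0000") != "EAP-NACK after M4":
            break
    else:
        raise RuntimeError("first half not found")
    # Phase 2: only three digits are free; the eighth is the checksum.
    for tail in range(1_000):
        pin = f"{first:04d}{tail:03d}{wps_pin_checksum(first * 1000 + tail)}"
        if oracle.try_pin(pin) == "M7":
            return pin
    raise RuntimeError("second half not found")


if __name__ == "__main__":
    # 99999995 is the worst-case PIN for this search order (constructed).
    for secret in ("12345670", "99999995"):
        ap = WpsOracle(secret)
        print(secret, "recovered as", crack_pin(ap), "after", ap.attempts, "queries")
```

Against the worst-case PIN the oracle is queried exactly 11,000 times; a naive search that ignored the checksum and the half-by-half feedback would face 100,000,000 candidates.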

After that your network security goes out the window. A cracker on your network can read your e-mail, grab your credit card numbers and passwords, and so on.

What’s the fix for this? There isn’t one. To quote, CERT, “We are currently unaware of a practical solution to this problem.”

So what can you do? Log in to your wireless device and disable WPS. Next, manually configure your Wi-Fi network for WPA2 with CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol, the AES-based encryption that most router interfaces label simply "AES"). The older Wi-Fi security methods should not be used: Wired Equivalent Privacy (WEP) has been completely broken for years, and the original WPA (Wi-Fi Protected Access) with its Temporal Key Integrity Protocol (TKIP) has known weaknesses and is deprecated.
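Consumer router web interfaces all look different, so as an added example (not from the article or any vendor) here is a checker written for an access point running hostapd, the common open-source AP daemon. The option names are hostapd's (`wps_state`, `ap_pin`, `wpa`, `wpa_pairwise`, `rsn_pairwise`, `wep_*`); the two configuration texts are constructed samples, one showing the settings this article tells you to change and one showing the corrected form.

```python
"""Audit a hostapd configuration for the settings this article says to fix:
WPS on, a static AP PIN, WEP, or WPA1/TKIP instead of WPA2/CCMP.

Added example, not code from the article. It assumes the AP runs hostapd
and uses hostapd's option names. Both configs below are constructed samples.
"""

WEAK_CONF = """\
# constructed sample: WPS on with a static PIN, WPA1 with TKIP
interface=wlan0
ssid=HomeNet
wpa=1
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
wpa_passphrase=CorrectHorseBatteryStaple
wps_state=2
ap_pin=12345670
"""

HARDENED_CONF = """\
# constructed sample: WPS off, WPA2 only, CCMP only
interface=wlan0
ssid=HomeNet
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=CorrectHorseBatteryStaple
wps_state=0
"""


def parse_hostapd(text: str) -> dict:
    """Parse key=value lines; '#' comments and blank lines are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def audit_hostapd(text: str) -> list:
    """Return a list of findings; an empty list means nothing to fix."""
    conf = parse_hostapd(text)
    findings = []
    # wps_state: 0 disabled, 1 enabled but unconfigured, 2 enabled and configured.
    if conf.get("wps_state", "0") != "0":
        findings.append(f"WPS enabled (wps_state={conf['wps_state']}); disable it")
    if "ap_pin" in conf:
        findings.append("static AP PIN set (ap_pin); this is what the 11,000-guess attack recovers")
    if any(key.startswith("wep_") for key in conf):
        findings.append("WEP keys configured; WEP is completely broken")
    wpa = conf.get("wpa")
    if wpa != "2":
        findings.append(f"wpa={wpa}; accept WPA2/RSN only (wpa=2)")
    # rsn_pairwise governs WPA2; fall back to wpa_pairwise if it is unset.
    pairwise = conf.get("rsn_pairwise") or conf.get("wpa_pairwise")
    if pairwise is None:
        findings.append("no pairwise cipher set; add rsn_pairwise=CCMP")
    elif set(pairwise.split()) != {"CCMP"}:
        findings.append(f"pairwise ciphers {pairwise!r}; allow CCMP only")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name + ":", audit_hostapd(text) or ["ok"])
```

Run against a real `/etc/hostapd/hostapd.conf` by reading the file into `audit_hostapd`; the weak sample above produces four findings and the hardened one none.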

Unfortunately, since WPS was expressly designed to be used by people without a clue about network security, the people who are going to need to implement these security fixes are the ones who are least able to make them.

The real fix is going to need to come from the vendors with firmware updates. Until that’s done, many home and small office Wi-Fi networks must be considered about as safe as a house with an unlocked front door.

Disclosure

Steven J. Vaughan-Nichols

Steven J. Vaughan-Nichols is a freelance writer. He does not own stocks or other investments in any technology company.

Biography

Steven J. Vaughan-Nichols

Steven J. Vaughan-Nichols, aka sjvn, has been writing about technology and the business of technology since CP/M-80 was the cutting edge, PC operating system; 300bps was a fast Internet connection; WordStar was the state of the art word processor; and we liked it.

His work has been published in everything from highly technical publications (IEEE Computer, ACM NetWorker, Byte) to business publications (eWEEK, InformationWeek, ZDNet) to popular technology (Computer Shopper, PC Magazine, PC World) to the mainstream press (Washington Post, San Francisco Chronicle, BusinessWeek).

24 Comments

You need to write articles like this more. I automatically wasted a good minute trying to find the bias that's so prevalent in your posts, only to realize there wasn't one.
1 Vote
+ -
@Aerowind
On the other hand, you need to write comments like this less. Agreed, everyone?
0 Votes
+ -
@thebaldguy Right, let me apologize for wanting to read articles that are something more than flamebait.
0 Votes
+ -
@Aerowind There is no "flamebait"; there's just the redefinition of the word "biased" nowadays to mean "anyone who doesn't agree with me".
0 Votes
+ -
Filter MAC IDs. Then the permutations between the MAC ID and the password are high enough that it would take too much time to accomplish it with brute force, even with parallel vector attacks. But don't use WPS, it's not worth it. Use WPA2 & AES.

It's the only safe way.
0 Votes
+ -
So we can assume...
John L. Ries 29th Dec
@Aerowind
...that MS doesn't have a financial interest in any of the compromised protocols. Good to know.
0 Votes
+ -
Informal definition of bias
John L. Ries Updated - 30th Dec
@Aerowind
Bias is the quality of any communication (news, opinion, research, etc) that tends to undermine what one wishes to believe (or have others believe).

That is not the real definition, of course, but it's used frequently enough around here and elsewhere that I think it worthwhile to call attention to it, as it tends to change the focus of the debate from the merits of the issue at hand to the alleged alignments and biases of the participants (i.e. whose side who's on) and causes people to judge opinions and other data based on which points of view they support, rather than on whether or not they're true. The worst aspect of this is it gives people an excuse to automatically reject anything that calls into question their preconceived notions (or the party line to which they subscribe), while swallowing whole outright propaganda if it supports their own side (since anything that supports their own ideas is "fair and balanced" by definition).

It's long been true that the most effective propaganda technique is to tell people what they want to hear (it's made a number of radio talk show hosts very rich and influential). Accusations of bias directed at anyone who dares tell people what they don't want to hear merely make the job easier.

Mind you, I'm not specifically accusing *you* of doing that (only you know for certain).
0 Votes
+ -
I flashed my Cisco e3000 with DD-WRT right after purchase
Dietrich T. Schmitz * Your Linux Advocate 28th Dec
dd-wrt doesn't detect WPS by default.
0 Votes
+ -
RE: Wi-Fi Protected Setup is Busted
CobraA1 Updated - 28th Dec
(looks at PDF)

8 decimal digits on the D-Link. Ouch.

"To be exact, with the worse luck in the world it would take a cracker 11.000 attempts to break the code."

11,000? Ouch.

"Think that sounds safe enough?"

No. Computers are good at doing things in the millions/billions. Very good.

"What's the fix for this? There isn't one."

Sure there is.

1) Turn it off. My router has an option to turn it off.
2) Toss it out as a supported protocol on future routers. I don't know anybody who uses it anyways.
3) If they want to try again, they'll have to rewrite it from scratch. It does indeed look like it's fundamentally broken.

"Other, older WI-Fi security methods, such as Wi-Fi Wired Equivalency Privacy (WEP) and WPA (Wi-Fi Protected Access), with the built-in Temporal Key Integrity Protocol (TKIP) have long been broken."

WEP has been totally broken. WPA/TKIP has not. A table of common passwords is not a total breakdown. You should never, ever be using a common password anyways.

The password on a router should be a good one anyways - it only has to be entered once, and barring a complete wipe of the device, it's usually stored permanently anyways. It is not onerous to use a good password on a wireless network.
0 Votes
+ -
RE: Wi-Fi Protected Setup is Busted
jossvasco Updated - 30th Dec
@CobraA1

Very well put, not much to add.
WEP has indeed been broken but I thought everyone here was aware of it as it sounds like last century news. Who wants to remember Hex characters anyway?
Most (if not all) Wi-Fi routers I work with (and they're quite a few years old) are WPA (TKIP+AES) compatible... so again the article sounds like another age.

Edit: @JGM
I know that WEP "protected" Wi-Fi is still all over the place.
My point is that if you're a regular ZDNet reader or any IT review for that matter, the likelihood of still using WEP is slim. Put the other way, people who still use WEP probably never read IT related stuff. So who exactly is this article targeting? Moreover, for IT aware people like us, I find the title somewhat over the top.
0 Votes
+ -
I wish you were right
patibulo Updated - 29th Dec
@jossvasco I live in Germany, where most routers I've seen come with WPA2 activated and its default (unique per device) key written next to the serial number at the bottom.

When I was visiting my parents in the US this summer, I was shocked. Verizon, one of the most popular ISPs in the D.C. area, provided routers with WEP installed by the technicians. Trying to activate WPA results in a warning saying something along the lines of "be careful, not all computers will work". I was scanning the neighborhood and I was shocked at how many WEP routers were out there. If I got hacked there, I'd sue Verizon.
0 Votes
+ -
@jossvasco I've just used Kismet on a Linux laptop to check out what networks/devices it can see in the neighborhood (more and more, especially now after Christmas) and I can see 3 WEP networks right now.
0 Votes
+ -
@CobraA1

Up until recently (1 year ago), routers needed a 'hard reset' about every month to fix lockup issues. So, there came a point then that you had to go with the 'easily remembered and re-setup password'.
0 Votes
+ -
RE: Wi-Fi Protected Setup is Busted
CobraA1 Updated - 31st Dec
@Lerianis10 My routers are several years old, and I have never had to hard reset them, I've only needed to do a reboot. In fact, I don't ever recall ever owning a router that required a hard reset.
0 Votes
+ -
The fact is, WPA2 requires the DoS part of brute force attacks so you know something is going on. 3 bad logon attempts in 30 seconds is supposed to turn off all new connections for 2 minutes. So those 11,000 attempts would take over 45 hours of non-stop tries of 2 tries - no more - every 30 seconds... more than that and they slow themselves way down, to like, 1 try per minute (or more than a week to try 11000 passwords, possibly alerting you to their presence... if you're paying attention).

Or don't you really know what "... won't stop an automated hack from trying one PIN after another. They'll just let the brute-force attacks continue-in the process quite likely knocking the WI-Fi devices off-line from this de facto denial of service attack-until they get the right PIN." actually means?

Far-easier pickings at McD's or Starbucks, where Firesheep can grab your totally unencrypted data right out of the air if you don't know enough to use the secure sockets layer (SSL) i.e. https.
0 Votes
+ -
RE: Wi-Fi Protected Setup is Busted
Tee Bone Jones 28th Dec
Looks like source code has been posted on Google Code: http://code.google.com/p/reaver-wps/
0 Votes
+ -
MAC Filtering
Mr_Tech Updated - 29th Dec
Isn't MAC filtering an option?
0 Votes
+ -
@Mr_Tech MAC spoofing is trivial, and can be done with off the shelf equipment. No special skills or hardware is needed - just a router that is capable of changing its own MAC address (and many home routers are capable of such a thing).
0 Votes
+ -
RE: Wi-Fi Protected Setup is Busted
Michael Kelly 29th Dec
@CobraA1

But still, you'd need to know what to spoof your MAC address to.

Having said that, the better option is to disable WPS, which I do anyway. Not because I feared the security of the software up until now, but because I don't want anybody who has access to the room to hit the button every time they want to attach one of their personal devices.
0 Votes
+ -
"But still, you'd need to know what to spoof your MAC address to."

Easy enough to find using a packet sniffer. They're sent all over the place.
0 Votes
+ -
I will agree with the earlier post about the quality of the article. It's great to see something that isn't just flame bait. Good article.
0 Votes
+ -
RE: Wi-Fi Protected Setup is Busted
capablemonkey Updated - 29th Dec
>"Other, older WI-Fi security methods, such as Wi-Fi Wired Equivalency Privacy (WEP) and WPA (Wi-Fi Protected Access), with the built-in Temporal Key Integrity Protocol (TKIP) have long been broken."

While WEP is definitely broken, WPA1/2-TKIP is not "broken" in the same sense. There is a weakness in WPA-TKIP that is exploited by the Beck-Tews attack but it requires very specific circumstances for it to work.

I exclusively use MAC filtering lists, WPA2 & AES and have been doing so for eons. And instead of sacrificing security for convenience, any device that doesn't support WPA2 & AES simply doesn't connect to my Wi-Fi. Unlike others who purposely set lower security so all devices connect easily. In addition, being multi-homed via (3) ISPs my multiple routers also perform MAC filtering, and prevent anything through their default gateway that isn't on the list. So someone may break in with difficulty, but can't get out to the Internet. Interestingly, all these routers use open-source Linux, my oldest router being a WRT54G running firmware v4.71.1, Hyperwrt 2.1b1 + Thibor15c.

~~~~~~~~~~
If I were a medical man, I should prescribe a holiday to any patient who considered his work important.
~ Bertrand Russell

If the aborigine drafted an I.Q. test, all of Western civilization would presumably flunk it.
~ Stanley Garn

If there is a gun hanging on the wall in the first act, it must fire in the last.
~ Anton Chekhov, advice to a novice playwright.
0 Votes
+ -
RE: Wi-Fi Protected Setup is Busted
calkinsj@... 30th Dec
Although a number of people write about, talk about, think about hacking wireless access points, I only know one person who can actually DO it. Even with the new information which makes it sound like I can easily "drive a network" through a perceived security hole, it's not that easy. Brute force: Just kick the door down? Quite immature . . .
