Wi-Fi Protected Setup is Busted

Summary: You know that easy-to-set-up Wi-Fi access point or router of yours? It turns out that the easy-to-set-up part is also easy to hack. Really easy to hack.

The "security" behind this typical WPS setup window is broken.

I've never trusted Wi-Fi Protected Setup (WPS) on my Wi-Fi access points (AP) and routers. I've always thought that anything that was that easy to set up had to be easy to hack. It turns out my gut was right. The U.S. Computer Emergency Readiness Team (CERT) has confirmed that security researcher Stefan Viehböck has found a security hole big enough to drive a network through WPS.

According to Viehböck, he took a look at WPS and found "a few really bad design decisions which enable an efficient brute force attack, thus effectively breaking the security of pretty much all WPS-enabled Wi-Fi routers. As all of the more recent router models come with WPS enabled by default, this affects millions of devices worldwide." CERT agrees.

How bad is it? CERT states that "An attacker within range of the wireless access point may be able to brute force the WPS PIN and retrieve the password for the wireless network, change the configuration of the access point, or cause a denial of service."

The problem, as Viehböck explains in detail (PDF link), lies in how the device's personal identification number (PIN) is checked; to the user, WPS is usually presented as a simple physical or virtual push-button. When PIN authentication fails, the access point sends an Extensible Authentication Protocol Negative Acknowledgement (EAP-NACK), and these are sent in a way that lets an attacker learn whether the first half of the PIN is right. The PIN's last digit is a checksum over the rest of the PIN, so once the first half is known, the attacker only has to find the three remaining digits. What all that means is that it becomes much easier to work out a PIN. To be exact, with the worst luck in the world it would take a cracker 11,000 attempts to break the code.
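As an added illustration (not code from the article or from Viehböck's paper), here is the WPS PIN check-digit rule from the Wi-Fi Simple Configuration specification and the arithmetic behind the 11,000 figure: the check digit is derived from the first seven digits, and once the EAP-NACK behaviour confirms the first half on its own, the two halves are searched independently. The PIN values used below are constructed for the example.

```python
# Added example: WPS PIN check digit (Wi-Fi Simple Configuration spec)
# and the worst-case search-space arithmetic the article describes.

def wps_checksum(first_seven: str) -> int:
    """Return the 8th (check) digit for the first seven digits of a WPS PIN.

    Digits in odd positions (1st, 3rd, 5th, 7th) are weighted 3, the
    others 1; the check digit makes the weighted sum a multiple of 10.
    """
    if len(first_seven) != 7 or not first_seven.isdigit():
        raise ValueError("expected exactly seven decimal digits")
    accum = 0
    for i, ch in enumerate(first_seven):
        accum += (3 if i % 2 == 0 else 1) * int(ch)
    return (10 - accum % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    """True if an 8-digit PIN carries the correct check digit."""
    return len(pin) == 8 and pin.isdigit() and wps_checksum(pin[:7]) == int(pin[7])


def worst_case_attempts() -> dict:
    """Worst-case number of guesses under each assumption.

    naive:          every 8-digit PIN is a candidate (10^8)
    checksum_only:  digit 8 is derived from the others (10^7)
    halves_leaked:  the AP's EAP-NACK reveals whether the first four
                    digits are right, so the halves are searched one
                    after the other: 10^4 for digits 1-4, then 10^3 for
                    digits 5-7 (digit 8 is the checksum).
    """
    first_half = 10 ** 4
    second_half = 10 ** 3
    return {
        "naive": 10 ** 8,
        "checksum_only": 10 ** 7,
        "halves_leaked": first_half + second_half,
    }


if __name__ == "__main__":
    prefix = "1234567"                      # constructed sample prefix
    print(prefix + str(wps_checksum(prefix)))
    print(is_valid_wps_pin("12345670"), is_valid_wps_pin("12345675"))
    print(worst_case_attempts())
```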

Think that sounds safe enough? Think again. It seems most APs and routers from such big-name vendors as Buffalo, D-Link, Cisco Linksys, Netgear, Technicolor, TP-Link, and ZyXEL won't stop an automated hack from trying one PIN after another. They'll just let the brute-force attack continue, in the process quite likely knocking the Wi-Fi devices off-line in a de facto denial of service, until the attacker gets the right PIN.

After that your network security goes out the window. A cracker can read your e-mail, grab your credit card passwords and on and on.

What's the fix for this? There isn't one. To quote CERT, "We are currently unaware of a practical solution to this problem."

So what can you do? You need to log in to your wireless device and disable WPS. Next, you'll need to reset your Wi-Fi network to use WPA2 with Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP), a.k.a. Advanced Encryption Standard (AES), configured manually. Other, older Wi-Fi security methods, such as Wired Equivalent Privacy (WEP) and Wi-Fi Protected Access (WPA) with its built-in Temporal Key Integrity Protocol (TKIP), have long been broken.

Unfortunately, since WPS was expressly designed to be used by people without a clue about network security, the people who are going to need to implement these security fixes are the ones who are least able to make them.

The real fix is going to need to come from the vendors with firmware updates. Until that's done, many home and small office Wi-Fi networks must be considered about as safe as a house with an unlocked front door.

Talkback

24 comments
  • RE: Wi-Fi Protected Setup is Busted

    You need to write articles like this more. I automatically wasted a good minute trying to find the bias that's so prevalent in your posts, only to realize there wasn't one.
    Aerowind
    • RE: Wi-Fi Protected Setup is Busted

      @Aerowind
      On the other hand, you need to write comments like this less. Agreed, everyone?
      thebaldguy
      • RE: Wi-Fi Protected Setup is Busted

        @thebaldguy Right, let me apologize for wanting to read articles that are something more than flamebait.
        Aerowind
      • RE: Wi-Fi Protected Setup is Busted

        @Aerowind There is no "flamebait"; there's just the redefinition of the word "biased" nowadays to mean "anyone who doesn't agree with me".
        jgm@...
      • There actually is a good solution to this problem.

        Filter MAC IDs. Then the permutations between the MAC ID and the password are high enough that it would take too much time to accomplish it with brute force, even with parallel vector attacks. But don't use WPS, it's not worth it. Use WPA2 & AES.

        It's the only safe way.
        Uralbas
    • So we can assume...

      @Aerowind
      ...that MS doesn't have a financial interest in any of the compromised protocols. Good to know.
      John L. Ries
    • Informal definition of bias

      @Aerowind
      Bias is the quality of any communication (news, opinion, research, etc) that tends to undermine what one wishes to believe (or have others believe).

      That is not the real definition, of course, but it's used frequently enough around here and elsewhere that I think it worthwhile to call attention to it, as it tends to change the focus of the debate from the merits of the issue at hand to the alleged alignments and biases of the participants (i.e. whose side who's on) and causes people to judge opinions and other data based on which points of view they support, rather than on whether or not they're true. The worst aspect of this is it gives people an excuse to automatically reject anything that calls into question their preconceived notions (or the party line to which they subscribe), while swallowing whole outright propaganda if it supports their own side (since anything that supports their own ideas is "fair and balanced" by definition).

      It's long been true that the most effective propaganda technique is to tell people what they want to hear (it's made a number of radio talk show hosts very rich and influential). Accusations of bias directed at anyone who dares tell people what they don't want to hear merely make the job easier.

      Mind you, I'm not specifically accusing *you* of doing that (only you know for certain).
      John L. Ries
  • I flashed my Cisco e3000 with DD-WRT right after purchase

    dd-wrt doesn't detect WPS by default.
    Dietrich T. Schmitz *Your
  • RE: Wi-Fi Protected Setup is Busted

    (looks at PDF)

    8 decimal digits on the D-Link. Ouch.

    "To be exact, with the worse luck in the world it would take a cracker 11.000 attempts to break the code."

    11,000? Ouch.

    "Think that sounds safe enough?"

    No. Computers are good at doing things in the millions/billions. Very good.

    "What's the fix for this? There isn't one."

    Sure there is.

    1) Turn it off. My router has an option to turn it off.
    2) Toss it out as a supported protocol on future routers. I don't know anybody who uses it anyways.
    3) If they want to try again, they'll have to rewrite it from scratch. It does indeed look like it's fundamentally broken.

    "Other, older WI-Fi security methods, such as Wi-Fi Wired Equivalency Privacy (WEP) and WPA (Wi-Fi Protected Access), with the built-in Temporal Key Integrity Protocol (TKIP) have long been broken."

    WEP has been totally broken. WPA/TKIP has not. A table of common passwords is not a total breakdown. You should never, ever be using a common password anyways.

    The password on a router should be a good one anyways - it only has to be entered once, and barring a complete wipe of the device, it's usually stored permanently anyways. It is not onerous to use a good password on a wireless network.
    CobraA1
    • RE: Wi-Fi Protected Setup is Busted

      @CobraA1

      Very well put, not much to add.
      WEP has indeed been broken but I thought everyone here was aware of it as it sounds like last century news. Who wants to remember Hex characters anyway?
      Most (if not all) Wi-Fi routers I work with (and they're quite a few years old) are WPA (TKIP+AES) compatible... so again the article sounds like another age.

      Edit: @JGM
      I know that WEP "protected" Wi-Fi is still all over the place.
      My point is that if you're a regular ZDnet reader or any IT review for that matter, the likelihood of still using WEP is slim. Put the other way, people who still use WEP probably never read IT related stuff. So who exactly is this article targeting? Moreover, for IT aware people like us, I find the title somewhat over the top.
      jossvasco
      • I wish you were right

        @jossvasco I live in Germany, where most routers I've seen come with WPA2 activated and its default (unique per device) key written next to the serial number at the bottom.

        When I was visiting my parents in the US this summer, I was shocked. Verizon, one of the most popular ISPs in the D.C. area, provided routers with WEP installed by the technicians. Trying to activate WAP results in a warning saying something along the lines "be careful, not all computers will work". I was scanning the neighborhood and I was shocked about how many WEP routers were out there. If I got hacked there, I'd sue Verizon.
        patibulo
      • RE: Wi-Fi Protected Setup is Busted

        @jossvasco I've just used Kismet on a Linux laptop to check out what networks/devices it can see in the neighborhood (more and more, especially now after Christmas) and I can see 3 WEP networks right now.
        jgm@...
    • RE: Wi-Fi Protected Setup is Busted

      @CobraA1

      Up until recently (1 year ago), routers needed a 'hard reset' about every month to fix lockup issues. So, there came a point then that you had to go with the 'easily remembered and re-setup password'.
      Lerianis10
      • RE: Wi-Fi Protected Setup is Busted

        @Lerianis10 My routers are several years old, and I have never had to hard reset them, I've only needed to do a reboot. In fact, I don't ever recall ever owning a router that required a hard reset.
        CobraA1
  • RE: Wi-Fi Protected Setup is Busted

    The fact is, WPA2 requires the DoS part of brute force attacks so you know something is going on. 3 bad logon attempts in 30 seconds is supposed to turn off all new connections for 2 minutes. So those 11,000 attempts would take over 45 hours of non-stop tries of 2 tries - no more - every 30 seconds... more than that and they slow themselves way down, to like, 1 try per minute (or more than a week to try 11000 passwords, possibly alerting you to their presence... if you're paying attention).

    Or don't you really know what "... won't stop an automated hack from trying one PIN after another. They'll just let the brute-force attacks continue-in the process quite likely knocking the WI-Fi devices off-line from this de facto denial of service attack-until they get the right PIN." actually means?

    Far-easier pickings at McD's or Starbucks, where Firesheep can grab your totally unencrypted data right out of the air if you don't know enough to use the secure sockets layer (SSL) i.e. https.
    Darr247
  • RE: Wi-Fi Protected Setup is Busted

    Looks like source code has been posted on Google Code: http://code.google.com/p/reaver-wps/
    Tee Bone Jones
  • MAC Filtering

    Isn't MAC filtering an option?
    Mr_Tech
    • RE: Wi-Fi Protected Setup is Busted

      @Mr_Tech MAC spoofing is trivial, and can be done with off the shelf equipment. No special skills or hardware is needed - just a router that is capable of changing its own MAC address (and many home routers are capable of such a thing).
      CobraA1
      • RE: Wi-Fi Protected Setup is Busted

        @CobraA1

        But still, you'd need to know what to spoof your MAC address to.

        Having said that, the better option is to disable WPS, which I do anyway. Not because I feared the security of the software up until now, but because I don't want anybody who has access to the room to hit the button every time they want to attach one of their personal devices.
        Michael Kelly
      • RE: Wi-Fi Protected Setup is Busted

        "But still, you'd need to know what to spoof your MAC address to."

        Easy enough to find using a packet sniffer. They're sent all over the place.
        CobraA1