ie8 fix
madison

Zero Day

Ryan Naraine, Emil Protalinski and Dancho Danchev
Home / News & Blogs / Zero Day

Researcher warns of Wi-Fi Protected Setup security holes

By | January 3, 2012, 6:16am PST

Summary: An attacker within range of the wireless access point may be able to brute force the WPS PIN and retrieve the password for the wireless network, change the configuration of the access point, or cause a denial of service.

A security researcher has gone public with at least two design implementation flaws in Wi-Fi Protected Setup (WPS), the on-by-default tool that helps users set up wireless networks without worrying about technical configuration issues.

According to Stefan Viehbock (see advisory .pdf), WPS is susceptible to brute-force attacks because of a design flaw in the specification.  It basically allows anyone with enough computing power to brute force the WPS PIN because it allows an attacker to know when the first half of the 8 digit PIN is correct.
follow Ryan Naraine on twitter
“The lack of a proper lock out policy after a certain number of failed attempts to guess the PIN on some wireless routers makes this brute force attack that much more feasible,” the US-CERT confirmed in its own advisory.

When the PIN authentication fails the access point will send an EAP-NACK message back to the client. The EAP-NACK messages are sent in a way that an attacker is able to determine if the first half of the PIN is correct. Also, the last digit of the PIN is known because it is a checksum for the PIN. This design greatly reduces the number of attempts needed to brute force the PIN. The number of attempts goes from 108 to 104 + 103 which is 11,000 attempts in total.

It has been reported that some wireless routers do not implement any kind of lock out policy for brute force attempts. This greatly reduces the time required to perform a successful brute force attack. It has also been reported that some wireless routers resulted in a denial-of-service condition because of the brute force attempt and required a reboot.

This essentially means that an attacker within range of the wireless access point may be able to brute force the WPS PIN and retrieve the password for the wireless network, change the configuration of the access point, or cause a denial of service condition.

An attack tool has been released to demonstrate the severity of this issue.

The US-CERT recommends that users disable WPS to mitigate the threat.

Kick off your day with ZDNet's daily e-mail newsletter. It's the freshest tech news and opinion, served hot. Get it.

More from “Zero Day”

Topics

Researcher, Advisory, Flaw, Wireless LANs, Wi-Fi, Wireless And Mobility, Security, Ryan Naraine

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues.

Disclosure

Ryan Naraine

The most important disclosure is of my employment with Kaspersky Lab as a member of the global research and analysis team. Kaspersky Lab is a global company specializing in anti-malware and secure content management technologies. I do not own stocks or other investments in any technology company.

Biography

Ryan Naraine

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content management technologies.

Prior to joining Kaspersky Lab, Ryan was Editor-at-Large/Security at eWEEK, leading the magazine's and Web site's coverage of Internet and computer security issues and managing the popular SecurityWatch blog, covering the daily threats, vulnerabilities and IT security technologies. He also covered IT security, hacker attacks and secure content management topics for Jupiter Media's internetnetnews.com.

Ryan can be reached at naraine SHIFT 2 gmail.com. For daily updates on Ryan's activities, follow him on Twitter.

4
Comments
Add Your Opinion

Join the conversation!

Just In

RE: Researcher warns of Wi-Fi Protected Setup security holes
mrlinux 16th Jan
@IT_Fella 2 Issues MAC filtering is useless, but if you have a CISCO(Linksys) router it may not have disabled this feature even though you set it to disabled.
View in thread
0 Votes
+ -
RE: Researcher warns of Wi-Fi Protected Setup security holes
IT_Fella 3rd Jan
Except, that if you have the ability of setting your router to ONLY be configured through a WIRED connection...which mine does...and is...and use MAC filtering...it makes the task just a wee bit more difficult.
0 Votes
+ -
RE: Researcher warns of Wi-Fi Protected Setup security holes
Aerowind 3rd Jan
@IT_Fella Congratulations, you're good at security. Most people aren't, particularly the ones using WPS in the first place.
0 Votes
+ -
RE: Researcher warns of Wi-Fi Protected Setup security holes
mrlinux 16th Jan
@IT_Fella 2 Issues MAC filtering is useless, but if you have a CISCO(Linksys) router it may not have disabled this feature even though you set it to disabled.
0 Votes
+ -
RE: Researcher warns of Wi-Fi Protected Setup security holes
Derpsaucex 4th Jan
All I ever see are useless WPA2 encrypted wifi that I simply capture a handshake pcap and then run EC2 cloud breaking on it, getting the password in a couple of minutes usually

Join the conversation!

Formatting +
BB Codes - Note: HTML is not supported in forums
  • [b] Bold [/b]
  • [i] Italic [/i]
  • [u] Underline [/u]
  • [s] Strikethrough [/s]
  • [q] "Quote" [/q]
  • [ol][*] 1. Ordered List [/ol]
  • [ul][*] · Unordered List [/ul]
  • [pre] Preformat [/pre]
  • [quote] "Blockquote" [/quote]
ie8 fix
Click Here
ie8 fix

The best of ZDNet, delivered

ZDNet Newsletters

Get the best of ZDNet delivered straight to your inbox

Facebook Activity

Blog Roll

Blog Archive

White Papers, Webcasts, & Resources
ie8 fix
ie8 fix