A security researcher has gone public with at least two design implementation flaws in Wi-Fi Protected Setup (WPS), the on-by-default tool that helps users set up wireless networks without worrying about technical configuration issues.
According to Stefan Viehbock (see advisory .pdf), WPS is susceptible to brute-force attacks because of a design flaw in the specification. It basically allows anyone with enough computing power to brute force the WPS PIN because it allows an attacker to know when the first half of the 8 digit PIN is correct. "The lack of a proper lock out policy after a certain number of failed attempts to guess the PIN on some wireless routers makes this brute force attack that much more feasible," the US-CERT confirmed in its own advisory.
When the PIN authentication fails the access point will send an EAP-NACK message back to the client. The EAP-NACK messages are sent in a way that an attacker is able to determine if the first half of the PIN is correct. Also, the last digit of the PIN is known because it is a checksum for the PIN. This design greatly reduces the number of attempts needed to brute force the PIN. The number of attempts goes from 108 to 104 + 103 which is 11,000 attempts in total.
It has been reported that some wireless routers do not implement any kind of lock out policy for brute force attempts. This greatly reduces the time required to perform a successful brute force attack. It has also been reported that some wireless routers resulted in a denial-of-service condition because of the brute force attempt and required a reboot.
This essentially means that an attacker within range of the wireless access point may be able to brute force the WPS PIN and retrieve the password for the wireless network, change the configuration of the access point, or cause a denial of service condition.
An attack tool has been released to demonstrate the severity of this issue.
The US-CERT recommends that users disable WPS to mitigate the threat.