Big Security Hole Found in Wi-Fi Protected Setup

Wi-Fi Protected Setup (WPS) is a method of configuring home routers using secure wireless connections by using a PIN. However, there's a massive problem with it reports DailyTech.

The WPS standard was created by the Wi-Fi alliance - www.wi-fi.org - as a way to help make home networking easier, but unfortunately, it also created a gaping security hole. The EAP-NACK message in the WPS protocol includes a flag in it, which unwittingly allows hackers to subvert a router quickly and easily - oops. As DailyTech explains: "The message tells the user if the first half of the pin they typed was right.  Thus it drastically reduces the time needed to crack the PIN using a brute force attack.  Add in that the last bit of the PIN is always its checksum, you have a recipe for a security disaster. The flaw reduces the time it takes to crack your average PIN from 10⁸ attempts to 10⁴+10³ attempts (11,000 attempts total).  Assuming you can fire off ten requests or more a second, you should be able to crack routers in minutes."

So, it's not quite as insecure as WEP which can be nailed in just a few seconds, but it's not far off either and with increasing computer power, this exploit becomes ever quicker and easier to crack. You'd think realizing that implementing a flag which tells you if part of your password is right or wrong would be spotted as a security risk at the design stage, wouldn't you? Apparently not.

Stefan Viehboeck initially discovered this vulnerability and advised the U.S. Department of Homeland Security (DHS) which issued a warning to the public about this issue. WPS is implemented in many routers from household names such as Netgear, Cisco/Linksys, D-link and Belkin, so Viehboeck advised them of this problem too, so that they could fix their routers. However, as is to be expected with such things, none of those manufacturers have done anything about this. Therefore, he will be releasing an exploitation tool written in C to the public which might just prod them into action.

In the meantime, the recommended action is to switch off WPS and set up your wireless network the hard way, which might well be too difficult for those who are not computer literate. However, to be really safe, it's probably best not to use wireless at all if possible, since your internal network is effectively available to outsiders due to the nature of radio transmission.

Viehboeck has now released a video of this hack in action from his wpscrack utility against a TP link router (model TL-WR1043ND) here.