Bypass Wireless Security
Summary: Security Flaw Found in Wi-Fi Protected Setup (WPS) that allows Brute Force Hack of PIN in Roughly Two Hours
Wi-Fi Protected Setup (WPS) is a standard launched in 2007 by the Wi-Fi Alliance to simplify connecting to a wireless network and setting up encryption. Because so many people never set a router password, finding the process too confusing, the standard added a push-button setup option alongside a simplified eight-digit PIN shared by the access point and the devices connecting to it. However, security researcher Stefan Viehböck has discovered a security hole in the standard that allows an attacker to brute-force a WPS PIN-protected router in roughly two hours.
WPA / WPA2 is essentially bypassed with this flaw. WPS is enabled by default on many routers marketed to consumers and small businesses. I fully expect the BackTrack Security CD to have a tool available well before this researcher releases his own. Ironically, the tools take advantage of design flaws in a technology pushed by the wireless industry that was intended to make the security features of modern routers easier to use.
I fully believe that hiding your SSID is pointless as a security measure. I equate it to an anecdote I had while talking with a guy I know who works for parking enforcement. One day, he’s walking around doing regular rounds on patrol when he happens across 2 cars parked in a fire zone (outside of the regular loading zone). He says he might have never noticed them had it not been for the fact that both had their hazard lights flashing, which indicated that the drivers had known that they’d parked illegally. Both were ticketed. That’s kind of what not broadcasting your SSID is like. Any simple tool used to detect WLANs is going to see it. Hell, I would be surprised if the old NetStumbler won’t see it. If you turn off SSID broadcasting, if anything, you’re asking to be cracked even more. As for MAC address filtering, people have been spoofing MAC addresses for years now to get past that, though I’ll admit that it can be helpful.
Regarding your WPA/WPA2 password, I’m recommending no less than 10 characters with at least 1 capital, and a mix of alphanumeric characters. The longer the better (the longer the password is, the longer it takes to crack). Here is why.
I use this website to generate mine: Password Generator
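As an added illustration of the "longer is better" argument (this is not code from the original post): a small Python checker for the passphrase rule above (10+ characters, a capital, letters and digits), a keyspace estimate showing how each extra character multiplies the search space, and a generator built on the standard `secrets` module. The guess rate in the demo is an assumed figure, not a measurement.

```python
import math
import secrets
import string

# Character classes a WPA passphrase may draw from (WPA-PSK accepts 8 to 63 printable ASCII chars).
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}

def classes_used(passphrase):
    """Names of the character classes that actually appear in the passphrase."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in passphrase)}

def meets_policy(passphrase, min_len=10):
    """The post's rule: at least 10 characters, at least one capital letter and
    a mix of letters and digits, plus the WPA-PSK ceiling of 63 characters."""
    used = classes_used(passphrase)
    return min_len <= len(passphrase) <= 63 and "upper" in used and "digit" in used

def keyspace_bits(passphrase):
    """Upper bound on guessing entropy: log2(alphabet ** length) for the classes used.
    Every extra character multiplies the search space by the alphabet size."""
    alphabet = sum(len(CLASSES[name]) for name in classes_used(passphrase))
    return len(passphrase) * math.log2(alphabet) if alphabet else 0.0

def seconds_to_exhaust(passphrase, guesses_per_second):
    """Worst-case time to try every string of the same length and alphabet.
    guesses_per_second is an assumed attacker rate, not a measured figure."""
    return 2 ** keyspace_bits(passphrase) / guesses_per_second

def generate(length=16):
    """Random passphrase drawn from all four classes that satisfies the policy."""
    pool = "".join(CLASSES.values())
    while True:
        candidate = "".join(secrets.choice(pool) for _ in range(length))
        if meets_policy(candidate):
            return candidate

if __name__ == "__main__":
    # Assumed rate: 1,000 guesses per second, constructed for the comparison only.
    for pw in ("Wireless1", "Wireless2012", generate()):
        days = seconds_to_exhaust(pw, 1_000) / 86_400
        print(f"{pw!r:>20} policy={meets_policy(pw)} bits={keyspace_bits(pw):.1f} days={days:.3g}")
```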
According to the Wi-Fi Alliance, an industry group, WPS is “designed to ease the task of setting up and configuring security on wireless local area networks. WPS enables typical users who possess little understanding of traditional Wi-Fi configuration and security settings to automatically configure new wireless networks, add new devices and enable security.”
Setting up a home wireless network to use encryption traditionally involved navigating a confusing array of Web-based menus, selecting from a jumble of geeky-sounding and ill-explained encryption options (WEP, WPA, WPA2, TKIP, AES), and then repeating many of those procedures on the various wireless devices the user wants to connect to the network. To make matters worse, many wireless routers come with little or no instructions on how to set up encryption.
Enter WPS. Wireless routers with WPS built-in ship with a personal identification number (PIN – usually 8 digits) printed on them. Using WPS, the user can enable strong encryption for the wireless network simply by pushing a button on the router and then entering the PIN in a network setup wizard designed to interact with the router.
But according to new research, routers with WPS are vulnerable to a very basic hacking technique: the brute-force attack. Put simply, an attacker can try thousands of combinations in rapid succession until he hits the correct 8-digit PIN that allows authentication to the device.
One way to protect against such automated attacks is to disallow authentication for a specified amount of time after a certain number of unsuccessful attempts. Stefan Viehböck, a freelance information security researcher, said some wireless access point makers implemented such an approach. The problem, he said, is that most of the vendors did so in ways that make brute-force attacks slower, but still feasible.
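The difference between a lockout that merely slows guessing and one that stops it is easy to quantify. The following is an added Python model, not code from the article or from any vendor, comparing three authenticator-side policies for failed PIN attempts: none, a fixed pause after every few failures (the style described above), and an exponential back-off. All attempt counts, pauses and rates are constructed for illustration.

```python
# Added example: how much a lockout policy slows repeated wrong PIN attempts.
# Numbers are constructed for illustration, not measured from any device.

def lockout_none(failures):
    """No throttling at all: every wrong guess costs only the round trip."""
    return 0.0

def lockout_fixed(failures, every=3, seconds=60.0):
    """Fixed pause after every few failures, the style the article says most
    vendors shipped: slows the attacker but leaves the search finite and short."""
    return seconds if failures % every == 0 else 0.0

def lockout_exponential(failures, base=1.0, cap=3600.0):
    """Doubling back-off per consecutive failure, capped at one hour.
    The exponent is clamped so the intermediate value never overflows a float."""
    return min(cap, base * 2 ** min(failures - 1, 40))

def time_to_exhaust(attempts, seconds_per_attempt, lockout):
    """Worst-case wall-clock seconds to submit `attempts` wrong guesses against an
    authenticator that applies `lockout(failures)` after each failure."""
    total = 0.0
    for failures in range(1, attempts + 1):
        total += seconds_per_attempt + lockout(failures)
    return total

def compare_policies(attempts, seconds_per_attempt=1.0):
    """Hours needed under each policy for the same number of guesses."""
    policies = {"none": lockout_none, "fixed": lockout_fixed, "exponential": lockout_exponential}
    return {name: time_to_exhaust(attempts, seconds_per_attempt, fn) / 3600
            for name, fn in policies.items()}

if __name__ == "__main__":
    # 10,000 guesses is a constructed figure used only to compare the policies.
    for name, hours in compare_policies(10_000).items():
        print(f"{name:12s} {hours:12.1f} hours")
```

The fixed policy turns hours into days; only the back-off policy pushes the same guess count out to more than a year.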
Earlier today, Viehböck released on his site a free tool that he said can be used to duplicate his research and findings, detailed in this paper (PDF).
“The Wi-Fi alliance members were clearly opting for usability” over security, Viehböck said in an instant message conversation with KrebsOnSecurity.com. “It is very unlikely that nobody noticed that the way they designed the protocol makes a brute force attack easier than it ever should.”
Separately, Craig Heffner, a researcher with Columbia, Md. based security consultancy Tactical Network Solutions, has released an open-source tool called “Reaver” to attack the same vulnerability. Heffner notes that once an attacker has successfully guessed the WPS PIN, he can instantly recover the router’s encryption passphrase, even if the owner changes the passphrase. In addition, he warns, “access points with multiple radios (2.4/5GHz) can be configured with multiple WPA keys. Since the radios use the same WPS pin, knowledge of the pin allows an attacker to recover all WPA keys.”
The important thing to keep in mind with this flaw is that devices with WPS built-in are vulnerable whether or not users take advantage of the WPS capability in setting up their router. Also, routers that include WPS functionality are likely to have this feature turned on by default.
First the good news: Blocking this attack may be as simple as disabling the WPS feature on your router. The bad news is that it may not be possible in all cases to do this.
In an advisory released on Dec. 27, the U.S. Computer Emergency Readiness Team (US-CERT) warned that “an attacker within range of the wireless access point may be able to brute force the WPS PIN and retrieve the password for the wireless network, change the configuration of the access point, or cause a denial of service.” The advisory notes that products made by a number of vendors are impacted, including Belkin, Buffalo, D-Link, Linksys, Netgear, TP-Link and ZyXel.
Viehböck said none of the router makers appear to have issued firmware updates to address the vulnerability. The US-CERT advisory makes no mention of updates from hardware vendors. The advisory also says little about which models may be affected, but if your router has a “WPS PIN” notation on its backside, then it shipped with this WPS feature built-in.
This is where a tradeoff has to be made: do we allow home users to secure their network “easy and less secure” or “hard and more secure”?
Bottom line, all users need to be aware of the security needs of their systems and networks. Do your due diligence to protect yourself.