Wi-Fi Protected Setup (WPS) PIN Brute Force Vulnerability
Wi-Fi Protected Setup (WPS) is a Wi-Fi Alliance specification (v1.0, available since January 2007) designed to ease the process of securely setting up Wi-Fi devices and networks. A couple of days ago US-CERT released a new vulnerability note, VU#723755, describing a flaw that allows an attacker to get full access to a Wi-Fi network (for example by retrieving your ultra long secret WPA2 passphrase) through a brute force attack on the WPS PIN. The vulnerability was reported by Stefan Viehböck and more details are available in the associated whitepaper. In practice, it acts as a "kind of backdoor" for Wi-Fi access points and routers.
The quick and immediate mitigation is based on disabling WPS. Your holiday gift for the people around you these days is to tell them to disable WPS.
It is important to remark that this vulnerability affects both the WPS design (which typically means higher impact and longer fix times) and the current Wi-Fi vendor implementations. The design is affected because WPS presents serious weaknesses that allow an attacker to determine whether the first half of the PIN is correct independently of the second half (do you remember Windows LANMAN (LM) authentication? 7+7 != 14). Therefore the brute force process can be split in two parts, significantly reducing the number of attempts required to brute force the entire PIN from 100 million (10^8, or 10^7 once the checksum digit is taken into account) to at most 11,000 (10^4 + 10^3). The vendor implementations (in Wi-Fi access points and routers) are also affected due to the lack of a proper (temporary) lock out policy after a certain number of failed attempts to guess the PIN, plus some collateral DoS conditions.
The researcher used a Python (Scapy-based) tool that has not been released yet, although other tools that allow testing for the vulnerability have been made public, such as Reaver. Current tests indicate that it would take about 4-10 hours for an attacker to brute force the 8 digit PIN (in reality a 7 digit PIN, 4+3+1 digits, as the last digit is a checksum of the previous seven).
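To make the "4+3+1" arithmetic concrete, here is a small Python model of the attack, added to this diary as an illustration; it is not code from the diary, from Viehböck's tool or from Reaver. It does not speak the real WPS/EAP protocol at all: the SimulatedRegistrar class and its M4_NACK / M6_NACK results are assumptions that only reproduce the observable behaviour the whitepaper describes (an EAP-NACK after M4 when the first half of the PIN is wrong, after M6 when the second half is wrong). The checksum routine follows the WPS spec (digit weights 3,1,3,1,3,1,3, last digit makes the sum a multiple of 10), and the sample PIN 12345670 is a constructed value with a valid checksum. The optional lockout_after parameter is also an assumption used to show what a lock out policy does to the attack.

```python
"""Model of the WPS PIN brute force described in VU#723755 (added example)."""
from typing import Optional


def wps_pin_checksum(first7: str) -> int:
    """Return the 8th (checksum) digit of a WPS PIN from its first seven digits.

    The spec weights the digits 3,1,3,1,3,1,3 and picks the digit that makes the
    sum a multiple of 10, so only 10^7 of the 10^8 eight-digit PINs are valid.
    """
    if len(first7) != 7 or not first7.isdigit():
        raise ValueError("expected exactly seven decimal digits")
    acc = sum((3 if i % 2 == 0 else 1) * int(d) for i, d in enumerate(first7))
    return (10 - acc % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    """True when the 8-digit PIN carries a correct checksum digit."""
    return len(pin) == 8 and pin.isdigit() and int(pin[7]) == wps_pin_checksum(pin[:7])


class SimulatedRegistrar:
    """Toy access point that leaks which half of the PIN failed (assumed model).

    lockout_after=None reproduces the vulnerable firmware the diary describes
    (no lock out policy at all); a number models a lock out after that many
    failed attempts.
    """

    def __init__(self, pin: str, lockout_after: Optional[int] = None):
        if not is_valid_wps_pin(pin):
            raise ValueError("registrar PIN must have a valid checksum")
        self.pin = pin
        self.lockout_after = lockout_after
        self.attempts = 0
        self.failures = 0
        self.locked = False

    def try_pin(self, candidate: str) -> str:
        if self.locked:
            return "LOCKED"
        self.attempts += 1
        if candidate[:4] != self.pin[:4]:
            result = "M4_NACK"  # first half wrong: NACK right after M4
        elif candidate[4:] != self.pin[4:]:
            result = "M6_NACK"  # first half right, second half wrong: NACK after M6
        else:
            return "SUCCESS"    # a real AP would now hand over the WPA2 passphrase
        self.failures += 1
        if self.lockout_after is not None and self.failures >= self.lockout_after:
            self.locked = True
        return result


def brute_force(ap: SimulatedRegistrar) -> Optional[str]:
    """Recover the PIN in two phases: 10^4 first halves, then 10^3 tails + checksum."""
    first_half = None
    for i in range(10_000):
        # The second half is a placeholder here; only the first-half verdict matters.
        reply = ap.try_pin(f"{i:04d}0000")
        if reply == "LOCKED":
            return None
        if reply != "M4_NACK":
            first_half = f"{i:04d}"
            break
    if first_half is None:
        return None
    for j in range(1_000):
        tail = f"{j:03d}"
        candidate = first_half + tail + str(wps_pin_checksum(first_half + tail))
        reply = ap.try_pin(candidate)
        if reply == "SUCCESS":
            return candidate
        if reply == "LOCKED":
            return None
    return None


def search_space() -> dict:
    """Attempt counts the diary contrasts: naive 8 digits, 7 digits + checksum, split halves."""
    return {"naive": 10**8, "checksum_aware": 10**7, "split_halves": 10**4 + 10**3}


if __name__ == "__main__":
    ap = SimulatedRegistrar("12345670")  # constructed sample PIN with a valid checksum
    print("recovered", brute_force(ap), "after", ap.attempts, "attempts")
    locked_ap = SimulatedRegistrar("12345670", lockout_after=10)
    print("with lockout:", brute_force(locked_ap), "after", locked_ap.attempts, "attempts")
```

Run as-is, the model recovers 12345670 after 1,803 attempts (1,235 for the first half, 568 for the second) against the registrar with no lock out, and gives up after 10 attempts once a lock out policy is in place. The worst case without a lock out is the 11,000 attempts quoted above; the point of the exercise is that the lock out, not the PIN length, is what keeps those 11,000 attempts from being practical.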
Lots of Wi-Fi devices available in the market implement WPS, a significant number of them seem to implement the PIN authentication option (the vulnerable mechanism, called PIN External Registrar), as it seems to be a mandatory requirement in the WPS spec to become WPS certified (by the Wi-Fi Alliance), and a still very relevant number seem to have WPS enabled by default. Based on that, and on the experience we had with similar Wi-Fi vulnerabilities over the last decade, it might take time for the Wi-Fi industry to fix the design flaw and release a new WPS version, it will take more time for (all) vendors to release a new firmware version that fixes or mitigates the vulnerability, and it will take even more time for end users and companies to deploy a fixed and secure WPS version and/or implementation, or to disable WPS (although this is the quickest option... we know it takes much more time than we would like :( ).
To sum up, millions of devices worldwide might be affected and it will take months (or years, think of WEP) to fix or mitigate this vulnerability... so meanwhile, it is time to start a global security awareness campaign:
Disable WPS!!
This diary extends the Wi-Fi security posture of previous ISC diaries, where we covered the security of common Wi-Fi usage scenarios, and will be complemented by two upcoming Wi-Fi security end-user awareness resources: the SANS OUCH! January 2012 issue and lesson 12 of Intypedia (both will be available in mid-January 2012).
----
Raul Siles
Founder and Senior Security Analyst with Taddong
www.taddong.com
Comments
DD-WRT is going up this weekend :/
DFrier
Dec 30th 2011
If that is the case, why would it have been allowed? In what situation would you need to provide network access to the internet port?
Otherwise, this is more like the WEP problem and wardriving (or bad neighbor) situation. In one case, an attack could come from anywhere in the world; in the other, attackers would need to be close enough that I could hurl rocks at them. A bad situation but maybe as extreme as a vulnerability to the WAN port of the router.
That said, I made sure my router would run DD-WRT when I bought it. I'll be installing it soon.
James
Dec 30th 2011
Raul Siles
Dec 30th 2011
.
PC.Tech
Dec 30th 2011
Raul Siles
Dec 30th 2011
It also keeps a list of devices that have WPS config'ed.
Now to see if Reaver will compile on OS X and do some testing....
Paul
Dec 30th 2011
Can be found at http://192.168.1.1/WAdv.htm
> Wireless > Advanced Wireless Settings
... apparently called "Secure Easy Setup" on many routers instead of "WPS".
Yes? No? Something else?
.
PC.Tech
Dec 31st 2011
Jason
Jan 3rd 2012