Wi-Fi protected set-up (WPS) Exploit - who's at risk?

GeX · 4 Jan 2012 at 09:17

Not seen anything about this in here yet, so thought I'd try and get some discussion going on.

Wi-Fi protected set-up (WPS) was designed to ease the task of joining clients to a wireless network. The user simply types an 8 digit numeric pin, which transparently gives the user the WPA/WPA2 PSK and allows them to join the wireless network. So far so good.

...

There are 8 digits in the pin, the 8th being a checksum of digits 1-7. So with 7 digits left, it then gets interesting: during a WPS negotiation attempt, the system acknowledges when the first 4 digits of the PIN are correct. So we try up to 10^4 keys first, then 10^3 keys plus the checksum. There are around 11,000 keys/PINs to be attempted, but because of how the exploit works, searching half of the key space first, on average the number of keys that are probably tried before the right one is found is around half that. That small number means the key space can be tested in a relatively small amount of time, typically somewhere between 4 and 10 hours.

Source: http://blog.thesysadmins.co.uk/wifi-protected-setup-wps-vulnerability.html

This seems to be pretty big when you consider that a lot of ISPs in the UK ship routers with WPS enabled by default. On the link there is a Google Doc that is being compiled of devices that are known to be vulnerable - but with this being a flaw with WPS itself.. I think it's safer to assume that a device vulnerable until proven otherwise.

GeX · 4 Jan 2012 at 10:42

Engram said:
Looks like there are a few different ways you can use it:

http://en.wikipedia.org/wiki/Wi-Fi_Protected_Setup#Methods

Indeed, this is also covered in the linked PDF;

http://sviehb.files.wordpress.com/2011/12/viehboeck_wps.pdf

GeX · 5 Jan 2012 at 15:11

Let us know how you get on J.B

GeX · 15 Jan 2012 at 17:38

Agreed J.B.

edscdk said:
wps is a home user thing not a corporate thing, the chances of someone "hacking" into your router using this exploit are almost 0, for every 100,000 people who get a virus and have all their details and passwords stolen 1 will get done with this exploit, the risk is so tiny its almost a non issue (in my mind)

Plenty of small businesses have home or small business grade equipment, so I wouldn't say it's a non-issue. Chances are fairly low, sure, but seems a bit foolish to dismiss it.
You only need to look at the buzz around this exploit to realise that plenty of people are trying it out.