Wi-Fi protected set-up (WPS) Exploit - who's at risk?

[GeX]

Not seen anything about this in here yet, so thought I'd try and get some discussion going on.

Wi-Fi protected set-up (WPS) was designed to ease the task of joining clients to a wireless network. The user simply types an 8 digit numeric pin, which transparently gives the user the WPA/WPA2 PSK and allows them to join the wireless network. So far so good.

...

There are 8 digits in the pin, the 8th being a checksum of digits 1-7. So with 7 digits left, it then gets interesting: during a WPS negotiation attempt, the system acknowledges when the first 4 digits of the PIN are correct. So we try up to 10^4 keys first, then 10^3 keys plus the checksum. There are around 11,000 keys/PINs to be attempted, but because of how the exploit works, searching half of the key space first, on average the number of keys that are probably tried before the right one is found is around half that. That small number means the key space can be tested in a relatively small amount of time, typically somewhere between 4 and 10 hours.

Source: http://blog.thesysadmins.co.uk/wifi-protected-setup-wps-vulnerability.html

This seems to be pretty big when you consider that a lot of ISPs in the UK ship routers with WPS enabled by default. On the link there is a Google Doc that is being compiled of devices that are known to be vulnerable - but with this being a flaw with WPS itself.. I think it's safer to assume that a device vulnerable until proven otherwise.

 

[Engram]

Sounds nasty. But what was the point of WPS? If you want to allow clients to join the network with an 8 digit pin, why not just make the PSK an 8 digit PIN?

 

[shine]

The goal of WPS was to make it easy foe non technical people to set-up secure wireless networks at home. Good idea but clearly needs more work.

 

[PistolPete]

Doesn't WPS require you to push a button on the router first, so any attack would need physical access to it too - or am I missing the point?

 

[Engram]

Doesn't WPS require you to push a button on the router first?

Looks like there are a few different ways you can use it:

http://en.wikipedia.org/wiki/Wi-Fi_Protected_Setup#Methods

 

[GeX]

Looks like there are a few different ways you can use it:

http://en.wikipedia.org/wiki/Wi-Fi_Protected_Setup#Methods

Indeed, this is also covered in the linked PDF;

http://sviehb.files.wordpress.com/2011/12/viehboeck_wps.pdf

 

[J.B]

We have been tinkering with this in the lab and are planning on doing some tests.

Most routers I've seen have a button to enable it but if you have a router with a PIN for WPS then you are probably in trouble.

Certainly a bit of a concern for the home router market and any SME who might just have an off the shelf router

 

[GeX]

Let us know how you get on J.B

 

[DragonQ]

My WPS has always been off so no worries here.

 

[KIA]

Waiting for WPS Fix: http://www.smallnetbuilder.com/wireless/wireless-features/31664-waiting-for-the-wps-fix
WPS Vulnerability Testing Spreadsheet: https://docs.google.com/spreadsheet/lv?key=0Ags-JmeLMFP2dFp2dkhJZGIxTTFkdFpEUDNSSHZEN3c
Cracking WPA: http://lifehacker.com/5873407/how-to-crack-a-wi+fi-networks-wpa-password-with-reaver

 

[Deception]

Let us know how you get on J.B

+1. Would love to see the results too.

 

[BarBrawllin]

Waiting for WPS Fix: http://www.smallnetbuilder.com/wireless/wireless-features/31664-waiting-for-the-wps-fix
WPS Vulnerability Testing Spreadsheet: https://docs.google.com/spreadsheet/lv?key=0Ags-JmeLMFP2dFp2dkhJZGIxTTFkdFpEUDNSSHZEN3c
Cracking WPA: http://lifehacker.com/5873407/how-to-crack-a-wi+fi-networks-wpa-password-with-reaver

Downloading VMware now

 

[deadite66]

took me 13.7 hours to crack my router with reaver.

 

[J.B]

We're not having huge progress, the edimax router we have for simulating home routers was playing silly buggers and after some tweaking we've concluded that it doesn't impliment the standard properly! So edimax users are probably ok!

We've been put on client work now so R&D has been put on hold.

I did see online that some peeps we're trying to compile a list of vulnerable devices.

 

[deadite66]

in a bind with my router (Netgear dgnd3300v2) anything above .42 firmware DHCP reservation is broken but the disable WPS toggle doesn't stick on .42

fed up with broken netgear firmware, ordered the Buffalo adsl router which dd-wrt supports.

 

[edscdk]

wps is a home user thing not a corporate thing, the chances of someone "hacking" into your router using this exploit are almost 0, for every 100,000 people who get a virus and have all their details and passwords stolen 1 will get done with this exploit, the risk is so tiny its almost a non issue (in my mind)

 

[PistolPete]

wps is a home user thing not a corporate thing, the chances of someone "hacking" into your router using this exploit are almost 0, for every 100,000 people who get a virus and have all their details and passwords stolen 1 will get done with this exploit, the risk is so tiny its almost a non issue (in my mind)

You think it'll be this high?

 

[SoundsGood]

Reminds me of the BT Business hubs which come pre-configured 10 digit purely numerical WPA2 keys..

 

[Ev0]

Had been waiting for a tool for this after first reading the paper on it a week or 2 ago, will have to give it a test later when I've dug my USB wireless dongle out.

 

[J.B]

wps is a home user thing not a corporate thing, the chances of someone "hacking" into your router using this exploit are almost 0, for every 100,000 people who get a virus and have all their details and passwords stolen 1 will get done with this exploit, the risk is so tiny its almost a non issue (in my mind)

You're are forgetting all the SMEs who just use an off the shelf router. I admit that for corporate environment the risk is near nil but it still presents a risk