September 25, 2016

Wi-Fi Protected Setup Vulnerable to Brute Force Attack

(LiveHacking.Com) – Security researcher Stefan Viehböck has revealed a design and implementation flaw in Wi-Fi Protected Setup (WPS) that that makes Wi-Fi networks vulnerable to brute-force attacks.  US CERT has issued an advisory which suggests disabling WPS. The WPS specification has three methods of simplifying the connection of wireless devices to WPA2 protected access points. One of those methods involves using an eight digit PIN from a label on the router which authorizes the client to obtain the WPA2 configuration details.

An eight digit pin should have 100,000,000 different combinations, however a design flaw means that one of the digits is just a checksum and so reduces the possibilites down to 10,000,000. However the real weakness is that the protocol is designed in such a way that the first half and second half are sent separately and the protocol will confirm if just that half is correct. This reduces the number of PIN possibilities to 10,000 (4 digits) plus 1,000 (3 digits as checksum can be calculated) which is just 11,000 possibilities.

According to Viehböck  this means that some routers, which don’t employ any mechanisms to slow down brute force attacks, can be cracked within 44 hours. More information about this vulnerability can be found in Stefan’s paper: Brute forcing Wi-Fi Protected Setup. He has also released a PoC Brute Force Tool that can be found here.

Note: This vulnerability was also independently discovered by Craig Heffner (/dev/ttyS0Tactical Network Solutions) who has released a tool called “Reaver” on Google Code.