The WPS (WiFi Protected Setup) flaw explained

Every so often we like to highlight the work of our forum members. WarWagon, a Neowin MVC, has done the dirty work of explaining the recently discovered WPS exploit. Posted below is his work, and you can view the forum thread here where the topic is being discussed.

Last month a serious security flaw was discovered in WPS. WPS is built into, and affects, almost all consumer routers sold in the last few years. Below is an explanation of what WPS is and what has been discovered that makes it so dangerous to have enabled.

Why was it created?

The Wi-Fi Protected Setup (WPS) was created to help unsophisticated users secure their wireless router and connect different devices to their wireless network with ease.

How WPS Works

Every router that supports WPS has an eight-digit device PIN printed on the back. When you try to connect a wireless laptop or wireless printer to your wireless network, it will ask you for that 8-digit PIN. Now 8 digits are great, because someone would have to be parked on your curb for the next 6.3 years trying to find the correct combination of all 8 digits. It takes 6.3 years because after guessing 3 wrong numbers, the router goes into a lock-down state for 60 seconds. So only 3 different 8-digit combinations can be tried every 60 seconds, thus taking about 6.3 years.

What went wrong

They split the 8 digits into 2 sets of 4, and the router checks the first 4 on their own. Four digits have only 10,000 possible combinations. Once the first 4 numbers are found, the router proclaims "You've found the first four", giving, in essence, a checkpoint at which to save the progress before finding the last 4. So instead of having to guess an 8-digit combination, all that has to be guessed now is two 4-digit combinations, and that takes considerably less time. So we've now gone from taking 6.3 years down to about 1 day. But of course, in some cases it gets worse. Some routers do not even go into a lock-down state for 60 seconds after 3 failed attempts; they allow as many guesses as can be thrown at them. This means someone could potentially connect to and compromise your secured WiFi network in less than 1 day.
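To make the size of this design mistake concrete, here is the arithmetic behind the two search spaces carried through in Python. This is an added example written for this page, not code from WarWagon's post; it models only the lockout parameters the post quotes (3 attempts, then a 60-second lock) and treats the guess rate as a parameter, so the "no lockout" routers mentioned above can be plugged in without assuming a rate the post does not give. The same arithmetic is checked by hand in the comment thread below.

```python
"""Search-space and timing model for the WPS PIN design flaw.

Added example for this page (not the article's own code). It compares a
router that only confirms the whole 8-digit PIN with one that confirms the
first 4 digits separately, under the lockout the article describes.
"""

# Lockout parameters quoted in the article: 3 attempts, then a 60-second lock.
ATTEMPTS_PER_LOCKOUT = 3
LOCKOUT_SECONDS = 60


def attempts_per_minute(attempts_per_lockout=ATTEMPTS_PER_LOCKOUT,
                        lockout_seconds=LOCKOUT_SECONDS):
    """Sustained guess rate when every lockout is waited out."""
    return attempts_per_lockout * 60 / lockout_seconds


def monolithic_pin_attempts(digits=8):
    """Router answers only right/wrong for the whole PIN: all digits unknown at once."""
    return 10 ** digits


def split_pin_attempts(first_half_digits=4, second_half_digits=4):
    """Router confirms the first half on its own, so the halves are searched in turn
    and the search spaces add instead of multiply."""
    return 10 ** first_half_digits + 10 ** second_half_digits


def worst_case_days(attempts, rate_per_minute=None):
    """Time to exhaust a search space at the given guess rate (default: lockout rate)."""
    rate = attempts_per_minute() if rate_per_minute is None else rate_per_minute
    return attempts / rate / 60 / 24


def worst_case_years(attempts, rate_per_minute=None):
    return worst_case_days(attempts, rate_per_minute) / 365


def reduction_factor():
    """How many times smaller the split search is than the monolithic one."""
    return monolithic_pin_attempts() / split_pin_attempts()


def comparison():
    """Summary figures for the two designs under the article's lockout."""
    return {
        "monolithic_attempts": monolithic_pin_attempts(),
        "split_attempts": split_pin_attempts(),
        "monolithic_years": round(worst_case_years(monolithic_pin_attempts()), 1),
        "split_days": round(worst_case_days(split_pin_attempts()), 1),
        "reduction_factor": reduction_factor(),
    }


if __name__ == "__main__":
    for key, value in comparison().items():
        print(f"{key}: {value}")
```

The important line is `split_pin_attempts`: confirming half of a secret turns a product of search spaces (10^4 x 10^4) into a sum (10^4 + 10^4). Any authentication design that acknowledges a partially correct secret has the same problem, whatever the lockout policy around it.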

How to protect yourself

All router manufacturers have to add WPS to their routers and turn it on by default in order to be certified by the Wi-Fi Alliance. So for the last few years, every router has had it built in and enabled by default.

Let's start by seeing if your router even has WPS. This can be done in one of two ways. First, check the front of your router for a big WPS push button. If you don't see a push button on the front of the router, look on the back of the router for a sticker that contains an 8-digit PIN.

There are 3 ways you can protect yourself if your router has WPS:

1) Disable WPS via the web interface on your router. In some cases, even though you turn off WPS, the router doesn't listen. So to make sure WPS is really turned off, do the following: find a Windows 7 machine with Wi-Fi, remove your current Wi-Fi network from the machine, and try to reconnect to it. If it prompts you for the WPS PIN, then WPS is still enabled. If it prompts you for the WPA key, then WPS has been successfully disabled.

2) Firmware update. Correcting this WPS issue altogether will require a firmware update to the router. It should be a really easy thing to fix, so router manufacturers should be releasing router updates shortly. The fix simply requires the router to check all 8 digits together rather than the present system of 2 sets of 4. A firmware update will also be needed if you have a router on which WPS will not disable properly.

3) Use alternative firmware like Tomato or DD-WRT. Neither of these third-party firmwares has support for WPS built in, so they are not susceptible to the WPS attack. Here is a link to a Google Docs spreadsheet, kept up to date by users of the internet, listing which routers have WPS and on which routers it can be disabled and stays off.

20 Comments

This is why it's important to just get a new router every couple of years.
It's not just for the new features, but the security on the router becomes outdated so quickly.
You can still find unsecured wireless signals from neighbors and access their internet.
These were older routers that didn't pressure users into using WPS or WPA.

I cracked a test AP using this hack in about 3 hours. The AP was using WPA2 so without this hack it would have been impossible to hack the AP.

SK said,

WPS is designed for the average Joe, the average Joe won't even be aware this flaw exists.

Thus, not turning it off or updating their firmware. So basically there will be millions of affected consumer routers out there which will never be fixed. A lot of potentially hackable networks.

That's an insane design flaw - it's comparable to password checks that tell you whether a user account name actually exists if you try to login, only that it's much worse as it affects all routers out there...

Unfortunately my router is embedded in the DSL modem from my ISP, and they have not announced any plans to update firmware to deal with WPS security issue.

I tried calling their helpdesk, but no one there even knew their modem supported the feature or that there was a security concern about it.

To go through all 8 digit combinations at a rate of 3/min it would take 100000000/3/60/24/365 = 63.4 years. On average the key would be found after only half of the numbers are guessed, 32 years. Not 6.3 years.

If the router verifies the first half, to go through 4 digit combinations would take 10000/3/60/24 = 2.3 days. On average this is halved, and then doubled for the next four digits. So 2.3 days on average.

Memnochxx said,
To go through all 8 digit combinations at a rate of 3/min it would take 100000000/3/60/24/365 = 63.4 years. On average the key would be found after only half of the numbers are guessed, 32 years. Not 6.3 years.

If the router verifies the first half, to go through 4 digit combinations would take 10000/3/60/24 = 2.3 days. On average this is halved, and then doubled for the next four digits. So 2.3 days on average.

I believe there is more to it than is listed in this article. I could be wrong, but I believe that with the last 4 digits, one of the digits is actually a checksum that can be calculated from the preceding 7 digits, meaning it's actually only a 4 digit and a 3 digit number you have to find. At any rate, the software that was released to do this claimed that on average it took about 11 hours, not 2 days.

Kushan said,

I believe there is more to it than is listed in this article. I could be wrong, but I believe that with the last 4 digits, one of the digits is actually a checksum that can be calculated from the preceding 7 digits, meaning it's actually only a 4 digit and a 3 digit number you have to find. At any rate, the software that was released to do this claimed that on average it took about 11 hours, not 2 days.

You are correct it's actually 7 numbers because the 8th is in fact a checksum. I was just writing it for the average user in mind and didn't want their eyes to glaze over when I used a big word like checksum, so I left it out.

warwagon said,

You are correct it's actually 7 numbers because the 8th is in fact a checksum. I was just writing it for the average user in mind and didn't want their eyes to glaze over when I used a big word like checksum, so I left it out.

I understand that, however I think it's probably worth mentioning since it knocks off 9,000 required attempts at guessing the password (almost halving it, in fact). Still, even if that wasn't the case, then it would still be a major exploit.
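Kushan's point about the checksum digit, worked through as an added example (Python written for this page, not code from the article or from any commenter). The checksum rule is the weighted-sum scheme defined in the Wi-Fi Simple Configuration specification, the same rule a router uses to reject a mistyped PIN; the PIN 12345670 used below is a constructed test value. The block confirms the "9,000 fewer attempts" figure: once the first half is confirmed, only 1,000 of the 10,000 possible second halves pass the checksum.

```python
"""WPS PIN checksum and its effect on the split-PIN search space.

Added example for this page (not the article's or commenters' code).
Implements the Wi-Fi Simple Configuration checksum: digits in odd positions
(1st, 3rd, 5th, 7th) are weighted 3, even positions weighted 1, and the 8th
digit makes the weighted sum a multiple of 10.
"""


def wps_pin_checksum(first_seven):
    """Return the checksum digit for the first seven digits of a WPS PIN."""
    if len(first_seven) != 7 or not first_seven.isdigit():
        raise ValueError("expected exactly seven decimal digits")
    accum = 0
    for index, ch in enumerate(first_seven):
        weight = 3 if index % 2 == 0 else 1
        accum += weight * int(ch)
    return (10 - accum % 10) % 10


def is_valid_wps_pin(pin):
    """True when an eight-digit PIN's last digit matches its checksum."""
    if len(pin) != 8 or not pin.isdigit():
        return False
    return wps_pin_checksum(pin[:7]) == int(pin[7])


def second_half_candidates(first_four):
    """Count the 4-digit second halves that pass the checksum for a given,
    already-confirmed first half. Only the 3 free digits matter: the 8th digit
    is fixed by the other seven, so 1,000 of the 10,000 suffixes survive."""
    if len(first_four) != 4 or not first_four.isdigit():
        raise ValueError("expected exactly four decimal digits")
    return sum(
        1 for suffix in range(10_000)
        if is_valid_wps_pin(first_four + f"{suffix:04d}")
    )


def split_search_space(with_checksum=True):
    """Worst-case attempts for the split design, with or without the checksum."""
    first_half = 10 ** 4
    second_half = 10 ** 3 if with_checksum else 10 ** 4
    return first_half + second_half


def attempts_saved_by_checksum():
    """How many guesses the checksum removes from the split search (Kushan's 9,000)."""
    return split_search_space(with_checksum=False) - split_search_space(with_checksum=True)


if __name__ == "__main__":
    sample = "12345670"  # constructed test PIN
    print(sample, "valid:", is_valid_wps_pin(sample))
    print("checksum of 1234567:", wps_pin_checksum("1234567"))
    print("valid second halves for 1234:", second_half_candidates("1234"))
    print("split search space:", split_search_space(), "attempts")
    print("saved by checksum:", attempts_saved_by_checksum())
```

For a defender the checksum is a usability feature, not a security one: it catches typos, and since the router already confirms the first half separately, it shrinks the remaining search rather than adding entropy. The only real fix is the one the article names, disabling WPS or a firmware that checks the whole PIN at once.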

Careful about recommending third-party firmware; it probably voids people's warranties. Might want to point that out.