WiFi WPS exploit found; no solution yet

If you have a WiFi router at home and use WiFi Protected Setup (WPS) to secure your network, you might want to consider switching to another setup method. The US Computer Emergency Readiness Team (US-CERT) sent out an alert this week describing a flaw in WPS that could let attackers recover your WiFi password.

WPS is meant to make setting up a wireless network easier for less tech-savvy users. However, US-CERT now says:

A design flaw that exists in the WPS specification for the PIN authentication significantly reduces the time required to brute force the entire PIN because it allows an attacker to know when the first half of the 8 digit PIN is correct. The lack of a proper lock out policy after a certain number of failed attempts to guess the PIN on some wireless routers makes this brute force attack that much more feasible.

At the moment there is no fix for this issue. US-CERT recommends that people using WPS on their WiFi routers disable it and secure the router another way, including "using WPA2 encryption with a strong password." Several WiFi router makers, such as Netgear, D-Link, Belkin and others, sell products with WPS, but so far none of them have commented on this newly disclosed vulnerability.
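The US-CERT wording above is easier to reason about with numbers. The following is an added illustration, not code from the article or from US-CERT: it models the worst-case number of guesses when a verifier answers "whole PIN right or wrong" versus when it reveals that the first half is correct, and then shows how a lockout policy (whose absence US-CERT also flags) changes the attacker's wall-clock cost. The one-guess-per-second rate is an assumption; the article gives no timing. The checksum model reflects the well-known property that the last WPS PIN digit is a checksum of the other seven, which is where the 11,000 figure mentioned in the comments comes from.

```python
"""Added illustration (not code from the article or US-CERT): why verifying a
PIN in two halves collapses the WPS brute-force space, and how a lockout
policy raises the attacker's wall-clock cost even though it does not remove
the split-verification flaw itself."""

DIGITS = 10  # decimal PIN digits


def monolithic_space(pin_len=8):
    """Worst-case attempts when the verifier only answers 'whole PIN
    right/wrong': every digit has to be guessed at once."""
    return DIGITS ** pin_len


def split_space(pin_len=8, checksum_digit=True):
    """Worst-case attempts when the verifier reveals whether the first half
    is correct (the design flaw US-CERT describes): the halves are searched
    one after the other, so their sizes add instead of multiply.

    checksum_digit models the well-known property that the last WPS PIN
    digit is a checksum of the other seven, which leaves only three free
    digits in the second half (10^4 + 10^3 = 11,000 guesses)."""
    half = pin_len // 2
    first_half = DIGITS ** half
    free_second = half - 1 if checksum_digit else half
    return first_half + DIGITS ** free_second


def worst_case_seconds(attempts, seconds_per_attempt,
                       lockout_after=0, lockout_seconds=0):
    """Worst-case time for `attempts` guesses when the device locks out for
    `lockout_seconds` after every `lockout_after` consecutive failures.
    lockout_after=0 means no lockout, the situation US-CERT warns about."""
    total = attempts * seconds_per_attempt
    if lockout_after > 0:
        failures_before_success = attempts - 1
        total += (failures_before_success // lockout_after) * lockout_seconds
    return total


def days(seconds):
    return seconds / 86400


if __name__ == "__main__":
    rate = 1.0  # assumed: one PIN exchange per second (not from the article)
    print("whole-PIN verification:", monolithic_space(), "guesses,",
          f"{days(worst_case_seconds(monolithic_space(), rate)):.0f} days worst case")
    print("split verification, no lockout:", split_space(), "guesses,",
          f"{days(worst_case_seconds(split_space(), rate)):.2f} days worst case")
    print("split verification, 60 s lockout after 3 failures:",
          f"{days(worst_case_seconds(split_space(), rate, 3, 60)):.1f} days worst case")
    print("split verification, 1 h lockout after 3 failures:",
          f"{days(worst_case_seconds(split_space(), rate, 3, 3600)):.0f} days worst case")
```

The point the numbers make: split verification turns a search of a hundred million values into one of eleven thousand, and a lockout only stretches that linearly, so on a device that cannot be patched, disabling WPS (as US-CERT recommends) is the control that actually removes the exposure.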


Any time there is convenience, you can guarantee security will be the trade off.

Lucky I don't use WPS for myself or my customers!

Even 20-character passwords can be cracked in days rather than weeks these days. Today's GPUs can brute-force 8-character passwords in 4 hrs. What about multicore GPUs?

but then again, you'll all have smartphones and pads in the next couple years, so passwords won't be an issue, you'll all be giving away your privacy without even knowing it.

Maybe a dumb question here, and I should probably know better, but don't you have to push a physical or virtual button to activate WPS? Kind of like when you first pair Bluetooth? I know with both my routers, I have to log into the admin page to push the virtual button. It's easier for me to just plug in the WiFi password. I have enough devices that I have it memorized.

Running WPA2-PSK here, with MAC filtering and reserved IPs. I know MAC spoofing is easy, but I like the layered approach.

Steven Watson said,
Maybe a dumb question here, and I should probably know better, but don't you have to push a physical or virtual button to activate WPS? Kind of like when you first pair Bluetooth? I know with both my routers, I have to log into the admin page to push the virtual button. It's easier for me to just plug in the WiFi password. I have enough devices that I have it memorized.

Running WPA2-PSK here, with MAC filtering and reserved IPs. I know MAC spoofing is easy, but I like the layered approach.

Yep, you have to push a button on one device. The router is always listening, which means you can send a signal out and the router will say, "Hey, I'm here... how many credit card numbers do you want to phish for today?"

Wow, the technologically elite are a bunch of arseholes.
I read the ramblings here, and this is precisely why the average joe has problems.

I would challenge everyone here who says how easy it is, to try something out of your profession for a change.

I bet you would find the simplest task from another profession quite daunting, while experts in that field will NOT taunt and berate you as you do when they try to play on your field.

I frequently get firmware updates for my routers. I have always used D-Link. The sad thing is, this is the hard way to get into a lot of routers. I've gotten into routers before by just trying short, simple passwords. Too many times the SSID is the best clue to the password. This will be fixed by manufacturers, but most people won't even know there is a problem to fix, or how to fix it.

Like people said in previous comments, the big issue here is that non-tech-savvy people will not update their firmware. Not long ago I saw some people vulnerable to the "DCC SEND "startkeylogger" 0 0 0" exploit on Linksys/Netgear routers, and I think this has been around for a LONG time.

To make things worse, most people have no idea how to change their WiFi key or encryption. Just look at the number of "dlink" and "netgear" WiFi spots you see around you.

Glad I use Astaro and my APs are controlled by it. No WPS ease of connectivity. They only get on if I want them on.

Just Google WPA2 generator and update to WPA2 like you should have from the beginning. Problem solved. Now if you have an iDevice on wifi, definitely go a little easier on that key, because it is a PITA to enter those special characters.

ScottDaMan said,
Just Google WPA2 generator and update to WPA2 like you should have from the beginning. Problem solved. Now if you have an iDevice on wifi, definitely go a little easier on that key, because it is a PITA to enter those special characters.


A work around I have used is to save the very complex 128bit WPA2 key into a .txt file, upload to a web server and use copy and paste to paste the key. Long winded yes, but there are workarounds ;-)

StevenNT said,
A work around I have used is to save the very complex 128bit WPA2 key into a .txt file, upload to a web server and use copy and paste to paste the key. Long winded yes, but there are workarounds ;-)

Ouch, how 90s of you.

Breach said,
Um, and how long does it take to actually brute force 11k combinations?

Not long at all I would assume

No one should be using WPS. It doesn't even set up a long enough key. If you are tech savvy enough to know and buy a router, it won't take long to set up one properly.

xpclient said,
No one should be using WPS. It doesn't even set up a long enough key. If you are tech savvy enough to know and buy a router, it won't take long to set up one properly.

Exactly; if not ask someone who is knowledgeable about it.

Fritzly said,

Exactly; if not ask someone who is knowledgeable about it.

Applies to you, me and the rest of the 0.5% of geek population. What about the average Joe and Jane who actually do take the time to RTFM and follow the router manufacturer's recommendation 'to use WPS as the easiest way to set up your wireless connection'? It's that 99.5% of people who don't read tech news and even if they did wouldn't know how to disable WPS without expert help. Even if there are firmware updates which address this particular problem, none of the routers I've seen have automatic updates. It's all a question of how exploitable the exploit is in reality. If it takes 15 minutes that's a big problem for most folk. If it takes 2 months that's still a big problem for corporate environments and sensitive networks operating over wireless.

I guess some people fail to realize that this feature is for non-tech savvy users since of course most people reading this article are going to likely already have it disabled or will know how to if somehow they never disabled it, used it out of laziness or whatever it might be.

Most routers also rarely see any firmware updates, that is why a lot of people tech-savvy tend to switch to alternative firmwares such as Tomato mods, DD-WRT and any others not as popular. Then on top of that, non-tech savvy users are still likely to never know there is an update to their router and how to update it without getting support.

mistical said,
I guess some people fail to realize that this feature is for non-tech savvy users ...
...or the masses of lazy careless network admins & IT support people who don't feel like dealing with anything even remotely laborious if they can simplify it by pushing the WPS button. I'm constantly surprised by the number of mid->large sized companies that have a separate IT only wireless router used in their lab or elsewhere that use WPS because it's easy.

deep1234 said,
Will dd-wrt send updates? I think so.

You're right, but it's been quite a while since they updated their recommended firmware on the peacock thread over there.

So even if a fix is out soon, odds are the firmware with the fix won't be stable enough to recommend for a while yet, as the recommended firmware on there (i.e. BS build 14929) is from Aug 2010.

That is why, at a minimum, you should change your passwords regularly, plus use a "strong" password with at least 12 characters in letter, number, special character, uppercase and lowercase combinations.
That reminds me of the old saying...
"IF A THIEF WANTS TO BREAK IN, NO LOCK WILL STOP THEM. Locks are only to keep the honest people honest."
I am sure soon a patch will come...

redvamp128 said,
That is why, at a minimum, you should change your passwords regularly, plus use a "strong" password with at least 12 characters in letter, number, special character, uppercase and lowercase combinations.
That reminds me of the old saying...
"IF A THIEF WANTS TO BREAK IN, NO LOCK WILL STOP THEM. Locks are only to keep the honest people honest."
I am sure soon a patch will come...

What patch? Do you see router manufacturers sending out firmware updates? No way. They may fix this in new routers.

Brute forcing Wi-Fi Protected Setup

http://www.neowin.net/forum/to...-compromise-of-router-pins/

Sraf said,

I don't know about you, but my router is on its 13th or so firmware update.

Like me, you are one of the lucky ones. :-)

alexalex said,
What patch? Do you see router manufacturers sending out firmware updates? No way. They may fix this in new routers.

That's why it's nice running firmware like DD-WRT, which WILL release a fix.

redvamp128 said,
That is why, at a minimum, you should change your passwords regularly, plus use a "strong" password with at least 12 characters in letter, number, special character, uppercase and lowercase combinations.
That reminds me of the old saying...
"IF A THIEF WANTS TO BREAK IN, NO LOCK WILL STOP THEM. Locks are only to keep the honest people honest."
I am sure soon a patch will come...

Too bad research shows that changing your password regularly does NOT increase security, and CAN reduce it. But it does not inherently increase security.

HawkMan said,

Too bad research shows that changing your password regularly does NOT increase security, and CAN reduce it. But it does not inherently increase security.

Source? Don't just say "research" without pointing us to the source. It just looks like you pulled some "research" out of your ass.

Sraf said,

I don't know about you, but my router is on its 13th or so firmware update.

13th or so firmware?! What the heck router is that, or have you just f***ed it up that many times? A D-Link I had for MANY years NEVER had a firmware patch, my newer Linksys E2000 hasn't had any yet, and even the Tomato firmware I'm using hasn't ever had one yet.

I've NEVER seen more than one update to several items that should receive updates more often, such as router firmware, BIOS updates, etc. Electronic gadgetry is created so fast that no companies support their stuff for much past the release of the next item.

As far as creating a massively long password and changing it constantly, that's a bunch of crap. The only thing that does is almost force the person using it to forget it!!

cork1958 said,

As far as creating a massively long password and changing it constantly, that's a bunch of crap. The only thing that does is almost force the person using it to forget it!!

This xkcd comic says it all: http://xkcd.com/936/

HawkMan said,

Too bad research shows that changing your password regularly does NOT increase security, and CAN reduce it. But it does not inherently increase security.

HUH?
Where did you get that one from? Changing the password on a scheduled plan has increased security for decades. (That is a known fact in both business and in military security.)

Actually yes, because, simply put, it makes the brute force have to start over and would take it longer to find it, because it will not know to start over on the breaking. Think about that one: if it already has tried AAAAZ123 and you go and change it to ABAAZ123, then those precursor points have already been tried.
And I'm not saying some 44-character password, but a simple 12-14 should be easy to remember.

Edited by redvamp128, Dec 29 2011, 12:13pm :

Jebadiah said,

Source? Don't just say "research" without pointing us to the source. It just looks like you pulled some "research" out of your ass.

Yes, exactly. It is a known fact in business and also in military security that changing the password on a frequent basis creates more security.

Also, password changing for security is taught in Networking Basics 101.

Edited by redvamp128, Dec 29 2011, 1:04pm :

redvamp128 said,

HUH?
Where did you get that one from? Changing the password on a scheduled plan has increased security for decades. (That is a known fact in both business and in military security.)

Actually yes, because, simply put, it makes the brute force have to start over and would take it longer to find it, because it will not know to start over on the breaking. Think about that one: if it already has tried AAAAZ123 and you go and change it to ABAAZ123, then those precursor points have already been tried.
And I'm not saying some 44-character password, but a simple 12-14 should be easy to remember.

To correct myself: if it has already tried AAAAZ123 and is on ZZZZZ123 and you change it to something before that, it will not know you have started it over.

HawkMan said,

Too bad research shows that changing your password regularly does NOT increase security, and CAN reduce it. But it does not inherently increase security.

I don't think so Tim.

alexalex said,

Like me, you are one of the lucky ones. :-)

My Netgear router has had 10 firmware updates since it came out 2 yrs ago... heck, they even added IPv6 and other new features to the factory firmware recently... and some places like Buffalo now use DD-WRT or OpenWRT as their backend, so you can always go to DD-WRT if they do use OpenWRT in some way to update your router if you don't get one from the factory.

redvamp128 said,
Where did you get that one from? Changing the password on a scheduled plan has increased security for decades. (That is a known fact in both business and in military security.)

Actually yes, because, simply put, it makes the brute force have to start over and would take it longer to find it, because it will not know to start over on the breaking. Think about that one: if it already has tried AAAAZ123 and you go and change it to ABAAZ123, then those precursor points have already been tried.
And I'm not saying some 44-character password, but a simple 12-14 should be easy to remember.

Not as much as it used to, but it still does make security a little better, up to a point. It used to take so long to brute force that if you changed your password every 90 days, it wouldn't do the brute-forcer any good. Nowadays, with better rainbow tables, multiprocessing and distributed computing, not so much. Also, once you get to a certain point in complexity, it may actually make it easier to guess. Not only that, the more complex it is and the more you have to change it, the better the chance that someone is going to write it down on a sticky and put it on their monitor or under their keyboard.

For example: Which is easier to bruteforce? A 15 char password that allows any char in any form (numbers, letters, special chars) but does not specify how many of each, or one that requires at least 2 upper, 2 lower, 2 numbers and 2 special chars? The regular 15 char could be easier, because it could be all letters, but it could also be harder. You just don't know. In the case of the second requirement, you already know you have at least 2 of each type of char, which narrows down how many retries you have.

As an example of how much easier brute-forcing is: a colleague once transferred a password-protected Quicken file between computers. He couldn't remember the password because it was automatically filled in on the first computer. Running a brute-forcer to try and crack it took around 5 months. (After a couple of days, he left it running, just to see how long it would take.) 6 months later, he upgraded the new computer and the brute-force software and decided to try it again, just for sh*ts and grins. It took less than a week.
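The question in the comment above, whether a composition rule like "at least 2 upper, 2 lower, 2 digits and 2 specials" narrows the space an attacker has to search, can be answered exactly by counting. The following is an added illustration, not code from any commenter: it counts the 15-character strings over 95 printable characters that satisfy the rule and expresses the reduction in bits of entropy. The class sizes (26 + 26 + 10 + 33 = 95) are an assumed alphabet; the rule and the length are the commenter's.

```python
"""Added illustration (not from the comment thread): count how many
passwords of a given length satisfy a composition rule, to quantify the
commenter's point that 'at least 2 of each class' is a subset of the
unconstrained space."""
import math
from functools import lru_cache

# Printable ASCII split into the four classes the comment names.
# 26 + 26 + 10 + 33 = 95 characters (assumed alphabet).
CLASSES = {"upper": 26, "lower": 26, "digit": 10, "special": 33}


def total_space(length, classes=CLASSES):
    """Every string of `length` over the whole alphabet."""
    return sum(classes.values()) ** length


def count_with_minimums(length, minimum=2, classes=CLASSES):
    """Strings of `length` containing at least `minimum` characters from
    every class. Dynamic programming over positions; the state keeps each
    class count capped at `minimum`, so there are (minimum+1)^classes
    states rather than one per string."""
    sizes = tuple(classes.values())

    @lru_cache(maxsize=None)
    def go(pos, counts):
        if pos == length:
            return 1 if all(c >= minimum for c in counts) else 0
        total = 0
        for i, size in enumerate(sizes):
            bumped = list(counts)
            bumped[i] = min(minimum, bumped[i] + 1)
            total += size * go(pos + 1, tuple(bumped))
        return total

    return go(0, (0,) * len(sizes))


def bits_lost(length, minimum=2, classes=CLASSES):
    """Entropy (bits) a uniformly random password gives up when the
    composition rule is enforced: log2(total / allowed). Larger means the
    rule has thrown away a bigger share of the search space."""
    allowed = count_with_minimums(length, minimum, classes)
    return math.log2(total_space(length, classes) / allowed)


if __name__ == "__main__":
    for n in (8, 12, 15):
        print(f"length {n}: {bits_lost(n):.2f} bits lost to the 2-of-each rule")
```

The result supports the commenter's intuition but also puts it in proportion: at length 8 the rule forces exactly two of each class and discards most of the space, while at length 15 almost all random strings already satisfy it, so the rule costs only a fraction of a bit or so and length matters far more than composition.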

Fireyetti said,

I don't think so Tim.

You should. In the real world, where there are policies requiring a monthly change of password and the use of strong passwords, people will tend to **** up. The classic post-it with the password under the keyboard is real. And usually people put passwords like Hunter@1, Hunter@2... depending on the month so they will not forget it. So no, changing passwords regularly is not good advice.

Atreus said,

You should. In the real world, where there are policies requiring a monthly change of password and the use of strong passwords, people will tend to **** up. The classic post-it with the password under the keyboard is real. And usually people put passwords like Hunter@1, Hunter@2... depending on the month so they will not forget it. So no, changing passwords regularly is not good advice.

If people would follow good password security practices and change it to something completely different instead of incremental such as your example, yes, it would help. Unfortunately, most of them don't.

As far as I know, the industry standard is still 90 days, which is what was suggested a long time ago. With the current ease of password cracking, that doesn't really make much of a difference anymore. Add to that the problem with bad security practices and hackers having access to the whole hash tables, and it seems like we might as well not use passwords anymore. It doesn't help that many people use the same password on multiple sites, so when they are compromised on one, they are compromised on many.

Two factor authentication seems to be the new way to protect your accounts, and who knows what the future has in store.