The WPS (WiFi Protected Setup) flaw explained for the average user



The WPS (WiFi Protected Setup) Flaw Explained v1.5

Last month a serious security flaw was discovered in WPS. WPS is built in and affects almost all consumer routers sold in the last few years. Below is an explanation of what WPS is and what has been discovered that makes it so dangerous to have enabled.

Why was it created?

The Wi-Fi Protected Setup (WPS) was created to help unsophisticated users secure their wireless router and connect different devices to their wireless network with ease.

How WPS Works

Every router that supports WPS has an eight-digit device pin printed on the back. When you try to connect a wireless laptop or wireless printer to your wireless network it will ask you for that 8 digit pin. Now 8 digits are great, because someone would have to be parked on your curb for the next 6.3 years trying to find the correct combination of all 8 digits. It takes 6.3 years because after guessing 3 wrong numbers, the router goes into a lock-down state for 60 seconds. So only 3 different 8-number combinations can be tried every 60 seconds, thus taking about 6.3 years.

What went wrong

They split the 8 digits into 2 sets of 4. All that has to happen now is the first 4 have to be found first. 4 digits only have 10,000 possible number combinations. Once the first 4 numbers are found, the router proclaims "You've found the first four" giving, in essence, a checkpoint at which to save the progress before finding the last 4. So instead of having to guess an 8 digit combination, all that has to be guessed now is two 4 digit combinations and that takes considerably less time. So we've now gone from taking 6.3 years down to about 1 day. But of course in some cases it gets worse. Some routers do not even go into a lock-down state for 60 seconds after 3 failed attempts. They allow as many guesses as can be thrown at them. This means someone could potentially connect and compromise your secured WiFi network in less than 1 day.

How to protect yourself

All router manufacturers have to add WPS to their routers and turn it on by default in order to be certified by the Wi-Fi Alliance. So for the last few years, every router has it built in and has it enabled by default.

Let's start by seeing if your router even has WPS. This can be done one of 2 ways. First check the front of your router for a big WPS push button. If you don't see a push button on the front of the router, look on the back of the router for a sticker that contains an 8 digit pin.

There are 3 ways you can protect yourself if your router has WPS:

1) Disable WPS via the web interface on your router. In some cases, even though you turn off WPS, the router doesn't listen. So to make sure WPS is really turned off do the following: Find a Windows 7 machine with Wi-Fi, remove your current Wi-Fi connected network from the machine and try to reconnect to it. If it prompts you for the WPS pin, then WPS is still enabled. If it prompts you for the WPA key, then WPS has been successfully disabled.

2) Firmware update. To correct this WPS issue altogether will require a firmware update to the router. It should be a really easy thing to fix so router manufacturers should be releasing router updates shortly. The fix simply requires the input of all 8 numbers, not the present system of 2 sets of 4. A firmware update will also be needed if you have a router that will not disable properly.

3) Use alternative firmware like Tomato or DD-WRT. Neither of these 3rd party firmwares has support for WPS built in, so they are not susceptible to the WPS attack. Below is a link to a Google docs spreadsheet which has been kept up to date by users of the internet as to which routers have WPS and on which routers it can be disabled and stays off.

Here's a video for those who are interested in an in-depth look at WPS being exploited by the "Reaver" tool:

http://www.youtube.com/watch?v=Vg_Wo_1eo5c&hd=1

And the accompanying blog post: http://www.simplywifi.co/blog/2012/1/1/wps-brute-force-thoughts-and-video.html

It's actually worse than that.

Since the last digit is a checksum of the previous digits,[6] there are seven unknown digits in each PIN, yielding 10^7 = 10,000,000 possible combinations.

Since the first half of the pin consists of four digits (10,000 possibilities) and second half has only three active digits (1000 possibilities), at most only 11,000 guesses are needed before the PIN is recovered.

Wikipedia

The worst part about all this is the average user. The average user barely knows what you mean by start button (now that the word start is gone), let alone how to log into the web-based interface of their router and update the firmware. So once this technique of hacking routers becomes mainstream, millions of users will be sitting ducks. Millions of users will not upgrade the firmware or turn off WPS in their routers.
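
An added example, not part of the original thread: a toy Python model of the design described in the posts above, where the reply to a wrong PIN reveals which half failed and the eighth digit is a checksum. `SplitVerifier`, `guesses_with_split_feedback` and `lockout_days` are hypothetical names, the PINs are constructed sample values, and nothing here touches a network.

```python
def wps_checksum(first7: int) -> int:
    """Eighth PIN digit: weights 3,1,3,1,... applied from the rightmost digit."""
    accum = 0
    while first7:
        accum += 3 * (first7 % 10)
        first7 //= 10
        accum += first7 % 10
        first7 //= 10
    return (10 - accum % 10) % 10

def make_pin(first7: int) -> str:
    return f"{first7:07d}{wps_checksum(first7)}"

class SplitVerifier:
    """Flawed design: the reply tells the caller which half of the PIN was wrong."""
    def __init__(self, pin: str):
        self._pin = pin

    def check(self, guess: str) -> str:
        if guess[:4] != self._pin[:4]:
            return "half1_wrong"
        return "ok" if guess[4:] == self._pin[4:] else "half2_wrong"

def guesses_with_split_feedback(verifier) -> int:
    """Count the guesses needed when each half is confirmed on its own."""
    count = 0
    for h in range(10_000):              # first half: 10^4 candidates
        count += 1
        reply = verifier.check(f"{h:04d}0000")
        if reply == "ok":
            return count
        if reply == "half2_wrong":       # the leak: first half is now known
            break
    for s in range(1_000):               # second half: 3 free digits + checksum
        count += 1
        if verifier.check(make_pin(h * 1000 + s)) == "ok":
            return count
    raise ValueError("stored PIN does not carry a valid checksum")

def lockout_days(guesses: int, per_window: int = 3, window_s: int = 60) -> float:
    """Days needed for `guesses` attempts under a 3-tries-per-60-seconds lock-down."""
    return guesses / per_window * window_s / 86_400

WORST_SPLIT = guesses_with_split_feedback(SplitVerifier(make_pin(9_999_999)))
WORST_WHOLE = 10**7   # all-or-nothing reply: no half is confirmed early

if __name__ == "__main__":
    print(f"split feedback: {WORST_SPLIT} guesses, {lockout_days(WORST_SPLIT):.1f} days")
    print(f"whole-PIN only: {WORST_WHOLE} guesses, {lockout_days(WORST_WHOLE) / 365:.1f} years")
```

The figures are worst cases with the lock-down working as described; a router that only answers "right" or "wrong" for the whole PIN keeps the search at the 10^7 figure.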
