Every so often we like to highlight the work of our forum members. WarWagon, a Neowin MVC, has done the dirty work of explaining the the recently discovered WPS exploit. Posted below is his work and you can view the forum thread here where the topic is being discussed.
Last month a serious security flaw was discovered in WPS. WPS is built in and effects almost all consumer routers sold in the last few years. Below is explanation about what WPS is and what has been discovered that makes it so dangerous to have enabled.
Why was it created?
The Wi-Fi Protected Setup (WPS) was created to help unsophisticated users secure their wireless router and connect different devices to their wireless network with ease.
How WPS Works
Every router that supports WPS has a an eight-digit device pin printed on the back. When you try to connect a wireless laptop or wireless printer to your wireless network, it will ask you for that 8 digit pin. Now 8 digits are great, because someone would have to be parked on your curb for the next 6.3 years trying to find the correct combination of all 8 digits. It takes 6.3 years because after guessing 3 wrong numbers, the router goes into a lock-down state for 60 seconds. So only 3 different 8 numbers combinations can be tried every 60 seconds, thus taking about 6.3 years.
What went wrong
They Split the 8 digits into 2 sets of 4. All that has to happen now is the first 4 have to be found first. 4 digits only have a 10,000 possible number combination. Once the first 4 numbers are found, the router proclaims "You've found the first four" giving, in essence, a checkpoint at which to save the progress before finding the last 4. So instead of having to guess an 8 digit combination, all that has to be guessed now is two 4 digit combinations and that takes considerably less time. So we've now gone from taking 6.3 years down to about 1 day. But of course, in some cases it gets worse. Some routers do not even go into a lock-down state for 60 seconds after 3 failed attempts; it allows as many guess as can be thrown at it. This means someone could potentially connect and compromise your secured WiFi network in less than 1 day.
How to protect yourself
All router manufactures have to add WPS to their routers and turn it on by default in order to be certified by the Wi-Fi Alliance. So for the last few years ,every router has it built in and has it enabled by default.
Let's start by seeing if your router even has WPS. This can be done one of 2 ways. First check the front of your router for a big WPS push button. If you don't see a push button on the front of the router, look on the back of the router for a sticker that contains an 8 digit pin.
There are 3 ways you can protect yourself if your router has WPS:
1) Disable WPS via the web interface on your router. In some cases, even though you turn off WPS, the router doesn't listen. So to make sure WPS is really turned off do the following: Find a Windows 7 machine with Wi-Fi and remove your current Wi-Fi connected network from the machine and try to reconnect to it. If it prompts you for the WPS pin then, WPS is still enabled. If it prompts you for the WPA key then WPS has been successfully disabled.
2) Firmware update. To correct this WPS issue all together will require a firmware update to the router. It should be a really easy thing to fix so router manufactures should be releasing router updates shortly. The fix simply requires the input of all 8 numbers not the present system of 2 sets of 4. A firmware update will also be needed if you have a router that will not disable properly.
3) Use alternative firmware like Tomato or DD-WRT. Both of these 3rd party firmware's do not have support for WPS built into them so they are not susceptible to the WPS attack. Here is a link to a Google docs spreadsheet which has been kept up to date by users of the internet as to which routers have WPS and which routers it can be disabled and it stays off.