Wi-Fi Protected Setup (WPS) PIN Brute Force Vulnerability

Published: 2011-12-30
Last Updated: 2011-12-30 03:19:11 UTC
by Raul Siles (Version: 1)
8 comment(s)

Wi-Fi Protected Setup (WPS) is a Wi-Fi Alliance specification (v1.0 - available since January 2007) designed to ease the process of securely setup Wi-Fi devices and networks. A couple of days ago US-CERT released a new vulnerability note, VU#723755, that allows an attacker to get full access to a Wi-Fi network (such as retrieving your ultra long secret WPA2 passphrase) through a brute force attack on the WPS PIN. The vulnerability was reported by Stefan Viehböck and more details are available on the associated whitepaper. In reality, it acts as a "kind of backdoor" for Wi-Fi access points and routers.

The quick and immediate mitigation is based on disabling WPS. Your holiday gift for the people around you these days is to tell them to disable WPS.

It is important to remark that this vulnerability affects both the WPS design (which typically means higher impact and longer fix times) and the current Wi-Fi vendor implementations. The design is affected as WPS presents serious weaknesses that allow an attacker to determine if half of the PIN is correct (Do you remember Windows LANMAN (LM) authentication? 7+7 != 14). Therefore the brute force process can be split in two parts, significantly reducing the time required to brute force the entire PIN from 100 million (108) to 11,000 (104 + 103) attempts.The vendor implementations (in Wi-Fi access points and routers) are also affected due to the lack of a proper (temporarily) lock out policy after a certain number of failed attempts to guess the PIN, plus some collateral DoS conditions.

The researcher used a Python (Scapy-based) tool that has not been release yet, although other tools that allow to test for the vulnerability have been made public, such as Reaver . The current tests indicate that it would take about 4-10 hours for an attacker to brute force the 8 digit PIN (in reality 7 digit PIN, 4+3+1 digits).

Lots of Wi-Fi devices available in the market implement WPS, a significant number seem to implement the PIN authentication option (the vulnerable mechanism - called PIN External Registrar), as it seems to be a mandatory requirement in the WPS spec to become WPS certified (by the Wi-Fi Alliance), and still a very relevant number seem to have WPS enabled by default. Based on that, and the experience we had on similar Wi-Fi vulnerabilities over the last decade, it might take time to the Wi-Fi industry to fix the design flaw and release a new WPS version, it will take more time to (all) vendors to release a new firmware version that fixes or mitigates the vulnerability, and it will take even extra time to end users and companies to implement a fixed and secure WPS version and/or implementation, or to disable WPS (although this is the quickest option... we know it takes much more time than we would like :( ).

To sum up, millions of devices worldwide might be affected and it will take months (or years - think on WEP) to fix or mitigate this vulnerability... so meanwhile, it is time to start a global security awareness campaign:

Disable WPS!!

This diary extends the Wi-Fi security posture of previous ISC diaries, were we covered the security of common Wi-Fi usage scenarios, and will be complemented by two upcoming Wi-Fi security end-user awareness resources: the SANS OUCH! January 2012 issue and lesson 12 of Intypedia (both will be available on mid January 2012).

Raul Siles
Founder and Senior Security Analyst with Taddong

Keywords: wifi WPS
8 comment(s)
ISC StormCast for Friday, December 30th 2011 http://isc.sans.edu/podcastdetail.html?id=2227


Diary Archives