Wi-Fi Protected Setup (WPS) PIN Brute Force Vulnerability

Published: 2011-12-30
Last Updated: 2011-12-30 03:19:11 UTC
by Raul Siles (Version: 1)
8 comment(s)

Wi-Fi Protected Setup (WPS) is a Wi-Fi Alliance specification (v1.0 - available since January 2007) designed to ease the process of securely setup Wi-Fi devices and networks. A couple of days ago US-CERT released a new vulnerability note, VU#723755, that allows an attacker to get full access to a Wi-Fi network (such as retrieving your ultra long secret WPA2 passphrase) through a brute force attack on the WPS PIN. The vulnerability was reported by Stefan Viehböck and more details are available on the associated whitepaper. In reality, it acts as a "kind of backdoor" for Wi-Fi access points and routers.

The quick and immediate mitigation is based on disabling WPS. Your holiday gift for the people around you these days is to tell them to disable WPS.

It is important to remark that this vulnerability affects both the WPS design (which typically means higher impact and longer fix times) and the current Wi-Fi vendor implementations. The design is affected as WPS presents serious weaknesses that allow an attacker to determine if half of the PIN is correct (Do you remember Windows LANMAN (LM) authentication? 7+7 != 14). Therefore the brute force process can be split in two parts, significantly reducing the time required to brute force the entire PIN from 100 million (108) to 11,000 (104 + 103) attempts.The vendor implementations (in Wi-Fi access points and routers) are also affected due to the lack of a proper (temporarily) lock out policy after a certain number of failed attempts to guess the PIN, plus some collateral DoS conditions.

The researcher used a Python (Scapy-based) tool that has not been release yet, although other tools that allow to test for the vulnerability have been made public, such as Reaver . The current tests indicate that it would take about 4-10 hours for an attacker to brute force the 8 digit PIN (in reality 7 digit PIN, 4+3+1 digits).

Lots of Wi-Fi devices available in the market implement WPS, a significant number seem to implement the PIN authentication option (the vulnerable mechanism - called PIN External Registrar), as it seems to be a mandatory requirement in the WPS spec to become WPS certified (by the Wi-Fi Alliance), and still a very relevant number seem to have WPS enabled by default. Based on that, and the experience we had on similar Wi-Fi vulnerabilities over the last decade, it might take time to the Wi-Fi industry to fix the design flaw and release a new WPS version, it will take more time to (all) vendors to release a new firmware version that fixes or mitigates the vulnerability, and it will take even extra time to end users and companies to implement a fixed and secure WPS version and/or implementation, or to disable WPS (although this is the quickest option... we know it takes much more time than we would like :( ).

To sum up, millions of devices worldwide might be affected and it will take months (or years - think on WEP) to fix or mitigate this vulnerability... so meanwhile, it is time to start a global security awareness campaign:

Disable WPS!!

This diary extends the Wi-Fi security posture of previous ISC diaries, were we covered the security of common Wi-Fi usage scenarios, and will be complemented by two upcoming Wi-Fi security end-user awareness resources: the SANS OUCH! January 2012 issue and lesson 12 of Intypedia (both will be available on mid January 2012).

Raul Siles
Founder and Senior Security Analyst with Taddong

Keywords: wifi WPS
8 comment(s)


Linksys E2000: WPS is enabled and there's no way to DISable it.

DD-WRT is going up this weekend :/
I am wondering if this vulnerability includes the external (internet side) port.
If that is the case, why would it have been allowed? In what situation would you need to provide network access to the internet port?
Otherwise, this is more like the WEP problem and wardriving (or bad neighbor) situation. In one case, an attack could come from anywhere in the world, in the other, attackers would need to close enough I could hurl rocks at them. A bad situation but maybe as extreme as a vulnerability to the WAN port of the router.
That said, I made sure my router would run DD-WRT when I bought it. I'll be installing it soon.
The vulnerability only affects WPS, that is, the wireless interface of the Wi-Fi access point or router. Thus, proximity to the Wi-Fi device is required, but remember, this might mean a few hundred meters or even kilometers/miles.
How about just doing the WPA2/AES thing and be done with it?
Please, do not mix the Wi-Fi security mechanisms (WEP/WPA/WPA2... using RC4,TKIP,AES...) with WPS. WPS is a complementary protocol or standard designed to "easily and securely" setup Wi-Fi devices and networks and share, for example, the WEP/WPA/WPA2... key material.
My ActionTec PK5000 from Qwest has the ability to disable WPS completely. When enabled, you actually get to choose which mode of operation you want to use -- Push Button (PBC), AP PIN, or Device PIN. The default, of course, is PBC.

It also keeps a list of devices that have WPS config'ed.

Now to see if Reaver will compile on OS X and do some testing....
For the Linksys WRT54G (only a -million- or so in the field)... it doesn't seem to be named "WPS", but instead "Secure Easy Setup" and the -Default- is -Enable- that needs to be set to -Disable-
Can be found at
> Wireless > Advanced Wireless Settings
... apparently called "Secure Easy Setup" on many routers instead of "WPS".
Yes? No? Something else?
Yes, but I really, really like WPS for setting up WiFi enabled printers. Is it worth the risk if you've changed your passphrase from the default one? My home WiFi came with a passphrase set to the numeric value of the MAC address which I changed to fully alpha-numeric, non-dictionary.

Diary Archives