Security Tips
HIGH SECURITY ALERT!
Wi-Fi Protected Setup (WPS) Vulnerable to Brute-Force Attack
Affected Systems

Most Wi-Fi access points that support Wi-Fi Protected Setup (WPS) are affected. Many home routers support WPS.

Overview
Wi-Fi Protected Setup (WPS) provides simplified mechanisms to configure secure wireless networks, such as a one-touch button that allows easy connection to the network instead of having to type a PIN. The external registrar PIN exchange mechanism, one of the WPS methods, is susceptible to brute-force attacks that could allow an attacker to gain access to an encrypted Wi-Fi network.
Description

WPS uses a PIN as a shared secret to authenticate an access point and a client and provide connection information such as WEP and WPA passwords and keys. In the external registrar exchange method, a client needs to provide the correct PIN to the access point.

An attacking client can try to guess the correct PIN. A design vulnerability reduces the effective PIN space sufficiently to allow practical brute-force attacks. Freely available attack tools can recover a WPS PIN in 4-10 hours.

For further details, please see Vulnerability Note VU#723755 and documentation by Stefan Viehböck and Tactical Network Solutions.

Impact: What does this mean to me?

An attacker within radio range can brute-force the WPS PIN for a vulnerable access point. The attacker can then obtain WEP or WPA passwords and likely gain access to the Wi-Fi network. Once on the network, the attacker can monitor traffic and mount further attacks.

If you have password-protected your Wi-Fi station, there is a possibility that the protection could be bypassed. If an intruder is able to connect to your network, they have full access to your internet connection, allowing them to download anything they want (including illegal things that could be tracked back to your house), upload viruses or use your connection to attack other computers or networks. They would also have access to your computers and data.

Solution

Update Firmware
Check your access point vendor's support website for updated firmware that addresses this vulnerability. Further information may be available in the Vendor Information section of VU#723755 and in a Google spreadsheet called WPS Vulnerability Testing.

Disable WPS
Depending on the access point, it may be possible to disable WPS. Note that some access points may not actually disable WPS when the web management interface indicates that WPS is disabled.
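Because the management interface may report WPS as disabled while the access point keeps advertising it, the setting is worth verifying from a wireless scan. The following is an added example, not part of the original alert: it parses scan text in the layout printed by the Linux `iw dev <iface> scan` command (the layout and the sample below are assumptions, constructed for illustration) and reports which access points still carry a WPS element.

```python
import re

# Constructed sample in the layout printed by `iw dev <iface> scan` (assumed format).
SAMPLE_SCAN = """\
BSS 02:00:00:aa:bb:01(on wlan0)
\tsignal: -48.00 dBm
\tSSID: HomeNet
\tWPS:\t * Version: 1.0
\t\t * Wi-Fi Protected Setup State: 2 (Configured)
\t\t * Config methods: Label, Display, PBC
BSS 02:00:00:aa:bb:02(on wlan0)
\tSSID: Office
\tRSN:\t * Version: 1
\t\t * Group cipher: CCMP
BSS 02:00:00:aa:bb:03(on wlan0)
\tSSID: Guest
\tWPS:\t * Version: 1.0
\t\t * Wi-Fi Protected Setup State: 2 (Configured)
\t\t * AP setup locked: 0x01
"""

BSS_RE = re.compile(r"BSS ([0-9a-fA-F:]{17})")

def wps_report(scan_text):
    """Map each BSSID to its SSID and whether it still advertises WPS."""
    report, current = {}, None
    for line in scan_text.splitlines():
        m = BSS_RE.match(line)          # an unindented "BSS <mac>" line starts a new AP
        if m:
            current = report.setdefault(
                m.group(1).lower(), {"ssid": "", "wps": False, "locked": False})
            continue
        if current is None:
            continue                    # ignore anything before the first AP
        text = line.strip()
        if text.startswith("SSID:"):
            current["ssid"] = text[5:].strip()
        elif text.startswith("WPS:"):   # WPS information element is present
            current["wps"] = True
        elif "AP setup locked: 0x01" in text:
            current["locked"] = True    # AP reports its PIN setup as locked
    return report

if __name__ == "__main__":
    for bssid, info in wps_report(SAMPLE_SCAN).items():
        state = "WPS advertised" if info["wps"] else "no WPS element"
        if info["locked"]:
            state += " (AP setup locked)"
        print(f"{bssid}  {info['ssid']:<8} {state}")
```

After disabling WPS, rescan and confirm that your own access point's entry no longer shows a WPS element; if it still does, the setting did not take effect.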

For help with updating or disabling WPS or any other questions, feel free to contact NGT at support@ngtnet.net or (641) 562-2226.

References
This article and further information can be found at US-CERT.


Next Generation Technologies

205 N Main Street

Buffalo Center, IA 50424

ph 641.562.2226
