WPS is Still Problematic

Written By Danielle Pucciarella-Galkova

About a decade ago a small button marked “WPS” started to appear on home routers. You may have also seen it on your personal mifi devices. This feature is known as Wifi Protected Setup (WPS) and it allows users to override the process of entering SSID credentials, and instead access wireless networks with either an eight-digit pin or the simple press of the button.

WPS is often enabled out of the box, with settings modifiable from the device’s admin control panel. When accessing a home network, typically once a device is connected, the credentials are stored and do not have to be entered again. So, is this process really that much of an inconvenience that we need to shorten it even further? Have we reached this level of first world problems where typing ~20 characters one time is just too much to ask? Apparently so.

The WPS pin option is vulnerable to remote brute-force attacks. Surprise! An eight-digit pin is easier to crack than a passphrase. And despite this being published by CERT in 2011, not much has changed since then, with WPS available on newly developed routers and mifis—this is still a very real threat.

While it could take a brute force program many lifetimes to crack a password such as “DanieLLe00%is$$AwesoMe087!!” it would take the same program just a couple of hours to do this with a WPS pin. In addition, most routers and mifis do not lock users out after too many WPS pin attempts. 

Another reason the WPS pin is so easy to crack is because it’s actually not strictly eight digits. WPS pins are authenticated through a two-step process, which can indicate to a brute force program, such as Reaver, if the first four digits are not correct. With this confirmation, there is no reason to continue trying that sequence. This further simplifies the brute-force process, forcing the program to make only 10,000 attempts for four digits instead of 100,000,000 attempts for eight.

One program that is particular effective at doing this is called Reaver. Reaver can be configured in less than five minutes and it doesn’t take a security professional master it. Once a wireless network is chosen, Reaver goes to work, and within a few hours the WPS pin is cracked. It’s that simple.

The easiest way for users to protect themselves against a WPS attack is to disable WPS completely. While balancing security and convenience can sometimes be a challenge, when it comes to the lax security associated with WPS, the cost of this convenience is clear.

Learn More:
https://www.kb.cert.org/vuls/id/723755
https://lifehacker.com/5873407/how-to-crack-a-wi-fi-networks-wpa-password-with-reaver

Danielle Pucciarella-Galkova
Previous

WHAT IS SHODAN?
Next

Dridex Evolves and Incorporates Atombombing