In December 2011 Stefan Viehböck published a report about a vulnerability he discovered and analyzed in Wi-Fi Protected Setup (WPS), previously known as Wi-Fi Simple Config. Introduced by the Wi-Fi Alliance in 2007, WPS allows users without advanced knowledge of Wi-Fi router configuration to easily set up their home Wi-Fi networks, add new devices or enable security. The user can add a new device to the wireless network either by pushing a button on both the wireless router and the new device (Push-Button-Connect) or by entering an 8-digit PIN into the new device's "connection wizard" interface. Simply said, the PIN functions as the authentication method for registering a new device in the network.
Stefan Viehböck claims that all the Wi-Fi routers he studied (Cisco/Linksys, Netgear, D-Link, Belkin, Buffalo, ZyXEL) have WPS activated by default and suffer from a grave design and implementation flaw which enables an attacker to gain access to an otherwise sufficiently secured wireless network. It is estimated that 95% of home wireless routers come with WPS enabled by default.
The PIN (8 digits) is divided into two parts of 4 digits each, and the last digit (the 8th) is a checksum of the first 7 digits. If an attacker enters the wrong digits for the first part of the PIN, he receives an EAP-NACK (negative acknowledgement, the equivalent of a "connection refused" error in our case) message, and the same happens for the second part. Since each half is confirmed separately and the last digit is the checksum of the first 7, the calculation gives only 11,000 attempts to find the correct PIN (10,000 possibilities for the first half plus 1,000 for the second, because the checksum fixes the 8th digit), making a brute force attack ("guessing attack") likely to succeed in less than 4 hours. Even if the routers have a blocking mechanism to prevent brute force attacks, the lockout phases are not long enough and the brute force attack still succeeds in less than a day. When the correct PIN is found, the wireless router (or Access Point) sends the attacker the WPA/WPA2 PSK (pre-shared key) needed to connect to the network.
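The arithmetic behind the 11,000 figure, as an added Python example that is not part of the original post: the checksum rule is the one defined in the WPS specification (digit weights 3,1,3,1,3,1,3, with the 8th digit bringing the weighted sum to a multiple of 10); the function names are my own.

```python
# Added illustration of why the WPS design described above reduces an
# 8-digit PIN to 11,000 guesses. The checksum rule follows the Wi-Fi
# Protected Setup specification; the helper names are assumptions of
# this example, not from the original post.

WEIGHTS = (3, 1, 3, 1, 3, 1, 3)   # weights for PIN digits 1 to 7


def wps_pin_checksum(prefix: str) -> int:
    """Checksum digit (the 8th digit) for a 7-digit WPS PIN prefix."""
    if len(prefix) != 7 or not prefix.isdigit():
        raise ValueError("prefix must be exactly seven decimal digits")
    accum = sum(w * int(d) for w, d in zip(WEIGHTS, prefix))
    return (10 - accum % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    """True if an 8-digit PIN carries the correct checksum digit."""
    if len(pin) != 8 or not pin.isdigit():
        return False
    return int(pin[7]) == wps_pin_checksum(pin[:7])


def worst_case_guesses(halves_acknowledged_separately: bool) -> int:
    """Worst-case number of online guesses needed to find the PIN.

    A sound design accepts or rejects the PIN as a whole: 7 free digits
    (the 8th is fixed by the checksum), i.e. 10**7 candidates.
    WPS instead answers with an EAP-NACK after the first half and again
    after the second, so each half is confirmed on its own and the search
    space becomes a sum rather than a product.
    """
    if not halves_acknowledged_separately:
        return 10 ** 7
    first_half = 10 ** 4    # digits 1-4: nothing constrains them
    second_half = 10 ** 3   # digits 5-7 free, digit 8 is the checksum
    return first_half + second_half


if __name__ == "__main__":
    print("12345670 valid:", is_valid_wps_pin("12345670"))
    print("guesses, whole-PIN check:", worst_case_guesses(False))
    print("guesses, WPS split check:", worst_case_guesses(True))
```

The gap between 10,000,000 and 11,000 is entirely due to the per-half acknowledgement, which is why disabling WPS, rather than choosing a "better" PIN, is the mitigation that matters.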
A tool was released in two versions to automate the brute force attack: Reaver, open source software, and Reaver Pro, a hardware-based version. Both versions perform the brute force attack and, when the correct PIN is found, the WPA/WPA2 passphrase is extracted and disclosed to the attacker. That's all; the attacker has gained access to your home network.
I was thinking about what the consequences of a successful attack against your home wireless router can be. It's not only that somebody is stealing your bandwidth: an attacker can use your wireless router, and implicitly your IP, to perform illegal transactions or other nefarious things, so the threat is very serious. Nobody wants to risk waking up with the Police at the door.
How can we mitigate this kind of brute force attack? The first thing we can do is disable WPS, as advised by US-CERT. It is also recommended to use WPA2 (not WEP or WPA) as the encryption and authentication mechanism, to enable MAC filtering and to turn off the SSID (Service Set Identifier) broadcast on your wireless router (make the SSID invisible).
Keep safe!