Wifi 'Protected Setup': not that protected at all

Posted by Emma Woollacott

The US Computer Emergency Readiness Team is warning that a popular tool bundled with many Wifi routers creates a major security flaw.

The Wi-Fi Protected Setup (WPS) protocol is designed to simplify the set-up process for home networks by allowing users to type in a short PIN instead of a long passphrase when adding a new device to a secure network.

But there's a problem, says Stefan Viehböck, who uncovered the issue and reported it to US-CERT.

"A few weeks ago I decided to take a look at the Wi-Fi Protected Setup (WPS) technology. I noticed a few really bad design decisions which enable an efficient brute force attack, thus effectively breaking the security of pretty much all WPS-enabled Wifi routers," he says.

"As all of the more recent router models come with WPS enabled by default, this affects millions of devices worldwide."

The problem is that entering the wrong PIN returns information that could be useful to a hacker.

"When the PIN authentication fails the access point will send an EAP-NACK message back to the client. The EAP-NACK messages are sent in a way that an attacker is able to determine if the first half of the PIN is correct," advises US-CERT.

"Also, the last digit of the PIN is known because it is a checksum for the PIN."

This makes a big difference to the amount of time it takes a hacker to crack the PIN through brute force - bringing it down to just 11,000 attempts in total.
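Where the 11,000 figure comes from, as an added worked example (not code from the article or from US-CERT): a WPS PIN is eight decimal digits, the eighth is a checksum computed from the first seven with the weighted-sum formula given in the Wi-Fi Protected Setup specification, and the access point's EAP-NACK behaviour lets the first four digits be confirmed separately from the remaining three. The functions below compute that checksum, validate a PIN, and count the worst-case guesses with and without the split verification; the sample PINs are constructed for illustration.

```python
# Added example: WPS PIN checksum and the search-space reduction the article describes.
# The checksum formula (odd positions weighted 3x, even positions 1x, complement mod 10)
# is the one defined in the Wi-Fi Protected Setup specification.


def wps_checksum_digit(first_seven: str) -> int:
    """Return the eighth (checksum) digit for a 7-digit WPS PIN prefix."""
    if len(first_seven) != 7 or not first_seven.isdigit():
        raise ValueError("expected exactly 7 decimal digits")
    total = 0
    for i, ch in enumerate(first_seven):
        d = int(ch)
        # 0-based index 0,2,4,6 are PIN positions 1,3,5,7: weighted 3x; the rest 1x
        total += 3 * d if i % 2 == 0 else d
    return (10 - total % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    """True if an 8-digit PIN's last digit matches the checksum of the first seven."""
    if len(pin) != 8 or not pin.isdigit():
        return False
    return int(pin[7]) == wps_checksum_digit(pin[:7])


def search_space(split_verification: bool) -> int:
    """Worst-case number of PIN guesses an attacker must budget for.

    split_verification=False: the checksum fixes one digit, leaving 7 free digits.
    split_verification=True:  the first half (4 digits) is confirmed on its own,
                              then the second half (3 free digits + checksum).
    """
    if not split_verification:
        return 10 ** 7
    return 10 ** 4 + 10 ** 3


if __name__ == "__main__":
    # Constructed sample PINs: 12345670 carries a correct checksum, 12345678 does not.
    for sample in ("12345670", "12345678"):
        print(sample, "valid" if is_valid_wps_pin(sample) else "invalid checksum")
    print("guesses, no half-by-half feedback:", search_space(False))
    print("guesses, with EAP-NACK feedback:  ", search_space(True))
```

The ratio between the two `search_space` results (10,000,000 versus 11,000) is the whole story: the protocol's own checksum and the half-by-half acknowledgement, not any weakness in the wireless encryption, make the PIN guessable. The only controls that change the arithmetic are a lock-out after a handful of failed PIN attempts or disabling WPS on the router altogether.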

And with some wireless routers lacking any lock-out policy for brute-force attempts, this means that in many cases attackers close enough to the wireless access point could retrieve the user's password.