Design flaws in the Wi-Fi Protected Setup (WPS) wireless standard can make it easier for attackers to obtain access codes for secured wireless networks by brute force.
The vulnerabilities identified by security researcher Stefan Viehbock affect a large number of WPS-enabled routers and wireless access points.
The WPS standard was created in 2007 by the Wi-Fi Alliance in order to provide non-technical users with a simple method of setting up wireless networks.
The standard supports several Wi-Fi authentication methods including one that requires pushing a physical button on the router and one that uses a predefined PIN number printed on a sticker by the device manufacturer.
The PIN-based method is mandatory for WPS-certified devices, which support it by default. Devices that are WPS-capable, but aren't certified, are also likely to use the method.
The WPS PIN is an eight-digit random number. Under normal circumstances, it would take 100 million attempts to crack it. However, because of some bad design choices, this can be reduced to only 11,000 attempts, Viehbock said in a research paper published on Tuesday.
The main problem lies with how devices respond to failed WPS authentication attempts. The replies can indicate if the first or second halves of the PIN number are correct, significantly reducing the complexity of a brute-force attack. The fact that the last digit is actually the checksum of the other seven makes it even easier.
An authentication attempt takes between 0.5 and 3 seconds, allowing an attacker to go through all 11,000 combinations in less than four hours. "On average an attack will succeed in half the time," Viehbock said.
The researcher identified vulnerable devices from multiple vendors including Linksys, Netgear, D-Link, Buffalo, Belkin, ZyXEL, TP-Link and Technicolor, but he believes that others are affected as well.
The majority of router manufacturers don't implement lock-down periods after failed WPS authentication attempts. During Viehbock's tests, only a Netgear device was found to have such protection, but it was insufficiently aggressive and allowed the attack to be performed in less than a day.
The U.S. Computer Emergency Readiness Team (US-CERT) was alerted about the vulnerabilities at the beginning of December and notified some of the affected vendors. The only known workaround at the moment is to disable WPS, US-CERT said in its advisory.