
Wi-Fi Protected Setup flaws make wireless network brute-force attacks feasible

Attackers can use information from failed WPS authentication responses to break into wireless networks

Design flaws in the Wi-Fi Protected Setup (WPS) wireless standard can make it easier for attackers to obtain access codes for secured wireless networks by brute force.

The vulnerabilities identified by security researcher Stefan Viehbock affect a large number of WPS-enabled routers and wireless access points.

The WPS standard was created in 2007 by the Wi-Fi Alliance in order to provide non-technical users with a simple method of setting up wireless networks.

The standard supports several Wi-Fi authentication methods including one that requires pushing a physical button on the router and one that uses a predefined PIN number printed on a sticker by the device manufacturer.

The PIN-based method is mandatory for WPS-certified devices, which support it by default. Devices that are WPS-capable, but aren't certified, are also likely to use the method.

The WPS PIN is an eight-digit random number. Under normal circumstances, it would take 100 million attempts to crack it. However, because of some bad design choices, this can be reduced to only 11,000 attempts, Viehbock said in a research paper published on Tuesday.

The main problem lies with how devices respond to failed WPS authentication attempts. The replies can indicate whether the first half or the second half of the PIN is correct, significantly reducing the complexity of a brute-force attack. The fact that the last digit is actually the checksum of the other seven makes it even easier.

An authentication attempt takes between 0.5 and 3 seconds, allowing an attacker to go through all 11,000 combinations in less than four hours. "On average an attack will succeed in half the time," Viehbock said.

The researcher identified vulnerable devices from multiple vendors including Linksys, Netgear, D-Link, Buffalo, Belkin, ZyXEL, TP-Link and Technicolor, but he believes that others are affected as well.

The majority of router manufacturers don't implement lock-down periods after failed WPS authentication attempts. During Viehbock's tests, only a Netgear device was found to have such protection, but it was insufficiently aggressive and allowed the attack to be performed in less than a day.
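The arithmetic behind the 11,000 figure, and the effect a lock-down period has on it, can be worked through in a few lines. This is an added example, not code from the article or from Viehbock's paper. The one-second attempt time (inside the article's 0.5 to 3 second range) and the three lock-down policies are assumed values chosen for illustration.

```python
from dataclasses import dataclass
from typing import Optional


def pin_search_space(digits: int = 8, checksum: bool = True,
                     halves_leak: bool = True) -> int:
    """Worst-case number of guesses for a WPS-style numeric PIN."""
    # With a checksum, the last digit is derived from the others, not guessed.
    free = digits - 1 if checksum else digits
    if not halves_leak:
        return 10 ** free
    # If failure replies confirm each half separately, the halves are
    # searched one after the other instead of jointly.
    first = digits // 2
    second = free - first
    return 10 ** first + 10 ** second


@dataclass
class Lockout:
    max_failures: int  # failed attempts allowed before WPS is locked
    lock_seconds: int  # how long WPS then stays locked


def worst_case_hours(attempts: int, seconds_per_attempt: float,
                     lockout: Optional[Lockout] = None) -> float:
    """Hours needed to exhaust `attempts` guesses under a lock-down policy."""
    total = attempts * seconds_per_attempt
    if lockout:
        # Simplification: every attempt except the final one is a failure.
        total += ((attempts - 1) // lockout.max_failures) * lockout.lock_seconds
    return total / 3600


def report(seconds_per_attempt: float = 1.0) -> dict:
    """Worst-case hours for the leaked-halves PIN under assumed policies."""
    space = pin_search_space()
    policies = {  # constructed policies, not taken from any vendor
        "no lock-down": None,
        "60 s after 10 failures": Lockout(10, 60),
        "60 s after 3 failures": Lockout(3, 60),
        "1 h after 3 failures": Lockout(3, 3600),
    }
    return {name: round(worst_case_hours(space, seconds_per_attempt, p), 1)
            for name, p in policies.items()}


if __name__ == "__main__":
    for name, hours in report().items():
        print(f"{name:>24}: {hours:>8} h worst case")
```

A short lock-down that triggers only after many failures still leaves the worst case under a day, while a long lock-down after a few failures pushes it to months.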

The U.S. Computer Emergency Readiness Team (US-CERT) was alerted about the vulnerabilities at the beginning of December and notified some of the affected vendors. The only known workaround at the moment is to disable WPS, US-CERT said in its advisory.

