Design flaws in the WiFi Protected Setup (WPS) PIN protocol significantly reduce the time required to brute-force the password for a wireless network, leaving such networks exceptionally vulnerable to these attacks.
With enough computing power, an attacker within range of a wireless access point may be able to determine the PIN and password for a wireless network, and then change the configuration of the access point or cause a denial of service.
The United States Computer Emergency Readiness Team (US CERT) issued a vulnerability note for the issue, recommending that users disable WPS as a temporary solution to the problem.
Design Flaws and Poor Implementation Create Vulnerabilities
WPS is enabled by default in routers from several vendors, including Belkin, Linksys, and Netgear. The WiFi Alliance created it in 2007 to simplify wireless network setup, letting users bypass technical configuration steps.
Users connect a device to the WiFi network by pushing a button to start authentication, by entering a PIN from the new client into the access point, or by entering an eight-digit PIN from the access point to configure the connection.
"WPS contains an authentication method called 'external registrar' that only requires the router's PIN," the US CERT vulnerability note states. According to the organization and other researchers, this is where the problem lies. "When the PIN authentication fails, the access point will send an EAP-NACK message back to the client," the advisory explains.
"The EAP-NACK messages are sent in a way that an attacker is able to determine if the first half of the PIN is correct. Also, the last digit of the PIN is known because it is a checksum for the PIN." Once the attacker has this information, the maximum number of authentication attempts needed drops dramatically.
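The arithmetic behind that reduction, as an added Python example (not code from the US CERT note or from either researcher's tool): the check-digit rule is the one defined in the WPS specification, and the attempt counts follow directly from the advisory's description of a four-digit first half that is verified on its own and a second half whose last digit is a checksum rather than a free digit.

```python
"""WPS PIN check digit and the size of the resulting guessing space.

The check-digit rule is the one from the WPS specification: the seven
leading digits are weighted 3,1,3,1,3,1,3 and summed, and the eighth
digit is whatever makes that sum a multiple of ten.  Everything else
here is constructed for illustration and is not vendor or tool code.
"""


def wps_pin_checksum(first_seven: str) -> int:
    """Return the eighth (check) digit for a seven-digit PIN body."""
    if len(first_seven) != 7 or not first_seven.isdigit():
        raise ValueError("expected exactly seven decimal digits")
    acc = 0
    for idx, ch in enumerate(first_seven):
        weight = 3 if idx % 2 == 0 else 1  # digits 1,3,5,7 weigh 3; 2,4,6 weigh 1
        acc += weight * int(ch)
    return (10 - acc % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    """True if an eight-digit PIN carries the correct check digit."""
    if len(pin) != 8 or not pin.isdigit():
        return False
    return int(pin[7]) == wps_pin_checksum(pin[:7])


def worst_case_attempts(checksum_known: bool, halves_verified_separately: bool) -> int:
    """Upper bound on PIN guesses needed to exhaust the space.

    - Neither weakness: 10^8 eight-digit PINs.
    - Checksum known only: 10^7 free digits.
    - Halves verified separately (the EAP-NACK leak): the first half is a
      4-digit problem (10^4) solved on its own, after which the second half
      has 3 free digits plus the check digit (10^3).  The two are added,
      not multiplied, which is the whole point of the advisory.
    """
    if not halves_verified_separately:
        return 10**7 if checksum_known else 10**8
    first_half = 10**4
    second_half = 10**3 if checksum_known else 10**4
    return first_half + second_half


def attack_surface_summary() -> dict:
    """Worst-case attempt counts for each combination of weaknesses."""
    return {
        "no weaknesses": worst_case_attempts(False, False),
        "checksum only": worst_case_attempts(True, False),
        "split halves, checksum": worst_case_attempts(True, True),
    }


if __name__ == "__main__":
    # "12345670" is a well-known example PIN; its check digit is 0.
    for body in ("1234567", "0000000", "1111111"):
        print(body, "->", body + str(wps_pin_checksum(body)))
    for name, count in attack_surface_summary().items():
        print(f"{name:>24}: {count:>11,} attempts")
```

The summary function makes the scale of the problem concrete: the same protocol that nominally offers 100 million PINs is reduced to 11,000 candidate guesses in the worst case once both weaknesses are combined, and roughly half that on average.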
Researchers Released Tools to Break the WPS Protocol
To demonstrate the severity of the vulnerability, two independent researchers developed attack tools capable of breaking the WPS protocol within hours.
Security researcher Stefan Viehböck was credited as the first to report the flaw to the US CERT in a published paper titled "Brute Forcing WiFi Protected Setup: When Poor Design Meets Poor Implementation"; he subsequently released a WPS brute-forcing, proof-of-concept application written in Python. Researcher Craig Heffner from Tactical Network Solutions also located the vulnerability and released his own brute-force tool as a GPLv2-licensed, limited-functionality open source version and as an enhanced commercial version.
During its testing of the vulnerability, US CERT found that certain routers lock out devices that enter incorrect PINs, but not for long enough to prevent a brute-force attack, and that many others have no lockout policy at all.
"It has been reported that some wireless routers do not implement any kind of lockout policy for brute force attempts," the US CERT vulnerability note stated. "This greatly reduces the time required to perform a successful brute force attack. It has also been reported that some wireless routers resulted in a denial-of-service condition because of the brute force attempt and required a reboot."
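To see why a short lockout is "not long enough", here is an added Python model (constructed for this article, not vendor firmware and not the US CERT test method) of an access point's lockout policy and the wall-clock time it imposes on an exhaustive search of the 11,000 PIN candidates that half-verification leaves. The two seconds per attempt and the "three failures, 60-second lock" policy are assumed values chosen for illustration; the closed-form estimate and the step-by-step simulation are checked against each other.

```python
"""Effect of an access point's lockout policy on PIN brute-force time.

Constructed model: PinAttemptGuard is the state an AP would keep to
enforce a lockout, and the two estimators compute how long exhausting
a candidate space takes under that policy.  Numbers below are assumed.
"""
from dataclasses import dataclass

CANDIDATES_AFTER_SPLIT = 10**4 + 10**3  # 11,000: first half, then second half


@dataclass(frozen=True)
class LockoutPolicy:
    failures_before_lock: int  # 0 or less means the AP never locks
    lock_seconds: float        # how long PIN attempts are refused once locked


NO_LOCKOUT = LockoutPolicy(failures_before_lock=0, lock_seconds=0.0)


@dataclass
class PinAttemptGuard:
    """Per-AP state enforcing a LockoutPolicy (constructed, not vendor code)."""
    policy: LockoutPolicy
    failures: int = 0
    locked_until: float = 0.0

    def allow(self, now: float) -> bool:
        """An attempt is accepted only when no lock is in force."""
        return now >= self.locked_until

    def record_failure(self, now: float) -> None:
        """Count a failed PIN and, once the threshold is hit, start a lock."""
        if not self.allow(now) or self.policy.failures_before_lock <= 0:
            return
        self.failures += 1
        if self.failures >= self.policy.failures_before_lock:
            self.failures = 0
            self.locked_until = now + self.policy.lock_seconds


def seconds_to_exhaust(attempts: int, seconds_per_attempt: float,
                       policy: LockoutPolicy) -> float:
    """Closed-form worst-case time: attempt cost plus every lock that fires."""
    base = attempts * seconds_per_attempt
    if policy.failures_before_lock <= 0 or policy.lock_seconds <= 0:
        return base
    # A lock fires after each full window of failures; the final window
    # only adds a lock if another attempt has to wait behind it.
    locks_fired = (attempts - 1) // policy.failures_before_lock
    return base + locks_fired * policy.lock_seconds


def simulate_exhaustion(attempts: int, seconds_per_attempt: float,
                        policy: LockoutPolicy) -> float:
    """Advance a clock through every attempt, waiting out each lock."""
    guard = PinAttemptGuard(policy)
    now = 0.0
    for _ in range(attempts):
        if not guard.allow(now):
            now = guard.locked_until  # client has to wait for the lock to expire
        now += seconds_per_attempt
        guard.record_failure(now)
    return now


if __name__ == "__main__":
    per_attempt = 2.0  # assumed cost of one PIN exchange, in seconds
    for label, policy in (
        ("no lockout", NO_LOCKOUT),
        ("3 failures -> 60 s", LockoutPolicy(3, 60.0)),
        ("3 failures -> 1 h", LockoutPolicy(3, 3600.0)),
    ):
        secs = seconds_to_exhaust(CANDIDATES_AFTER_SPLIT, per_attempt, policy)
        assert abs(secs - simulate_exhaustion(CANDIDATES_AFTER_SPLIT, per_attempt, policy)) < 1e-6
        print(f"{label:>20}: {secs / 3600:9.1f} hours worst case")
```

Under these assumptions a router with no lockout can be exhausted in about six hours, and a 60-second lock after three failures stretches that only to a few days; a lock measured in hours is what changes the picture. The guard also shows the detection opportunity: an AP that counts failed PIN exchanges already has the signal it needs to log and alert on a burst of them.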
Currently there is no definitive practical solution to the problem, but the US CERT note advises users to use only WPA2 encryption with a strong password, disable UPnP, and enable MAC address filtering so that only trusted computers and devices can connect to the wireless network.