Just a day after security researcher Stefan Viehbock released details of a vulnerability in the WiFi Protected Setup (WPS) standard that enables attackers to recover the router PIN, a security firm has published an open-source tool capable of exploiting the vulnerability. The tool, known as Reaver, has the ability to find the WPS PIN on a given router and then recover the WPA passphrase for the router, as well.
The vulnerability reported by Viehbock to US-CERT stems from the way the WPS standard handles failed authentication attempts in some cases. In those scenarios the access point sends back too much detail to the user, or attacker, about the PIN required to set up the router via WPS. Viehbock found that this information greatly reduces the time needed to recover a router's PIN through a brute-force attack. Once the attacker has the WPS PIN, he can take control of the router.
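To show why the leak turns an impractical brute force into an attack that finishes in hours, here is an added risk-model script (not code from the article, from Viehbock's advisory, or from Reaver). It implements the WPS PIN checksum rule from the specification, sizes the PIN search space under different assumptions about what a failed attempt reveals, and estimates the worst-case time at an assumed per-guess delay (the 1.3 s figure in the test is an assumption, not a value from the article).

```python
from typing import Dict


def wps_checksum_digit(first7: int) -> int:
    """Return the checksum (8th) digit for the first seven digits of a WPS PIN.

    Implements the WPS specification's weighted-sum rule: starting from the
    least-significant digit, alternate weights of 3 and 1, then pick the digit
    that makes the total a multiple of 10.
    """
    accum = 0
    n = first7
    while n:
        accum += 3 * (n % 10)
        n //= 10
        accum += n % 10
        n //= 10
    return (10 - accum % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    """True if an 8-digit PIN string carries a correct checksum digit."""
    if len(pin) != 8 or not pin.isdigit():
        return False
    return wps_checksum_digit(int(pin[:7])) == int(pin[7])


def pin_search_space() -> Dict[str, int]:
    """Worst-case number of guesses under three models of what a failed
    attempt reveals to the client."""
    return {
        # every digit unknown and the checksum rule ignored
        "naive_8_digits": 10 ** 8,
        # checksum rule known, so only seven digits are free
        "checksum_known": 10 ** 7,
        # the failure response confirms the first four digits separately
        # (the information leak the advisory describes): 10^4 guesses for the
        # first half, then 10^3 for the three free digits of the second half
        "first_half_confirmed": 10 ** 4 + 10 ** 3,
    }


def worst_case_hours(guesses: int, seconds_per_guess: float) -> float:
    """Hours needed to exhaust a search space at an assumed per-guess delay."""
    return guesses * seconds_per_guess / 3600.0


if __name__ == "__main__":
    for model, guesses in pin_search_space().items():
        # 1.3 s per guess is an assumed round-trip, not a measured value
        print(f"{model:22s} {guesses:>10d} guesses  "
              f"~{worst_case_hours(guesses, 1.3):.1f} h worst case")
```

Disabling WPS removes the PIN exchange entirely, which is why the article names it as the only real mitigation.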
Researchers at Tactical Network Solutions in Maryland on Wednesday released a tool called Reaver that implements an attack on the WPS vulnerability. The company released the tool as an open-source project on Google Code, but also is selling a more advanced commercial version.
“This is a capability that we at TNS have been testing, perfecting and using for nearly a year. But now that this vulnerability has been discussed publicly we have decided to announce and release Reaver, our WPS attack tool, to the open source community. Reaver is capable of breaking WPS pins and recovering the plain text WPA/WPA2 passphrase of the target access point in approximately 4-10 hours (attack time varies based on the access point),” the company said in a blog post.
The vulnerability in WPS affects a large number of routers from a variety of manufacturers, including Cisco, Buffalo, D-Link and others. The only real mitigation for the attack right now is for users to disable WPS. Viehbock said he hasn’t received much in the way of response from vendors on the vulnerability.