Just a day after security researcher Stefan Viehbock released details of a vulnerability in the WiFi Protected Setup (WPS) standard that enables attackers to recover the router PIN, a security firm has published an open-source tool capable of exploiting the vulnerability. The tool, known as Reaver, has the ability to find the WPS PIN on a given router and then recover the WPA passphrase for the router, as well.

The vulnerability reported by Viehbock to US-CERT is related to the way the WPS standard handles failed authentication attempts in some cases. In those scenarios, the router sends back too much detailed information to the user (or attacker) about the PIN that is required to set up the router using WPS. Viehbock found that he was able to use that information to greatly reduce the amount of time it takes to recover a router's PIN through a brute-force attack. Once the attacker has the WPS PIN, he can take control of the router.

Researchers at Tactical Network Solutions in Maryland on Wednesday released a tool called Reaver that implements an attack on the WPS vulnerability. The company released the tool as an open-source project on Google Code, but is also selling a more advanced commercial version.

“This is a capability that we at TNS have been testing, perfecting and using for nearly a year. But now that this vulnerability has been discussed publicly we have decided to announce and release Reaver, our WPS attack tool, to the open source community. Reaver is capable of breaking WPS PINs and recovering the plain text WPA/WPA2 passphrase of the target access point in approximately 4-10 hours (attack time varies based on the access point),” the company said in a blog post.

The vulnerability in WPS affects a large number of routers from a variety of manufacturers, including Cisco, Buffalo, D-Link and others. The only real mitigation for the attack right now is for users to disable WPS. Viehbock said he hasn’t received much in the way of response from vendors on the vulnerability.

Categories: Cryptography, Hacks, Mobile Security

Comments (10)

  1. Ted Riot

    First comment poster sums it up. Whoever designed the WPS system obviously has no idea about security. The only response from an authentication request is “yes” or “no”, after a minimum of 3 seconds. Furthermore, the unfortunate thing is that all its users believe it is secure. Trust is a funny thing though. Most people have great difficulty placing trust in a person, but very freely place trust in technology…

    Personally, I have disabled WPS on all systems since the first time I saw it (this is my inherent/healthy distrust in technology). I always will, even if “they” fix this issue.

  2. Anonymous

    Silly me – I always assumed that pushing the physical button on the router was what made the PIN work for a short period of time to provision a device, not that the PIN always works.  What a total joke!  I guess I should have known better.

    Now I have to find out if the stupid PIN support is active on my device even though I did manual setup with a strong passphrase.  Argh.


  3. Anonymous

    Just got done listening to the Security Now podcast on this issue. I’ve never used Wifi routers. Never will. Every Punk A## in the world gets bored masturbating to pics of Roseanne Barr, then decides to try and break into your broadcast. No thanks. Trust no one.

  4. Anonymous

    Linksys routers are vulnerable, but disabling WPS in the web admin page has no effect. The only defense before new firmware is released is to install 3rd party firmware, such as wrt or tomato.

  5. Anonymous

    Just penetration tested my Netgear N150 wireless router using this tool on a laptop with a 1.6 GHz Celeron CPU and 2 GB of memory.

    It took 2 hours before the router gave the tool the 20-digit WPA key that has numbers, upper and lowercase letters in it. So much for complex password wireless security. What’s worse? There’s no way to disable WPS short of disabling wireless, at least on this router.

  6. internetspider

    Good Work!

    I hereby thank all who create and develop new things every day.

    I successfully cracked WPA and WPA2 with that tool.

    It is a very good tool. Please use it to increase knowledge and as a study base.

    Not for hacking or hurting people.

    Thanks one more.

    Jk as internetspider.

  7. Anonymous

    Let’s see. An exploit is published and soon afterwards it is taken advantage of. You don’t suppose there is a connection, do you? We need a genius to figure this out so we can stop/minimize it!


Comments are closed.