The US-CERT is warning about a vulnerability in the WiFi Protected Setup standard that reduces the number of attempts it would take an attacker to brute-force the PIN for a wireless router’s setup process. The flaw results in too much information about the PIN being returned to an attacker and makes the PIN quite weak, affecting the security of millions of WiFi routers and access points.

WPS is a method for setting up a new wireless router for a home network and it includes a way for users to set up the network via an external or internal registrar. In this method, the standard requires a PIN to be used during the setup phase. The PIN often is printed somewhere on the wireless router or access point. The vulnerability discovered in WPS makes that PIN highly susceptible to brute force attempts.

“When the PIN authentication fails the access point will send an EAP-NACK message back to the client. The EAP-NACK messages are sent in a way that an attacker is able to determine if the first half of the PIN is correct. Also, the last digit of the PIN is known because it is a checksum for the PIN. This design greatly reduces the number of attempts needed to brute force the PIN. The number of attempts goes from 10^8 to 10^4 + 10^3, which is 11,000 attempts in total,” the US-CERT advisory says.

“It has been reported that some wireless routers do not implement any kind of lock out policy for brute force attempts. This greatly reduces the time required to perform a successful brute force attack. It has also been reported that some wireless routers resulted in a denial-of-service condition because of the brute force attempt and required a reboot.”

Security researcher Stefan Viehbock discovered the vulnerability and reported it to US-CERT. The problem affects a number of vendors’ products, including D-Link, Netgear, Linksys and Buffalo. He said via email that he has received essentially no response from vendors about the problem.

“I noticed a few really bad design decisions which enable an efficient brute force attack, thus effectively breaking the security of pretty much all WPS-enabled Wi-Fi routers. As all of the of the more recent router models come with WPS enabled by default, this affects millions of devices worldwide,” Viehbock said in a blog post.

Viehbock has written a paper on the WPS vulnerability and his research and has also developed a Python tool to brute-force the PINs. He hasn’t released the tool yet, but says he may do so once the code is in better shape. None of the affected vendors have released fixes or workarounds for the bug, but Viehbock says in his paper that disabling WPS looks to be the main practical mitigation. Implementing long lock-out times after multiple authentication failures would help as well.

“One authentication attempt usually took between 0.5 and 3 seconds to complete. It was observed that the calculation of the Diffie-Hellman Shared Key (needs to be done before generating M3) on the AP took a big part of the authentication time. This can be speeded up by choosing a very small DH Secret Number, thus generating a very small DH Public Key and making Shared Key calculation on the AP’s side easier,” he says in the paper.
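The advisory’s arithmetic and the lock-out mitigation can be put side by side in a small cost model. The following is an added example, not code from the advisory or from Viehbock’s tool: it counts the worst-case number of PIN attempts under the design properties the advisory describes (checksum digit, first-half oracle) and then shows how much a lock-out policy stretches the worst-case time at the 0.5–3 second per-attempt figures quoted above. The lock-out parameters (3 failures, 60 seconds) are illustrative assumptions.

```python
# Added example: model of the WPS PIN search space and of the effect of a
# lock-out policy. Not the advisory's or Viehbock's code.

def wps_attempts(digits=8, checksum_known=True, half_oracle=True):
    """Worst-case number of attempts for an even-length numeric PIN.

    checksum_known: the last digit is a checksum of the others, so it never
                    has to be guessed (the WPS design noted in the advisory).
    half_oracle:    the failure response reveals whether the first half was
                    right (the EAP-NACK behaviour), so the two halves are
                    searched one after the other instead of jointly.
    """
    if digits % 2:
        raise ValueError("model assumes an even number of PIN digits")
    half = digits // 2
    if half_oracle:
        first = 10 ** half
        second = 10 ** (half - 1) if checksum_known else 10 ** half
        return first + second
    return 10 ** (digits - 1) if checksum_known else 10 ** digits


def worst_case_seconds(attempts, seconds_per_attempt,
                       lockout_after=0, lockout_seconds=0):
    """Time to exhaust `attempts` guesses when the AP refuses further
    attempts for `lockout_seconds` after every `lockout_after` consecutive
    failures. lockout_after=0 models routers with no lock-out at all.
    Only failures trigger a lock-out, so the final (successful) attempt
    never does; lock-out values here are assumed, not from the paper."""
    active = attempts * seconds_per_attempt
    if lockout_after <= 0:
        return active
    lockouts = (attempts - 1) // lockout_after
    return active + lockouts * lockout_seconds


if __name__ == "__main__":
    print("naive 8-digit PIN:           ", wps_attempts(8, False, False))
    print("checksum known only:         ", wps_attempts(8, True, False))
    print("checksum + half oracle (WPS):", wps_attempts(8, True, True))
    n = wps_attempts()
    for per in (0.5, 3.0):
        no_lock = worst_case_seconds(n, per) / 3600
        locked = worst_case_seconds(n, per, 3, 60) / 86400
        print(f"{per}s/attempt: {no_lock:.1f} h without lock-out, "
              f"{locked:.1f} days with 60 s lock-out after 3 failures")
```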

Categories: Hacks, Mobile Security

Comments (9)

  1. Anonymous

    Ok, maybe I’m paranoid but I disabled WPS and plug and play on my router first thing out of the box. I’m sure every Threat Post reader does too.

  2. Anonymous

    Yeah I haven’t used WPS on any router… just assumed it wasn’t as secure from the get-go. Plus I’m not afraid of typing in a full key vs. a PIN.

  3. Anonymous

    I’ve never used WPS myself. Never seen the need to use it myself. I use DD-WRT firmware and always turn off WPS, UPnP, and QoS as well as make sure MAC filtering is disabled. I just use a 64 alpha-numeric key with WPA-TKIP/WPA2-AES.

  4. Anonymous

    Just got the Kodak Pulse as a gift and need to set up wireless in my home; gave away my router to the kids. Any suggestions on what router to buy? If I disable the WPS I should be able to set the frame up, shouldn’t I? I’m not an expert but want the Wi-Fi secured.

  5. Anonymous

    Go for a mid-priced SoHo device, for example the ZyWALL USG20W 802.11n Wireless Internet Security Firewall (with 4 Gigabit LAN/DMZ ports, 2 IPSec VPN, SSL VPN, and 3G WAN support).

    It may not be easy to use (a little know-how is needed), but it can be better at blocking out all international domains (e.g. .cn, .tw, .il, .cc, .ws, etc…) so that the only domains you deal with are US, UK, DE, FR, hosting some 35% of the hackers, malware and virus creators.

    Even better, do not use internet at all. Read Newspaper.

    Warren Buffett is now buying into newspapers as a media (yes, he invested in Burlington Northern and US Steel when both had a PE of 2-3). Gannett has a PE of 4.

  6. Anonymous

    Where can a service subscriber find a list of wireless routers that either do or do not offer WPA-TKIP/WPA2-AES and demand that their service provide them with only those that do?

  7. Anonymous

    I notice that the WiFi-Analyzer app on my Android tablet shows immediately which APs have WPS enabled.
