Bypassing WPS Router Security
by Jago Maniscalchi // January 4, 2012 // Exploits and Malware, News // No comments
Security researcher Stefan Viehbock recently released information about a method that can be used to bypass the security on a Wi-Fi Protected Setup (WPS) router.
WPS is a mechanism that was developed to make it simple for new devices to be added to an existing wireless network without having to understand the complex configuration required for a WPA2 protected network. The WPS-enabled router has a PIN printed on the back which is entered into a wizard on the new client. The client communicates with the router or access point over the wireless network using a series of EAP messages. At the end of the process, the access point disassociates from the client and waits for the client to connect with its new configuration.

WPS PINs are eight digits long, giving a brute-force complexity of 10^8 (100 million attempts required to guarantee success). The last digit of the PIN is a checksum, so it can be calculated from the other seven; this reduces the complexity to 10^7 (10 million attempts). Viehbock’s discovery, which alters the playing field completely, is that devices respond differently if the first four digits of an incorrect PIN are correct. It is therefore possible to brute-force the first four digits and then the remaining three, instead of having to guess all seven digits at once. As a result, the complexity of the problem is reduced to 10^4 followed by 10^3 (11,000 tries in total). In addition, Viehbock discovered that a number of popular routers do not have any brute force protection, allowing PIN guesses to be made in rapid succession.
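The arithmetic behind the two paragraphs above, as an added example that is not part of the original article and is not code from Viehbock’s tool: the checksum digit is computed with the 3,1,3,1,3,1,3 digit weights defined in the WPS specification, and the guess counts show why independent verification of the two PIN halves collapses the search space. The per-attempt timings passed to worst_case_hours are constructed inputs for comparing a router with and without a lockout, not measurements from the page.

```python
"""Added example: WPS PIN checksum and the cost of split PIN verification.

Two facts from the article are made concrete here:
  1. The eighth digit of a WPS PIN is a checksum over the first seven, so
     only seven digits carry entropy.
  2. When an access point confirms the first four digits before the last
     three are checked, the worst case drops from 10^7 to 10^4 + 10^3.
Nothing here touches a network; it is arithmetic a defender can use to judge
exposure and to check whether a lockout policy is meaningful.
"""

# Per-digit weights for the first seven digits, from the WPS specification.
WEIGHTS = (3, 1, 3, 1, 3, 1, 3)
DECIMAL = set("0123456789")


def wps_checksum(first_seven: str) -> int:
    """Return the checksum digit that belongs after the first seven digits."""
    if len(first_seven) != 7 or not set(first_seven) <= DECIMAL:
        raise ValueError("expected exactly seven decimal digits")
    total = sum(w * int(d) for w, d in zip(WEIGHTS, first_seven))
    return (10 - total % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    """True if an eight-digit PIN carries the correct checksum in its last place."""
    if len(pin) != 8 or not set(pin) <= DECIMAL:
        return False
    return wps_checksum(pin[:7]) == int(pin[7])


def worst_case_guesses(split_verification: bool) -> int:
    """Worst-case number of guesses for the seven secret digits.

    split_verification=True models the flaw described in the article: the
    first four digits are confirmed on their own, then the remaining three.
    """
    if split_verification:
        return 10 ** 4 + 10 ** 3   # 11,000
    return 10 ** 7                 # 10,000,000: all seven digits at once


def worst_case_hours(seconds_per_attempt: float, split_verification: bool = True) -> float:
    """Hours needed to exhaust the space at a given (caller-supplied) attempt rate."""
    return worst_case_guesses(split_verification) * seconds_per_attempt / 3600


def main() -> None:
    # Constructed PINs for illustration; not values from any real device.
    for stem in ("1234567", "1111111"):
        print(f"{stem} -> checksum {wps_checksum(stem)}")
    print("12345670 valid:", is_valid_wps_pin("12345670"))
    print("12345671 valid:", is_valid_wps_pin("12345671"))

    # Constructed timings: a router answering every guess promptly versus one
    # that enforces a lockout, which raises the effective seconds per attempt.
    print("guesses, split verification:", worst_case_guesses(True))
    print("guesses, whole-PIN verification:", worst_case_guesses(False))
    print(f"no lockout, 1 s/attempt: {worst_case_hours(1.0):.1f} h")
    print(f"lockout equivalent to 36 s/attempt: {worst_case_hours(36.0):.1f} h")


if __name__ == "__main__":
    main()
```

The checksum check is what a network auditor uses to confirm that a PIN printed on a router is well-formed; the guess-count functions show that even a modest lockout multiplies the attacker’s worst-case effort by the same factor it multiplies the per-attempt cost, which is why the US-CERT workaround of disabling the external registrar is the only change that removes the exposure outright.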
In a video posted on Viehbock’s blog, he demonstrates an attack that completes in 45 minutes.
wpscrack vs. TP-Link TL-WR1043ND – Demo from Stefan Viehboeck on Vimeo.
US-CERT have confirmed the vulnerability:
An attacker within range of the wireless access point may be able to brute force the WPS PIN and retrieve the password for the wireless network, change the configuration of the access point, or cause a denial of service.
We are currently unaware of a practical solution to this problem.
Please consider the following workaround – within the wireless router’s configuration menu, disable the external registrar feature of WiFi Protected Setup (WPS). Depending on the vendor, this may be labeled as external registrar, router PIN, or WiFi Protected Setup.
A number of tools have been released that weaponise the vulnerability, including Viehbock’s proof of concept tool WPS-crack and Craig Heffner’s tool Reaver.