Forgot your password?
typodupeerror
Networking Security Wireless Networking

New WiFi Setup Flaw Allows Easy Router PIN Guessing 86

Posted by Soulskill
from the orders-of-magnitude dept.
Trailrunner7 writes "There is a newly discovered vulnerability in the WiFi Protected Setup standard that reduces the number of attempts it would take an attacker to brute-force the PIN for a wireless router's setup process. The flaw results in too much information about the PIN being returned to an attacker and makes the PIN quite weak, affecting the security of millions of WiFi routers and access points. Security researcher Stefan Viehbock discovered the vulnerability (PDF) and reported it to US-CERT. The problem affects a number of vendors' products, including D-Link, Netgear, Linksys and Buffalo. 'I noticed a few really bad design decisions which enable an efficient brute force attack, thus effectively breaking the security of pretty much all WPS-enabled Wi-Fi routers. As all of the of the more recent router models come with WPS enabled by default, this affects millions of devices worldwide,' Viehbock said."
This discussion has been archived. No new comments can be posted.

New WiFi Setup Flaw Allows Easy Router PIN Guessing

Comments Filter:
  • WPS (Score:4, Insightful)

    by Shadyman (939863) on Tuesday December 27, 2011 @08:00PM (#38509172) Homepage

    As all of the of the more recent router models come with WPS enabled by default...

    Don't you still have to physically push a button to (temporarily) enable WPS? If not, whose bright idea was *that*?

    • Re: (Score:2, Informative)

      by Anonymous Coward

      There's push button mode, and there's a shared PIN mode.

      • Re:WPS (Score:4, Insightful)

        by mkraft (200694) on Tuesday December 27, 2011 @08:36PM (#38509526)

        I believe you still have to put the router into setup mode even when using shared PIN mode. That limits the times this attack could possibly work.

        • by AmiMoJo (196126)

          There are ways around that. You could just keep your computer on 24/7 until the unsuspecting victim pairs something with their router, but it is more efficient to use a trick similar to that used to force WPA authentication which is required for attacking WPA keys. In the case of WPA the attacker forces a client to re-connect, e.g. by sending de-auth packets appearing to come from said client.

          For WPS you can use the same technique until the victim thinks their wifi is broken and tries to re-pair their devic

        • by jroysdon (201893)

          This is incorrect. Look at the paper. It states WPS has three methods:
          Push-button-connect
          PIN - Internal Registrar (web interface)
          PIN - External Registrar (PIN)

          Default on the Buffalo WHR-HP-G300N I just reviewed is to have External Registrar (PIN) enabled.

          The paper further states that if a device is WPS certified then it must have the External Registrar (PIN). To make it "user friendly" it will be enabled by default. Hopefully your devices have the ability to disable it.

          Side note: trust no wireless. Bes

        • by jroysdon (201893)

          That is incorrect. With External Registrar (PIN) method nothing has to be done on the router and it is all done remote. Per the paper, External Registrar (PIN) is a required feature for all WPS-certified devices. (Note, it doesn't have to be enabled by default, but that wouldn't be user friendly, would it?).

          Two flaws:
          1. The WPS access point should not NACK the PIN before the entire PIN is transmitted. This cut the amount of guesses down from 100,000,000 (10^8) to 11,000 (10^4 + 10^3).
          2. Most access poin

    • Re:WPS (Score:5, Funny)

      by b4dc0d3r (1268512) on Tuesday December 27, 2011 @09:39PM (#38510208)

      HAHAHAHA I got a new Linksys. My WPS doesn't work at all. Joke's on them! HAHAHAHAWAit a minute.

    • Most of routers implementations allow a few attempts and then black list the MAC address of the attacker for a while (according to TFA the program would have to try at most 11,000 times).
      Thus the attacker program should be low-level enough to fake its own MAC address all the time.
      • by X0563511 (793323)

        Much fun to be had by de-authing an existing client and spamming WPS with their MAC, thus booting them off for whatever the cooldown period was.

        Oops?

  • by viperidaenz (2515578) on Tuesday December 27, 2011 @08:02PM (#38509194)
    So I'm still safe-ish using plain old WPA2/PSK?
    • Re:ok... (Score:5, Informative)

      by stevel (64802) on Tuesday December 27, 2011 @08:18PM (#38509356) Homepage

      No. If your router supports the "external" authentication mode using only a PIN, it is vulnerable no matter which encryption type you use or how good your password is. I did not realize that there was such a mode - I too thought it required the pushbutton.

      The easiest mitigation is to disable the WPS PIN on your router, re-enabling it when you want to add a device. Some routers may not have such an option, but at least mine does.

      Scary.

      • No. If your router supports the "external" authentication mode using only a PIN, it is vulnerable no matter which encryption type you use or how good your password is.

        I didn't see Apple mentioned anywhere. Apparently the recent Airport Extremes do support WPS mode, but (when I checked my router's preferences) it appears there's no set PIN enabled by default. When I go to see how it works, it asks me to enter a PIN that's been chosen by the client. If true, that shouldn't be problematic - although I haven't ever used that "feature" since I never found WPA2 to be particularly difficult to set up in the first place.

        • In can be difficult when you use a sufficiently long WPA2 passkey, but that's largely due to how well you can type a password that could be 60+ characters.

          That being said, I have never had a problem typing my passkey, and have never had a need to use WPS to set up my router. Mine does support the pushbutton authentication mode, as well as the pre-generated PIN mode, but the PIN is disabled by default, which is exactly how it should be... and I think (I'd have to check the documentation) that if you enable t

      • I have no WPS since I bought a $20 TP link router when a power surge fried my asus wl-500
  • by Anonymous Coward
    I've never trusted the WiFi protected setup scheme because if it seems too easy to be secure, well then it probably is. If you don't use Tomato or DD-WRT on your router you obviously don't really care about security anyway so who cares? The OOB ROMs on most consumer routers are full of more holes than a breadboard.
    • Re: (Score:2, Informative)

      by LordLimecat (1103839)

      If you don't use Tomato or DD-WRT on your router you obviously don't really care about security anyway so who cares? The OOB ROMs on most consumer routers are full of more holes than a breadboard.

      A) Citation needed.
      B) Apparently youre not aware of the issues that historically plagued DD-WRT, what with their broken HTTPS daemon which would either spike your cpu to 100% or require you to use HTTP only. Thats some mighty good security there.
      C) Apparently youre also not aware that the old WRT-54Gs were the starting point for DD-WRT, and were linux based. What makes you think theres more security in DD-WRT?
      D) Security has never been a chief concern of either Tomato or DD-WRT.

    • If you don't use Tomato or DD-WRT on your router you obviously don't really care about security anyway so who cares? The OOB ROMs on most consumer routers are full of more holes than a breadboard.

      BS. I can't speak to some brands, but the main reason to install Tomato or DD-WRT is *not* security, it's features. If you're not using one of those firmwares, then it's because you don't need the added features that they offer (or perhaps, you have a router which came with every single one of those features out of the box, and see no point in installing them). There is absolutely nothing that Tomato can do which can't be done with the default firmware on my TP-Link router, because the default firmware is t

    • by yuhong (1378501)

      I think they designed the protocol to use Diffie-Hellman to prevent offline attacks.

  • Does it matter? (Score:3, Interesting)

    by wbr1 (2538558) on Tuesday December 27, 2011 @08:05PM (#38509218)
    Since most people (home consumers) can't be bothered to change a default name/password/ssid on damn things anyway about 80% or more are unsecure as it it. If you want a secure connection, don't use the air, use a wire, and better yet, make sure you own and monitor its entire length.
    • by davester666 (731373) on Tuesday December 27, 2011 @08:25PM (#38509418) Journal

      Rubbish. That's just half-assed security.

      If you want real security, you need to personally design the chips, fab them [then microwave the resulting chips to make sure they actually fabbed your design], then put fabricate the pcb, solder it all together, then write the router's OS.

      Oh, and for extra credit, implement your own personal wireless protocol [using either/both of the public 2.4/5 GHz frequencies] for both the router you just fabbed as well as for your computing devices.

      • by mbkennel (97636)

        For Very Sensitive national security projects that's just what they do.

        Sandia National Laboratory has a semiconductor fab. No doubt they're few generations behind Intel in process, but that isn't the point of these.

        It is because They have discovered very subtle and apparently intentional hardware flaws inserted into chips made in the East. Not mistakes.

      • by operagost (62405)
        You forgot to write your own encryption algorithm. FAIL
    • if you don't have any laptops and just desktops then don't get a wifi router if you want a secure connection.

    • Re:Does it matter? (Score:4, Interesting)

      by LordLimecat (1103839) on Wednesday December 28, 2011 @01:52AM (#38512006)

      WPA2-PSK is, I would argue, more secure than bog-standard wired ethernet. Wired ethernet is trivial to tap with a laptop with a USB-ethernet port bridged to its internal NIC. Its also possible to tap by simply capturing the EM emissions from the line. ARP poisoning could also trivially reveal plaintext passwords, and what sites you visit.

      With properly set up wifi, on the other hand, every communication is encrypted, HTTPS or not. Im not sure as Ive never tried, but I do not believe that you can arp-poison a wifi connection that has been secured with WPA2.

      Of course you can throw in IPsec, but you can do that regardless of the physical layer involved.

      • Of course you can use arp poisoning on a WPA2 connection, as long as you have access to the broadcast domain. This means either a valid WPA2 passphrase to connect to the network via air or access to the wired part of the network (which is usually bridged). Remember: WPA2 encryption is only a way of preventing anyone from connecting to your network, it is not a sufficient way to protect your data: What use is an encrypted wifi link if the data is travelling the next 1000 miles beyond that purely unencrypted
      • I would argue that WPA2-PSK is not nearly as secure as ethernet, especially 802.1x protected ethernet (which is rare). Here's why:

        * WiFi is wireless. Most hackers are more apt to hack from a coffee shop across the street with a nice 1-Watt WiFi radio/9+db antenna than try to gain physical access. You have to physically intrude into the network in order to get ethernet access -- and if you've gone this far, can't you just break into the server room and take the disks out of the servers!?!
        * WPA2-PSK use

        • * WiFi is wireless. Most hackers are more apt to hack from a coffee shop across the street with a nice 1-Watt WiFi radio/9+db antenna than try to gain physical access. You have to physically intrude into the network in order to get ethernet access

          The problem is, youre looking at the best case scenarios for each, and I would agree-- on a hardened network with a managed switch and security policies in place, a wired solution can be more secure. But in an average scenario, wired setups are horribly vulnerable to ARP sniffing, DHCP spoofing, inserting a tap between wall jack and workstation, etc. No authentication is needed for ANY of those-- your attacker doesnt even need authorization, just physical access, which is terribly easy in 90% of offices a

    • by Bengie (1121981)

      Wifi on my Netgear didn't even work until I assigned my own password. It wouldn't even allow open Wifi until I created a secure wifi at least once.

  • Nothing new (Score:4, Informative)

    by ewanm89 (1052822) on Tuesday December 27, 2011 @08:15PM (#38509320) Homepage
    Same old thing, default configuration is bad.
    • Re:Nothing new (Score:4, Interesting)

      by gadzook33 (740455) on Tuesday December 27, 2011 @09:22PM (#38510002)
      I guess. Except that shouldn't be (isn't?) true. Is the default mode I use SSL in bad? Is Amazon's security bad?

      I just can't believe how incredibly poor this implementation was. For that matter, I can't believe no one noticed it up until now. This just seems like security 101 stuff. If nothing else it shouldn't have passed the you-don't-get-something-for-nothing common sense check.
      • Is Amazon's security bad?

        Yes. Yes it is.

      • by ewanm89 (1052822)
        I won't go into how many certificate authority breeches in the last year. One CA actually managed to get itself revoked off every browser's list, but the bigger ones are not much better.
        • by dkf (304284)

          I won't go into how many certificate authority breeches in the last year.

          Yeah, they're all just pants [wikipedia.org].

    • Re:Nothing new (Score:4, Informative)

      by swillden (191260) <shawn-ds@willden.org> on Tuesday December 27, 2011 @10:07PM (#38510512) Homepage Journal

      Same old thing, default configuration is bad.

      Not really. That would imply that changing the default configuration to something else would fix the problem, but it doesn't. The only thing that fixes it is disabling WPS. Well, I suppose setting a really long PIN -- but the default is 8 digits which most people would expect is reasonable anyway. If the protocol didn't leak information about the PIN, or the device didn't allow brute force searches, this wouldn't be a problem.

      This isn't a default configuration problem, this is a security protocol defect coupled with an implementation error.

      • by ewanm89 (1052822)
        I can try 8 digit pin (0-9 only?) in mere seconds on modern hardware just a bruteforce. The problem is bad security options set as default, do we remember when they turned WPA on and then used a hashed router serial number + ESSID for the key so the autoconfig software could figure it out remotely?... Same badness there. Now if you are using default security on your routers, this is to be expected.
        • by swillden (191260)

          I can try 8 digit pin (0-9 only?) in mere seconds on modern hardware just a bruteforce.

          Only if the router is stupid. A proper implementation should at a minimum impose a second or two delay after failed attempts, and a good one should implement exponentially increasing delays.

          Actually, "mere seconds" is likely impossible even without any delays. 10^8 values tested in, say, 10 seconds, means you have to be able to test 10^7 keys per second -- that's ten keys per microsecond. Given wireless protocol overheads, inter-frame delays, etc., plus the fact that the router hardware isn't tremendou

          • by ewanm89 (1052822)
            Actually. it is achievable, it's not about speed it's about being extremely parallel, if I try a different key across each 200+ processor cores. A S2050 1U GPU Computing System from Nvidia has 4 GPU's each with 448 Thread processors in them giving a total of 1792 parallel processing cores. Even if each one can only try 1 key a millisecond (this is slow but algorithm dependent!) we are talking about ~55,804 milliseconds, which is just under a minute. So your only defense now is that I can't capture a packet
            • by swillden (191260)

              Actually. it is achievable, it's not about speed it's about being extremely parallel, if I try a different key across each 200+ processor cores.

              You only have one router to test against. Every key you want to try must be transmitted to the router, as part of a multi-step protocol. I don't care how many cores you have, the router is the bottleneck.

              This is different from a situation where you have, say, a hash of a password and can parallelize hashing operations, trying to find a password that hashes to a known value. Ditto for brute forcing a cryptographic key space searching for one that decrypts a known ciphertext to a known plaintext (or a pl

            • by swillden (191260)

              So your only defense now is that I can't capture a packet and do an offline attack?

              Ah, sorry, I missed this part.

              Yes, that's exactly the problem. You can't capture a packet and do an offline attack. There is no packet to capture which will enable you to test many values offline. Each attempt to guess the PIN must be an on-line attack, transmitted to the router.

              • by ewanm89 (1052822)
                Yes, as in this specific case one does a Diffie-Hellman key exchange before an attack. But when proofing anything against bruteforce style attacks on assumes that it's going to be an offline attack. We assume worse case in cryptography research, not best case and hope someone doesn't work out how to make it offline. but I'm just pointing out, generally speaking *any brute-force* 10^8 keys is not a lot, infact an 8 digit full alphanumeric + symbol password.passphrase is nolonger considered secure. And enforc
                • by swillden (191260)

                  Yes, as in this specific case one does a Diffie-Hellman key exchange before an attack. But when proofing anything against bruteforce style attacks on assumes that it's going to be an offline attack.

                  Depends on the context. Structuring the protocol to eliminate off-line attacks and then implementing countermeasures to defeat on-line attacks is a common and perfectly valid strategy. Particularly when you want to have human-usable keys, as in this case.

                  We assume worse case in cryptography research, not best case and hope someone doesn't work out how to make it offline.

                  No, we don't assume worst case. The right way to build cryptographic security systems is to define the threat model, identify the avenues of attack and implement necessary threat mitigation countermeasures -- with an appropriate level of conservatism, of

  • by edsousa (1201831)
    While the content seems sound... Arrgh! Papers made on Word with default template. Yuck.
  • Since my ISP uses MAC registering, I have to setup the damn router with a specific MAC address and since I'm in there doing that, I may as well configure the rest of the damn thing with it's passphrase and name. This actually saves me lots of trouble as I don't have to reconfigure the damn authorized systems again (they already have the needed connection information) so they're connected as soon as I'm done configuring the router.

  • by jsm18 (1317959) on Tuesday December 27, 2011 @09:35PM (#38510164)

    "The flaw results in too much information about the PIN being returned to an attacker and makes the PIN quite weak"

    Does anyone else visualize a router responding with: "Getting warmer!"

  • Is this the "Secure Easy Setup" option on the "Wireless" menu, which by default is enabled, and of which there's no info on the help screen of my WRT54G?

    • by wytcld (179112)

      Answering myself: Looks like Secure Easy Setup was the prior version, before the standard was set. No notion if it has the vulnerability. But I've turned it off anyway. Wouldn't have had it on if I'd notice it before in the menu, since I never use it anyway.

      • I wondered, as well, and was surprised at how little information is available -- both in the Linksys literature and online -- on this feature. Reprehensible.

  • I use OpenWRT on my private router. As can be said of ALL default installed software: SCREW the firmware that comes with the routers.

    It's just like my Laptop, Servers, Workstations, and Phone: If I can't install MY OS on it, it's not worth any of my time. If I haven't installed my OS on it, I DON'T USE IT.

    That "easy setup" button on my router now gives me a minimal window of time during which I can SSH in to the router itself -- I have to be connected to the router already to do so over Ethernet or WPA2 w/ AES.

    If you don't know how to drive GET THE HELL OUT from behind the steering wheel! The same can be said for networks, security, computers in general. If you can't configure your network, get someone who can to do so. Otherwise, expect to lose control and have a horrible accident when you brake instead of clutch, or WPS or WEP instead of WPA PSK w/ custom firmware.

    • by Anonymous Coward

      I just bought a new router. I must confess, I have no clue what it's default firmware even looks like. First thing I did was install DD-WRT on it and tweak almost everything.

    • by plover (150551) *

      Let me carry that vehicle analogy just one step further to the infrastructure level, and then you can answer some questions: Do you know how thick the class 5 limestone needs to be to support a four lane concrete freeway when building a road on a clay-silt base? What's the weight required for the tamping machine to ensure it's adequately packed down so the roadbed doesn't crack? How much reinforcing mesh do you have to put in the concrete, and how close to the road surface can it be? What is the proper

  • I have a regular non-wifi router and then behind that a separate wifi access point (WPA2 protected)... Am I safe from this attack then?

  • by romiz (757548) on Wednesday December 28, 2011 @04:13AM (#38512724)

    From the PDF, the implementation mistake is to give the attacker feedback on whether the tried key is correct after the first half of authentication (phase M4), and then after the complete authentication (phase M6). Since the PIN is only 8 digits, and the last one is a checksum, the problem is reduced to guessing 1 number in 10000, and then 1 in 1000.

    The document states that there are few possible mitigations for the problem. However, it skips the obvious one: do not notify authentication success/failure until the response to the M6 message. This would restore the 1 in 10,000,000 guessing complexity of the PIN code, without changing the protocol. It should even be a new issue tested by the compliance suite the vendors need to pass to get the WPS certification.

    • by Anonymous Coward

      Unfortunately, allowing the protocol to always run to M6 is likely to be even more disasterous as it exposes an offline attack which allows the first half of the PIN to be determined with ease. Only the second half of the PIN then has to be cracked in a maximum of 1000 trials.

  • by gweihir (88907) on Wednesday December 28, 2011 @04:48AM (#38512880)

    The attack in short: WPS NACKs a partially transmitted PIN if the first part is wrong. This leaves 20k trials needed for brute-force, instead of 1M.

    I have no idea how people this incompetent get to design widely used protocols.

    • by phizi0n (1237812)

      From the article:

      The number of attempts goes from 10^8 to 10^4 + 10^3 which is 11,000 attempts in total," the US-CERT advisory says.

      It goes from 100M down to 11k, not 1M down to 20k. It's ~9091 times faster and now take mere hours (0.5-3 secs per attempt according to the article) rather than years.

    • by plover (150551) *

      I have no idea how people this incompetent get to design widely used protocols.

      The guys who wrote WEP were willing to work for cheap.

  • Very interesting. But how can we test for this vulnerability in practice? I guess there isn't a readily available exploit for it. So if we don't want to check all configuration pages of all our wifi routers to see if they support WPS and whether it is enabled, what can we do? Is there an easy way to send an appropriate packet and see in the response if the router may be vulnerable or not?

  • Please hack my unsecured wifi network with default router login credentials. I don't live in an apartment building full of teenagers, so I can get away with it. Using passwords is really a pain for guests. Plus, my next door neighbors secretly think I'm the man for giving them free wifi. It's kind of the Google mindset applied to running my wifi network although it is just a mere byproduct of my carefree nature towards it. I think everyone should have their own broadband plus an open wifi network, that
  • by Anonymous Coward

    Code for this attack has been posted: http://www.tacnetsol.com/news/2011/12/28/cracking-wifi-protected-setup-with-reaver.html

White dwarf seeks red giant for binary relationship.

Working...