Security Wireless Networking

Attack Tool Released For WPS Setup Flaw

Trailrunner7 writes "Just a day after security researcher Stefan Viehbock released details of a vulnerability in the WiFi Protected Setup (WPS) standard that enables attackers to recover the router PIN, a security firm has published an open-source tool capable of exploiting the vulnerability. The tool, known as Reaver, has the ability to find the WPS PIN on a given router and then recover the WPA passphrase for the router, as well. Tactical Network Solutions has released the tool as an open-source project on Google Code, but also is selling a more advanced commercial version."
  • Re:WTF is WPS? (Score:5, Informative)

    by errandum ( 2014454 ) on Friday December 30, 2011 @06:29AM (#38536798)

    The problem is not the need for the giant button, it's that it is on by default in some routers.

    I own a D-Link and I did set up everything by hand, but since I didn't want to use this, I simply didn't touch the option - assuming that, by default, this would be off.

    I was wrong, and corrected that, but I wonder how many of those people that use the setup wizard know enough to even get to the advanced features, much less turning this off because it is a security risk.

  • Re:WTF is WPS? (Score:4, Informative)

    by neokushan ( 932374 ) on Friday December 30, 2011 @07:10AM (#38536920)

    The reason such a thing exists is because the good ol' secure password was too complicated for average-joe users to deal with. The precursor to this is Wireless routers that don't actually have a password set. To this day, you can still find unsecured wireless routers nearby and we all know what that leads to. The "easy" solution was put there so that routers could have security set by default, yet not confuse average-joe to the point where he just disabled it because it was the easiest thing to do.

    And believe me, I worked for an ISP up until a few months ago - our Router/Modems (or Hubs, as they called them) now come with wireless security enabled. The default password (unique per hub) is written on the side of the device - and people still get confused and don't know what to do to connect their wireless.

    Unfortunately, the implementation of the "easy" solution is the issue, not the solution itself. I mean, what's the point in having a secure PIN if you tell the user when they got the first half of it right? Especially if you don't prevent people from attempting thousands of connections.

  • by buchanmilne ( 258619 ) on Friday December 30, 2011 @07:12AM (#38536928) Homepage

    yum install libpcap-devel

    No, it's not on the RHEL6 installation media, you have to have registered the box for RHN.

    (RH is really pathetic this way, lots of useful packages are left off the installation media, seems they are forcing you towards satellite, but if you don't have the bandwidth for satellite, or need to set up a box without internet access, sorry for you if you want to do something like use oscap - they give you openscap, but not openscap-utils). Oracle is better in this regard, with a public yum repo for release packages (not updates). Of course, CentOS gives you everything, as do all other community-oriented distros.

  • Re:WTF is WPS? (Score:5, Informative)

    by neokushan ( 932374 ) on Friday December 30, 2011 @07:12AM (#38536932)

    It's on by default because it's there for the average user to easily connect their equipment. If it was off by default, it would require connecting (either via password or cable) and enabling it manually via the setup page - and by that point, you'd just connect the usual way.
    In a similar vein, it'd be like UAC being disabled by default - average user won't turn it on, even if it does help them.

  • Re:incredible (Score:5, Informative)

    by Njovich ( 553857 ) on Friday December 30, 2011 @08:05AM (#38537076)

    Err, sorry, guess I was wrong, there is some rate limiting, just they have this other insanity (from el reg):
     

    Eight digits should produce 100,000,000 possible combinations, and testing various routers Viehböck found it took an average of around two seconds to test each combination. So brute forcing should take several years unless the router was particularly responsive.

    But the protocol used by Wi-Fi Protected Setup reports back after the first four digits have been entered, and indicates if they are right, which means they can be attacked separately. The last of the eight digits is just a checksum, so having got the first four the attacker only then has to try another 1,000 combinations (identifying the other three digits) and the entire PIN is known.

    That combination means that our attacker only has to try 11,000 different combinations to find the right PIN, reducing the attack time to a couple of hours.

  • Re:WTF is WPS? (Score:5, Informative)

    by kbolino ( 920292 ) on Friday December 30, 2011 @08:53AM (#38537222)

    I've been using and administering Windows since the 3.0 days, and not only do I leave UAC on, but I turn it up to the highest level (7 has variable levels, where the highest level corresponds to the only one available on Vista). I agree it can be a nuisance, and 95% of the time I just click through it (knowing what I did beforehand to trigger it). But every once in a while, it pops up when I know it shouldn't, and that tells me right away that something is doing something it's not supposed to be doing. Not only that, but I can decline to allow it to continue, which to me is UAC's most useful property: the ability to say no. Then it's much easier to locate the problem and remove it. I practice safe browsing and safe e-mail reading as much as possible, and I have a router with a drop-all-unknown-packets (ghost? stealth?) firewall, but I know that I'm not perfect--and neither are the other people who use the computers. YMMV but I've found it to be one of the best improvements over Windows XP.

  • Re:WTF is WPS? (Score:5, Informative)

    by gnasher719 ( 869701 ) on Friday December 30, 2011 @08:55AM (#38537226)

    Erm, 8 digit PIN is fine. Routers can limit PIN guesses y'know...

    You didn't read the article, did you? The routers tell you that the pin is wrong after four digits. So you need 10,000 tries at most to get the first four digits. The last digit is a checksum, so you need at most another 1000 tries to get the complete number.

    Of all the routers tested, only _one_ model limited PIN guesses (you can't turn PIN guesses off obviously because that would just enable a DOS attack) to about one guess every 20 seconds, which means it is cracked within a few days.
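
Added example, not part of the thread or of any commenter's post: a small Python model of the figures quoted in the comments above. It shows why the check digit leaves exactly 1,000 valid second halves, and how a router-side lockout changes the worst-case time to exhaust the 11,000 guesses. The lockout parameters (`lock_after`, `lock_seconds`) are assumptions for illustration, not settings of any particular router.

```python
# Added example. Guess counts and per-guess timings come from the comments
# above; lockout parameters are assumed values for illustration.

def wps_checksum(pin7: int) -> int:
    """Check digit computed over the first seven digits of a WPS PIN."""
    accum = 0
    while pin7:
        accum += 3 * (pin7 % 10)
        pin7 //= 10
        accum += pin7 % 10
        pin7 //= 10
    return (10 - accum % 10) % 10


def valid_second_halves(first_half: int) -> int:
    """Count the 4-digit second halves whose last digit is a valid check digit."""
    count = 0
    for second in range(10_000):
        pin7 = first_half * 1000 + second // 10
        if wps_checksum(pin7) == second % 10:
            count += 1
    return count


def worst_case_guesses(halves_confirmed_separately: bool) -> int:
    """Upper bound on guesses, with and without the per-half confirmation."""
    if halves_confirmed_separately:
        return 10**4 + 10**3      # first half, then three free digits
    return 10**8                  # naive eight-digit figure quoted above


def worst_case_seconds(guesses: int, seconds_per_guess: float,
                       lock_after: int = 0, lock_seconds: float = 0) -> float:
    """Time to exhaust `guesses`, with an optional lockout after N failures."""
    locks = (guesses - 1) // lock_after if lock_after else 0
    return guesses * seconds_per_guess + locks * lock_seconds


if __name__ == "__main__":
    n = worst_case_guesses(True)
    print("valid second halves:", valid_second_halves(1234))
    for label, secs in [
        ("2 s per guess, no lockout", worst_case_seconds(n, 2)),
        ("20 s per guess", worst_case_seconds(n, 20)),
        ("2 s, lock 1 h after 3 failures", worst_case_seconds(n, 2, 3, 3600)),
    ]:
        print(f"{label}: {secs / 86400:.1f} days")
```

The last case shows that only a long lockout moves the worst case from days to months; disabling WPS removes the exposure entirely.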
