Wi-Fi Protected Setup (WPS) Insecurities

At the end of 2011, Stefan Viehböck published a paper on the insecurity of the Wi-Fi Protected Setup (WPS) protocol and how implementation flaws make it even worse. With code to exploit these weaknesses now in the public domain, WPS enabled routers are easily crackable under certain circumstances that seem to be widespread. There's lots of information on this to be found on the web in the meantime and since I think this is an issue not to be underestimated if your neighbors have kids who spend their afternoons with the latest hacker tools I thought it was time to learn a bit more about it and collect some sources for further reading. Here's the result:

The initial weakness found was that many routers on the market today have WPS activated by default with a PIN printed on the device which allow an unlimited number of WPS pairing attempts. Due to the length of the WPS pin, a brute force attack on the system is successful within a few hours. This is the what was discovered by Stefan and described here, with a Wikipedia entry here and a US CERT vulnerability note note here.

If a router implements WPS in this faulty way the only solution is to turn WPS off, hope for a software update in the future and for the moment rely on the WPA-PSK password authentication scheme, which is just as simple to use and much more secure anyway. As it turns out, there are products out there where WPS can't be switched off at all, or, what's even worse, where the Web GUI has an option to turn it off but it remains activte nevertheless.

Better WPS implementations have a safeguard against this by:

  • limiting the number of attempts that can be made before WPS pairing is blocked for some time
  • using a different PIN for every pairing attempt
  • limiting the pairing time to two minutes

Unfortunately that does not solve the whole problem. If an attacker is able to record a successful WPS pairing between two devices it's possible to retrieve the authentication details in an offline brute force attack in a reasonable amount of time due to the length of the PIN of 7 characters + 1 checksum character. Fortunately, the odds of being able to intercept a WPS pairing and then performing an offline brute force calculation of the credentials are much smaller than an active brute for attack, as the attacker has to intercept the WPS. A good explanation of this can be found in episode 337 of my favourite weekly security podcast 'Security Now'.

So for people who like their home networks to be secure, the best advice is to turn WPS off. Good luck!

Update, 6. Feb. 2012: Episode 338 of Security Now has an errata early on in the podcast in which it is made clear that it's NOT possible to get the WPS PIN and WPA key by observing a successful pairing and then cracking it offline. This is because at the beginning of the PIN exchange a Diffie-Hellman key exchange is performed to encrypt (not authenticate!) the reset of the conversation. This prevents the offline cracking approach.