Researcher proves Wi-Fi Protected Setup is crackable with brute force

The Wi-Fi Protected Setup model may not be as secure as the designers would have you believe. According to security researcher Stefan Viehböck, the simple configuration method available in networking devices suffers from a dangerous vulnerability that can be exploited quickly and easily.

Viehböck wrote a white paper (.pdf) titled "Brute forcing Wi-Fi Protected Setup" to illustrate two major flaws he described as "poor design meets poor implementation." He found that both stem from WPS's standard use of an 8-digit authentication PIN.

The first design flaw lies in a Wi-Fi router's External Registrar option, which is used to start a new network. Because this set-up method requires only the WPS PIN, he explained, hackers could potentially break it open with brute-force attack programs.

The second design flaw Viehböck discussed is far more likely to be exploited, as it actually provides information about the PIN to the person attacking it. Two distinct error messages returned after an incorrect PIN entry can help unauthorized users deduce which half of the code was correct, essentially splitting one large search into two much smaller, more easily cracked ones. He also noted that the eighth digit of the PIN is merely a checksum of the first seven.

In layman's terms: the number of attempts needed before stumbling upon the correct PIN decreases from 100,000,000 to a mere 11,000. Needless to say, this also reduces the amount of time needed to crack a PIN.

"Some vendors did not implement any kind of blocking mechanism to prevent brute force attacks," wrote Viehböck. "This allows an attacker to try all possible PIN combinations in less than four hours (at 1.3 seconds/attempt). On average an attack will succeed in half the time."
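The arithmetic behind these figures, worked through as an added example that is not taken from Viehböck's paper or tool. The checksum routine follows the publicly documented WPS scheme; the function names and the lockout policy (a 60-second lock after every 3 failed attempts) are constructed assumptions used to show what a blocking mechanism changes.

```python
# Added example: models the WPS PIN search space described in the article.
SECS_PER_ATTEMPT = 1.3  # figure quoted from Viehböck above


def wps_checksum(first7: int) -> int:
    """Eighth PIN digit, derived from the first seven (weights 3,1,3,... from the right)."""
    accum = 0
    while first7:
        accum += 3 * (first7 % 10)
        first7 //= 10
        accum += first7 % 10
        first7 //= 10
    return (10 - accum % 10) % 10


def is_valid_pin(pin: int) -> bool:
    """True if an 8-digit PIN carries a correct checksum digit."""
    return 0 <= pin < 10**8 and wps_checksum(pin // 10) == pin % 10


def worst_case_guesses(half_feedback: bool, checksum: bool = True) -> int:
    """Guesses needed to cover every PIN the access point could accept."""
    if not half_feedback:
        # One monolithic secret: both halves must be right at the same time.
        return 10**7 if checksum else 10**8
    # Halves are confirmed independently, so the costs add instead of multiply.
    second_half = 10**3 if checksum else 10**4
    return 10**4 + second_half


def worst_case_hours(guesses: int, lock_after: int = 0, lock_secs: float = 0.0) -> float:
    """Time to exhaust `guesses`; lock_after=0 models a device with no blocking."""
    lockouts = (guesses - 1) // lock_after if lock_after else 0
    return (guesses * SECS_PER_ATTEMPT + lockouts * lock_secs) / 3600


if __name__ == "__main__":
    # For a fixed first half, only 1,000 of the 10,000 second halves pass the checksum.
    assert sum(is_valid_pin(12340000 + s) for s in range(10**4)) == 1000
    n = worst_case_guesses(half_feedback=True)
    print(f"{n} guesses, {worst_case_hours(n):.2f} h with no blocking")
    # Hypothetical policy: 60 s lock after every 3 failed attempts.
    print(f"{worst_case_hours(n, lock_after=3, lock_secs=60):.1f} h with lockout")
```

Under the assumed lockout policy the worst case grows from just under four hours to roughly 65 hours, which slows the attack but does not remove the underlying split-PIN weakness.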

Viehböck has published the tool he designed to prove his claim (which he openly admits doesn't work with some routers) and reported the findings to Internet security vulnerability group CERT.

Craig Heffner at Tactical Network Solutions also discovered the WPS flaws. The security group released its own "Reaver" WPS attack tool on Wednesday.

The Wi-Fi Protected Setup was launched in 2007, a concerted effort by a group called the Wi-Fi Alliance to simplify home and small business networking. (via Naked Security)
