I recently read some interesting slides posted online by Swiss security specialist Dominique Bongard on refined attacks against WiFi Protected Setup (WPS) that cut the time needed to recover a WiFi network’s WPA passphrase to seconds. It suddenly dawned on me that I had probably forgotten to disable this feature when I swapped out my old Linksys for a D-Link gateway around two years ago.
What is WPS?
- It is a protocol aimed at easily connecting to WiFi networks
- Gives the WPA passphrase to stations providing the right PIN
- Two main modes: Push Button and 8-digit PIN code
Sure enough, I logged on to the D-Link gateway interface and found that it was in fact enabled. Needless to say, I turned it off immediately: WPS has been a troubled protocol since researcher Stefan Viehböck reported an implementation flaw that makes brute-force attacks against the WPS PIN feasible.
Wikipedia has a good summary:
The vulnerability centers around the acknowledgement messages sent between the registrar and enrollee when attempting to validate a PIN. The PIN is an eight-digit number used to add new WPA enrollees to the network. Since the last digit is a checksum of the previous digits, there are seven unknown digits in each PIN, yielding 10^7 = 10,000,000 possible combinations.
When an enrollee attempts to gain access using a PIN, the registrar reports the validity of the first and second halves of the PIN separately. Since the first half of the PIN consists of four digits (10,000 possibilities) and the second half has only three active digits (1000 possibilities), at most 11,000 guesses are needed before the PIN is recovered. This is a reduction by three orders of magnitude from the number of PINs that would have to be tested. As a result, an attack can be completed in under four hours (183 minutes to be precise). The ease or difficulty of exploiting this flaw is implementation-dependent, as Wi-Fi router manufacturers could defend against such attacks by slowing or disabling the WPS feature after several failed PIN validation attempts.
Given the seriousness of the WPS vulnerability, which leaves you open to brute-force attacks by anybody within range of your network, I was curious how many APs around me have WPS enabled. I fired up Kali and performed a scan using the wash command:
The results of a brief scan show four APs within range that are vulnerable to Reaver attacks. Reaver is an open-source tool specifically designed to exploit the WPS flaw and is included in Kali Linux. As stated on the Google Code site for reaver-wps:
On average Reaver will recover the target AP’s plain text WPA/WPA2 passphrase in 4-10 hours, depending on the AP. In practice, it will generally take half this time to guess the correct WPS pin and recover the passphrase.
Yikes! I strongly suggest checking your WiFi gateway settings and turning off WPS. Here is a screenshot of where the setting is found on my D-Link.
While you’re at it, double-check your WiFi security level. The minimum should be WPA2 (AES/CCMP) with a strong passphrase, known as the Pre-Shared Key (PSK). Bear in mind that passphrase strength does not help while WPS is on: a successful PIN attack hands the attacker that passphrase directly.