Wi-Fi Protected Setup Vulnerability Leaves Home Networks Exposed
For the most part, people seem to fall into one of two categories when it comes to setting up their home networks. There are the control freaks such as myself who like to set everything up manually, perhaps even going so far as to provide static IP addresses for each new device. Then there are the folks who set their networks up for ease of use, expecting most functions to occur without administrative interaction. For those folks, Wi-Fi Protected Setup has been a godsend, enabling devices to easily join and leave the home network with minimal oversight. Technologies such as WPS have certainly made it easier for mainstream users to take advantage of their home networks, and we have increasingly seen media streamers and networked home theater devices adopt WPS to spur mainstream adoption.
Unfortunately, a serious vulnerability has been found in WPS that makes brute force attacks relatively easy to run. Indeed, for the majority of routers an attacker could brute force WPS in just 2-4 hours. I know the odds of anyone wanting to access my home network are vanishingly small, but then again the whole reason I secure my network is to avoid that remote possibility. The worst part is that there is no fix right now, prompting experts to recommend turning off WPS. Should the issue be correctable by a software fix, it will require users to update their router's firmware. I already turn off WPS on my router simply because I do not use it, but are there any WPS users out there who feel like this is a serious concern?
In his tests, Viehböck found that an authentication attempt takes between 0.5 and 3 seconds and the majority of routers don't implement lock-down periods after several consecutive failed WPS authentication attempts. Only one router from Netgear slowed its responses to failed authentication attempts in order to mitigate against the attack, but that only extended the attack time to a day or so -- otherwise it can take 2-4 hours.
Turns out that Viehböck wasn't the only researcher looking into this issue. Researchers at Tactical Network Solutions have been conducting similar research and have now released an open source tool for conducting WPS attacks. I think I might have to try and see if I can hack into my router.
Now the company has released an open-source version of its tool, Reaver, which Heffner says is capable of cracking the PIN codes of routers and gaining access to their WPA2 passwords "in approximately 4 [to] 10 hours."