A chink in the armor of WPA/WPA2 WiFi security

Looks like your WiFi might not be quite as secure as you thought it was. A paper recently published by [Stefan Viehböck] details a security flaw in the supposedly robust WPA/WPA2 WiFi security protocol. It’s not actually that protocol which is the culprit, but a built-in feature called Wi-Fi Protected Setup. This is an additional setup protocol that allows you to easily set up network devices like printers without the need to give them the WPA passphrase. [Stefan’s] proof-of-concept allows him to get the WPS PIN in 4-10 hours using brute force. Once an attacker has that PIN, they can immediately get the WPA passphrase with it. This works even if the passphrase is frequently changed.

Apparently, most WiFi access points not only offer WPS, but have it enabled by default. To further muck up the situation, some hardware settings dashboards offer a disable switch that doesn’t actually do anything!

It looks like [Stefan] wasn’t the only one working on this exploit. [Craig] wrote in to let us know he’s already released software to exploit the hole.
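Since the article warns that some routers’ "disable WPS" switch does nothing, the only reliable check is what the access point actually advertises over the air. The following is an added example (not part of the original post or of Viehböck’s paper) that parses the tagged parameters of a captured beacon frame for the WPS vendor-specific Information Element and reports whether WPS is advertised, configured, and locked; the beacon bytes are constructed here, and a real capture would come from a monitor-mode tool of your choice.

```python
import struct

# Vendor-specific IE (tag 0xDD) carrying OUI 00:50:F2 with type 4 = WPS.
WPS_OUI = b"\x00\x50\xf2\x04"
# WPS attribute types (2-byte big-endian type, 2-byte length, value).
ATTR_VERSION = 0x104A
ATTR_WPS_STATE = 0x1044        # 1 = not configured, 2 = configured
ATTR_SETUP_LOCKED = 0x1057     # 1 = AP has locked external-registrar PIN setup
ATTR_DEVICE_NAME = 0x1011

def iter_ies(tagged):
    """Yield (tag, value) pairs from an 802.11 tagged-parameters blob."""
    i = 0
    while i + 2 <= len(tagged):
        tag, length = tagged[i], tagged[i + 1]
        value = tagged[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated information element")
        yield tag, value
        i += 2 + length

def parse_wps_attrs(payload):
    """Parse the TLV attribute list inside a WPS IE into {type: value}."""
    attrs, i = {}, 0
    while i + 4 <= len(payload):
        atype, alen = struct.unpack_from(">HH", payload, i)
        value = payload[i + 4 : i + 4 + alen]
        if len(value) != alen:
            raise ValueError("truncated WPS attribute")
        attrs[atype] = value
        i += 4 + alen
    return attrs

def wps_status(tagged):
    """Describe the WPS state an AP advertises in its beacon."""
    for tag, value in iter_ies(tagged):
        if tag == 0xDD and value.startswith(WPS_OUI):
            attrs = parse_wps_attrs(value[len(WPS_OUI):])
            return {
                "wps_advertised": True,
                "configured": attrs.get(ATTR_WPS_STATE, b"\x00")[0] == 2,
                "setup_locked": attrs.get(ATTR_SETUP_LOCKED, b"\x00")[0] == 1,
                "device_name": attrs.get(ATTR_DEVICE_NAME, b"").decode("utf-8", "replace"),
            }
    return {"wps_advertised": False}

def wps_attr(atype, value):
    return struct.pack(">HH", atype, len(value)) + value

# Constructed sample beacons: SSID IE followed by a WPS IE (on) or supported rates (off).
WPS_BODY = (WPS_OUI + wps_attr(ATTR_VERSION, b"\x10") + wps_attr(ATTR_WPS_STATE, b"\x02")
            + wps_attr(ATTR_SETUP_LOCKED, b"\x00") + wps_attr(ATTR_DEVICE_NAME, b"ExampleAP"))
SAMPLE_WPS_ON = b"\x00\x07HomeNet" + b"\xdd" + bytes([len(WPS_BODY)]) + WPS_BODY
SAMPLE_WPS_OFF = b"\x00\x07HomeNet" + b"\x01\x04\x82\x84\x8b\x96"
```

If your router’s beacon still yields `wps_advertised: True` after you flip the switch, the switch is one of the ones the article describes.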

Comments

  1. NatureTM says:

    Oh good you had me worried for a second there. I don’t use that junk anyway. :-) I’ll bet most of us readers actually enjoy setting up our new networking hardware and never bothered with WPS. It is a little scary, however, to read that in some routers turning it off doesn’t actually do anything.

  2. Someone says:

    And some routers, like mine (WNDR3700), don’t even have an option to disable WPS without flashing custom firmware.

    • Red Five says:

      I flashed DD-WRT onto my WNDR3700 months ago, and have its WPS support turned off.

      • HaDAk says:

        Drat. I’ve got that router, but I’ve been looking at it sideways for months now. It only serves as a wireless access point and a switch… but I’ll be damned if I didn’t lose the thing on my network. It doesn’t show up in a ping sweep anywhere. It doesn’t show up as a hop. It’s just…missing.

  3. evs says:

    I just checked mine, and yup, it’s enabled by default (now disabled). I never used WPS, so I didn’t even think about its vulnerability, and I didn’t know it was always on. That really shouldn’t be enabled by default.

  4. This Guy says:

    I have my E3000 set to manual configuration but does anyone know if it’s actually disabled?

  5. Vince says:

    Wow, this is such an obvious attack vector, and I had never thought of it before. Thanks for the eye opening article.

    I just always turn it off because I never needed it, turns out it is better to be lucky than smart :)

  6. Rodders says:

    My Microtik router does not seem to have any WPS functionality in it. I’m guessing that’s a good thing.

  7. supershwa says:

    Saw this hit the news in the last couple of days. I always figured WPS was silly anyway.

    WPS aside, it’s still possible to crack WPA with a pair of computers and the know-how. ;)

  8. DeadlyFoez says:

    I’m already testing out this software. It works pretty good so far. It has a few minor bugs but the author is on top of them and has already released some updates to the code.
    I’m using it on a VM of BT4R2 with an Alfa AWUS036H. It’s slow, but fast as shit compared to trying to crack WPA using a wordlist with the huge possibility of it not succeeding.
    So far, every network around me is vulnerable to this attack. There isn’t a single one where WPS is disabled. And some of the people around me are supposedly tech experts working for comcast and verizon.
    Something about WPS never seemed all that safe to me. I’ve always had it disabled. I’m surprised it took this long for someone to find an easily exploitable flaw.

    • NNM says:

      Should the router makers care about the 1% of users who care about security?
      Or the 99% who just want to plug in a printer and see it work? (and they don’t give a fuck about security)
      HMM. That’s a tough choice, huh… lol
      Defaults are for the 99%… They don’t even need to know the printer has an “Aye-pee”. (IP)
      The paper just travels like magic from the computer to the tray.

      *mimics caveman bashing on broken printer* << average printer user.

  9. oodain says:

    that or you simply wait it out and sniff the pass

  10. Alex Rossie says:

    I haven’t been able to get this to work yet

  11. james says:

    Such a racist title :(

    • cantido says:

      Oh please. Yes, lets stop using valid English words because some people have over sensitive “hate crime” sensors.

      Will somebody think of the children!!!!!

    • I think we should forbid Hamlet too because Polonius is killed because Hamlet thinks it is another one behind the curtain. Curtains don’t kill people, people kill people. And we should stop with The Merchant of Venice too because of its antisemitism. We should call black tie dressing afro-american tie, we should call women people of female gender, and especially call people like you mentally challenged and not retarded.

    • barry99705 says:

      What color are car tires? Now don’t give the color a racist name…. Friggen moron.

      chink [chingk]  
      noun
      1.
      a crack, cleft, or fissure: a chink in a wall.
      2.
      a narrow opening: a chink between two buildings.

  12. vtl says:

    Good ol’ OpenWrt, it has the lovely ‘feature’ of not supporting WPS at all in the LuCI interface. Sure hostapd supports it but there’s no frontend unless you feel like coding up your own, how thoughtful of them.

  13. Vonskippy says:

    What nonsense. That’s like saying the deadbolt on your front door is flawed because if you leave the side door open, people can still enter your house.

  14. M4CGYV3R says:

    Nothing – NOTHING – is ever secure as people think it is. That has been proven against every new ‘secure’ technology that comes out.

    Whether it’s tricking people into revealing their passwords, or stupid SQL administration that leads to internal document exposure that contains decryption keys, nothing will ever be completely secure.

    Now broadcast encryption information over some wireless bands and let’s see how security ratings drop precipitously.

    • cantido says:

      >>is ever secure as people think it is.

      There is a difference between things being insecure and things being badly implemented. As far as I can tell WPA/WPA2 are still fairly secure.. i.e. capturing cipher text and turning it into plain text is not trivial. Router vendors being retarded and shipping units with predictable keys etc doesn’t mean that “WPA is insecure” just that the vendor’s implementation is bad.

      >>That has been proven against every new
      >>‘secure’ technology that comes out.

      Has it? SSL is pretty old.. it’s still secure for the most part.

      >>Whether it’s tricking people into
      >>revealing their passwords,

      Stupid passwords doesn’t mean a cipher or protocol is insecure.

      >>or stupid SQL administration that
      >>leads to internal document exposure
      >>that contains decryption keys,

      Again, that is bad implementation. Encrypting some thing with and then attaching a post it note with the key to the media doesn’t not mean is insecure.

      >> nothing will ever be completely secure.

      s/completely secure/completely secure again bad implementation and side channel attacks/

      >>Now broadcast encryption information over
      >>some wireless bands and let’s see how
      >>security ratings drop precipitously.

      People “broadcast” sensitive information by the terabyte over this massive public network called “the interwebs” and its still possible to have a secure channel.

      • cantido says:

        wordpress stripped what it thought were tags..

        Again, that is bad implementation. Encrypting some thing with CIPHER and then attaching a post it note with the key to the media doesn’t not mean CIPHER is insecure.

      • Sven says:

        Physical access is a massive issue.

        An undisclosed company was booted from the datacenter I work in, as they were dumping CC information from their customers servers and virtual servers.

        Though all communication out of the servers would have been secure, the encryption keys were still on the server, so physical access by a corrupt admin was still an inherent issue.

  15. Pilotgeek says:

    You sure “chink” is the best phrase to use?

    http://en.wikipedia.org/wiki/Chink

    I know what you meant, but…

  16. alan turing's dog says:

    Actually, it’s WAAAY worse than you think. ALL common consumer/prosumer/commercial network connected hardware bleeds information by design. From your printers to your network interface hardware, from your cell phone to your TV, data leaks out your network like heat from an incandescent bulb. Yawn.

    How many people know that cameras double as the IR remote interfaces on many big screen TVs?

    Yeah, this isn’t such a big deal in the grand scheme of things.

    • Dax says:

      “How many people know that cameras double as the IR remote interfaces on many big screen TVs?”

      Not many, considering the fact that a CMOS/CCD sensor isn’t nearly fast enough to see anything else than the fact that the remote IR is on.

      The signal is on a kilohertz frequency range carrier, so you’d need a camera that can do tens to hundreds of thousands of frames per second to receive it.

  17. manucho says:

    nice post

  18. xorpunk says:

    when did brute forcing over a protocol handshake become an “exploit”?

  19. Yo says:

    I have WPS disabled. However, now I’m wondering, how do I tell if it is really disabled, especially when I read the below line:

    “To further muck up the situation, some hardware settings dashboards offer a disable switch that doesn’t actually do anything!”

  20. After using reaver on a brand new Asus router with WPS turned off, we were shocked to see it print out our multi-word and symbol WPA2 passphrase in less than two hours.

    Other routers were getting timeout errors, but after adjusting the timeout to 20 seconds 3 of them fell prey to reaver in less than a day. We may try a timeout of 25 seconds for the ones that are resisting.

    Perhaps WPA isn’t cracked, but WPA *ROUTERS* are dropping like flies around here.

    And by the way, most of them (multiple different brands) have a PIN code of 12345670, and most of them have WPS off. We could have gotten this done a LOT quicker if reaver checked that “standard default” PIN first.

    Interesting, that new router that spilled its secrets so fast was from Asus, whose products are not even listed in the Cert advisory list of vulnerable routers.

  21. Irish says:

    When I first started setting up wireless nets, there was no such thing as WPS. I just got used to setting everything up by hand. When I bought my first router that did have WPS, I couldn’t get the thing to work using the WPS, so I just set it up manually and disabled the WPS. So, even now I still set up my nets manually, and disable WPS every time. I guess sometimes it’s good to be set in your ways.

  22. SIFOO says:

    WIFI PENTEST TOOLS WEP WPA WPS

  23. ArtOfNoise says:

    some 6 months before this article was published i was trying to connect to some network in windows and when i got prompted for entering a pin an idea crossed my mind: this shit might be easy to bruteforce :D
