Hacking WiFi Routers

December 30, 2011

Earlier this week, the US Computer Emergency Readiness Team [US-CERT] issued a warning about a new vulnerability in WiFi routers that implement the WiFi Protected Setup [WPS] standard. The WPS standard, established by the WiFi Alliance, provides a simple means of setting up and configuring wireless routers, requiring the user to enter an eight-digit PIN, typically from a label or display on the device.

Stefan Viehböck discovered that the design of this protocol makes it susceptible to a particular form of brute-force attack. Specifically, if an attacker sends an incorrect PIN to the router, the error response allows him to know when the first half of the PIN is correct. Also, the last digit of the PIN is a check digit, and hence is known. So, while one might naively assume that there are 10^8 possible PINs, in fact only 10^4 + 10^3 = 11,000 need to be tried. The vulnerability is made worse because some routers do not have any lock-out provision after the entry of several consecutive incorrect PINs. Mr. Viehböck’s technical paper can be downloaded here [PDF].
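The following model, added here as an example and not code from the original post or from the Viehböck paper, makes the arithmetic above concrete: it computes the WPS check digit (using the weighting from the WPS specification), stands in for the registrar's per-half error response with a toy verifier, derives the 11,000-guess worst case from the PIN structure, and shows how a lock-out after repeated failures stretches the time needed to exhaust those guesses. The lock-out parameters in the test are constructed values, not figures from the post.

```python
from typing import Optional

def wps_check_digit(first7: str) -> int:
    """Check digit of an 8-digit WPS PIN: digits 1,3,5,7 weighted 3, digits 2,4,6 weighted 1
    (the weighting defined in the WPS specification)."""
    d = [int(c) for c in first7]
    acc = 3 * (d[0] + d[2] + d[4] + d[6]) + (d[1] + d[3] + d[5])
    return (10 - acc % 10) % 10

def is_valid_wps_pin(pin: str) -> bool:
    """True if the PIN is eight digits and its last digit matches the check digit."""
    return len(pin) == 8 and pin.isdigit() and int(pin[7]) == wps_check_digit(pin[:7])

def split_verify(secret: str, guess: str) -> str:
    """Toy stand-in for the flawed registrar: the error response reveals which half failed,
    so each half of the PIN can be confirmed independently."""
    if guess[:4] != secret[:4]:
        return "first-half-wrong"
    return "ok" if guess[4:] == secret[4:] else "second-half-wrong"

def worst_case_guesses(split_oracle: bool, check_digit_known: bool = True) -> int:
    """PIN submissions that guarantee success against the model verifier."""
    first_half = 10 ** 4                                   # four free digits
    second_half = 10 ** (3 if check_digit_known else 4)    # three free digits plus check digit
    if split_oracle:
        return first_half + second_half    # halves confirmed one at a time: 10^4 + 10^3 = 11,000
    return first_half * second_half        # whole PIN checked at once: 10^7 (10^8 if naive)

def min_seconds_to_exhaust(guesses: int, seconds_per_guess: float,
                           lockout_after: Optional[int], lockout_seconds: float) -> float:
    """Lower bound on wall-clock time to submit `guesses` wrong PINs when the registrar
    locks for `lockout_seconds` after every `lockout_after` consecutive failures
    (lockout_after=None models a router with no lock-out provision)."""
    total = guesses * seconds_per_guess
    if lockout_after:
        total += (guesses // lockout_after) * lockout_seconds
    return total
```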

US-CERT summarizes the impact of this vulnerability:

An attacker within range of the wireless access point may be able to brute force the WPS PIN and retrieve the password for the wireless network, change the configuration of the access point, or cause a denial of service.

Most major brands of wireless equipment are affected (there is a list in the US-CERT Vulnerability Note). Frequently, WPS is enabled by default. The SANS Internet Storm Center also has a diary entry on this vulnerability; they suggest, as does US-CERT, that the only available mitigation in the near term is to disable WPS.

I will post again if I discover any significant new information on this.
