WiFi Protected Setup (WPS) was introduced by the WiFi Alliance in 2006 with the aim of allowing users to easily setup a secure WiFi network. In reality simple security just doesn't exist and a poor design has resulted in WPS becoming a weak link in the chain.
IntroductionThe idea behind WPS is to allow a user to easily setup a secure WiFi network. Creating a strong WPA PSK (Pre Shared Key) and then inserting that into all of your WiFi client devices is difficult and leads to bad practices, like a weak key. WPS allows a user to enter an 8 digit PIN number on the client device which is verified by the AP. If the PIN number is accepted the AP sends the WPA PSK and the client device can then connect to the network. This allows the WPA PSK to be as strong as possible without being an inconvenience to the user when then try to type it in to their new tablet for example.
The ProblemBecause of the poor design when creating WPS it was left vulnerable to a brute force attack. This is where an attacker simply guesses all possible combintations of the PIN until they find the correct one. With an 8 digit PIN using the numbers 0-9 that would present 100,000,000 possible combinations (108). If you could guess at a rate of 1 PIN per second (there is a delay waiting for a response from the AP) it would take 1,157.4 days to test all possible combinations. Statistically speaking you could expect to crack the PIN in roughly half that which would be 578.7 days. Obviously this isn't a viable attack vector but fortunately for us, there are some flaws in the WPS protocol that we can exploit to speed things up.
The 8th digit of the PIN isn't actually used as part of the PIN but is instead a checksum for the prior 7 digits. This reduces the possible combinations from 100,000,000 to 10,000,000 (107). This instantly reduces the attack to 115.7 days to try all possible combinations or 57.8 days to try 50% based on a rate of 1 PIN per second.
Ok, so 58 days, that's not too bad. It's certainly faster than trying to crack a strong WPA PSK, but it's still not fast enough to be considered a viable attack vector. Fortunately there is another flaw in the WPS protocol that can be exploited to reduce these times even further.
When presenting the PIN number for verification it is actually sent in 2 halves, the first 4 digits and the last 4 digits. These separate halves are then verified independently. This presents a huge weakness in what would otherwise be a much stronger key as the effective key space has now been reduced considerably. The first half of the PIN only has 10,000 (104) possible combinations and at our rate of 1 PIN per second would only take 2.7 hours to guess all possible combinations. The second half of the PIN, due to the checksum value, only has 1,000 (103) combinations and would take a meager 16 minutes to guess all possible combinations. To go from a total time of 4 months down to 3 hours to try all possible combinations shows how the WPS protocol does not take advantage of the security offered by an 8 digit PIN. This is one of the main reasons WPS presents a weak link in the chain of your WiFi security.
Cracking WPSAfter the weaknesses in WPS were exposed it didn't take long for tools to exploit them to become available. In the video below I'm going to demonstrate how to use Wash to identify vulnerable WPS networks (not all Access Points have WPS) and then how to use Reaver to crack the WPS PIN.
MitigationThe most obvious way to mitigate this threat would be to simply disable WPS on your router or access point. Unfortunately a lot of routers don't provide the ability to disable WPS and even those that do may disable the little WPS light on the router but still allow an attacker to crack your PIN because it's really still enabled. Some manufacturers have released firmware to resolve this issue but when was the last time you updated the firmware on your router?
Ok then, if we can't be sure that WPS is disabled then perhaps we should change the PIN number regularly to thwart a would be attacker. Nope! Out of the 4 different devices I have tested against so far none of them allow you to change the WPS PIN. The number is hard coded into the device and printed on a sticker stuck to the bottom or side of the router. This is where the real trouble comes in. As demonstrated above, any person with the WPS PIN can retrieve the WPA PSK. If you noticed that someone was using your WiFi network without authorisation and decided to change your WPA PSK to deny them access, as long as they had made note of your WPS PIN they can simply request the new WPA PSK from the access point. There is no need to brute force the WPS PIN again and subsequent changes of your WPA PSK are only going to delay an attacker by a matter of seconds. From this point on you can consider your WiFi network to be permanently compromised with no effective solution other than buying new hardware or hoping for a firmware update.
Some of the leading manufactures have started to address the weaknesses in WPS and have introduced a "lock out" period after a given number of incorrect PIN attempts. This is usually in the range of 3-5 failed attempts and results in the access point not responding to subsequent requests for anything from 1-5 minutes. Even if the the access point allowed 5 attempts and the lock out was as short as 1 minute this changes the rate of PIN attempts drastically. This would restrict an attacker to only trying one PIN every ~13 seconds and takes the total time for 11,000 combinations up to 39.7 hours from 3 hours. If the access point were to only allow 3 PIN attempts before a lock out of 5 minutes the same attack would increase to 12.8 days. Whilst this moves the attack from being trivial to somewhat lengthy, it still only adds a time delay. Once the attacker eventually gets the PIN, the security is still broken. There are also ways, of course, to try and bypass the lock out period. On one of the routers I tested against it based the lock out on the devices MAC and refused to respond to subsequent PIN attempts form the same MAC address, a security measure easily overcome using MAC spoofing.
Denial of Service (DoS)In addition to the PIN weakness present in WPS it seems to have, in many cases, presented an opportunity for a Denial of Service attack. All of the 4 routers I have tested this attack against were unable to withstand the continued assault of a brute force attack on the WPS PIN. The constant load on the CPU caused the temperature of one of the devices to rise quite dramatically. Whilst sat in the open air on my desk it didn't cause too many problems, in a confined space with restricted airflow the device could have overheated and perhaps shutdown (or worse?). After an attack duration of anything from 1 to 6 hours (one of the devices implemented a lock out) the sustained load started to show. Authenticated clients would start dropping and would not be able to re-connect and the web interface of 2 of the routers became completely un-responsive. On one particular device the attack took such a toll that even after I stopped the attack, the device could not recover and had to be power cycled. The main cause for these interruptions isn't down to traffic through the access point but actually load on the CPU of the device. Because WPS uses the Diffie-Hellman key exchange it needs to generate a new shared key for every PIN attempt. This involves some fairly complex mathematics which causes the load on the CPU and the delay when we attempt each PIN combination. It's known to cause so much load that some devices can't cope and one of the options in Reaver actually allows you to specify a smaller secret number to make the generation of the shared key much easier on the AP.