US-CERT warns about security flaw affecting millions of wireless routers

A design flaw in the PIN authentication of the WiFi Protected Setup (WPS) specification, which is used by many wireless routers, “significantly” reduces the time required to launch a brute force attack against the PIN, the US Computer Emergency Readiness Team (US-CERT) warned in a vulnerability note. The flaw allows an attacker to know when the first half of the eight-digit PIN is correct.

The lack of a proper lockout policy after a certain number of failed attempts to guess the PIN on wireless routers makes this brute force attack that much more feasible.
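To put rough numbers on the two points above, here is an added example (not from US-CERT, the researcher, or any vendor) that compares the worst-case guess count when the whole PIN is checked at once against the case where the first half is confirmed separately, and then shows how a lockout policy stretches the time needed. The 2 seconds per attempt and the 5-failure, 60-minute lockout are constructed assumptions chosen only for illustration.

```python
# Added illustration: guess-space and lockout arithmetic for a split PIN check.
# Timing and lockout values are constructed assumptions, not vendor figures.

def worst_case_guesses(part_digits):
    """Worst-case guesses when each part of a decimal PIN is confirmed
    independently. [8] models one all-or-nothing check of eight digits;
    [4, 4] models the flaw, where the first half is confirmed on its own."""
    return sum(10 ** digits for digits in part_digits)


def worst_case_seconds(guesses, secs_per_attempt, lockout_after=None, lockout_secs=0):
    """Time to exhaust `guesses` attempts. If lockout_after is set, the
    device refuses attempts for lockout_secs after every lockout_after
    failures; in the worst case every guess but the last one fails."""
    lockouts = (guesses - 1) // lockout_after if lockout_after else 0
    return guesses * secs_per_attempt + lockouts * lockout_secs


def report(secs_per_attempt=2.0, lockout_after=5, lockout_secs=3600):
    """Return (label, guesses, hours without lockout, hours with lockout)."""
    rows = []
    for label, parts in (("whole PIN checked at once", [8]),
                         ("halves confirmed separately", [4, 4])):
        guesses = worst_case_guesses(parts)
        no_lock = worst_case_seconds(guesses, secs_per_attempt)
        with_lock = worst_case_seconds(guesses, secs_per_attempt,
                                       lockout_after, lockout_secs)
        rows.append((label, guesses, no_lock / 3600, with_lock / 3600))
    return rows


if __name__ == "__main__":
    for label, guesses, hours_plain, hours_locked in report():
        print(f"{label}: {guesses:,} guesses, "
              f"{hours_plain:,.1f} h without lockout, "
              f"{hours_locked:,.1f} h with lockout")
```

Under these assumed values, confirming the halves separately cuts the worst case from 100,000,000 guesses to 20,000, which is 40,000 seconds (about 11 hours) with no lockout and 14,436,400 seconds (about 167 days) with the assumed lockout.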

“An attacker within range of the wireless access point may be able to brute force the WPS PIN and retrieve the password for the wireless network, change the configuration of the access point, or cause a denial of service”, US-CERT said.

WPS is a standard developed by the WiFi Alliance to ease the setup of a wireless home network. WPS contains an authentication method called “external registrar” that only requires the router’s PIN, US-CERT said.

The vulnerability was reported to US-CERT by researcher Stefan Viehboeck, who said in a blog post that the flaw was the result of “few really bad design decisions which enable an efficient brute force attack, thus effectively breaking the security of pretty much all WPS-enabled Wi-Fi routers. As all of the more recent router models come with WPS enabled by default, this affects millions of devices worldwide.”
