Now it is shown to be weak, and is already being exploited. On December 27, Stefan Viehböck announced that he had discovered design flaws in WPS and published a paper called “Brute forcing Wi-Fi Protected Setup”. In essence, these flaws reduce the effective length of the PIN password and leave it vulnerable to a brute force attack (testing every possible password). He announced that he was working on a script to undertake such an attack.
But the same flaws had been discovered independently by Craig Heffner of Tactical Network Solutions (TNS). TNS had been working on a tool to exploit this weakness for about a year, and decided to release its code as open source on the very next day. It describes its Reaver product as “a WPA attack tool... that exploits a protocol design flaw in WiFi Protected Setup (WPS).”
Viehböck has now completed his proof of concept tool, which he claims is faster but does not work with all WiFi adapters. The problem for home users is that they are likely to have WPS pre-configured and that there is no known fix other than disabling WPS itself – which may well be beyond their technical capability. And there are freely available tools to exploit this vulnerability.
It raises a moral issue. Finding and publishing vulnerabilities is contentious in itself; but developing and publicly releasing what is described as ‘an attack tool’ raises even more eyebrows. The key word is ‘attack’. There is an argument for releasing brute force password cracking tools because they allow system admins to audit the strength of their passwords. No such justification can be used for Reaver.
“TNS unequivocally describes Reaver as an attack tool,” comments David Harley, senior research fellow at ESET, “and it will be of as much interest to prospective attackers as to sysadmins. There are two classic issues with this kind of tool in a corporate context: one is that you have a responsibility not to step over legal or quasi-legal boundaries by misusing access, or even by using the knowledge it may give you to gain unauthorized access. The other is that you don't want its authorized presence on a system to give a real attacker an extra tool. It seems to me that by building in the WPS attack, the tool is actually rendered of questionable use to a conscientious sysadmin, since he can only use it effectively by leaving systems at risk from a potentially broken defensive system.”
Anders Hansson, CTO of Cryptzone, thinks the whole WPS vulnerability is rather academic, since existing password crackers (such as, he says, Elcomsoft’s Wireless Security Auditor) can already break into WPA2-passphrase protected wireless systems in just a couple of hours.
For businesses, he says, “the solution to this issue is that companies should not rely on wireless networks to distribute their networks across and around the office. Hard-wired Ethernet connections, in all their various shapes and forms, are the only truly secure means of connecting to a network resource.”
For the average wireless home user it remains a problem unless they have the technical ability to disable WPS and adequately configure WPA2.