Adding to the users convenience, Wi-Fi is increasingly becoming a default capability of many consumer devices, including smartphones, printers, cameras, TVs, etc. to wirelessly share contents, access Internet or connect to a particular network.
However, configuring the correct Wi-Fi settings, including the network name (SSID) and the security passphrase (for a secured Wi-Fi connection) can be a potential problem either from the device’s or user’s perspective, or both. Therefore, considering the configuration constraints of various devices, such as printers and cameras, and lack of technical knowhow on the part of users, Wi-Fi Alliance has come up with WPS (Wi-Fi protected setup) in 2007, to simplify the configuration procedure for a secured Wi-Fi network. Since then, the support of WPS has arrived in a number of Wi-Fi routers and client devices, belonging to various vendors.
WPS comes in various flavours, but considering the general usage, simplicity and security, 8 digits PIN-based method is mandatory for WPS certified devices. Therefore, many of the WPS capable Wi-Fi Access Points available in the market support PIN-based method. But, as reported very recently by the security researcher, Stefan Viehbock, certain design flaws in implementing the PIN-based WPS standard can make the life of a hacker easier in obtaining the configuration details, SSID and security passphrase, about a Wi-Fi router, when WPS setting is enabled on the same.
The design flaw is mainly focussed towards the way in which WPS enabled device responds to failed WPS authentication attempts. As reported by Viehbock, when the AP responds separately (with a EAP-NACK message) to the first and second halves of the PIN validation procedure (of the WPS handshake) respectively, the number of attempts to brute-force the WPS PIN can be reduced to only 11,000 attempts from around 100 million attempts in normal circumstances. Further, taking in to account, the time of an attempt to be in range of 0.5 to 3 seconds, the attack relatively takes less time (maximum 4 hours for 1.3 secs/attempt) to be successful. On average, the attack can succeed in half of the maximum time.
Although, lockdown periods are enabled by few Wi-Fi routers on detection of continuous unauthenticated attempts, but the same are not long enough to make the attack impractical, as indicated in the published paper by Viehbock. Further, even in presence of long lock down periods, Viehbock said that a determined attacker might still be able to successfully attack a WPS enabled AP if the later runs for several months. He also indicated that the design flaw is present in various devices from multiple vendors including the major ones, such as D-Link, Netgear, TP-Link, etc., making many of the users vulnerable while using WPS capability of these devices.
Considering the attack details and its presence in various products of major Wi-Fi vendors, the same seems to be really bad news for users who have configured their routers with WPA/WPA2-PSK for stronger Wi-Fi security and also enabled WPS for their ease. Also, the fact, as reported by Viehbock, that the attack is a low cost and has high success guarantee compared to cracking WPA/WPA2-PSK passphrase make it a greater security concern. Once the attack is successful, the attacker will have illegal access to Wi-Fi router and its services. Also, he will be able to decrypt the Wi-Fi communication encrypted with WPA/WPA2-PSK security thereby further breaching the user’s privacy.
The only safety net for security cautious users for now is to disable WPS (on their routers suffering from reported vulnerability). But, there can be times when a user needs WPS function, in such cases, the user should make sure that they turn off the WPS capability after the intended use to decrease the attack probability. For users, who require always on WPS capability for some of their Wi-Fi devices to connect, there is no solution other than waiting for the suitable firmware upgrade which will have the required fix for the underlying design flaw leading to the attack.
The US-CERT also provides the information about the attack and affected vendors.