Implications of Wi-Fi Protected Setup Vulnerability


Following an earlier brief mention of the recently discovered Wi-Fi Protected Setup (WPS) vulnerability, caused by design flaws in routers from several major Wi-Fi vendors, this post tries to capture the potential implications of the WPS vulnerability.

Unauthorized access to the Wi-Fi network: With the correct WPS PIN recovered through a successful brute-force attack on a Wi-Fi router affected by the WPS vulnerability, an attacker obtains the credentials needed to gain unauthorized access to the secured Wi-Fi network served by that router. Once on the network, the attacker can leech Internet bandwidth for private, possibly malicious, use. The attacker can also potentially reach other devices connected to the Wi-Fi network, such as cameras, printers, smartphones and tablets, to steal private information, implant malware on them or illegally use their services.

Eavesdropping on secured private communications: Breaking the WPS PIN of a WPA/WPA2-PSK configured Wi-Fi router leaks the pre-shared key (PSK) and SSID to the attacker. The attacker can then use the obtained PSK to eavesdrop on private communications over the secured Wi-Fi network served by the router, by first sniffing the Wi-Fi packets of those communications and then feeding the captured packets and the PSK to a popular tool such as Wireshark for decryption. Eavesdropping can leak passwords, private messages and information, and browser cookies to the attacker, leading to a host of potential security breaches for authorized users of the Wi-Fi network. Tools such as Wireshark are freely available and easy to use for sniffing and decrypting Wi-Fi traffic, so eavesdropping becomes very easy for an attacker once the WPS PIN is cracked.

Man-in-the-middle attack on authorized users/devices: After cracking the WPS PIN and obtaining the WPA/WPA2 pre-shared key of a WPS-enabled router, an attacker can potentially set up a fake Wi-Fi router configured with the cracked PIN and/or the obtained WPA/WPA2 key and advertising the same SSID as the attacked router. This fake router can then lure devices that are connected to, or trying to connect to, the attacked router. Once a device connects to the fake router, which is possible because the attacked and fake routers share the same PIN/PSK, the attacker can launch a man-in-the-middle attack on the connected devices and users to fulfill his/her malicious intent, such as stealing private information and implanting malware on the connected devices. Although this attack scenario is somewhat more sophisticated, easily available and simple-to-use software exists for setting up a fake Wi-Fi router and launching various kinds of man-in-the-middle attacks.

Considering that a simple tool, Reaver, is now available to launch a WPS brute-force attack, that the WPS PIN method is currently mandatory for WPS-certified routers, that WPS is available and enabled by default on most home and SOHO-grade Wi-Fi routers, and that many upcoming consumer devices support only WPS for secure wireless connections, the seriousness of the aforementioned implications increases manifold for users setting up a WPS-capable Wi-Fi network.

WPS is genuinely useful for connecting certain consumer devices, such as cameras, printers and baby monitors, securely to a home Wi-Fi network. For a novice user, WPS is also a very simple way to connect to a secured Wi-Fi network. However, the recently discovered design flaws in various vendors' WPS implementations have turned it into the source of several security problems in an otherwise secured Wi-Fi network. Hopefully, vendors will soon provide the necessary software upgrades to rectify the underlying problem, and newer products will ship with a corrected WPS implementation, making Wi-Fi Protected Setup useful again for Wi-Fi users.

Until then, users should first find out whether their Wi-Fi router suffers from the reported design flaw. If it does not, they can continue using WPS. If it does, security-conscious users can minimize the risk with the following potential solutions:

  1. Users who do not need WPS, or can avoid it, should turn it off on their Wi-Fi routers.
  2. Users who need WPS only intermittently, to connect certain devices on occasion, should turn it off once the intended use is over.
  3. Where the router provides the option, users can selectively disable the external-registrar WPS PIN method and use only push-button configuration or the internal-registrar PIN method (although inconvenient) for light usage.
  4. Users who need ‘always-on’ WPS based on the router's PIN method (external registrar) should disable WPS and wait for the necessary upgrade from their respective router vendors.
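As an added example, not code from the original post, the following Python parses the WPS information element that an access point includes in its beacon frames and reports whether WPS is advertised, which PIN-based configuration methods are offered, and whether the AP Setup Locked attribute is set; the beacon bytes are a constructed sample rather than a live capture, and the attribute IDs follow the Wi-Fi Simple Configuration specification. This tells a user whether the external-registrar PIN method is exposed at all, which is the check the list above calls for; it cannot by itself confirm that a particular router has the brute-force flaw.

```python
import struct
# WSC attribute IDs from the Wi-Fi Simple Configuration spec.
ATTR_WPS_STATE = 0x1044        # 1 = not configured, 2 = configured
ATTR_AP_SETUP_LOCKED = 0x1057  # 1 = AP currently refuses PIN registration
ATTR_CONFIG_METHODS = 0x1008   # bitmask of enrolment methods the AP supports
PIN_METHODS = {0x0004: "Label", 0x0008: "Display", 0x0100: "Keypad"}
PBC_BIT = 0x0080               # PushButton
WPS_OUI_TYPE = b"\x00\x50\xf2\x04"  # vendor-specific IE header used by WPS
def wsc_attr(atype, value):
    return struct.pack(">HH", atype, len(value)) + value

def parse_wsc_attrs(payload):
    # WSC attributes are TLVs: 2-byte type, 2-byte length, value, big-endian.
    attrs, i = {}, 0
    while i + 4 <= len(payload):
        atype, alen = struct.unpack(">HH", payload[i:i + 4])
        if i + 4 + alen > len(payload):
            raise ValueError("truncated WSC attribute 0x%04x" % atype)
        attrs[atype] = payload[i + 4:i + 4 + alen]
        i += 4 + alen
    return attrs

def find_wps_ie(ies):
    # Walk 802.11 IEs (1-byte id, 1-byte length, body) for the WPS vendor IE.
    i = 0
    while i + 2 <= len(ies):
        eid, elen = ies[i], ies[i + 1]
        body = ies[i + 2:i + 2 + elen]
        if len(body) != elen:
            raise ValueError("truncated IE %d" % eid)
        if eid == 0xDD and body.startswith(WPS_OUI_TYPE):
            return body[len(WPS_OUI_TYPE):]
        i += 2 + elen
    return None

def assess_wps(ies):
    # Summarise what the AP advertises in its beacon; nothing is transmitted.
    body = find_wps_ie(ies)
    if body is None:
        return {"wps": False}
    a = parse_wsc_attrs(body)
    methods = struct.unpack(">H", a[ATTR_CONFIG_METHODS])[0] if ATTR_CONFIG_METHODS in a else 0
    return {"wps": True, "locked": a.get(ATTR_AP_SETUP_LOCKED, b"\x00")[:1] == b"\x01",
            "pin_methods": sorted(n for b, n in PIN_METHODS.items() if methods & b),
            "pbc": bool(methods & PBC_BIT)}

# Constructed sample beacon IEs: SSID "HomeNet" plus a WPS IE advertising a Label
# PIN and push button, not locked (a typical default home-router posture).
SAMPLE_WPS = (wsc_attr(ATTR_WPS_STATE, b"\x02") + wsc_attr(ATTR_AP_SETUP_LOCKED, b"\x00")
              + wsc_attr(ATTR_CONFIG_METHODS, struct.pack(">H", 0x0004 | PBC_BIT)))
SAMPLE_IES = (bytes([0x00, 7]) + b"HomeNet"
              + bytes([0xDD, len(WPS_OUI_TYPE) + len(SAMPLE_WPS)]) + WPS_OUI_TYPE + SAMPLE_WPS)
```

Running `assess_wps(SAMPLE_IES)` on the sample reports WPS enabled with the Label PIN method and push button available and no lockout; a router answering "pin_methods: []" or "wps: False" is the posture items 1 to 3 aim for.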
