Secure Wi-Fi? Not so Much -- Gaping Hole Found in WPS Pin System
December 29, 2011 12:42 PM
comment(s) - last by
The Department of Homeland Security suggests the only solution is to disable WPS
NETGEAR, Inc. (
), Cisco System, Inc.'s (
) Linksys, D-Link Corp (
), and Belkin, Inc. are some of the biggest makers of routers. If you own a router, there's a good chance you own a router from one of these manufacturers. And if you own a router from them, there's a good chance you used Wi-Fi Protected Setup (WPS) -- a PIN protected method -- to easily set up your home network. And that means that there's a good chance your security is now at serious risk.
WPS was dreamed up by
the Wi-Fi Alliance
as a means of easing the pain of home networking. But by including a flag in the EAP-NACK message, the standard unwittingly left a gaping hole that can be exploited by hackers to subvert your router.
The message tells the user if the first half of the pin they typed was right. Thus it drastically reduces the time needed to crack the PIN using a brute force attack. Add in that the last bit of the PIN is always its checksum, you have a recipe for a security disaster.
[Image Source: Best Wireless Internet Routers Blog]
The flaw reduces the time it takes to crack your average PIN from 10
attempts to 10
attempts (11,000 attempts total). Assuming you can fire off ten requests or more a second, you should be able to crack routers in minutes.
U.S. Department of Homeland Security
issued a warning
to the public
about the flaw. It
disabling WPS. This may be a painful option for less savvy operators, though, as setting up a network with more sophisticated protections can require a bit of learning.
the vulnerability and reported it to the DHS. He claims that none of the major manufacturers stepped up to the plate with a patch. He is going to release a C-coded exploitation tool shortly -- perhaps that will help prompt the business into action.
.BrainDump (Stefan Viehbock)
Department of Homeland Security
This article is over a month old, voting and posting comments is disabled
12/29/2011 3:46:25 PM
Yeah, WEP is also useless.
With just a couple minutes worth of packets sniffed out of the air and a few seconds of computation time, it'll have a good chance of being cracked.
Given 10 minutes where the WEP connection is actually being used and it'll definitely be cracked wide open.
Don't bother with all the sideshow stuff, just use WPA2 encryption (just don't use a silly password like "12345")
12/31/2011 7:56:15 PM
That's the combination on my luggage!
"Nowadays you can buy a CPU cheaper than the CPU fan." -- Unnamed AMD executive
Homeland Security Warns About Latest Dangerous Apple Browser Bug
May 10, 2010, 5:20 PM
WiGig Specifications Completed
December 10, 2009, 11:16 AM
Comcast Memo: Harassing Customers During Retention Calls Actually IS Our Policy
July 22, 2014, 5:19 PM
Aereo Now Claims It's a Cable Company, Reveals it Has Very Few Customers
July 22, 2014, 4:20 PM
Edward Snowden Presents Tech to Stop Government Spying
July 21, 2014, 12:00 PM
Verizon FiOS Network Upgrade Brings Symmetrical Upload/Download Speeds
July 21, 2014, 8:33 AM
Amazon Launches First Fire Phone TV Spot, Spends 30 Seconds Promoting Prime
July 18, 2014, 11:17 AM
Samsung Continues to Pick on Apple's iPad in Two New Commercials
July 13, 2014, 5:35 PM
Most Popular Articles
Microsoft Kills Entertainment Unit, May Shelve Flagship Lumia "McLaren"
July 18, 2014, 7:40 PM
Boeing 777 Malaysian Airlines Flight 17 Crashes in Ukraine
July 17, 2014, 1:00 PM
Google Signs Controversial Deal With Pharmaceutical Giant Novartis
July 16, 2014, 7:32 PM
Toyota Scientist: Autonomous Vehicles May Lead to Increased Fuel Consumption, Pollution
July 18, 2014, 2:42 PM
JJ Abrams Unveils X-Wing Starfighter for New "Star Wars" Movie
July 21, 2014, 12:24 PM
Latest Blog Posts
Space Terrorism is a Looming Threat For the United States
Apr 23, 2014, 7:47 PM
Facebook Aims to Provide Internet to "Every Person in the World" with Drones, Satellites
Apr 1, 2014, 10:20 AM
Retail Mobile Sites Experience Outages in Light of Simplexity's Bankruptcy
Mar 14, 2014, 8:48 AM
Tesla vs. BMW: Who Has the Safer EV?
Feb 1, 2014, 2:56 PM
Justice Leaks Details of Next HTC One Two Flagship Phone
Dec 5, 2013, 4:04 PM
More Blog Posts
Copyright 2014 DailyTech LLC. -
Terms, Conditions & Privacy Information