Secure Wi-Fi? Not so Much -- Gaping Hole Found in WPS Pin System
December 29, 2011 12:42 PM
comment(s) - last by
The Department of Homeland Security suggests the only solution is to disable WPS
NETGEAR, Inc. (
), Cisco System, Inc.'s (
) Linksys, D-Link Corp (
), and Belkin, Inc. are some of the biggest makers of routers. If you own a router, there's a good chance you own a router from one of these manufacturers. And if you own a router from them, there's a good chance you used Wi-Fi Protected Setup (WPS) -- a PIN protected method -- to easily set up your home network. And that means that there's a good chance your security is now at serious risk.
WPS was dreamed up by
the Wi-Fi Alliance
as a means of easing the pain of home networking. But by including a flag in the EAP-NACK message, the standard unwittingly left a gaping hole that can be exploited by hackers to subvert your router.
The message tells the user if the first half of the pin they typed was right. Thus it drastically reduces the time needed to crack the PIN using a brute force attack. Add in that the last bit of the PIN is always its checksum, you have a recipe for a security disaster.
[Image Source: Best Wireless Internet Routers Blog]
The flaw reduces the time it takes to crack your average PIN from 10
attempts to 10
attempts (11,000 attempts total). Assuming you can fire off ten requests or more a second, you should be able to crack routers in minutes.
U.S. Department of Homeland Security
issued a warning
to the public
about the flaw. It
disabling WPS. This may be a painful option for less savvy operators, though, as setting up a network with more sophisticated protections can require a bit of learning.
the vulnerability and reported it to the DHS. He claims that none of the major manufacturers stepped up to the plate with a patch. He is going to release a C-coded exploitation tool shortly -- perhaps that will help prompt the business into action.
.BrainDump (Stefan Viehbock)
Department of Homeland Security
This article is over a month old, voting and posting comments is disabled
RE: Setting Up WPA2 Isn't Rocket Science
12/29/2011 5:54:29 PM
It seems to me WPS and WPA are separate technologies.
WPS helps you get on the network, WPA is how you secure the network. As such I do not understand your statment "and yeah agreed. no reason not to use WPA2." as you can use WPA2 and WPS at the same time.
RE: Setting Up WPA2 Isn't Rocket Science
1/1/2012 4:00:16 PM
If you break WPS then you have access to the network. WPS does use WPA as security, but the flaw is in how WPS works so no amount of security in the world is gonna help you if the exploit lets you bypass it all.
"I'm an Internet expert too. It's all right to wire the industrial zone only, but there are many problems if other regions of the North are wired." -- North Korean Supreme Commander Kim Jong-il
Homeland Security Warns About Latest Dangerous Apple Browser Bug
May 10, 2010, 5:20 PM
WiGig Specifications Completed
December 10, 2009, 11:16 AM
Twitter Senior VP: "Diversity is Important, But We Can’t Lower the Bar"
November 9, 2015, 9:59 AM
CNN Resorts to Internet Censorship to Promote Clinton Over Senator Sanders
October 15, 2015, 2:47 PM
Breaking Bad: How to Crash Google's Chrome Browser With Just 8 Characters
September 23, 2015, 11:08 AM
Quick Note: Amazon UK Offers £10 Back on Any Order £50 or Over
August 3, 2015, 12:05 PM
Editorial: Reddit Allows Itself to be Hijacked as a Hate Platform For Racist Bigots
July 21, 2015, 6:32 PM
Mozilla and Facebook to Adobe: It's Time to Kill Flash
July 20, 2015, 6:30 PM
Latest Blog Posts
Sceptre Airs 27", 120 Hz. 1080p Monitor/HDTV w/ 5 ms Response Time for $220
Dec 3, 2014, 10:32 PM
Costco Gives Employees Thanksgiving Off; Wal-Mart Leads "Black Thursday" Charge
Oct 29, 2014, 9:57 PM
"Bear Selfies" Fad Could Turn Deadly, Warn Nevada Wildlife Officials
Oct 28, 2014, 12:00 PM
The Surface Mini That Was Never Released Gets "Hands On" Treatment
Sep 26, 2014, 8:22 AM
ISIS Imposes Ban on Teaching Evolution in Iraq
Sep 17, 2014, 5:22 PM
More Blog Posts
Copyright 2016 DailyTech LLC. -
Terms, Conditions & Privacy Information