Secure Wi-Fi? Not so Much -- Gaping Hole Found in WPS Pin System
December 29, 2011 12:42 PM
The Department of Homeland Security suggests the only solution is to disable WPS
NETGEAR, Inc., Cisco Systems, Inc.'s Linksys, D-Link Corp, and Belkin, Inc. are some of the biggest makers of routers. If you own a router, there's a good chance it came from one of these manufacturers. And if you own a router from them, there's a good chance you used Wi-Fi Protected Setup (WPS) -- a PIN-protected method -- to easily set up your home network. And that means there's a good chance your security is now at serious risk.
WPS was dreamed up by the Wi-Fi Alliance as a means of easing the pain of home networking. But by including a flag in the EAP-NACK message, the standard unwittingly left a gaping hole that can be exploited by hackers to subvert your router.
The message tells the user whether the first half of the PIN they typed was right, which drastically reduces the time needed to crack the PIN by brute force. Add in that the last digit of the PIN is always a checksum, and you have a recipe for a security disaster.
[Image Source: Best Wireless Internet Routers Blog]
The flaw reduces the time it takes to crack your average PIN from 10^8 attempts to 10^4 attempts (11,000 attempts total). Assuming you can fire off ten requests or more a second, you should be able to crack routers in minutes.
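To make the arithmetic above concrete, here is an added example (not code from the article, nor from Viehbock's tool) that models the WPS PIN format: an 8-digit PIN whose 8th digit is a checksum over the first seven (weights 3,1,3,1,3,1,3, as in the WPS specification), and a router that either answers only after the whole PIN or, as the flawed EAP-NACK flag does, confirms the first four digits separately. The functions compute the valid-PIN count and the worst-case number of guesses under each behaviour; the `10` requests per second figure is the article's own assumption, and the sample PIN `12345670` is a constructed test value.

```python
# Added example: WPS PIN structure and the size of the guessing problem
# with and without half-PIN feedback. Not part of the original article.

def wps_checksum_digit(first_seven: str) -> int:
    """Return the checksum (8th) digit for a 7-digit WPS PIN prefix.

    The WPS checksum weights the 1st, 3rd, 5th and 7th digits by 3 and the
    2nd, 4th and 6th by 1, then picks the digit that makes the sum a
    multiple of 10.
    """
    if len(first_seven) != 7 or not first_seven.isdigit():
        raise ValueError("expected exactly seven decimal digits")
    accum = 0
    for index, char in enumerate(first_seven):
        weight = 3 if index % 2 == 0 else 1   # positions 1,3,5,7 weigh 3
        accum += weight * int(char)
    return (10 - accum % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    """True when an 8-digit PIN carries the correct checksum digit.

    This is the check a registrar performs on a PIN it is handed; any PIN
    failing it can be rejected before any authentication exchange.
    """
    if len(pin) != 8 or not pin.isdigit():
        return False
    return int(pin[7]) == wps_checksum_digit(pin[:7])


def worst_case_attempts(checksum_known: bool, half_feedback: bool) -> int:
    """Number of guesses needed to exhaust the PIN space.

    checksum_known: the guesser skips PINs with a bad checksum digit.
    half_feedback:  the router confirms the first four digits on their own
                    (the EAP-NACK flaw), so the two halves are searched
                    one after the other instead of together.
    """
    if half_feedback:
        first_half = 10 ** 4                       # digits 1-4
        second_half = 10 ** 3 if checksum_known else 10 ** 4  # digits 5-7 (+ checksum)
        return first_half + second_half            # 11,000 with the checksum known
    return 10 ** 7 if checksum_known else 10 ** 8  # all digits at once


def worst_case_seconds(attempts_per_second: float,
                       checksum_known: bool = True,
                       half_feedback: bool = True) -> float:
    """Time to exhaust the space at a given request rate (no lockout assumed)."""
    return worst_case_attempts(checksum_known, half_feedback) / attempts_per_second


if __name__ == "__main__":
    # Constructed sample PIN: 1234567 -> checksum 0, so 12345670 is well-formed.
    print("12345670 valid:", is_valid_wps_pin("12345670"))
    print("full PIN, checksum ignored:", worst_case_attempts(False, False))
    print("full PIN, checksum known: ", worst_case_attempts(True, False))
    print("half feedback, checksum known:", worst_case_attempts(True, True))
    print("seconds at 10 req/s:", worst_case_seconds(10))
```

The gap between the last two numbers is the whole story: without the half-PIN confirmation a guesser faces ten million well-formed PINs, but with it the router is effectively asked two short questions in sequence, and 11,000 guesses at the article's ten per second is under twenty minutes. A registrar that never confirms the first half separately, or that stops answering after a handful of failures, removes that multiplier, which is why disabling WPS is the blunt but reliable fix.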
The U.S. Department of Homeland Security issued a warning to the public about the flaw. It recommends disabling WPS. This may be a painful option for less savvy operators, though, as setting up a network with more sophisticated protections can require a bit of learning.
Security researcher Stefan Viehbock discovered the vulnerability and reported it to the DHS. He claims that none of the major manufacturers stepped up to the plate with a patch. He is going to release a C-coded exploitation tool shortly -- perhaps that will help prompt the business into action.
Sources: .BrainDump (Stefan Viehbock), Department of Homeland Security
12/30/2011 8:29:11 PM
As far as his actual password generation advice goes: it's complete drivel! People are far more predictable than we like to think (I have done several password audits and EVERYONE uses the exact same substitutions - no, sorry, none of you are at all original). This is the reason tools like john-the-ripper exist; Gibson is stating something known to be factually wrong. Do not use his advice, it's very bad. Don't use words with substitutions, they are just not secure. Ideally try Diceroll or, failing that, try dingbats-type representations of a long nonsensical passphrase (that is unique to you), movie quotes etc.
Cheese but not Ties repel Cats because they are bigger than peas = Chse!&->"_">ppp
using "_" for a cat as it reminds me of the Cheshire cat in Alice in wonderland
and & for a tie
12/30/2011 8:31:22 PM
Arrg sorry that should read "NO movie quotes".