Secure Wi-Fi? Not so Much -- Gaping Hole Found in WPS Pin System
December 29, 2011 12:42 PM
comment(s) - last by
The Department of Homeland Security suggests the only solution is to disable WPS
NETGEAR, Inc. (
), Cisco System, Inc.'s (
) Linksys, D-Link Corp (
), and Belkin, Inc. are some of the biggest makers of routers. If you own a router, there's a good chance you own a router from one of these manufacturers. And if you own a router from them, there's a good chance you used Wi-Fi Protected Setup (WPS) -- a PIN protected method -- to easily set up your home network. And that means that there's a good chance your security is now at serious risk.
WPS was dreamed up by
the Wi-Fi Alliance
as a means of easing the pain of home networking. But by including a flag in the EAP-NACK message, the standard unwittingly left a gaping hole that can be exploited by hackers to subvert your router.
The message tells the user if the first half of the pin they typed was right. Thus it drastically reduces the time needed to crack the PIN using a brute force attack. Add in that the last bit of the PIN is always its checksum, you have a recipe for a security disaster.
[Image Source: Best Wireless Internet Routers Blog]
The flaw reduces the time it takes to crack your average PIN from 10
attempts to 10
attempts (11,000 attempts total). Assuming you can fire off ten requests or more a second, you should be able to crack routers in minutes.
U.S. Department of Homeland Security
issued a warning
to the public
about the flaw. It
disabling WPS. This may be a painful option for less savvy operators, though, as setting up a network with more sophisticated protections can require a bit of learning.
the vulnerability and reported it to the DHS. He claims that none of the major manufacturers stepped up to the plate with a patch. He is going to release a C-coded exploitation tool shortly -- perhaps that will help prompt the business into action.
.BrainDump (Stefan Viehbock)
Department of Homeland Security
This article is over a month old, voting and posting comments is disabled
1/3/2012 4:41:25 AM
Anybody who wants to and can use google can access your network in about an hour - assuming they need to learn what to do first :). WEP is completely useless and should never, ever be used if you are being serious about security.
MAC keeps your neighbours off (and WEP will do the same thing) unless they are very determined but it won't keep out anybody serious (or even anybody seriously interested).
WPA2 is the only way to go if you want to ACTUALLY secure your network :). It's super-easy to setup (unlike MAC-based security) - just choose a longish password that's easy to remember. Something like a cheat from your favourite computer game or a quote from a movie is basically impossible for a stranger to crack. "If it bleeds we can kill it" won't be cracked in the lifespan of your router, for example :).
"Can anyone tell me what MobileMe is supposed to do?... So why the f*** doesn't it do that?" -- Steve Jobs
Homeland Security Warns About Latest Dangerous Apple Browser Bug
May 10, 2010, 5:20 PM
WiGig Specifications Completed
December 10, 2009, 11:16 AM
ISIS Supporters Threaten "Charlie Hedbo style" Attack Against Twitter Employees
March 3, 2015, 4:26 PM
Lenovo Vows to Drop "Adware" and "Bloatware" From Its PCs
February 27, 2015, 3:09 PM
Google Steps up Snub of Adobe Flash, Auto-Converting Flash Ads to HTML5
February 25, 2015, 6:16 PM
Quick Note: Microsoft Gives Dropbox Users Extra 100 GB of Free OneDrive Storage
February 20, 2015, 9:48 AM
Anonymous vs. the ISIS Cyber Caliphate -- War in the Middle East Goes Digital
February 12, 2015, 8:54 PM
Jeb Bush Releases Years of Emails, Leaking Names, Social Security Numbers
February 11, 2015, 8:30 PM
Most Popular Articles
Samsung is Bringing Sexy Back w/ Launch of Razor-Thin Galaxy S6 and S6 Edge
March 3, 2015, 2:25 AM
Australian Engineers Successfully Developed 3D-Printed Jet Engines
March 2, 2015, 11:08 AM
Scientists Tap Hard Data on 15,500 Penises to Estimate Average Length
March 3, 2015, 11:22 PM
Windows 10 Adds USB 3.1 for Dual-Role Peripherals, External Display Support
February 27, 2015, 11:39 AM
Windows 10 Testers: Beware Experimental NVIDIA Drivers Tied to DX12 Update
March 3, 2015, 11:13 AM
Latest Blog Posts
Sceptre Airs 27", 120 Hz. 1080p Monitor/HDTV w/ 5 ms Response Time for $220
Dec 3, 2014, 10:32 PM
Costco Gives Employees Thanksgiving Off; Wal-Mart Leads "Black Thursday" Charge
Oct 29, 2014, 9:57 PM
"Bear Selfies" Fad Could Turn Deadly, Warn Nevada Wildlife Officials
Oct 28, 2014, 12:00 PM
The Surface Mini That Was Never Released Gets "Hands On" Treatment
Sep 26, 2014, 8:22 AM
ISIS Imposes Ban on Teaching Evolution in Iraq
Sep 17, 2014, 5:22 PM
More Blog Posts
Copyright 2015 DailyTech LLC. -
Terms, Conditions & Privacy Information