Vulnerability in Modern Wireless Routers: Brute Force Attack Can Crack WPS PIN


You might have come across a small button labeled WPS on your WiFi router. WPS (WiFi Protected Setup) is a protocol, or optional program, designed by the Wi-Fi Alliance to make wireless setup easy for common users while keeping the essential security. It was earlier called “WiFi Simple Config”. The technology was launched in 2007 and almost all router makers have incorporated it in their subsequent WiFi routers. Now a major security flaw in the design of this program has been unveiled. WPS is enabled by default on these devices, and through a brute force attack hackers can break into your WPS-enabled WiFi network.

How WPS Works

Instead of a preset SSID (network identification), WPS sets up a random network name and a strong network key for wireless devices. Instead of entering the network SSID and a long security key, WPS lets you use a push button (either hardware or software) or a PIN to join the secured wireless network. You can use WPS to join a WiFi network in three ways.

1.  Push Button Connect: In the Push Button Connect system, the user has to push a button (virtual or physical) on both the router and the wireless client (laptop, camera, mobile, etc.). After pressing the push button on the client, you have to either enter the PIN or press the push button on the router within 2 minutes. In this case the physical presence of both devices is mandatory.

 


2.  PIN: Here the user has to enter the PIN of the wireless adapter into the web interface of the access point. In this method your client (laptop, camera, phone, printer, etc.) must have a WPS PIN. The PIN is either printed on the device or can be retrieved through its software interface.

3.  External Registrar method: In this method you have to enter the WPS PIN of your router/access point in the interface of the client device. No authentication is required other than the access point PIN. Usually the PIN is printed on the router or can be obtained through its software interface.

In the first method (push button), physical access to the router is mandatory. In the second method you must have access to the web interface of the access point. Hence these two methods are safe. The security flaw is in the third method, i.e. the external registrar method. Last month Craig Heffner identified this vulnerability and Stefan Viehböck reported the same to the United States Computer Emergency Readiness Team (CERT/CC). CERT has analyzed the threat and released a vulnerability note, which advises users to disable WPS.

A Python brute force script is available to hack the WPS key. See the demo video.

One and Only Solution: Disable WPS

No firmware updates are available to cover this hole. Hence it is advised to disable the WPS option of your router through its software interface. See the software interface of the D-Link DSL 2730 U to disable WPS.


All modern WiFi routers, including Belkin, Buffalo, D-Link, Linksys, Netgear, TP-Link, Technicolor, ZyXEL etc., are vulnerable and have WPS enabled by default. Your smart neighbor is reading this, so don’t give him a chance to test this vulnerability on your network.




  • Sandeep Singh 01/03/2012, 8:13 AM Reply

    Hi Sujith,

    I don't see a Brute-Force Attack possibility. I think you will get the PIN through a software interface! Do you know any? It would be great if you could help me.

    • Sujith 01/03/2012, 6:43 PM Reply

      A brute force attack possibility exists; normally the PIN is printed on the label on the back of the router. This is an 8-digit number. The last digit is the checksum. Routers don’t lock out on brute force attacks. Hence within a few minutes numeric key combinations can be tested.
