Major security hole in most modern wireless routers

David Heath
Saturday, 31 December 2011 16:16

Your IT - Home IT

If your wireless router supports Wi-Fi Protected Setup turn it off immediately (if you can).

According to a vulnerability notice issued by the US Computer Emergency Readiness Team (US-CERT) on December 27th, just about every Wi-Fi router that supports Wi-Fi Protected Setup (WPS) is vulnerable to a brute force attack.

WPS supports a PIN-protected access in order to simplify the process of enabling and configuring secure access for normal use.  Typically this would be used to enable WPA-PSK encryption.

The problems are many-fold. 

Firstly, the 8-digit PIN used to protect access to the WPS interface is configured in such a way that the attacker will be told when they have correctly guessed just the first 4 characters.  In other words the problem of guessing an eight-digit number is split into two problems of guessing a 4-digit number.

Secondly, the correct WPA password will be communicated to the successful PIN attacker no matter whether it was the default password or had been changed by the user (this is really an 'attribute' of the WPS system).

Once in possession of this information, an attacker may be able to reconfigure the router, lock out authorised users and any of a number of other possible outcomes.

According to US-CERT, "WiFi Protected Setup (WPS) is a computing standard created by the WiFi Alliance to ease the setup and securing of a wireless home network. WPS contains an authentication method called "external registrar" that only requires the router's PIN. By design this method is susceptible to brute force attacks against the PIN.

"When the PIN authentication fails the access point will send an EAP-NACK message back to the client. The EAP-NACK messages are sent in a way that an attacker is able to determine if the first half of the PIN is correct. Also, the last digit of the PIN is known because it is a checksum for the PIN. This design greatly reduces the number of attempts needed to brute force the PIN. The number of attempts goes from 10⁸ to 10⁴ + 10³ which is 11,000 attempts in total [instead of the hoped-for tens of millions].

"It has been reported that some wireless routers do not implement any kind of lock out policy for brute force attempts. This greatly reduces the time required to perform a successful brute force attack. It has also been reported that some wireless routers resulted in a denial-of-service condition because of the brute force attempt and required a reboot."

With regard to a solution, US-CERT observes, "We are currently unaware of a practical solution to this problem."

They can also offer only a weak 'workaround.'