Securing the Tech: WPS Brute Force Vulnerability

This one shocked me. I don't know why, because ever since I learned about WPS I have thought it was a bad idea. One of my favorite security researchers, Steve Gibson, likes to say that anything that makes security easier also makes it less secure. The point of the technology is to make setting up wireless encryption point-and-click. There are several things about the whole process that make this a case study in security gone bad.
First of all, I need to say that the designers of WPS did everything correctly except for one major flaw and one minor flaw. However, that is all it took to ruin the security of WPS. The parts that work are very well designed: they use all of the best cryptography and use it correctly. If it weren't for this one bug, WPS would be fine.
The minor flaw may not really be a flaw, depending on your viewpoint. WPS has two modes, one for connections between devices with a WPS button and one for devices that don't have one. That is the problem: it is basically two programs in one when it would have been fine with just the one. The flaw exists in the second of those two modes. If they had stopped at the first, the one with the button, everything would be fine. However, that would require that all devices have a WPS button (it could have been in the user interface somewhere, like on a settings page). This button would be pressed on both devices (say a router and a laptop) to put them, for two minutes, into a mode similar to the "pairing" mode of Bluetooth devices. They would see each other and assume they were supposed to connect. After a flurry of bulletproof cryptography goes flying through the air, the WPA key of the wireless network gets shared securely and the new device is connected to the network. Now, what if your neighbor hits the button on his device? If there are more than two devices in this "pairing" mode during the same two minutes, then they all start freaking out and refuse to connect to anything. Very secure.
Here is where the problem lies. The second mode itself has two modes, one for connections between devices with a screen and one for devices that don't have one. The first mode uses a four-character PIN displayed on the first device (the router, for example) and entered into the second device (perhaps a laptop). The PIN is only good for 2 minutes, and you have three chances to enter it correctly every minute. That is a total of six chances to enter it correctly. Now, if somebody wanted to hack your connection they would have to guess the four-digit PIN. With 10,000 possibilities for the PIN and only six chances to guess it, the odds are not in favor of the person hacking the system.
However, most router manufacturers didn't want to add screens to their routers (some of these machines only cost $20), as it would increase the price, so a second method was added. Instead of displaying a four-digit PIN on a screen, and therefore being able to change the PIN every few minutes, an eight-digit PIN would be printed on the bottom of the router. When connecting a device like a laptop to the network, the device would ask for the PIN on the bottom of the router. The user would enter it, proving that they had physical access to the router. The laptop then connects to the network and everyone is happy.
Problem is, this eight-digit PIN isn't handled correctly. First, let's look at how much more secure an eight-digit PIN would be over a four-digit PIN if handled correctly. The router will only allow three attempts to connect every minute, so that is how fast we can try each of the possible PINs. At that rate we start with 10,000 divided by 2, since the PIN is just as likely to be in the first half as the second. Now we divide by 3, since only 3 PINs can be tried in a minute. This is how many minutes it will take (1,666.66...). Now we divide that by the 60 minutes in an hour and we see that on average it will take about 28 hours to crack the network with a four-digit PIN that never changed. Now we do the same calculation for a PIN eight digits long and see what we get. 100,000,000 divided by 2 divided by 3 gives us the number of minutes: 16,666,666.66... Let's convert that to something we can understand and we get 31.7 YEARS for the average case. Wow, big difference.
Problem is that WPS doesn't work like this. Instead of the hacker having to guess all eight digits to find out if he is right, he only has to guess four at a time. When he gets the first four right, he doesn't have to guess them anymore. This means he will only have to guess two four-digit PINs (28 hours times 2 = 56 hours) instead of one eight-digit password. Very simple for a hacker to do. And this gives them full access to your network.
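To make the arithmetic in the last two paragraphs concrete, here is an added Python model (my own illustration, not code from the post or from any WPS tool) of the two verifier designs the post compares: a registrar that only answers yes or no for the whole PIN, and one that reveals whether the first four digits matched. It assumes the post's figures, four-digit halves and a lockout of three tries per minute; the names ToyRegistrar, search_whole_pin and search_by_halves are mine.

```python
ATTEMPTS_PER_MINUTE = 3   # lockout rate the post assumes
HALF = 4                  # digits per PIN half, as the post describes it

class ToyRegistrar:
    """Constructed stand-in for a router checking an eight-digit PIN (not
    WPS code). leaks_first_half=True models the flaw: the reply says whether
    the first four digits matched before judging the whole PIN."""

    def __init__(self, pin, leaks_first_half):
        self._pin = pin
        self.leaks_first_half = leaks_first_half
        self.attempts = 0

    def try_pin(self, guess):
        """Returns (first_half_ok, whole_pin_ok)."""
        self.attempts += 1
        whole_ok = guess == self._pin
        if self.leaks_first_half:
            return guess[:HALF] == self._pin[:HALF], whole_ok
        return whole_ok, whole_ok   # sound design: only the final verdict

def search_whole_pin(reg, budget):
    """Try every eight-digit PIN in order; None if the budget runs out."""
    for n in range(10 ** (2 * HALF)):
        if reg.attempts >= budget:
            return None
        if reg.try_pin(f"{n:08d}")[1]:
            return reg.attempts

def search_by_halves(reg, budget):
    """Use the leak: drop a first half as soon as it is rejected, and only
    enumerate second halves once the first half has been confirmed."""
    for a in range(10 ** HALF):
        first = f"{a:0{HALF}d}"
        for b in range(10 ** HALF):
            if reg.attempts >= budget:
                return None
            first_ok, whole_ok = reg.try_pin(first + f"{b:0{HALF}d}")
            if whole_ok:
                return reg.attempts
            if not first_ok:
                break

def hours_for(attempts):
    """Wall-clock hours at the post's three-tries-per-minute lockout."""
    return attempts / ATTEMPTS_PER_MINUTE / 60

def average_hours(pin_space):
    """The post's average case: half the space has to be tried."""
    return hours_for(pin_space / 2)
```

With a 200,000-try budget the sound design is never broken, while the leaky one falls in at most 20,000 tries (about 111 hours at the lockout rate), which is exactly the post's point.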
In fact, there is already code out there to do this. There is a company called Tactical Network Solutions (awesome name, by the way) that has a program called Reaver that will do just this. And they have been selling it for a while. So this has been known to some and in use by others (the NSA, CIA, and FBI are probably hating life now that this is out) already.
How to defend against this? Simple, turn off WPS. Well, almost. If you have a Linksys or Cisco router you can't turn it off. The interface will say it is off but the feature will still be active. Answer? Install a custom ROM on those routers; something like DD-WRT or Tomato Router will do the trick. They don't even have WPS in them at all. But you need to be sure that your router is supported by those projects and you need to have a bit of hacking skill to install them. The only other option is to get a different router. Be aware as well that some D-Link routers don't have the three-tries-per-minute feature, so the numbers we calculated before will be much, much, much, much smaller, since hundreds of PINs can be tried a second. All the way around, just turn off WPS.
Good try WiFi guys, but you missed a spot.