Several weeks ago, a security researcher by the name of Stefan Viehbock identified a pretty serious vulnerability in the WPS (Wi-Fi Protected Setup) protocol that is supported by most consumer-grade wireless routers produced over the last several years. Although I don’t believe this feature is used very often, the fact that it is supported and is turned on by default in most access points increases the importance of this discovery. A very good and detailed explanation of this vulnerability was given by Steve Gibson on episode 337 of the Security Now! podcast (transcript) on Leo Laporte’s TWiT (This Week in Tech) network. In a nutshell, having this feature enabled on your access point may allow a brute force attack to be carried out which could give a bad guy access to your network. A brute force attack is nothing more than trying many combinations of passwords or PINs and, over time, successfully guessing the right string. As described by Steve Gibson, the flaw here is that the party entering the PIN for the router is given feedback after only part of the PIN has been entered, so each half can be guessed on its own. This significantly reduces the number of guesses required to gain access.
In order to be certified by the Wi-Fi Alliance (the governing body for Wi-Fi certification of devices), this feature must be supported and turned on by default. As identified in this publication from the US-CERT (United States Computer Emergency Readiness Team), most manufacturers are impacted by this vulnerability. Conspicuously missing here is Apple. Their implementation of the WPS protocol generates random PINs upon request and, therefore, their products are not impacted. Adding even more security, the only way to request a WPS connection be established is to be connected to the AirPort Utility and initiate the connection attempt. Additional information about this vulnerability can be found here.
What can we do about this? Really, there are two options:
- Disable the WPS functionality – Most modern access points give you the opportunity to disable this feature from the web interface. I would suggest turning it off and just leaving it off. Really, you don’t need it.
- Upgrade the firmware – Many of the manufacturers of wireless access points have already released firmware updates which should fix this issue. Those who have not yet released updates will do so shortly.
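The simplest way to confirm that the first option actually took effect is to look at what the access point advertises. As an added example (not from the original post), the following parses the WPS information element that a WPS-enabled access point includes in its beacons and probe responses, and reports whether WPS is advertised and whether the AP has entered its lockdown state; the sample IEs are constructed, and on a real network you would feed in the vendor-specific IE bytes from a captured beacon.

```python
import struct

# WPS attributes carried in the vendor-specific IE (tag 0xDD, OUI 00:50:F2, type 4).
WPS_OUI_TYPE = b"\x00\x50\xf2\x04"
ATTR_VERSION = 0x104A
ATTR_WPS_STATE = 0x1044        # 1 = not configured, 2 = configured
ATTR_AP_SETUP_LOCKED = 0x1057  # 1 = AP refuses further PIN attempts (lockdown after failures)

def parse_wps_ie(ie: bytes) -> dict:
    """Parse one 802.11 vendor-specific IE. Returns {} unless it is a well-formed WPS IE,
    otherwise a dict of attribute id -> raw value bytes."""
    if len(ie) < 6 or ie[0] != 0xDD:
        return {}
    length = ie[1]
    body = ie[2:2 + length]
    if len(body) != length or not body.startswith(WPS_OUI_TYPE):
        return {}
    attrs, pos = {}, len(WPS_OUI_TYPE)
    while pos + 4 <= len(body):
        attr_id, attr_len = struct.unpack(">HH", body[pos:pos + 4])
        pos += 4
        if pos + attr_len > len(body):  # truncated attribute: stop, do not over-read
            break
        attrs[attr_id] = body[pos:pos + attr_len]
        pos += attr_len
    return attrs

def wps_status(ie: bytes) -> dict:
    """Summarise what the IE tells a passive observer about the AP's WPS exposure."""
    attrs = parse_wps_ie(ie)
    if not attrs:
        return {"wps_advertised": False}
    state = (attrs.get(ATTR_WPS_STATE) or b"\x00")[0]
    locked = (attrs.get(ATTR_AP_SETUP_LOCKED) or b"\x00")[0] == 1
    return {"wps_advertised": True, "configured": state == 2, "ap_setup_locked": locked}

def build_wps_ie(attrs) -> bytes:
    """Assemble a WPS IE from (id, value) pairs; used here only to construct samples."""
    body = WPS_OUI_TYPE + b"".join(struct.pack(">HH", i, len(v)) + v for i, v in attrs)
    return bytes([0xDD, len(body)]) + body

# Constructed sample IEs (not captured from any real access point).
WPS_ON_IE = build_wps_ie([(ATTR_VERSION, b"\x10"), (ATTR_WPS_STATE, b"\x02")])
WPS_LOCKED_IE = build_wps_ie([(ATTR_VERSION, b"\x10"), (ATTR_WPS_STATE, b"\x02"),
                              (ATTR_AP_SETUP_LOCKED, b"\x01")])
WMM_IE = bytes([0xDD, 4]) + b"\x00\x50\xf2\x02"  # same OUI, type 2 (WMM): not WPS

if __name__ == "__main__":
    for name, ie in [("wps on", WPS_ON_IE), ("wps locked", WPS_LOCKED_IE), ("wmm", WMM_IE)]:
        print(name, wps_status(ie))
```

After you disable WPS in the router's web interface, its beacons should no longer carry this IE at all; if they still do, the setting did not take effect.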
Unfortunately, neither of these options passes the sniff test for implementation. That is, would the average consumer be able to easily accomplish either of them on their own? Would they even know where to start? Do they even know the admin password on their wireless router or the URL to visit to access it? Was that little scrap of paper with the password written on it thrown out long ago? If the average consumer doesn’t know how to fix it, they won’t. The repercussions of this vulnerability will be felt for years because of unpatched access points. The flip side of this is, do consumers even know there was a problem? I don’t recall seeing any coverage of this vulnerability in the mainstream media. Meanwhile, a handful of tools have already been written and made freely available on the internet which exploit this vulnerability.
So, how did we get here? The major reason is the desire of the Wi-Fi Alliance to simplify how consumers use products with Wi-Fi connectivity. They are walking a tightrope between ease of use and the security of our products. This time, they fell off. As consumers, we need to realize that by simplifying things, we reduce how secure they are. I would never let anyone onto any network I maintain using the WPS process.
As I passed information about this vulnerability to family and friends, I received some feedback which implied confusion between WPS, WPA, WPA2, WEP, WDS, etc… Hopefully, someone at the Wi-Fi Alliance will wake up and realize that using acronyms that all look so much alike does not make it easy for consumers to make sense of these things.
For you tech-savvy readers of this blog, please reach out and help some others secure their networks properly.
Update: 2012-02-12 – Hak5 aired an interview in episode 1024 found here which covers the WPS issue with even more detail.