• Most Wi-Fi routers susceptible to hacking through security feature

    Stefan Viehböck, an independent security researcher, published a paper on Boxing Day titled "Brute forcing Wi-Fi Protected Setup" to his WordPress blog disclosing a weakness in the configuration of most consumer/SoHo Wi-Fi routers.

    As we all know the state of security for most home Wi-Fi networks was nearly non-existent only a few years ago.

    This prompted the Wi-Fi Alliance to establish a new simple method for consumers to enable and configure WPA2 on their routers without knowledge of encryption, keys or how it all works.

    The standard is called Wi-Fi Protected Setup (WPS) and is enabled by default on nearly all consumer Wi-Fi access points, including those sold by Cisco/Linksys, Netgear, Belkin, Buffalo, D-Link and Netgear.

    It has three methods of simplifying the connection of wireless devices to WPA2 protected access points:

    Push Button Connect (PBC) requires the user to push a button on the router which allows it to communicate with a client needing configuration. The client attempts to connect and the router simply sends it the security configuration required to communicate.

    Client PIN mode is where the client device supports WPS and has a PIN assigned by the manufacturer. You then login to the router's management interface and enter the PIN to authorize that client to obtain the encryption configuration.

    Router PIN mode allows a client to connect by entering a secret PIN from a label on the router, or from its management interface which authorizes the client to obtain the security configuration details.

    The first method requires physical access, while the second requires administrative access, both of these pass muster. The third however, can be accomplished only through the use of the Wi-Fi radio.

    The PIN used for authentication is only eight digits which would give the appearance of 108 (100,000,000) possibilities. It turns out the last digit is just a checksum, which takes us down to 107 (10,000,000) combinations.

    Worse yet the protocol is designed so that the first half and second half are sent separately and the protocol will confirm if only one half is correct.
    So you have now reduced the difficulty of brute forcing the PIN down to 104 (10,000) plus 103 (1,000) or 11,000 possibilities.

    Some of the routers Viehböck tested did seem to implement a mechanism to slow down the brute forcing, but the worst case scenario allowed him to acquire the keys within 44 hours.

    Compared with attempting to attack WPA2-PSK directly, this is a cheap and effective attack.

    As the sub-title of Viehböck's paper states "When poor design meets poor implementation" security is the loser.

    If you own a reasonably modern Wi-Fi router you are at risk (unless you have installed some sort of alternative firmware like OpenWRT or Tomato Router).

    If possible disable the WPS support on your router and contact your manufacturer for updated firmware which may provide a fix or mitigation against this attack.

    Another researcher independently discovered the same issue and has published a tool called Reaver that implements this attack.

    Similar to the Firesheep tool, this will likely light a fire under the butts of the Wi-Fi Alliance and manufacturers to quickly resolve these issues.
    Comments 8 Comments
    1. mjmacky's Avatar
      mjmacky -
      Never once used WPS, never trusted it, always disabled. I fucking jumped on WPA2 though, I hated WEP.
    1. Cabalo's Avatar
      Cabalo -
      I've installed Reaver on my backtrack. The exploit is there.
      I guess these news aren't so fresh after all.
    1. Quarterquack's Avatar
      Quarterquack -
      Tomato or bust.
    1. MikeB's Avatar
      MikeB -
      switched to wpa as soon as I heard that wep isn't entirely secure.
    1. johhny's Avatar
      johhny -
      Reaver v1.4 is out!!!!!!!

      New features, faster attacks, bug fixes.
    1. Cabalo's Avatar
      Cabalo -
      Quote Originally Posted by MikeB View Post
      switched to wpa as soon as I heard that wep isn't entirely secure.
      A WEP key can be cracked almost instantaneously with modern penetration testing solutions.
    1. mjmacky's Avatar
      mjmacky -
      Quote Originally Posted by Cabalo View Post
      Quote Originally Posted by MikeB View Post
      switched to wpa as soon as I heard that wep isn't entirely secure.
      A WEP key can be cracked almost instantaneously with modern penetration testing solutions.
      Not to mention most WEP keys were usually just 10 digit phone numbers of the place hosting the WiFi, home or business. Most aren't familiar with hexadecimal so they just resort to numbers, and phone numbers (with area code) are the most common 10 digit numbers. Through that practice, it should be no surprise that WPA keys for businesses tend to follow the same trend when switched.
    1. rhemux's Avatar
      rhemux -
      So..what´s the best way to protect a wifi connection?