In the last few days I’ve been following this vulnerability with interest, and boy- it’s been fun!

What is WPS?

Wi-Fi protected set-up (WPS) was designed to ease the task of joining clients to a wireless network. The user simply types an 8 digit numeric pin, which transparently gives the user the WPA/WPA2 PSK and allows them to join the wireless network. So far so good.

So what is the exploit and how big a deal is it?

Currently WPA/WPA2 exploits are long winded and typically involve testing the PSK against large dictionaries, which takes a huge amount of computing resources and time. On top of that, more often then not they’re unsuccessful.

Stefan Viehböck discovered a vulnerability in WPS which allows its PIN to be discovered much quicker than brute forcing the PSK, which in turn exposes the WPA/WPA2 PSK. The exploit is explained in detail in a document here but here’s a quick break down of why it’s so fast.

There are 8 digits in the pin, the 8th being a checksum of digits 1-7. So with 7 digits left, it then gets interesting: during a WPS negotiation attempt, the system acknowledges when the first 4 digits of the PIN are correct. So we try up to 10^4 keys first, then 10^3 keys plus the checksum. There are around 11,000 keys/PINs to be attempted, but because of how the exploit works, searching half of the key space first, on average the number of keys that are probably tried before the right one is found is around half that. That small number means the key space can be tested in a relatively small amount of time, typically somewhere between 4 and 10 hours.

WPS is enabled on a lot of Wi-Fi access points by default, especially on Wi-Fi-equipped modem routers issued by ISPs. Some routers will actively block multiple attempts, or slow down requests- a spreadsheet of tried and tested devices can be found here.

The obvious solution is to disable WPS, if you can, but on a larger scale newer firmware will need to be deployed to completely mitigate the flaw. That’s something that will take time, and something that’s hard to communicate with the general public, so I foresee a lot of WPS-enabled APs in circulation for some time.

How to perform the exploit

There are a couple of valuable tools that can use the exploit that are available for pentesting your current AP infrastructure; it’s especially worth doing so if you’re unable to turn WPS off. The tools are very easy to use, and please note I don’t advocate performing this on anything but your own environment.

Pre-reqs
Linux distro of choice (Backtrack 5R1)
Supported Wireless Card (Realtek RTL8187L)
Reaver (http://code.google.com/p/reaver-wps/) or wpscrack.py (http://sviehb.wordpress.com/2011/12/27/wi-fi-protected-setup-pin-brute-force-vulnerability/), I’ve focused on Reaver.

wget http://reaver-wps.googlecode.com/files/reaver-1.3.tar.gz
tar -xvf reaver-1.3.tar.gz
cd reaver-1.3/src
./configure
make
make install

##Make sure your wireless card is detected
ifconfig
##Put the wireless card into monitor mode
airmon-ng start wlan0
##Show Wireless networks with strength and more importantly the BSSID needed for Reaver
airodump-ng mon0

reaver -i mon0 -b BSSID 

…and off it goes. There are currently some bugs that are being ironed out and as mentioned earlier some APs will throttle or simply lock out multiple requests.

As you can quite clearly see this is extremely easy to perform and potentially exposes a large security flaw in any WPA/WPA2-protected network with WPS enabled. I’ve run Reaver against two of my spare APs and it’s been successful both times with a completion time of around 6 hours. The tools can be used for pentesting using exploit, but in the wrong hands the tools provide a ridiculously easy method for anyone to gain unauthorised access, if your AP infrastructure is vulnerable. If WPS-protected Wi-Fi networks you administer are vulnerable, take steps to protect them.