E02 – Wi-Fi Protected Setup, Battered or Broken?

In episode 02 of the show, Andrew vonNagy hosts and welcomes guests Matthew Gast from Aerohive and Dan Cybulskie from Simply Wi-Fi to the show to talk about the recently announced Wi-Fi Protected Setup vulnerability. Matthew brings Wi-Fi expertise to the show from through his work at Aerohive, participation in the IEEE 802.11 standard, and as acting task chair for Wi-Fi Alliance security task groups. Dan brings extensive Wi-Fi security knowledge and has performed quite a bit of research into the WPS vulnerability since the announcement.

First, we discuss the background of Wi-Fi Protected Setup (WPS) – yet another acronym to remember and/or confuse with so many others – and it’s creation to “ease” security setup for non-technical users, typically in the consumer market. We make the distinction that WPS is not the same as WPA/WPA2 and that Wi-Fi security through use of those protocols is definitely not compromised by this vulnerability. Furthermore, WPS supports various methods of setup, including PIN and Push-Button Configuration, with the PIN mode the only one being affected by the vulnerability.

Matthew brings up a great point, that although this is a protocol design flaw, proper vendor implementations can make the attack much harder to execute. This is because it is a brute-force attack and implementation of user lockout / timeout feature after consecutive failed PIN attempts will slow-down the attack.

Next, we dig into the WPS vulnerability details:

• Independently discovered by two parties: Stefan Viehbock and Tactical Network Solutions
• Does NOT affect WPA/WPA2 enterprise (802.1X) or personal (PSK)
• Only the WPS PIN mode is affected
• Root cause is due to poor protocol design, which is something the Wi-Fi industry is familiar with because of WEP’s well-documented issues
• This is an “active” attack, meaning the attacker must send and receive frames to the target. It cannot be exploited passively.
• All WPS capable routers are affected
• Some vendor implementations reduce attack effectiveness due to the use of a lockout feature after failed attempts
• Static PINs (printed on the equipment) are generally more susceptible because WPS is typically “always-on”. Equipment with user-configurable PINs typically require WPS setup to be activated every time it needs to be used, and are less susceptible.

Then we discuss the impact to consumers, SMBs, and enterprises:

• Consumer and some SMB equipment is vulnerable. No enterprise equipment has been found that supports WPS.
• Enterprises should still be mildly concerned due to rogue APs and home VPNs connecting back into the corporate network.
• Apple’s product focus on good user experience actually serves as a security benefit in this case, because they didn’t need to implement WPS.
• Client devices are technically vulnerable too, but none of the show participants think it’s much of an attack vector and are not too concerned.
• Vulnerability was discovered over 1 year ago by Tactical Network Solutions, which is why their Reaver attack tool was promptly available after the U.S. CERT announcement.
• An exploit is in the wild… home users need to take action NOW by researching their router to see if it’s vulnerable.

Mitigation Steps:

1. Turn off WPS, if possible. Some equipment does not allow it to be disabled.
2. Watch for firmware updates from the vendor. However, given consumer manufacturers historical lack of support and upgrades for existing products, it’s probably best to buy a new router that does not support WPS or allows WPS to be disabled.
3. Switch to open-source firmware, such as DD-WRT. However, this requires more technical knowledge than many home users have.
4. SMBs should consider implementing 802.1X security with WPA2-Enterprise, and buying enterprise-class equipment.

Ultimately, responsibility to fix the vulnerability lies with both the Wi-Fi Alliance and vendors. The WFA needs to fix the protocol and vendors need to implement strong brute-force attack protection mechanisms.

Links to show resources:

• Wi-Fi Alliance page on Wi-Fi Protected Setup
• Wi-Fi Alliance database on WPS certified equipment (use this to research your router)
• U.S. CERT Vulnerability Note on WPS
• Stefen Viehbock’s blog post on the WPS vulnerability
• Tactical Network Solution’s post on the WPS vulnerability and the Reaver tool
• Ars Technica article on the WPS vulnerability
• Dan Kaminsky’s blog post on observed WPS support through wardriving
• Dan Cybulskie’s blog posts on this issue:
• WPS Brute Force Thoughts and Video
• Is My Wireless Router Running WPS
• Reaver, What Does It Look Like In the Air
• Matthew Gast’s blog on what you need to know about the WPS attack
• SmallNetBuilder article with vendor responses

We would love to hear your feedback on today’s show, please leave comments in the show notes and follow us on Twitter at @NSAShow.