E02 – Wi-Fi Protected Setup, Battered or Broken?
In episode 02 of the show, Andrew vonNagy hosts and welcomes guests Matthew Gast from Aerohive and Dan Cybulskie from Simply Wi-Fi to the show to talk about the recently announced Wi-Fi Protected Setup vulnerability. Matthew brings Wi-Fi expertise to the show through his work at Aerohive, his participation in the IEEE 802.11 standard, and his role as acting task chair for Wi-Fi Alliance security task groups. Dan brings extensive Wi-Fi security knowledge and has performed quite a bit of research into the WPS vulnerability since the announcement.
First, we discuss the background of Wi-Fi Protected Setup (WPS) – yet another acronym to remember and/or confuse with so many others – and its creation to “ease” security setup for non-technical users, typically in the consumer market. We make the distinction that WPS is not the same as WPA/WPA2 and that Wi-Fi security through use of those protocols is definitely not compromised by this vulnerability. Furthermore, WPS supports various methods of setup, including PIN and Push-Button Configuration, with the PIN mode being the only one affected by the vulnerability.
Matthew brings up a great point: although this is a protocol design flaw, proper vendor implementations can make the attack much harder to execute. Because it is a brute-force attack, implementing a lockout or timeout after consecutive failed PIN attempts slows the attack down.
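To make the lockout point concrete, here is a small simulation (an added example, not code from the podcast or from any vendor's firmware). The registrar model, the candidate PIN list and the timings are all constructed assumptions chosen to show what a lockout-after-N-failures policy does to the time an exhaustive search takes; they are not measurements of any real device.

```python
"""Model of how a registrar-side lockout slows a PIN brute-force search.

Added example (not from the podcast or any vendor firmware). The registrar,
the candidate list and the timings below are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Registrar:
    """Minimal model of a WPS registrar that checks PIN attempts.

    lockout_after: consecutive failures that trigger a lockout
                   (None disables the lockout, i.e. a naive implementation).
    lockout_seconds: how long attempts are refused once locked.
    """
    pin: str
    lockout_after: Optional[int] = None
    lockout_seconds: float = 0.0
    _failures: int = field(default=0, init=False)
    _locked_until: float = field(default=0.0, init=False)

    def attempt(self, candidate: str, now: float) -> str:
        """Return 'locked', 'fail' or 'ok' for an attempt made at time `now`."""
        if now < self._locked_until:
            return "locked"
        if candidate == self.pin:
            self._failures = 0
            return "ok"
        self._failures += 1
        if self.lockout_after is not None and self._failures >= self.lockout_after:
            self._locked_until = now + self.lockout_seconds
            self._failures = 0
        return "fail"

    def locked_until(self) -> float:
        return self._locked_until


def simulate_search(registrar: Registrar, candidates: List[str],
                    attempt_seconds: float = 1.0) -> Optional[float]:
    """Try every candidate in order against the registrar on a simulated clock.

    A searcher that respects the lockout simply waits it out, so each attempt
    starts at max(now, locked_until). Returns the simulated time at which the
    correct PIN was accepted, or None if it was not in the candidate list.
    """
    now = 0.0
    for candidate in candidates:
        now = max(now, registrar.locked_until())
        now += attempt_seconds            # the protocol exchange itself takes time
        if registrar.attempt(candidate, now) == "ok":
            return now
    return None


def worst_case_seconds(space: int, attempt_seconds: float,
                       lockout_after: Optional[int], lockout_seconds: float) -> float:
    """Closed form for the simulation when the correct PIN is the last candidate."""
    total = space * attempt_seconds
    if lockout_after:
        total += ((space - 1) // lockout_after) * lockout_seconds
    return total


def demo() -> dict:
    """Compare a naive registrar with one that locks out for 60 s after 3 failures."""
    # Constructed candidate space: 1000 PIN strings, correct one last (worst case).
    candidates = [f"{i:08d}" for i in range(1000)]
    correct = candidates[-1]
    naive = Registrar(correct)
    hardened = Registrar(correct, lockout_after=3, lockout_seconds=60.0)
    return {
        "naive": simulate_search(naive, candidates),
        "hardened": simulate_search(hardened, candidates),
    }


if __name__ == "__main__":
    print(demo())
```

With these assumed numbers the naive registrar is exhausted in 1000 simulated seconds, while the one that locks out for a minute after three failures takes about 21 times longer; the closed form in `worst_case_seconds` shows that the lockout term, not the per-attempt cost, dominates as the policy gets stricter. A real vendor lockout also has to survive reboots and not be resettable by the same station that triggered it, which this toy model does not address.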
Next, we dig into the WPS vulnerability details:
- Independently discovered by two parties: Stefan Viehbock and Tactical Network Solutions
- Does NOT affect WPA/WPA2 enterprise (802.1X) or personal (PSK)
- Only the WPS PIN mode is affected
- Root cause is due to poor protocol design, which is something the Wi-Fi industry is familiar with because of WEP’s well-documented issues
- This is an “active” attack, meaning the attacker must send and receive frames to the target. It cannot be exploited passively.
- All WPS capable routers are affected
- Some vendor implementations reduce attack effectiveness due to the use of a lockout feature after failed attempts
- Static PINs (printed on the equipment) are generally more susceptible because WPS is typically “always-on”. Equipment with user-configurable PINs typically requires WPS setup to be activated every time it needs to be used, and is less susceptible.
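Whether an AP advertises WPS at all is visible in the air: WPS-capable APs carry a vendor-specific information element (OUI 00:50:F2, type 4) in their beacons and probe responses. The decoder below is an added example, not code from the podcast or from any vendor, and the beacon IE it decodes is constructed here rather than captured from a real device. It walks the element's TLV attributes with bounds checking and reports the facts a defender wants when auditing a router: WPS state, whether the AP Setup Locked flag is set, the advertised device password type and the configuration methods.

```python
"""Decode the WPS (WSC) information element an access point advertises.

Added example (not from the podcast or any vendor). Attribute IDs are the
subset of the WSC specification needed here; the sample IE is constructed.
"""
import struct
from typing import Any, Dict, List, Tuple

WSC_OUI_TYPE = b"\x00\x50\xf2\x04"   # OUI 00:50:F2 + WSC OUI type 4

ATTR_VERSION = 0x104A
ATTR_WPS_STATE = 0x1044
ATTR_AP_SETUP_LOCKED = 0x1057
ATTR_SELECTED_REG = 0x1041
ATTR_DEV_PASSWORD_ID = 0x1012
ATTR_CONFIG_METHODS = 0x1008
ATTR_MANUFACTURER = 0x1021
ATTR_MODEL_NAME = 0x1023
ATTR_DEVICE_NAME = 0x1011

WPS_STATE = {1: "not configured", 2: "configured"}
DEV_PASSWORD_ID = {0: "Default (PIN)", 1: "User-specified", 2: "Machine-specified",
                   3: "Rekey", 4: "PushButton", 5: "Registrar-specified"}
CONFIG_METHOD_BITS = {0x0004: "Label", 0x0008: "Display",
                      0x0080: "PushButton", 0x0100: "Keypad"}


def parse_wsc_ie(ie: bytes) -> Dict[int, bytes]:
    """Walk the TLV attributes of one WSC IE (element ID 0xDD onward).

    Raises ValueError on anything that is not a well-formed WSC IE, including
    an attribute whose declared length runs past the end of the element.
    """
    if len(ie) < 2 or ie[0] != 0xDD:
        raise ValueError("not a vendor-specific IE")
    length = ie[1]
    body = ie[2:2 + length]
    if len(body) != length or not body.startswith(WSC_OUI_TYPE):
        raise ValueError("truncated IE or not a WSC IE")
    attrs: Dict[int, bytes] = {}
    pos = len(WSC_OUI_TYPE)
    while pos < len(body):
        if pos + 4 > len(body):
            raise ValueError("truncated attribute header")
        attr_id, attr_len = struct.unpack_from(">HH", body, pos)
        pos += 4
        if pos + attr_len > len(body):
            raise ValueError(f"attribute 0x{attr_id:04x} overruns IE")
        attrs[attr_id] = body[pos:pos + attr_len]
        pos += attr_len
    return attrs


def describe(attrs: Dict[int, bytes]) -> Dict[str, Any]:
    """Turn raw attributes into the facts a defender cares about."""
    out: Dict[str, Any] = {"wps_advertised": True}
    if ATTR_WPS_STATE in attrs:
        out["state"] = WPS_STATE.get(attrs[ATTR_WPS_STATE][0], "unknown")
    out["ap_setup_locked"] = bool(attrs.get(ATTR_AP_SETUP_LOCKED, b"\x00")[0])
    out["selected_registrar"] = bool(attrs.get(ATTR_SELECTED_REG, b"\x00")[0])
    if ATTR_DEV_PASSWORD_ID in attrs:
        pwd_id = struct.unpack(">H", attrs[ATTR_DEV_PASSWORD_ID])[0]
        out["device_password_id"] = DEV_PASSWORD_ID.get(pwd_id, f"0x{pwd_id:04x}")
    if ATTR_CONFIG_METHODS in attrs:
        mask = struct.unpack(">H", attrs[ATTR_CONFIG_METHODS])[0]
        out["config_methods"] = [n for bit, n in CONFIG_METHOD_BITS.items() if mask & bit]
    for attr_id, key in ((ATTR_MANUFACTURER, "manufacturer"),
                         (ATTR_MODEL_NAME, "model"), (ATTR_DEVICE_NAME, "device_name")):
        if attr_id in attrs:
            out[key] = attrs[attr_id].decode("utf-8", errors="replace")
    return out


def build_wsc_ie(attrs: List[Tuple[int, bytes]]) -> bytes:
    """Assemble a WSC IE from (attribute id, value) pairs; used only for the sample."""
    body = WSC_OUI_TYPE + b"".join(struct.pack(">HH", a, len(v)) + v for a, v in attrs)
    return bytes([0xDD, len(body)]) + body


# Constructed sample: a configured consumer AP advertising PIN (Label) and PBC.
SAMPLE_IE = build_wsc_ie([
    (ATTR_VERSION, b"\x10"),
    (ATTR_WPS_STATE, b"\x02"),
    (ATTR_AP_SETUP_LOCKED, b"\x00"),
    (ATTR_SELECTED_REG, b"\x00"),
    (ATTR_DEV_PASSWORD_ID, b"\x00\x00"),
    (ATTR_CONFIG_METHODS, b"\x00\x84"),
    (ATTR_MANUFACTURER, b"ExampleCo"),
    (ATTR_MODEL_NAME, b"HomeRouter-1"),
])


def inspect_sample() -> Dict[str, Any]:
    """Decode the constructed sample IE."""
    return describe(parse_wsc_ie(SAMPLE_IE))


if __name__ == "__main__":
    print(inspect_sample())
```

For a real audit, feed `parse_wsc_ie` the 0xDD element from a beacon captured with a packet-capture tool; an AP that shows no WSC IE at all is the outcome you want after following the mitigation steps, and one that still advertises a "Label" configuration method is announcing a static, printed PIN.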
Then we discuss the impact to consumers, SMBs, and enterprises:
- Consumer and some SMB equipment is vulnerable. No enterprise equipment has been found that supports WPS.
- Enterprises should still be mildly concerned due to rogue APs and home VPNs connecting back into the corporate network.
- Apple’s product focus on good user experience actually serves as a security benefit in this case, because they didn’t need to implement WPS.
- Client devices are technically vulnerable too, but none of the show participants think it’s much of an attack vector and are not too concerned.
- Vulnerability was discovered over 1 year ago by Tactical Network Solutions, which is why their Reaver attack tool was promptly available after the U.S. CERT announcement.
- An exploit is in the wild… home users need to take action NOW by researching their router to see if it’s vulnerable.
Mitigation Steps:
- Turn off WPS, if possible. Some equipment does not allow it to be disabled.
- Watch for firmware updates from the vendor. However, given consumer manufacturers' historical lack of support and upgrades for existing products, it’s probably best to buy a new router that does not support WPS or allows WPS to be disabled.
- Switch to open-source firmware, such as DD-WRT. However, this requires more technical knowledge than many home users have.
- SMBs should consider implementing 802.1X security with WPA2-Enterprise, and buying enterprise-class equipment.
Ultimately, responsibility to fix the vulnerability lies with both the Wi-Fi Alliance and vendors. The WFA needs to fix the protocol and vendors need to implement strong brute-force attack protection mechanisms.
Links to show resources:
- Wi-Fi Alliance page on Wi-Fi Protected Setup
- Wi-Fi Alliance database on WPS certified equipment (use this to research your router)
- U.S. CERT Vulnerability Note on WPS
- Stefan Viehbock’s blog post on the WPS vulnerability
- Tactical Network Solutions’ post on the WPS vulnerability and the Reaver tool
- Ars Technica article on the WPS vulnerability
- Dan Kaminsky’s blog post on observed WPS support through wardriving
- Dan Cybulskie’s blog posts on this issue:
- WPS Brute Force Thoughts and Video
- Is My Wireless Router Running WPS
- Reaver, What Does It Look Like In the Air
- Matthew Gast’s blog on what you need to know about the WPS attack
- SmallNetBuilder article with vendor responses
We would love to hear your feedback on today’s show; please leave comments in the show notes and follow us on Twitter at @NSAShow.
3 Comments
If the WPS bug is exploited, does the router offer up just the SSID and WEP/WPA/WPA2 password, or, does it also provide the password for logging in to the router itself?
Thanks.
Hi Michael,
Yes, the router sends the SSID and pre-shared key information to the client. It does not, to my knowledge, provide access information to administer the router.
Andrew
Thanks Andrew.
Some articles said that an attacker can re-configure the router, but it wasn’t clear what they meant. Of course a router with the default password would be vulnerable to a bad guy that gets on someone’s network, but if the router password is changed, the victim should be safe – I guess.