PodcastsSecurity

E02 – Wi-Fi Protected Setup, Battered or Broken?

In episode 02 of the show, Andrew vonNagy hosts and welcomes guests Matthew Gast from Aerohive and Dan Cybulskie from Simply Wi-Fi to the show to talk about the recently announced Wi-Fi Protected Setup vulnerability. Matthew brings Wi-Fi expertise to the show from through his work at Aerohive, participation in the IEEE 802.11 standard, and as acting task chair for Wi-Fi Alliance security task groups. Dan brings extensive Wi-Fi security knowledge and has performed quite a bit of research into the WPS vulnerability since the announcement.

First, we discuss the background of Wi-Fi Protected Setup (WPS) – yet another acronym to remember and/or confuse with so many others – and it’s creation to “ease” security setup for non-technical users, typically in the consumer market. We make the distinction that WPS is not the same as WPA/WPA2 and that Wi-Fi security through use of those protocols is definitely not compromised by this vulnerability. Furthermore, WPS supports various methods of setup, including PIN and Push-Button Configuration, with the PIN mode the only one being affected by the vulnerability.

Matthew brings up a great point, that although this is a protocol design flaw, proper vendor implementations can make the attack much harder to execute. This is because it is a brute-force attack and implementation of user lockout / timeout feature after consecutive failed PIN attempts will slow-down the attack.

Next, we dig into the WPS vulnerability details:

  • Independently discovered by two parties: Stefan Viehbock and Tactical Network Solutions
  • Does NOT affect WPA/WPA2 enterprise (802.1X) or personal (PSK)
  • Only the WPS PIN mode is affected
  • Root cause is due to poor protocol design, which is something the Wi-Fi industry is familiar with because of WEP’s well-documented issues
  • This is an “active” attack, meaning the attacker must send and receive frames to the target. It cannot be exploited passively.
  • All WPS capable routers are affected
  • Some vendor implementations reduce attack effectiveness due to the use of a lockout feature after failed attempts
  • Static PINs (printed on the equipment) are generally more susceptible because WPS is typically “always-on”. Equipment with user-configurable PINs typically require WPS setup to be activated every time it needs to be used, and are less susceptible.

Then we discuss the impact to consumers, SMBs, and enterprises:

  • Consumer and some SMB equipment is vulnerable. No enterprise equipment has been found that supports WPS.
  • Enterprises should still be mildly concerned due to rogue APs and home VPNs connecting back into the corporate network.
  • Apple’s product focus on good user experience actually serves as a security benefit in this case, because they didn’t need to implement WPS.
  • Client devices are technically vulnerable too, but none of the show participants think it’s much of an attack vector and are not too concerned.
  • Vulnerability was discovered over 1 year ago by Tactical Network Solutions, which is why their Reaver attack tool was promptly available after the U.S. CERT announcement.
  • An exploit is in the wild… home users need to take action NOW by researching their router to see if it’s vulnerable.

Mitigation Steps:

  1. Turn off WPS, if possible. Some equipment does not allow it to be disabled.
  2. Watch for firmware updates from the vendor. However, given consumer manufacturers historical lack of support and upgrades for existing products, it’s probably best to buy a new router that does not support WPS or allows WPS to be disabled.
  3. Switch to open-source firmware, such as DD-WRT. However, this requires more technical knowledge than many home users have.
  4. SMBs should consider implementing 802.1X security with WPA2-Enterprise, and buying enterprise-class equipment.

Ultimately, responsibility to fix the vulnerability lies with both the Wi-Fi Alliance and vendors. The WFA needs to fix the protocol and vendors need to implement strong brute-force attack protection mechanisms.

Links to show resources:

We would love to hear your feedback on today’s show, please leave comments in the show notes and follow us on Twitter at @NSAShow.

Previous post

DSSS with 802.11 Prime and 802.11b

Next post

Cisco Field Notice: Wi-Fi Protected Setup PIN Brute Force Vulnerability

Andrew vonNagy

Andrew vonNagy

Technical Architect at a Fortune 50 Company CCIE #28298 CWNE #81

3 Comments

  1. January 16, 2012 at 3:15 pm — Reply

    If the WPS bug is exploited, does the router offer up just the SSID and WEP/WPA/WPA2 password, or, does it also provide the password for logging in to the router itself?

    Thanks.

    • January 16, 2012 at 4:54 pm — Reply

      Hi Michael,
      Yes, the router sends the SSID and pre-shared key information to the client. It does not to my knowledge provide access information to administer the router.

      Andrew

      • Michael
        January 16, 2012 at 5:20 pm — Reply

        Thanks Andrew.

        Some articles said that an attacker can re-configure the router, but it wasn’t clear what they meant. Of course a router with the default password would be vulnerable to a bad guy that gets on someone’s network, but if the router password is changed, the victim should be safe – I guess.

Leave a Reply