The United States Computer Emergency Readiness Team (US-CERT) sent out an alert Dec. 29 warning that the Wi-Fi Protected Setup (WPS) PIN, typically the default protection on millions of routers, is susceptible to a “brute force” vulnerability.
Brute force vulnerability is not a technical term for a new kind of attack. It simply means that a great deal of technical skill is not required on the part of an attacker to discover the PIN of an access point. In other words, it can be unlocked by brute force.
Guessing a randomly generated WPS PIN would normally require millions of attempts. However, due to a design flaw in WPS, uncovered by security researcher Stefan Viehbock, the access point confirms pieces of the PIN separately, so an attacker can verify part of the PIN before moving on instead of having to guess the whole PIN at once.
US-Cert explained in its alert to manufacturers earlier this month that “when the PIN authentication fails the access point will send an EAP-NACK (Extensible Authentication Protocol-Neg. ACKnowledge) message back to the client. The EAP-NACK messages are sent in a way that an attacker is able to determine if the first half of the PIN is correct.”
Of course, the last digit is also easily discovered, as US-CERT points out, because the last digit is a checksum digit for the PIN.
Once the PIN is known, the attacker can easily obtain the Wi-Fi network password and change the configuration of the access point or use it for a denial-of-service attack.
In its alert the US-CERT said, “we are currently unaware of a practical solution to the problem.”
Giving US-CERT the benefit of the doubt, perhaps this is why the organization notified manufacturers in early December and not the public: It needed time to verify Viehbock's finding and did not want to give potential attackers a roadmap to Wi-Fi susceptibility.
If you’re more skeptical you might think US-CERT was protecting manufacturers against a public outcry and lots of returned routers. Here’s a list of manufacturers whose products are vulnerable: Belkin, Buffalo,
US-CERT did offer a few suggestions that, while not correcting the vulnerability, could mitigate its success rate.
It suggests using WPA2 encryption with a strong password, disabling UPnP, and enabling MAC address filtering “so only trusted computers and devices can connect to the wireless network.” The only other workaround suggestion is to “disable WPS.”
In his blog Viehbock said the reason for the flaw is that “some vendors did not implement any kind of blocking mechanism to prevent brute force attacks.”
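To make the arithmetic behind the half-PIN and checksum leaks concrete, and to show why the missing blocking mechanism matters, here is an added example that is not from the article, US-CERT or Viehbock. It implements the WPS PIN check-digit rule from the Wi-Fi Simple Configuration specification (which the article does not spell out), compares worst-case guess counts with and without the oracle described above, and models the effect of a lockout after repeated failures.

```python
# Added example (not from the article, US-CERT or Viehbock): quantifies the
# WPS PIN search space. The check-digit rule is from the Wi-Fi Simple
# Configuration spec; the guess counts follow from the oracle described above.

PIN_LENGTH = 8   # WPS PINs are 8 decimal digits (WSC spec)
FIRST_HALF = 4   # digits the AP confirms separately via EAP-NACK (US-CERT)


def wps_check_digit(first_seven: str) -> int:
    """Return the 8th (checksum) digit for a 7-digit WPS PIN prefix.

    WSC rule: digits at odd positions (1st, 3rd, ...) are weighted 3,
    even positions weighted 1; the check digit brings the sum to a
    multiple of 10.
    """
    if len(first_seven) != 7 or not first_seven.isdigit():
        raise ValueError("expected exactly 7 decimal digits")
    total = sum((3 if i % 2 == 0 else 1) * int(ch)
                for i, ch in enumerate(first_seven))
    return (10 - total % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    """True if pin is 8 digits and its last digit matches the checksum."""
    return (len(pin) == PIN_LENGTH and pin.isdigit()
            and wps_check_digit(pin[:7]) == int(pin[7]))


def worst_case_guesses() -> dict:
    """Upper bound on PIN guesses under three attacker knowledge levels."""
    naive = 10 ** PIN_LENGTH                  # PIN treated as opaque
    checksum_only = 10 ** (PIN_LENGTH - 1)    # last digit is derivable
    # Half-PIN oracle: the halves are confirmed independently, and the
    # checksum fixes the final digit of the second half.
    split_oracle = 10 ** FIRST_HALF + 10 ** (PIN_LENGTH - FIRST_HALF - 1)
    return {"naive": naive, "checksum_only": checksum_only,
            "split_oracle": split_oracle}


def exhaustive_search_hours(guesses: int, seconds_per_attempt: float,
                            lockout_after: int = 0,
                            lockout_seconds: float = 0.0) -> float:
    """Hours to try every candidate. lockout_* model the blocking mechanism
    Viehbock notes some vendors omitted: the AP refuses further attempts
    for lockout_seconds after every lockout_after failures."""
    total = guesses * seconds_per_attempt
    if lockout_after > 0:
        total += (guesses // lockout_after) * lockout_seconds
    return total / 3600.0
```

Comparing `exhaustive_search_hours(worst_case_guesses()["split_oracle"], t)` with and without lockout parameters shows how a simple rate limit turns an exhaustive search from hours into weeks; the seconds-per-attempt figure is a parameter, not a measured value.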
US-CERT is the operational arm of the National Cyber Security Division (NCSD) at the Department of Homeland Security (DHS).