Vulnerability in Wi-Fi Routers Disclosed

Jay Decenella, IT audit expert
January 03, 2012

Users who received Wi-Fi routers as gifts last Christmas might want to think twice before enabling the encryption built into most commercial devices, as security researchers have discovered a subtle vulnerability in that practice.

Researchers have found that “Wi-Fi Protected Setup” (WPS), a technology the wireless industry introduced to ease the security set-up of modern routers, can be defeated by a newly released tool that exploits the design itself, bypassing the protection WPS is meant to configure and leaving users open to a wide array of attacks.

WPS is a feature built into most Wi-Fi routers that lets a shorter passphrase be entered, making security set-up easier. But according to Cameron Camp, a security researcher at ESET, this also “allows brute-force attacks to be much easier, since fewer characters would be required to crack.”

Research shows that routers with WPS are prone to a hacking technique known as ‘brute-force attack,’ in which the hacker can “try thousands of combinations in rapid succession until he happens on the correct 8-digit PIN that allows authentication to the device,” according to security blogger Brian Krebs.

Krebs explained: “Setting up a home wireless network to use encryption traditionally involved navigating a confusing array of Web-based menus, selecting from a jumble of geeky-sounding and ill-explained encryption options (WEP, WPA, WPA2, TKIP, AES), and then repeating many of those procedures on the various wireless devices the user wants to connect to the network. To make matters worse, many wireless routers come with little or no instructions on how to set up encryption.

“Enter WPS. Wireless routers with WPS built-in ship with a personal identification number (PIN – usually 8 digits) printed on them. Using WPS, the user can enable strong encryption for the wireless network simply by pushing a button on the router and then entering the PIN in a network setup wizard designed to interact with the router.”

Although the PIN consists of eight digits (100,000,000 possible combinations), Sophos’s Chester Wisniewski said “the last digit is just a checksum, which takes us down to 10^7 (10,000,000) combinations.”

“Worse yet, the protocol is designed where the first half and second half are sent separately and the protocol will confirm if only one half is correct,” he said, adding that the “difficulty of brute forcing the PIN” is then reduced to 10^4 (10,000) plus 10^3 (1,000), or 11,000 possibilities.

The WPS vulnerability was first reported by security researcher Stefan Viehböck, who published his findings shortly before the end of 2011. The issue was discovered by Craig Heffner, whose team has now released the tool “Reaver” to prove the claim. Heffner noted that once the hacker cracks the WPS PIN, he can recover the router’s encryption passphrase even if the owner has changed it.

“As all of the more recent router models come with WPS enabled by default, this affects millions of devices worldwide,” said Viehböck.

He said this concern has been forwarded to CERT/CC, which assigned VU#723755 to the issue.

On the other hand, Krebs said “one way to protect against such automated attacks is to disallow authentication for a specified amount of time after a certain number of unsuccessful attempts.”

Krebs noted that “some wireless access point makers implemented such an approach,” based on the accounts of Viehböck. However, “most of the vendors did so in ways that make brute-force attacks slower, but still feasible.”
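The arithmetic behind Wisniewski’s 11,000 figure, and the reason a lockout that merely slows guessing is not enough, can be checked directly. The following is an added example written for this article, not code from Krebs, Wisniewski, Viehböck or the Reaver project; the attempt rate and the lockout policy it models are constructed assumptions, and the search-space functions only restate the PIN structure the article describes (eight digits, one checksum digit, halves confirmed separately).

```python
"""Search-space and lockout arithmetic for the WPS PIN weakness.

Added example, not from the article. The three search-space functions encode
the PIN structure the article describes; the lockout model and the rates fed
into it are constructed assumptions used to compare mitigations.
"""
from dataclasses import dataclass
from typing import Optional

PIN_LENGTH = 8          # a WPS PIN is eight decimal digits
CHECKSUM_DIGITS = 1     # the last digit is a checksum, not a free choice
FIRST_HALF = 4          # digits confirmed by the first protocol exchange
SECOND_HALF = PIN_LENGTH - FIRST_HALF   # remaining digits, checksum included


def naive_space() -> int:
    """Combinations if all eight digits were free: 10^8."""
    return 10 ** PIN_LENGTH


def checksum_reduced_space() -> int:
    """Combinations once the checksum digit is discounted: 10^7."""
    return 10 ** (PIN_LENGTH - CHECKSUM_DIGITS)


def split_space() -> int:
    """Worst-case guesses when the protocol confirms each half on its own.

    Because each half is confirmed separately, the two searches are
    independent and their sizes add rather than multiply: 10^4 + 10^3.
    """
    return 10 ** FIRST_HALF + 10 ** (SECOND_HALF - CHECKSUM_DIGITS)


@dataclass(frozen=True)
class LockoutPolicy:
    """Refuse authentication for lockout_seconds after max_failures failures."""
    max_failures: int
    lockout_seconds: float


def worst_case_seconds(attempts: int, seconds_per_attempt: float,
                       policy: Optional[LockoutPolicy] = None) -> float:
    """Time to exhaust `attempts` guesses, with the last guess succeeding.

    Every guess costs seconds_per_attempt. With a policy, every block of
    max_failures failed guesses additionally costs one lockout period.
    """
    active = attempts * seconds_per_attempt
    if policy is None or policy.max_failures <= 0:
        return active
    failures = attempts - 1                      # only the final guess succeeds
    lockouts = failures // policy.max_failures   # completed failure blocks
    return active + lockouts * policy.lockout_seconds


def days(seconds: float) -> float:
    return seconds / 86400.0


if __name__ == "__main__":
    # Constructed assumption: one guess every 1.5 s with no lockout at all.
    per_attempt = 1.5
    guesses = split_space()
    print(f"naive space:            {naive_space():>12,}")
    print(f"after checksum:         {checksum_reduced_space():>12,}")
    print(f"halves confirmed apart: {guesses:>12,}")
    print(f"no lockout:             {days(worst_case_seconds(guesses, per_attempt)):.2f} days")
    # Constructed assumption: a vendor lockout of 60 s after 3 failures.
    slow = LockoutPolicy(max_failures=3, lockout_seconds=60)
    print(f"60 s after 3 failures:  {days(worst_case_seconds(guesses, per_attempt, slow)):.2f} days")
    # A much longer lockout pushes the worst case past a year; constructed value.
    strict = LockoutPolicy(max_failures=3, lockout_seconds=3600)
    print(f"1 h after 3 failures:   {days(worst_case_seconds(guesses, per_attempt, strict)):.1f} days")
```

Run as a script, the output shows why the article calls the vendors’ lockouts “slower, but still feasible”: with the halves confirmed separately the exhaustive search is only 11,000 guesses, so a 60-second lockout after every three failures adds a few days, whereas the same policy against the 10^7 space would add years. Disabling WPS removes the exchange entirely, which is why the article treats it as the primary fix.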

Although blocking this attack may be as easy as disabling the WPS feature on the router, Krebs said this may not apply in all cases.

Krebs cited an advisory released on Dec. 27 by the U.S. Computer Emergency Readiness Team (US-CERT), warning that “an attacker within range of the wireless access point may be able to brute force the WPS PIN and retrieve the password for the wireless network, change the configuration of the access point, or cause a denial of service.”

The advisory notes that products from vendors including Belkin, Buffalo, D-Link, Linksys, Netgear, TP-Link and ZyXel can be affected.

What’s worse, these router makers have not issued firmware updates to address the weakness.

Camp, meanwhile, offered another way to address the issue:

“WPA2 still remains a much more secure way to protect your home network than older methods, and it’s pretty simple to use.

“WPA2 toughens the encryption used on the traffic from your computer to the router. This makes it much more difficult for bad actors to intercept and trick your internet traffic into going places other than where you intend. If you have the choice, this is definitely an improvement over WEP, so use this at a minimum, preferably WPA2 if you have the option.

“If scammers go looking for networks to crack and they see WPA2 in place on your router, chances are they’ll look elsewhere, like to your neighbor’s router that has no protection at all.”

He concluded: “There’s no such thing as perfect security, it’s a game of cat-and-mouse. Exploits will always be a nuisance for network security folks, and the Reaver tool shows that network designers still have their work cut out for them to keep patches current.”
