CERT Warns That Wi-Fi Routers Maybe Not Be So Protected
December 29, 2011

CERT Warns That Wi-Fi Routers Maybe Not Be So Protected

The US Computer Emergency Readiness Team (CERT) is warning that many Wi-Fi routers utilizing a popular protocol have a major security flaw.

The Wi-Fi Protected Set-up (WPS) protocol is designed to simplify the set-up process for home networks by allowing users to type in a shortened PIN instead of a longer password when adding a new device to a secure network.

Security researcher Stefan Viehbock, who uncovered the issue and reported it to CERT, said he found the potential security flaw after deciding to look at the WPS technology. “I noticed a few really bad design decisions which enable an efficient brute force attack, thus effectively breaking the security of pretty much all WPS-enabled Wi-Fi routers,” he told Emma Woollacott of TG Daily.

“As all of the more recent router models come with WPS enabled by default, this affects millions of devices worldwide,” he added.

Using a specific technique, Viehbock was able to access a WPS PIN-protected network in as little as two hours. The design flaw, Viehbock said, allows the WPS protocol´s 8-digit PIN security to fall dramatically as additional attempts are made to gain access. With each attempt, the router will send a message stating whether the first four digits are correct while the last digit of the key is used as a checksum and then given out by the router in negotiation. The result significantly reduces the 100 million possible WPS combinations down to around 11,000.

The key issue is that entering a wrong PIN returns information that could be useful to a hacker.

“When the PIN authentication fails the access point will send an EAP-NACK message back to the client. The EAP-NACK messages are sent in a way that an attacker is able to determine if the first half of the PIN is correct,” noted CERT.

Viehbock said he has attempted to discuss the issue with several hardware vendors including D-Link, Linksys, and Netgear, but said they have largely ignored him and no public acknowledgement on the issue has been released.

Once hackers gain access to your supposedly ℠secure network,´ they can read your emails, get your credit card passwords and more. And there currently is no fix for this, CERT acknowledged.

Viehbock said users can protect themselves by logging in to their wireless device and disabling WPS. Then they need to reset their Wi-Fi network to manually use a WPA2 with Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP) -- aka Advanced Encryption Standard (AES). Other older Wi-Fi security methods will not work, according to Viehbock.

Unfortunately, WPS was designed to be used by people with no clue about network security; those who need to implement these security fixes are the ones who least know how to. A real fix is going to need to come from hardware vendors with firmware updates. Until that is done, many home and office Wi-Fi networks are going to remain vulnerable to attack.

Viehbock has promised to release a brute force tool soon, hopefully pushing the manufacturers to work to resolve the issue.


On the Net: