Wi-Fi Protected Setup (WPS) PIN Brute Force Vulnerability

  • 30-12-2011 9:52pm
    #1
    Closed Accounts Posts: 2,267 ✭✭✭


    If you use or have WPS enabled, you might wanna disable it for now!

    http://isc.sans.edu/diary.html?storyid=12292&rss
    Wi-Fi Protected Setup (WPS) is a Wi-Fi Alliance specification (v1.0 - available since January 2007) designed to ease the process of securely setting up Wi-Fi devices and networks. A couple of days ago US-CERT released a new vulnerability note, VU#723755, that allows an attacker to get full access to a Wi-Fi network (such as retrieving your ultra long secret WPA2 passphrase) through a brute force attack on the WPS PIN. The vulnerability was reported by Stefan Viehböck and more details are available on the associated whitepaper. In reality, it acts as a "kind of backdoor" for Wi-Fi access points and routers.
    The researcher used a Python (Scapy-based) tool that has not been released yet, although other tools that allow testing for the vulnerability have been made public, such as Reaver. The current tests indicate that it would take about 4-10 hours for an attacker to brute force the 8 digit PIN (in reality 7 digit PIN, 4+3+1 digits).

    Looks like Eircom's Netopia 2247 & UPC's Thomson TWG870UIR have WPS disabled by default. Also it seems the Netopia one supports Enrollee only, not Registrar mode, which means the STA has to register its PIN against the AP. It does not support the AP's PIN being registered against the STA, which as far as I understand is the vulnerable/brute-forceable part. The Thomson router supports both.
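
The "4+3+1 digits" arithmetic quoted in the opening post, worked through as an added example (not code from the thread, the SANS diary or the researcher). It shows why the checksum digit and the separately confirmed halves shrink the search, and how a lock-down policy changes the worst-case time; the 1.3 s per attempt and the "3 failures, 60 s lock" policy are assumed values for illustration.

```python
# Added example: worst-case size and duration of a WPS PIN search,
# from the defender's side (how much does a lock-down policy buy?).

def wps_checksum(body: int) -> int:
    """Checksum digit the WPS spec appends to a 7-digit PIN body."""
    digits = f"{body:07d}"
    # Weights alternate 3,1,3,1,... starting from the leftmost digit.
    total = sum(int(d) * (3 if i % 2 == 0 else 1) for i, d in enumerate(digits))
    return (10 - total % 10) % 10


def worst_case_attempts(halves_confirmed_separately: bool = True) -> int:
    """Upper bound on guesses needed to cover every valid PIN."""
    if not halves_confirmed_separately:
        # 8 digits, but the last one is a checksum: 7 free digits.
        return 10 ** 7
    # The AP confirms the first 4 digits on their own, then the
    # remaining 3 free digits (the 8th is the checksum): 4 + 3 + 1.
    return 10 ** 4 + 10 ** 3


def worst_case_hours(attempts: int, secs_per_attempt: float,
                     lock_after: int = 0, lock_secs: float = 0.0) -> float:
    """Time to exhaust `attempts`, with an optional lock after N failures."""
    total = attempts * secs_per_attempt
    if lock_after > 0:
        # A lock is triggered after every full batch of failed attempts,
        # except after the final attempt.
        total += ((attempts - 1) // lock_after) * lock_secs
    return total / 3600


if __name__ == "__main__":
    n = worst_case_attempts()
    print("checksum of 1234567:", wps_checksum(1234567))
    print("guesses, halves confirmed separately:", n)
    print("guesses, PIN checked as a whole:", worst_case_attempts(False))
    # Assumed 1.3 s per attempt, close to the low end of the quoted 4-10 h.
    print("hours, no lock-down: %.1f" % worst_case_hours(n, 1.3))
    # Assumed policy: lock WPS for 60 s after every 3 failures.
    print("hours, 3 failures/60 s lock: %.1f" % worst_case_hours(n, 1.3, 3, 60))
```

Under these assumptions the lock-down stretches the worst case from about 4 hours to about 65, which slows the search without closing it; disabling WPS, as the thread advises, removes the PIN path altogether.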


Comments

  • Registered Users Posts: 8,811 ✭✭✭BaconZombie


    There was a talk at 28c3 on this a week ago.
    Videos should already be live:

    http://events.ccc.de/congress/2011/wiki/Documentation


  • Registered Users Posts: 146 ✭✭rcanpolat


    Cracking WPS with Reaver in Backtrack 5. For educational purposes only.

    http://insanitypop.com/2012/01/how-to-hack-eircom-upc-internet-wpa-wpa-2-cracking-with-reaver/


  • Registered Users Posts: 2,353 ✭✭✭Galway K9


    Well for my own security I tried Reaver on my machine and it couldn't attack my router because WPS was disabled by default, yet the article says "95 percent are vulnerable". Eircom also have WPS disabled.

    It does work tho, and successfully, with a few routers I have tested against that I plugged into my connection.

    I tried both Reaver source code and Reaver Pro (bootable GUI and WiFi card that supports packet injection).


  • Closed Accounts Posts: 2,663 ✭✭✭Cork24


    Any wireless modem is hackable.

    Even MAC filtering is hackable by means of MAC address cloning and IP spoofing.

    Do I use WiFi? Yes. Do I think it's safe? No, not even 10% safe.

    I don't even need to be on the network and I can use Wireshark to get information that's around my area. My friend has a direct line-of-sight antenna and what information he can pick up is scary!

    By learning what WiFi threats are out there, I don't buy anything over WiFi; I plug my laptop into the modem when using PayPal etc.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Cork24 wrote: »
    Do I use WiFi? Yes. Do I think it's safe? No, not even 10% safe.

    That's a bit extreme. There is a nice chance if you use WPA2, with WPS disabled (which is a common default setup with routers in the last year or two) with a long non-dictionary word (i.e. random characters), you're safe.
    Cork24 wrote: »
    I don't even need to be on the network and I can use Wireshark to get information that's around my area. My friend has a direct line-of-sight antenna and what information he can pick up is scary!

    Yeah, but only if you know their WiFi encryption mechanism and related decryption key, i.e. as with the case of WPA2, you would need to know their passphrase.


  • Closed Accounts Posts: 2,663 ✭✭✭Cork24


    I find it safer not to bank over WiFi.

    Eircom still have not fixed the issue of apps that allow people to find the person's Eircom SSID which has been shipped with

    http://s4dd.yore.ma/eircom/


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Cork24 wrote: »
    I find it safer not to bank over WiFi.

    Eircom still have not fixed the issue of apps that allow people to find the person's Eircom SSID which has been shipped with

    http://s4dd.yore.ma/eircom/

    This has nothing to do with WiFi security standards itself. This was a mess-up by Eircom and/or Netopia where the WEP key they set was generatable based on the broadcast SSID back in 2007. They later sent out a letter to its customers advising them to change their passphrase. Their routers some time later are shipped with WPA enabled and their passphrase algorithm is not embedded in the software on the set-up CD.


  • Closed Accounts Posts: 2,663 ✭✭✭Cork24


    This has nothing to do with WiFi security standards itself. This was a mess-up by Eircom and/or Netopia where the WEP key they set was generatable based on the broadcast SSID back in 2007. They later sent out a letter to its customers advising them to change their passphrase. Their routers some time later are shipped with WPA enabled and their passphrase algorithm is not embedded in the software on the set-up CD.


    Yes, everyone did get a letter to state that they would need to change their password, but as far as I know you can still use tools like the web site above to get into a network. It has nothing to do with WiFi security.

    But it does show you what type of idiots are out there that allow their algorithm to be decoded nor update their algorithm after a limited number of units made.


  • Registered Users Posts: 2 sayali26


    Hi Friends...

    A WiFi protected setup is susceptible to brute force attack. Most wireless routers come with a WPS personal identification number (PIN) printed on the device. WiFi protected setup is enabled by default on branded routers.

    Perizaad


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    That's a bit extreme. There is a nice chance if you use WPA2, with WPS disabled (which is a common default setup with routers in the last year or two) with a long non-dictionary word (i.e. random characters), you're reasonably safe.

    FYP.

    Ever use a wifi pineapple?


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    syklops wrote: »
    FYP.

    Ever use a wifi pineapple?


    Nope, looks interesting though.

