Wi-Fi Protected Setup (WPS) has been comprehensively cracked, according to security researcher Stefan Viehböck.
WPS is designed to help inexperienced users connect to and manage wireless routers and access points. It’s a common feature of many new routers and wireless devices.
All certified WPS devices include a PIN identification method, where a sticker or label on the access point or wireless device contains a unique eight-digit number to identify that device. For example, to authenticate a WPS-capable USB Wi-Fi adapter with a router, you just have to enter the adapter’s PIN in the router software, which “enrols” it with the router and automatically configures WPA2 security. Alternatively, the client device can enter the router’s PIN to authenticate it.
Some devices may include additional WPS authentication methods (like synchronised button pushes or USB flash drives), but the PIN method is the baseline method and included in all WPS-certified devices.
Normally, it would take up to 100 million authentication attempts to guess the WPS PIN of a router or access point, which is generally infeasible given that each attempt takes between 0.5 and 3 seconds. However, Viehböck showed that when an attempt at WPS PIN authentication fails, the router sends back a message that actually reveals whether half of the PIN is correct. Using this information, attackers could whittle the number of attempts required to guess a PIN down to just 11,000, something that can be brute-forced in a few hours (a maximum of four and an average of two, according to Viehböck’s tests). Several tools are already available that exploit the vulnerability.
The upshot is that if your router supports WPS, it may be vulnerable to such an attack, giving anybody who guesses the PIN full access to your local network and Internet connection. For now, there is no solution apart from turning WPS off on your router and relying on old-fashioned SSID/password identification. In time, it’s likely that new firmware releases for the various router models will fix the problem, probably by increasing lockdown periods after failed authentication attempts.
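To put numbers on why the split PIN check matters and how long a lockdown period would have to be, the following Python model is an added example, not code from Viehböck or from any router vendor. The four-digit and three-digit-plus-checksum split behind the 11,000 figure is not spelled out in the article, and the lockout policy values are constructed for illustration.

```python
import math

FULL_SPACE = 10**8            # eight free digits: the article's "100 million"
# Assumption (not stated in the article): the PIN is checked as a 4-digit half
# and a 3-digit half plus one checksum digit, so 11,000 = 10^4 + 10^3.
SPLIT_SPACE = 10**4 + 10**3


def worst_case_seconds(attempts, secs_per_attempt, lock_after=0, lock_secs=0):
    """Worst-case time to try `attempts` PINs.

    After every `lock_after` failed attempts the device refuses WPS for
    `lock_secs` seconds; lock_after=0 models a device with no lockout.
    """
    active = attempts * secs_per_attempt
    if lock_after <= 0:
        return active
    # The last attempt is the correct one, so only the failures before it count.
    lockouts = (attempts - 1) // lock_after
    return active + lockouts * lock_secs


def min_lock_secs(attempts, secs_per_attempt, lock_after, target_secs):
    """Smallest whole-second lockout that pushes the worst case to target_secs."""
    lockouts = (attempts - 1) // lock_after
    if lockouts == 0:
        return None  # the search space fits inside one lockout window
    remaining = target_secs - attempts * secs_per_attempt
    return max(0, math.ceil(remaining / lockouts))


if __name__ == "__main__":
    year = 365 * 86400
    for label, space in (("full 8-digit space", FULL_SPACE),
                         ("split check", SPLIT_SPACE)):
        fast = worst_case_seconds(space, 0.5) / 3600
        slow = worst_case_seconds(space, 3) / 3600
        print(f"{label}: {fast:,.1f} to {slow:,.1f} hours, no lockout")
    # Constructed policy: 60-second lock after every 3 failures.
    locked = worst_case_seconds(SPLIT_SPACE, 0.5, lock_after=3, lock_secs=60)
    print(f"split check, 3 failures then 60 s lock: {locked / 86400:.1f} days")
    need = min_lock_secs(SPLIT_SPACE, 0.5, 3, year)
    print(f"lock needed for a one-year worst case: {need} s per 3 failures")
```

The output shows that a short lockout only stretches the 11,000-guess search from hours to days, which is why disabling WPS remains the dependable option until firmware changes the exchange itself.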