WiFi WPS vulnerability: disable it, or else


When it comes to someone breaking into a wireless network with a WPS-enabled router (WiFi Protected Setup) for those of you in the know, it’s not a matter of if someone will break in, but when. Some might think that your wireless network would be uninteresting to an outside threat, but then again, you didn’t know me.

Over my lifetime, I had broken into hundreds of “uninteresting” wireless networks just because I could. As a former black hat hacker, I came to understand that if I couldn’t break into a target network remotely, as long as the target wasn’t too far from me, wireless penetration always proved to be an efficient attack vector simply because the attacks were too easy. That’s because it seems standard wireless security is flawed by design.

This is how I managed to hack into wireless cameras owned by the city and the home computer systems belonging to military personnel. I even attempted to break into an International security and aerospace corporation simply for the sake of satisfying my curiosity.

This is because wireless security is far weaker than physical security or even most network security. You can have a network fortress, but weak wireless security management is a recipe for trouble.

Connecting to a wireless network means the possibility of performing lateral movement across network devices, gathering information, intercepting network traffic, and, even worse, DNS cache poisoning attacks, also known as DNS spoofing, which are very difficult to detect.

This can occur when an attacker takes advantage of a vulnerability within the domain name system (DNS), which can allow them to redirect traffic away from a legitimate domain such as Twitter or Facebook and send the victim to a spoofed version of those sites for the purpose of stealing their credentials, or worse.

DNS spoofing, also referred to as DNS cache poisoning, is a form of computer security hacking in which corrupt Domain Name System data is introduced into the DNS resolver's cache, causing the name server to return an incorrect result record, e.g., an IP address.

All of these and far more intrusive attacks can be made possible if you trade security for convenience by allowing WSP to remain enabled on your wireless router – even your wireless printer.

WPS at a glance

WPS is a feature built into many routers and peripheral devices, such as printers. It lets users make wireless connections more easily without having to know the password to the wireless router. WPS-enabled routers, printers, cameras, wireless range extenders, wireless access points, smart home devices, and so on.

On wireless routers, the WSP button is typically found on the exterior of the router. With a simple push of the button, you can connect devices directly to the wireless network without needing to know, share, or enter the wireless password manually.

Once the WPS button is pressed, the device and the router exchange information securely, and then the connection is made. Newer routers may offer the option to disable WPS or even have it disabled by default due to its inherent exploitability. It’s important to note that in this context, the term “secure” is subjective.

During the WPS setup process, a temporary session key known as the “Pairwise Master Key” (PMK) is exchanged between the wireless router and the device wanting to connect to the network. However, since WPS uses a completely fallible PIN-based authentication, it's susceptible to brute force attacks.

And it doesn’t take long.

Cracking WPS Pins

Like I said before, it doesn’t take long. Sometimes, it only takes a few seconds – other times, it takes a couple of hours. Let me break it down, and you’ll see why this network security standard is arguably the equivalent of having almost no security at all due to its crackable nature.

Firstly, WPS uses an 8-digit PIN. This means that it could produce a total sum of 100,000,000 possible numerical combinations. Without exploiting the weakness in WPS, cracking it would be impractical, which are pretty awful odds of a brute force attack actually cracking the PIN. An attacker would have to hijack a CRAY-2 mainframe running a clock cycle time of 4.1 nanoseconds just to make those odds turn around in their favor.

Let’s examine how long it would take to brute force only 1 PIN per second. That would take approximately 1,157 days, give or take. But here’s where things get interesting. The 8th digit in the PIN doesn't function as part of the PIN itself; rather, it serves as a checksum for the preceding seven digits.

This reduces the potential combinations from 100,000,000 to 10,000,000, resulting in a significant drop in the time the brute force attack would take. With major adjustments, it would take somewhere around 115.7 days to attempt all potential combinations or 57.8 days to try 50%, given a rate of 1 PIN per second.

Not bad, but it's still unrealistic because hackers need constant stimulation, and too much can go wrong by letting a computer run continuously for 58 days without a crash or power outage. Let’s break this attack down further.

Dividing eight digits into two halves

The PIN number, when submitted for verification, undergoes a process where it’s split into two segments. Now, we’re only working with two halves of 4 digits each. Here is where the vulnerability occurs because by reducing the 7-digit crackable PIN to 4 digits, the total sum of possible combinations is greatly reduced to only 10,000 for the first half. Cracking it at 1 PIN per second means the task should only take around 2.7 hours.

Remember that the 8th digit in the PIN exists as a checksum value? This means we’re only focusing on three digits now, which reduces the number of combinations significantly to 1,000 possible combinations, which would take around 15 minutes to break, which makes WPS an extremely weak security protocol for convenient wireless connections.

Easy crackability through autonomy

Because of the easy accessibility to autonomous wireless penetration tools, threat actors can make short work of wireless networks with or without WPS. Some Linux-based WiFi hacking tools such as Wifite, Airgeddon, and Fern require almost no user input in order to launch complicated wireless attacks that use a variety of backend tools, simplifying the process so that even a child could launch.

Every popular penetration-testing Linux distribution comes pre-installed with wireless hacking capabilities. This means the ability to launch these attacks is already in the hands of hundreds of thousands of hackers. So before you write off that your wireless network is “uninteresting” and nobody is going to take the time to try to break in and poke around, think again.

Also, WPA-PSK and WPA2-PSK pose their own security challenges since they depend exclusively on the complexity of the user’s password – and we all know how cumbersome it is to remember complicated passwords. Because of good old-fashioned human nature, people tend to choose passwords they will remember, which typically consist of a word, phrase, and number combination like a year or date.

Yes, these can also be cracked with relative ease. These security issues can be completely avoided by sanitizing those guessable passwords with alpha-numerical passwords containing capital and lowercase letters and special characters. You can take that to the bank and cash it.


More from Cybernews:

AT&T confirms 70M+ dataset was leaked on hacker forum – yet again

Microsoft, OpenAI plan data center and ‘Stargate’ supercomputer

Palmsy: a social media app with only fake followers

Darcula phishing: iPhone users targeted via iMessage

Cybercriminals selling new tool weaponizing Raspberry Pi 

Subscribe to our newsletter



Leave a Reply

Your email address will not be published. Required fields are markedmarked