Anyone using a modern wireless router may want to pay attention to this article, since a major flaw has been discovered in the Wi-Fi Protected Setup (WPS) protocol that a lot of modern wireless routers have enabled by default.
Wi-Fi Protected Setup was originally intended to make it easier for end users to connect devices to their wireless routers without going through all the administration setup pages you see in a lot of wireless routers nowadays. The idea was that users would take the 8-digit WPS PIN printed on the back or bottom of the Wi-Fi router, enter that PIN into their device, and then connect to the Wi-Fi router with no hassle.
The problem with the 8-digit WPS PIN is that the router checks the first 4 digits, then checks the next 3 digits, and the last digit is a checksum digit. Cutting the PIN in half and checking each part separately has turned what was supposed to be a secure system into a not so secure one, because an 8-digit PIN is effectively broken down into a 4-digit and a 3-digit PIN, which is far easier to brute force than an 8-digit PIN would be. It turns out that, due to the way the wireless router checks the WPS PIN, a hacker could essentially brute force the 4- and 3-digit PINs in about a day or so, since he or she would only need to try 11,000 combinations, and a computer can do that in no time. On a side note, some wireless routers are supposed to time out when they receive a wrong WPS PIN, and it appears that some of the routers tested don't even do that, meaning the brute forcing would take even less time: an attacker could flood the wireless router with endless attempts and not have to worry about time outs, which could otherwise really add to the amount of time needed to brute force the WPS PINs.
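To make the numbers above concrete, here is an added example (not from the original post) that models the PIN check as described: the checksum rule is the published WPS PIN checksum, while the guess counts and the lockout parameters are a worst-case model with constructed values, not measurements from any router.

```python
# Added example: models why the WPS PIN check collapses to ~11,000 guesses
# and why a lockout between wrong attempts matters. The checksum rule is
# the Wi-Fi Protected Setup PIN checksum; the timing figures are assumptions.

def wps_checksum_digit(first_seven: str) -> int:
    """Return the 8th (checksum) digit for a 7-digit WPS PIN prefix."""
    if len(first_seven) != 7 or not first_seven.isdigit():
        raise ValueError("expected 7 digits")
    d = [int(c) for c in first_seven]
    # odd positions weighted 3, even positions weighted 1, sum must be 0 mod 10
    acc = 3 * (d[0] + d[2] + d[4] + d[6]) + (d[1] + d[3] + d[5])
    return (10 - acc % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    """True if an 8-digit PIN passes the WPS checksum (e.g. the common 12345670)."""
    return len(pin) == 8 and pin.isdigit() and wps_checksum_digit(pin[:7]) == int(pin[7])


def worst_case_guesses(split_verification: bool) -> int:
    """Guesses needed to exhaust the PIN space.

    split_verification=True models the flawed behaviour in the post: the
    router reveals whether the first 4 digits are right before the remaining
    3 are checked, and the 8th digit is derivable from the checksum, so the
    two halves are searched independently (10**4 + 10**3 = 11,000).
    False models one opaque 7-digit secret plus checksum (10**7).
    """
    return 10**4 + 10**3 if split_verification else 10**7


def hours_to_exhaust(guesses: int, seconds_per_guess: float,
                     lockout_after: int = 0, lockout_seconds: float = 0.0) -> float:
    """Worst-case wall-clock hours; lockout_after=0 models a router with no timeout.

    Every lockout_after wrong guesses the router is assumed to refuse
    attempts for lockout_seconds, which is what the post says some routers
    fail to do.
    """
    total = guesses * seconds_per_guess
    if lockout_after > 0:
        total += (guesses // lockout_after) * lockout_seconds
    return total / 3600.0
```

With the constructed figures of one guess per second and no lockout, 11,000 guesses take about three hours; adding a 60-second lockout every 10 wrong guesses pushes the same search to roughly 21 hours, which is the difference the post's "time out" remark is about.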
For me the really shocking part of this flaw is that most wireless routers only a few years old come with WPS enabled, and if it's enabled this will override a WPA2 setup with a very long password like I had in my router. I have a D-Link DGL-4500 gaming router here, and when I went into the administration setup I found that WPS was indeed enabled by default, and I quickly disabled it. Even with the WPS flaw I was probably a little safer than most, since the only time I have my Wi-Fi on is when I'm using it; for the most part I have it disabled 99% of the time.
If you happen to have a Linksys router, I have heard reports that even when you turn off WPS in the administration setup of the wireless router, WPS stays enabled despite the fact that you turned it off. If you have a Linksys router I would keep the Wi-Fi DISABLED until Linksys gets this sorted out. You may also want to head over to the Linksys web site and see whether new firmware has been released for your particular model of wireless router to fix this WPS flaw.
As mentioned above, the way to see if you have a WPS-enabled wireless router is to look for a sticker with an 8-digit WPS PIN printed on it. If you don't see the PIN printed on the wireless router, you may want to go into the administration setup on the wireless router and check whether Wi-Fi Protected Setup or WPS is mentioned anywhere in there and whether it is enabled or not.
If you're using a wireless router with custom firmware flashed onto it, you will have to go and check whether it supports WPS or not. I have heard that some of the custom firmwares like DD-WRT don't support WPS, so if you're using one of those you may be safe. The reason I say you "may be" safe is that I have also heard that some Buffalo routers running DD-WRT do in fact have WPS, so keep that in mind.
If you do have a wireless router with WPS, I would suggest going to your wireless router manufacturer's web page and checking whether they have any firmware updates for your router.
I'm not sure how actively this WPS flaw is being used by hackers since it's so new, but I do know that there are popular web sites out there with complete HOW TO articles on exploiting this WPS flaw, as well as telling users what software to use to pull it off. Hopefully the wireless router manufacturers get fixes for this flaw out quickly, or this could end up being a very big problem for people who don't know about the flaw in WPS.
In short, this WPS flaw allows hackers to get into your wireless network even if you have WEP, WPA or WPA2 enabled on your wireless router. If you have a router that is NOT wireless, this flaw does not affect you.
Here are some links to Security Now podcast episodes 335 and 337 with Leo Laporte and Steve Gibson, where they discuss this WPS flaw in a lot more detail than I have here. For those interested, here is the link to the Wikipedia article on WPS. HAK5 has also done a podcast with Craig Heffner, author of Reaver, which is one of the software tools used to exploit the WPS flaw.