Brute Force Attack On WiFi Protected Setup Only Takes 4 Hours


If you’ve purchased a wireless router in the last three or four years, there’s a good chance that it comes with support for Wi-Fi Protected Setup (WPS). This is supposed to make it easy for non-techies to get connected, but it is apparently making it easier for hackers to force their way onto your wireless network too.

As you know, WPS can work two different ways. First, there is that button. You push the WPS button on your router, push the WPS button on your wireless device (printer, laptop, etc.) and they automagically recognize each other to give you network access. There isn’t any problem with this method.

The security flaw that has now been revealed has to do with the second method: PIN. The PIN for WPS is supposed to be an eight-digit random number that is predefined by the manufacturer. As such, there are 100 million variations. A brute force attack would just take too long.

However, there is a flaw in how the PIN is verified. When you enter an incorrect PIN on the wireless device, the router sends a reply saying it’s wrong. But that’s not all the reply indicates. It also reveals whether the first half or the second half of the PIN is correct, so each four-digit half can be guessed on its own. What’s more, the final digit is a checksum of the other seven digits, which leaves only three unknown digits in the second half. Working this all out (10,000 possibilities for the first half plus 1,000 for the second), a brute force attack can take only 11,000 attempts. That’s a 9000-fold difference. In effect, a brute force PIN attack on a WPS router can take less than four hours.
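The arithmetic behind the 11,000 figure, as an added example that is not from the original article: an in-memory model of a verifier that reports each PIN half separately, using the standard WPS checksum. The `SplitVerifier` class, the function names and the sample PINs are constructed for illustration.

```python
# Added illustration: in-memory model only, no network or radio code.

def wps_checksum(first7: int) -> int:
    """Eighth PIN digit, derived from the other seven (standard WPS checksum)."""
    accum = 0
    while first7:
        accum += 3 * (first7 % 10)
        first7 //= 10
        accum += first7 % 10
        first7 //= 10
    return (10 - accum % 10) % 10

def make_pin(first7: int) -> str:
    return f"{first7:07d}{wps_checksum(first7)}"

class SplitVerifier:
    """Hypothetical mock router whose reply reveals which half was wrong."""
    def __init__(self, pin: str):
        self.pin = pin

    def check(self, guess: str) -> str:
        if guess[:4] != self.pin[:4]:
            return "first_half_wrong"
        if guess[4:] != self.pin[4:]:
            return "second_half_wrong"
        return "ok"

def guesses_until_ok(verifier: SplitVerifier) -> int:
    """Count guesses needed when each half can be confirmed on its own."""
    tries = 0
    for h1 in range(10**4):                # at most 10,000 first halves
        tries += 1
        reply = verifier.check(make_pin(h1 * 1000))
        if reply != "first_half_wrong":
            break
    if reply == "ok":
        return tries
    # The guess that confirmed h1 already tested second half 000.
    for h2 in range(1, 10**3):             # at most 999 more
        tries += 1
        if verifier.check(make_pin(h1 * 1000 + h2)) == "ok":
            return tries
    raise ValueError("verifier PIN is not a valid WPS PIN")

SPLIT_BOUND = 10**4 + 10**3   # 11,000, the figure in the article
FREE_DIGITS = 10**8           # 100 million if all eight digits were independent

if __name__ == "__main__":
    worst = make_pin(9_999_999)   # constructed PIN, last in ascending order
    print(worst, guesses_until_ok(SplitVerifier(worst)), "of", SPLIT_BOUND)
```

A verifier that answered only pass or fail for the whole PIN would not allow the two loops to be separated, which is the design point the model isolates.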

This apparently affects a wide range of router manufacturers, including such big names as Linksys, Netgear, D-Link, Belkin, and ZyXEL. I’m not saying you need to put on your tinfoil hats and put your home on lockdown, but if you are worried about these brute force attacks, the only way to prevent them is to disable WPS on your router.