WPS Design Flaw Revealed « The FORWARD project blog

WPS Design Flaw Revealed

A security technology that is widely used in recent home and small-business modems/routers is WiFi Protected Setup (WPS). As its name implies, the WPS protocol has been designed to aid in the WiFi security configuration process, enhancing device usability. In contrast to this usability, however, several researchers have revealed security issues that could easily lead to a DoS attack.

WPS supports both out-of-band configuration over Ethernet/UPnP and in-band configuration over IEEE 802.11/EAP. Since the (wireless) in-band option is the one most likely to be exploited by in-range attackers, it is interesting to examine all three configuration methods that in-band configuration over IEEE 802.11/EAP provides.

In the first security configuration method, a user has to push a button, usually a physical one, located on both the Access Point and the new wireless client device. This method is commonly referred to as PBC (Push Button Connect), and it saves the user from typing a unique security key-code to perform authentication. The second method involves typing the client device's PIN into the web interface of the access point; it is usually referred to as PIN internal registrar. The third method is called PIN external registrar, mainly because the user enters the PIN of the access point into a GUI provided by the client device (usually a computer).

The latter method is extremely vulnerable to a Brute Force Attack, since no authentication is required. If an incorrect PIN is entered, the Access Point responds with an EAP-NACK message. An attacker can apply the Brute Force technique by incrementing the PIN each time an EAP-NACK message is received. Furthermore, by sending a handshake message to the access point and receiving an EAP-NACK message back, the attacker (client) is able to determine, depending on the type of message sent, whether the first half or the second half of the PIN is correct. This observation has an impact on the performance of the Brute Force algorithm used by a potential attacker: only the first half and then the second half of the PIN have to be incremented until a match is found, which dramatically decreases the time needed to obtain the PIN.

In an attempt to restrict the Brute Force technique, vendors incorporate into their devices lock-down mechanisms that introduce delays every time an incorrect PIN is entered. However, at least one researcher has shown that such lock-down mechanisms are not sufficient to make the attack infeasible. Several factors influence the Maximum Attack Time, depending on whether a lock-down scheme is deployed. The lock-down time and the number of attempts allowed before lock-down are the most predominant factors affecting Maximum Attack Time. A researcher's implementation of a proof-of-concept Brute Force attack tool has shown that the Maximum Attack Time could last from 3.97 hours to 2203.97 hours, depending on the lock-down mitigation mechanism employed by vendors. Apart from vendors, end users could prevent a Brute Force Attack by deactivating WPS. However, this may not always be possible.
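As an added example (not code from the original post), the following Python models the lock-down mitigation described above and the Maximum Attack Time it yields, so the two predominant factors, lock-down time and attempts before lock-down, can be compared directly. The per-attempt cost of 1.3 seconds and the two-halves search space of 20,000 guesses are constructed assumptions for illustration, not figures from the post.

```python
"""Model of the WPS PIN lock-down mitigation and the resulting worst-case time.

Constructed assumptions (not from the post): each PIN attempt costs PER_ATTEMPT_S
seconds, and because the AP's EAP-NACK confirms each 4-digit half separately,
the worst case is 10**4 + 10**4 guesses instead of 10**8.
"""
from dataclasses import dataclass
from typing import Optional

FULL_PIN_SPACE = 10 ** 8               # 8-digit PIN treated as one secret
SPLIT_PIN_SPACE = 10 ** 4 + 10 ** 4    # each half confirmed on its own
PER_ATTEMPT_S = 1.3                    # constructed per-attempt cost


@dataclass
class LockdownPolicy:
    """After `max_failures` consecutive wrong PINs the registrar refuses
    further attempts for `lockdown_s` seconds."""
    max_failures: int
    lockdown_s: float


class Registrar:
    """Minimal AP-side registrar applying a LockdownPolicy (illustrative model,
    not any vendor's firmware logic)."""

    def __init__(self, policy: LockdownPolicy, correct_pin: str) -> None:
        self.policy, self._pin = policy, correct_pin
        self.failures, self.locked_until = 0, 0.0

    def attempt(self, pin: str, now: float) -> str:
        """Return 'locked', 'nack' (mirrors EAP-NACK) or 'ok' for one attempt."""
        if now < self.locked_until:
            return "locked"
        if pin == self._pin:
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= self.policy.max_failures:
            self.failures = 0
            self.locked_until = now + self.policy.lockdown_s
        return "nack"


def worst_case_hours(attempts: int, per_attempt_s: float,
                     policy: Optional[LockdownPolicy]) -> float:
    """Maximum Attack Time in hours: every guess costs `per_attempt_s`, and each
    block of `max_failures` failures adds one lock-down pause (the final,
    correct guess triggers none)."""
    total = attempts * per_attempt_s
    if policy is not None and policy.max_failures > 0:
        total += ((attempts - 1) // policy.max_failures) * policy.lockdown_s
    return total / 3600
```

Running `worst_case_hours(SPLIT_PIN_SPACE, PER_ATTEMPT_S, LockdownPolicy(3, 60))` against the same call with `policy=None` shows how much of the worst-case time comes from the lock-down pauses rather than from the guesses themselves.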

Another researcher, who implemented an open-source tool capable of performing Brute Force Attacks exploiting the WPS vulnerability, concluded that once the WPS PIN is known, the router's encryption passphrase can easily be revealed. This is true even if multiple radio frequencies are used in the physical layer, each configured with a different WPA key, or even if the passphrases are altered by the user.

The key point to note is that WPS functionality is likely to have been turned on by default as a factory setting, and where this is the case the means of turning WPS off may not be available, resulting in a security flaw even for end users who do not make use of WPS at all. A long lock-down period alone is certainly not a solution for preventing Brute Force Attacks, since an access point usually operates continuously for a long time, in the order of several months, which is enough time for an attack to take place. To address this security flaw, a mature solution would be collaboration among vendors to develop mitigation techniques, combined with an information campaign urging end users to upgrade their firmware and/or deactivate WPS.
