The Security Challenges Of Wifi Protected Setup (WPS)

If you have followed me for any time, you know that I often say that you can pick security or convenience, but not both.  Here is another example of that.

WiFi Protected Setup was a mechanism created by the manufacturers because users were having too much trouble setting up WiFi connections, which reduces sales.

In its most common configuration, typically enabled by default, the WiFi router or access point has a PIN which is printed on a label on the device.  When you want to connect a new device, you enter this PIN and the WiFi router delivers the password to the device.  Suposedly, only the owner (or anyone who has seen the router) would know the PIN.

In another mode, the user has to press a button on the Wifi router in order to enable this feature – to improve security, but not all devices support this mode – it was an enhancement after people found out about the weakness of PIN mode.

A design defect in the specification allows an attacker to very quickly try all possible combinations.    While the 8 digit PIN allows for 99, 999,999 combinations, the last digit is a check digit, so there are only 9,999,999 combinations.  But there is a design defect.  You can ask the WiFi router if the first four digits match – 10,000 possibilities.  Then all you have left is 4 digits less the check digit, or three digits, meaning 999 combinations to choose.

To add insult to the process, you can try all 10,000 + 999 combinations without the router shutting the attack down.  That won’t take very long.

Bell Canada announced this week that a couple of the routers that they give to their customers have an option to turn off WPS.  Only it doesn’t really turn WPS off.  It only turns off announcing WPS.  An attacker can still try the 11,000 possible combinations.

The real questions are (a) Does your WiFi device support WPS?  (b) Is WPS on?  (c) Can it be turned off?

The best answer is to use a WiFi router that doesn’t have WPS in it at all.

by