Wi-Fi Protected Setup (WPS) is a Wi-Fi Alliance specification (v1.0, available since January 2007) designed to ease the process of securely setting up Wi-Fi devices and networks. A couple of days ago US-CERT released a new vulnerability note, VU#723755, describing a flaw that allows an attacker to gain full access to a Wi-Fi network (such as retrieving your ultra-long secret WPA2 passphrase) through a brute-force attack on the WPS PIN. The vulnerability was reported by Stefan Viehböck and more details are available in the associated whitepaper. In reality, it acts as a kind of backdoor for Wi-Fi access points and routers.
The quick and immediate mitigation is to disable WPS. Your holiday gift to the people around you these days is to tell them to disable WPS.
It is important to remark that this vulnerability affects both the WPS design (which typically means higher impact and longer fix times) and the current Wi-Fi vendor implementations. The design is affected because WPS presents serious weaknesses that allow an attacker to determine whether half of the PIN is correct (remember Windows LANMAN (LM) authentication? 7+7 != 14). Therefore the brute-force process can be split in two parts, significantly reducing the number of attempts required to brute force the entire PIN from 100 million (10^8) to 11,000 (10^4 + 10^3). The vendor implementations (in Wi-Fi access points and routers) are also affected due to the lack of a proper (temporary) lock-out policy after a certain number of failed attempts to guess the PIN, plus some collateral DoS conditions.
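A small model of the attempt counts discussed above and of the effect of the lock-out policy that vendor implementations lack (an added illustration, not code from the original diary or the whitepaper; the guess rate and the lock-out parameters are constructed assumptions):

```python
from dataclasses import dataclass

# Worst-case number of PIN guesses in each scenario described in the diary.
# The split keyspace exists because the AP reveals whether each half of the
# PIN is correct, so the two halves can be attacked independently.
GUESSES_NAIVE = 10**8            # 8 digits treated as independent
GUESSES_SPLIT = 10**4 + 10**3    # 4-digit first half + 3-digit second half


@dataclass(frozen=True)
class LockoutPolicy:
    """AP-side policy: after `after_failures` consecutive bad PINs, refuse
    WPS registrar attempts for `seconds` (after_failures=0 means no policy)."""
    after_failures: int = 0
    seconds: float = 0.0


def worst_case_seconds(guesses: int, seconds_per_guess: float,
                       policy: LockoutPolicy = LockoutPolicy()) -> float:
    """Time to exhaust `guesses` against one AP when every guess takes
    `seconds_per_guess` and the AP applies `policy`. The last guess is
    assumed to be the correct one, so `guesses - 1` attempts fail."""
    active = guesses * seconds_per_guess
    if policy.after_failures <= 0:
        return active
    lockouts = (guesses - 1) // policy.after_failures
    return active + lockouts * policy.seconds


def slowdown_factor(guesses: int, seconds_per_guess: float,
                    policy: LockoutPolicy) -> float:
    """How many times longer the attack takes with `policy` than without."""
    return (worst_case_seconds(guesses, seconds_per_guess, policy)
            / worst_case_seconds(guesses, seconds_per_guess))


if __name__ == "__main__":
    # Constructed assumption: 1.5 s per guess puts 11,000 guesses at ~4.6 h,
    # inside the 4-10 hour range reported for current tools.
    per_guess = 1.5
    hours = lambda s: s / 3600
    print(f"naive 10^8 guesses, no lock-out: "
          f"{hours(worst_case_seconds(GUESSES_NAIVE, per_guess)):,.0f} h")
    print(f"split 11,000 guesses, no lock-out: "
          f"{hours(worst_case_seconds(GUESSES_SPLIT, per_guess)):.1f} h")
    policy = LockoutPolicy(after_failures=3, seconds=300)  # constructed policy
    print(f"split 11,000 guesses, 5 min lock after 3 failures: "
          f"{hours(worst_case_seconds(GUESSES_SPLIT, per_guess, policy)):.0f} h "
          f"({slowdown_factor(GUESSES_SPLIT, per_guess, policy):.0f}x slower)")
```

Even a modest lock-out turns a same-day attack into a multi-week one under this model, which is why the missing policy is as relevant as the design flaw itself.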
The researcher used a Python (Scapy-based) tool that has not been released yet, although other tools that allow testing for the vulnerability have been made public, such as Reaver. Current tests indicate that it would take about 4-10 hours for an attacker to brute force the 8-digit PIN (in reality a 7-digit PIN: 4+3+1 digits).
Lots of Wi-Fi devices on the market implement WPS; a significant number seem to implement the PIN authentication option (the vulnerable mechanism, called PIN External Registrar), as it seems to be a mandatory requirement in the WPS spec for becoming WPS certified (by the Wi-Fi Alliance); and a very relevant number still seem to have WPS enabled by default. Based on that, and on our experience with similar Wi-Fi vulnerabilities over the last decade, it might take time for the Wi-Fi industry to fix the design flaw and release a new WPS version; it will take more time for (all) vendors to release new firmware versions that fix or mitigate the vulnerability; and it will take even more time for end users and companies to deploy a fixed and secure WPS version and/or implementation, or to disable WPS (although this is the quickest option... we know it takes much more time than we would like :( ).
To sum up, millions of devices worldwide might be affected and it will take months (or years - think of WEP) to fix or mitigate this vulnerability... so meanwhile, it is time to start a global security awareness campaign:
This diary extends the Wi-Fi security posture of previous ISC diaries, where we covered the security of common Wi-Fi usage scenarios, and will be complemented by two upcoming Wi-Fi security end-user awareness resources: the SANS OUCH! January 2012 issue and lesson 12 of Intypedia (both will be available in mid-January 2012).
Founder and Senior Security Analyst with Taddong
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.