clock menu more-arrow no yes mobile

Filed under:

Wi-Fi Protected Setup security hole discovered

New, 26 comments

Security researcher Stefan Viehbock has exposed a hole in the Wi-Fi Protected Setup PIN-protection system used by a number of hardware manufacturers.

Linksys E4200
Linksys E4200

Wi-Fi Protected Setup (WPS) has become popular among router manufacturers as a way to make adding new devices to your wireless network simpler, meaning you don't have to remember your wireless key every time. However, security researcher Stefan Viehbock has uncovered a major security hole which allows him to use brute force to access a WPS PIN-protected network in an average of two hours.

An inherent design flaw means that the 8-digit PIN's security falls dramatically as more attempts are made — a message sent by the router when the PIN fails informs the hacker if the first four digits are correct, while the last digit of the key is used as a checksum and is given out by the router in negotiation. This means that instead of the 108 (100,000,000) possibilities that WPS should represent, the actual level of security is closer to 104 + 103 (or 11,000 — over 9,000 times less).

Advice from the US Computer Emergency Readiness Team (US-CERT) suggests that the safest option for users is to disable WPS on your router, though as Viehbock says, "good luck telling users to turn off functionality that has 'protect' in its name." He also claims to have attempted to discuss the issue with hardware vendors — with routers from Buffalo, D-Link, Linksys, and Netgear all vulnerable to the attacks — but has been ignored. None of the manufacturers have yet released statements or updated firmware, though with Viehbock promising to release the brute force tool soon, it seems likely that they'll be forced to respond.