Brute-forcing wireless access points made easy

A design flaw in the WiFi Protected Setup that can allow attackers to easily brute-force their way into wireless network devices has been discovered and made public by Austrian information security student and researcher Stefan Viehb?¶ck.

The WiFi Protected Setup is a computing standard devised for making the setting up, configuring and securing of a wireless home network an easier task for users who don’t know much about the technology involved, and is included in many currently sold wireless devices, including those by Cisco/Linksys, Netgear, D-Link, Belkin, Buffalo, ZyXEL, Technicolor and TP-Link.

The flaw consist in the fact that when an incorrect 8-digit PIN required to access the device is rejected, additional information returned with the rejection makes it easier to modify following requests in such a way as to make the brute-forcing a lot faster.

To prove his point, he wrote a proof-of-concept brute force tool and turned it against several routers made by different vendors, and it took him an average of two hours to access a WPS PIN-protected network.

Viehb?¶ck and US-CERT advise users to deactivate WPS in order to mitigate the flaw, but a better solution would be for vendors to introduce sufficiently long lock-down periods in order to make an attack impractical. Vendors are yet to respond officially to this plea, but will likely have to soon, as
Viehb?¶ck promises to make the brute force tool available soon.

For more details about the attack, check out his paper.