Fear the Reaver: It Can Discover Your Wi-Fi Password
Setting up a Wi-Fi network used to be a daunting task for the average user. People would spend countless hours in frustration and be assaulted with terms such as DHCP, DNS, administration console, and WPA passwords. If you didn't encrypt your wireless network, your neighbors could use Firesheep to log in to your personal accounts. Enter the Wi-Fi Alliance: now anyone can have their wireless network up and running securely in no time. However, this simplified process has introduced a new security vulnerability found in many of today's routers.
The root of the problem is a feature called Wi-Fi Protected Setup (WPS). This is part of a set of requirements a device must meet to be "certified" by the Wi-Fi Alliance and be able to place this coveted stamp on a box. There are four different methods that can be used for WPS. One of them is the PIN method, which every certified product has to support. An 8-digit PIN is assigned to the router, and a user must enter that PIN when attempting to connect a device to the network using WPS. Statistically, this means there are 10^8, or 100,000,000, combinations. However, the last digit is a checksum, so in reality there are only 10^7, or 10,000,000, variations.
The problem is that the WPS authentication protocol breaks the PIN into two 4-digit halves when verifying it. It validates the first four digits first. Once that half has been authenticated, it goes on to verify the next 3 digits (remember, the last digit is a checksum). This significantly reduces the number of possible combinations from 10^7 to 10^4, or 10,000, for the first half and 10^3, or 1,000, for the second set of digits. A device is allowed 3 attempts to connect before it is locked out for a period of 1 minute. This can slow down a brute-force attack. Because of this flaw, an attacker only needs to make 11,000 attempts to gain access vs. 10,000,000. Lifehacker recently documented how to use the brute-force application Reaver in an attack. Tests using this application have shown that the PIN can be discovered on average within 4-10 hours. Once the PIN is obtained, the program is able to retrieve the WPA-PSK pre-shared key and obtain network access.
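As an added example (not code from the original post or from Reaver), here is the arithmetic behind the "check 4, then check 3" flaw in Python: the WPS PIN checksum rule (assumed from the Wi-Fi Simple Configuration specification; the post only says the last digit is a checksum), a toy model of a registrar that confirms the first half on its own, and a count of how many queries that design leaks compared with checking all 7 free digits together.

```python
# Added example: why split verification shrinks the WPS PIN space.
# Checksum rule assumed from the WSC spec: odd-position digits weigh 3,
# even-position digits weigh 1, check digit makes the total a multiple of 10.

def wps_checksum(first7: str) -> int:
    """Return the 8th (check) digit for a 7-digit WPS PIN prefix."""
    if len(first7) != 7 or not first7.isdigit():
        raise ValueError("expected exactly 7 digits")
    d = [int(c) for c in first7]
    total = 3 * (d[0] + d[2] + d[4] + d[6]) + (d[1] + d[3] + d[5])
    return (10 - total % 10) % 10

def is_valid_wps_pin(pin: str) -> bool:
    """True if pin is 8 digits and its last digit matches the checksum."""
    return len(pin) == 8 and pin.isdigit() and int(pin[7]) == wps_checksum(pin[:7])

def worst_case_attempts(split_verification: bool) -> int:
    """Guesses needed to exhaust the PIN space under each design."""
    if split_verification:          # halves confirmed one after another
        return 10**4 + 10**3        # 11,000, the post's figure
    return 10**7                    # all 7 free digits at once

def split_verifier(secret: str):
    """Toy model of the flawed registrar: it reveals whether the first
    4 digits are right before the remaining digits are even looked at."""
    def verify(guess: str) -> str:
        if guess[:4] != secret[:4]:
            return "first-half-wrong"
        if guess[4:] != secret[4:]:
            return "second-half-wrong"
        return "ok"
    return verify

def queries_to_recover(verify) -> tuple:
    """Exhaustive search against the toy verifier, counting oracle queries.
    Because the halves leak separately, the count never exceeds 11,000."""
    queries = 0
    for a in range(10**4):
        first = f"{a:04d}"
        queries += 1
        if verify(first + "0000") != "first-half-wrong":
            break
    for b in range(10**3):
        rest = f"{b:03d}"
        pin = first + rest + str(wps_checksum(first + rest))
        queries += 1
        if verify(pin) == "ok":
            return pin, queries
    raise RuntimeError("no valid PIN found")
```

The secret PINs used in the checks below are constructed values chosen to satisfy the checksum rule, not real device PINs.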
The good news is that in most cases, WPS can be disabled in the router settings. By default, this setting is enabled. However, disabling it does not appear to be an option on Linksys/Cisco routers. The only way to get around this is to flash to a non-WPS ROM. This is probably something an average user would not want to attempt. It is anticipated that there will be firmware updates coming from the various router manufacturers in the near future that will remove the "check 4, then check 3" flaw, thereby making a brute-force attack less feasible.
A list of vulnerable devices can be found here.
Jim Rhodes is a Mobility Solutions Engineer for AppRiver, a leading Hosted Exchange and e-mail security provider.
Update: Cisco (Linksys) has released a knowledge base article regarding the WPS vulnerability that exists in some of its routers. As noted in my original post, the WPS feature cannot be disabled on some Cisco products. This article clarifies which devices are affected and when they will receive an update to resolve the issue.