WPS Attacks – CompTIA Security+ SY0-401: 3.4

If you can’t break the encryption, maybe you can break down the door. In this video, you’ll learn about a significant security flaw in wireless devices that use WPS.

<< Previous Video: WPA AttacksNext: Cross-Site Scripting >>

When we’re working with security on wireless networks we often refer to the WEP encryption protocol, or the WPA encryption protocol, or WPA2. But there’s a mechanism on a wireless access point called WPS. This is not an encryption protocol at all. It stands for Wi-Fi Protected Setup. It is something that used to be called Wi-Fi Simple Config, and as the name implies, this was a mechanism added to wireless access points that was to make it much easier for devices to securely connect to these access points. Adding a WPA2 key, and then distributing that key to all of your devices, seemed to be a little bit too complex for the novice. So we created this very simple method using a PIN, using a simple series of numbers on the wireless access point that would then allow us to easily connect our devices onto the wireless network.

There were a number of different ways you can connect to the wireless network. You would have a PIN configured on the access point. It’s usually written on the access point somewhere. And then you would enter that PIN on your mobile device. You could also bring your mobile device nearby and push a button on the wireless access point that would then allow the remote device to have access. Some cases, the wireless access point took advantage of NFC, Near-Field Communication. All you had to do was get your mobile device close to the access point and it would then allow you access to the wireless network. There was also a USB method that was used. It’s no longer something that applies to the WPS standard. But on some older access point you may still see a reference to a USB connection.

Although the idea of WPS was a good one, unfortunately, it was the implementation of WPS that ended up being its undoing. And in December of 2011, there was the discovery that there was indeed a design flaw in WPS. And it’s a design flaw that’s been there from the very beginning. The WPS PIN, if you look at it, it’s an eight-digit number. It’s really seven digits and a checksum. So if you needed to brute force these seven digits to try to force your way on to one of these wireless networks, you would need to go through about 10,000,000 possible combinations. Well, that seems secure enough, doesn’t it? The problem is that the WPS process validates the PIN in two forms– in the first half and the second half. So really it validates the first half, which is four digits, and the second half, because there’s a checksum digit there, it’s really only three digits that you would then need to validate.

That means to validate the first half was 10,000 possibilities and to validate the second half was only 1,000 possibilities. Well, these 11,000 possibilities is certainly a lot fewer than 10,000,000, which means if you wanted to run through every possibility for WPS, it only takes about four hours to go through every single one of them. And, obviously, if you’re trying to gain access to a wireless network, you’re usually somewhere where you’re away from the network. You’re somewhere where you can run through and do this and have it go through its four-hour process to find this.

And even worse, these wireless access points did not have a brute force lockout function. Which means you could go through all 11,000 of them, and all of them could be wrong except for the last one, and you would never be locked out of the process. This was obviously an enormous security concern. And it’s now recommended on everybody’s access point that you disable the WPS functionality and don’t use it at all.