WPS Attacks – CompTIA Security+ SY0-501 – 1.2

The WPS protocol has suffered from vulnerabilities and active exploits since its introduction. In this video, you’ll learn more about WPS and why security professionals recommend disabling all WPS functions.



WPS stands for Wi-Fi Protected Setup. It was originally called Wi-Fi Simple Config. That’s because the goal was to let people connect to a wireless network securely, but in a way that would not require typing in any complicated passphrases.

There are a number of different ways to connect to a WPS-enabled network. One is to use a PIN that’s configured on the access point. Another is to push a button on the front of the access point.

Some devices even support near-field communication: you just bring the device close to the access point and it’s connected through WPS. There’s also a USB method that’s no longer used, where you would plug in a USB key and then move that USB key to the mobile device.

The problem discovered in December of 2011, however, was that WPS had a very significant design flaw, one that had been there from the very beginning of the implementation.

The personal identification number for WPS is an eight-digit number. But in reality it’s a seven-digit number with a checksum digit at the end. So if you’re trying to determine the number through brute force, you’ve got 7 digits, or effectively about 10 million possible combinations to go through. 10 million possible combinations is quite a bit, but in reality the number is not even close to that.

The number used in WPS is actually validated in two parts: the access point validates the first four digits, then it validates the last three digits. Remember that the digit on the end is the checksum. That means for the first half you only need to go through about 10,000 possibilities, and for the second half only 1,000 additional possibilities, for a total of just 11,000 numbers that have to be brute forced.
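The PIN arithmetic described above, as an added example that is not part of the original video: it implements the checksum rule from the WPS specification, checks whether an 8-digit PIN is well formed, and shows why confirming the first half leaves only 1,000 possible completions. The figures it returns are the ones the text quotes; nothing here talks to an access point.

```python
"""Why the WPS PIN search space collapses to about 11,000 guesses (added illustration)."""


def wps_checksum(first_seven: int) -> int:
    """Return the checksum digit for a 7-digit WPS PIN body (0..9999999).

    Per the WPS specification, digits in odd positions (1st, 3rd, 5th, 7th)
    are weighted 3 and the rest weighted 1; the 8th digit makes the total
    a multiple of 10.
    """
    accum = 0
    pin = first_seven
    while pin:
        accum += 3 * (pin % 10)   # odd position, counted from the right
        pin //= 10
        accum += pin % 10         # even position
        pin //= 10
    return (10 - accum % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    """True if `pin` is 8 decimal digits whose last digit is the correct checksum."""
    if len(pin) != 8 or not pin.isdigit():
        return False
    return wps_checksum(int(pin[:7])) == int(pin[7])


def valid_completions(first_half: str) -> int:
    """Count well-formed 8-digit PINs that start with the given 4 digits.

    Each 7-digit body has exactly one checksum, so the answer is always 1,000:
    once the first half is confirmed, only 3 free digits remain.
    """
    return sum(
        1 for tail in range(10_000)
        if is_valid_wps_pin(f"{first_half}{tail:04d}")
    )


def search_space() -> dict:
    """Compare the intended worst case with the split-validation worst case."""
    naive = 10 ** 7            # 7 free digits; the checksum is derived
    split = 10 ** 4 + 10 ** 3  # first half, then second half
    return {"naive": naive, "split": split, "reduction": naive // split}


if __name__ == "__main__":
    print(is_valid_wps_pin("12345670"), valid_completions("1234"), search_space())
```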

If you did go through every possible combination, it would take about four hours, which is not very long for someone who really wants to get onto that wireless network.

Once manufacturers realized that people could take advantage of this vulnerability, they implemented slowdown procedures and lockouts so that someone couldn’t simply go through every possible combination. That means it could take as long as a day, or perhaps even a week, to get through every possible combination for someone trying to work around that slowdown function. Of course, you may not even need to bother with a brute force attack. If you have physical access to the access point, the PIN may be printed right on the back of the device. Now you have the WPS PIN, at least the one configured by default, and you can simply connect to the network.

Some access points have a WPS button on the front, so if you can walk right up to the access point you may easily get onto the network. As if these problems weren’t enough, in the summer of 2014 a new attack against WPS was found. This one is called Pixie Dust.

With Pixie Dust, the personal identification number on the access point may be poorly encrypted. You’re able to capture that encrypted exchange and then run a brute force attack offline. In about 30 minutes, and often much less than that, you’re able to determine what the WPS personal identification number is.

Ultimately, the best practice is to completely disable any WPS functions on your access point. With all of these different vulnerabilities, it’s simply too easy to gain access to the network using WPS.