Vulnerability in Modern Wireless Routers: Brute Force Attack Can Crack WPS PIN

January 2, 2012

You might have come across a small button labeled WPS on your Wi-Fi router. WPS (Wi-Fi Protected Setup) is an optional protocol designed by the Wi-Fi Alliance to make wireless setup easy for ordinary users while keeping the essential security; it was earlier called "Wi-Fi Simple Config". The technology was launched in 2007 and almost all routers made since then incorporate it. Now a major flaw in the design of this protocol has been disclosed. WPS is enabled by default on most devices, and through a brute-force attack on the WPS PIN an attacker can recover the PIN and, with it, the WPA/WPA2 passphrase of your network.

How WPS Works

Instead of a preset SSID (the network name), WPS can set up a random network name and a strong network key for the wireless devices. Instead of typing the SSID and a long security key, WPS lets you use a push button (either hardware or software) or a PIN to join the secured wireless network. There are three ways to use WPS to join a Wi-Fi network.

1.  Push Button Connect: The user presses a button (physical or virtual) on both the router and the wireless client (laptop, camera, phone, etc.). After pressing the button on the client, you must press the button on the router (or enter the PIN) within two minutes. Physical access to both devices is required.




2.  PIN (internal registrar): The user enters the PIN of the wireless client into the web interface of the access point. The client (laptop, camera, phone, printer, etc.) must have a WPS PIN, which is either printed on the device or can be retrieved through its software interface.

3.  External registrar method: The user enters the WPS PIN of the router/access point into the client device. No authentication other than the access point's PIN is required. The PIN is usually printed on the router or can be obtained through its software interface.

In the first method (push button) physical access to the router is required, and in the second you must already be logged into the access point's web interface, so these two methods are safe. The flaw is in the third, the external registrar method. The access point's PIN is only eight digits, the eighth digit is a checksum of the first seven, and the access point tells the client after the fourth protocol message (M4) whether the first four digits were correct, before the remaining digits are ever checked. That cuts the search from 10^7 PINs to at most 10^4 + 10^3 = 11,000 guesses, which takes hours rather than years. Last month Stefan Viehböck discovered this vulnerability and reported it to the United States Computer Emergency Readiness Team (CERT/CC); Craig Heffner found the same flaw independently. CERT/CC analyzed the threat and released a vulnerability note that advises users to disable WPS.

A Python brute-force script that recovers the WPS PIN is available. See the demo video.
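To make the numbers above concrete, here is an added simulation of the attack. It is example code written for this article, not the script mentioned above, Reaver, or any vendor's firmware: `MockAccessPoint` is a constructed stand-in that only reproduces the information leak (a wrong first half is rejected after M4, a wrong second half only after M6), and `brute_force` is the two-phase search that leak allows. The checksum routine follows the WPS PIN checksum as implemented in hostapd.

```python
"""Added example: a simulation of the WPS external-registrar PIN brute force.

The mock access point and the attacker below are constructed for this
article; they are not wpscrack, Reaver or any vendor code. The mock only
mirrors the protocol's information leak: a wrong first half of the PIN is
rejected after message M4, before the second half is checked after M6.
"""
from typing import Optional


def wps_checksum(first7: str) -> int:
    """Checksum digit (digit 8) of a WPS PIN, computed over digits 1-7.

    Odd positions (1st, 3rd, 5th, 7th) are weighted 3, even positions 1,
    as in the WPS specification and hostapd's wps_pin_checksum().
    """
    if len(first7) != 7 or not first7.isdigit():
        raise ValueError("expected exactly seven decimal digits")
    acc = sum((3 if i % 2 == 0 else 1) * int(d) for i, d in enumerate(first7))
    return (10 - acc % 10) % 10


def is_valid_pin(pin: str) -> bool:
    """True if `pin` is eight digits and its last digit is the checksum."""
    return len(pin) == 8 and pin.isdigit() and int(pin[7]) == wps_checksum(pin[:7])


class MockAccessPoint:
    """Constructed stand-in for a WPS-enabled AP (hypothetical, not real firmware)."""

    def __init__(self, pin: str) -> None:
        if not is_valid_pin(pin):
            raise ValueError("AP PIN must be a valid 8-digit WPS PIN")
        self._first, self._second = pin[:4], pin[4:]
        self.attempts = 0

    def try_pin(self, pin: str) -> str:
        """Answer one registration attempt the way a vulnerable AP does."""
        self.attempts += 1
        if pin[:4] != self._first:
            return "NACK_M4"   # first half wrong: rejected before M5/M6
        if pin[4:] != self._second:
            return "NACK_M6"   # first half right, second half wrong
        return "SUCCESS"       # M7 would now carry the WPA passphrase


def brute_force(ap: MockAccessPoint) -> Optional[str]:
    """Recover the AP's PIN in at most 10,000 + 1,000 attempts."""
    # Phase 1: find the first four digits. The second half is a dummy
    # because the AP never looks at it while the first half is wrong.
    for i in range(10_000):
        first_half = f"{i:04d}"
        if ap.try_pin(first_half + "0000") != "NACK_M4":
            break
    else:
        return None  # no first half accepted: the AP is not behaving like a WPS PIN registrar

    # Phase 2: digits 5-7 are the only unknowns left; digit 8 is derived.
    for j in range(1_000):
        first7 = first_half + f"{j:03d}"
        candidate = first7 + str(wps_checksum(first7))
        if ap.try_pin(candidate) == "SUCCESS":
            return candidate
    return None


if __name__ == "__main__":
    ap = MockAccessPoint("12345670")   # a PIN with a valid checksum digit
    print(brute_force(ap), "recovered after", ap.attempts, "attempts")
    print("without the leak the full space would be", 10**7, "PINs")
```

Against a real access point each attempt is a full EAP exchange over the air, so the cost is dominated by the time per attempt rather than by the 11,000 upper bound; the simulation only counts guesses. It also assumes the access point's PIN obeys the checksum rule, as the specification requires.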

One and Only Solution: Disable WPS

At the time of writing no firmware updates are available to close this hole, so the advice is to disable the WPS option of your router through its web interface. The screenshot below shows where this is done on a D-Link DSL-2730U. After saving the setting, rescan the network from a client and confirm that the access point no longer advertises WPS; the only reliable evidence that WPS is off is that the router has stopped announcing it.

[Screenshot: D-Link DSL-2730U web interface, WPS setting]
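One way to do that check on Linux, as an added example that is not part of the original post: run `iw dev wlan0 scan` (a real iw command; the interface name is an assumption) and look for a `WPS:` block under your own BSS. The parser below is this article's own, and `SAMPLE_SCAN` is constructed output for three made-up networks, written in the format iw prints, not a capture.

```python
"""Added example: check that an access point no longer advertises WPS.

This parses the text that `iw dev <iface> scan` prints on Linux. The
SAMPLE_SCAN below is constructed for this article (three made-up networks),
not captured output, and the parser is this article's, not part of iw.
"""
import re
from typing import Dict, List

SAMPLE_SCAN = """\
BSS 00:11:22:33:44:55(on wlan0)
    freq: 2437
    SSID: HomeNet
    WPS:     * Version: 1.0
         * Wi-Fi Protected Setup State: 2 (Configured)
         * Response Type: 3 (AP)
         * Config methods: Label, PBC
BSS 66:77:88:99:aa:bb(on wlan0)
    freq: 2462
    SSID: Office
BSS cc:dd:ee:ff:00:11(on wlan0)
    freq: 2412
    SSID: Guest
    WPS:     * Version: 1.0
         * Wi-Fi Protected Setup State: 2 (Configured)
         * AP setup locked: 0x01
"""

_BSS_RE = re.compile(r"^BSS ([0-9a-fA-F:]{17})")


def parse_iw_scan(text: str) -> List[Dict[str, object]]:
    """Split iw scan output into one record per BSS with its WPS status."""
    aps: List[Dict[str, object]] = []
    current: Dict[str, object] = {}
    for line in text.splitlines():
        m = _BSS_RE.match(line)
        if m:
            current = {"bssid": m.group(1).lower(), "ssid": "",
                       "wps": False, "configured": False, "locked": False}
            aps.append(current)
            continue
        if not current:
            continue  # text before the first BSS line
        s = line.strip()
        if s.startswith("SSID:"):
            current["ssid"] = s[len("SSID:"):].strip()
        elif s.startswith("WPS:"):
            current["wps"] = True  # the AP carries a WPS information element
        elif "Wi-Fi Protected Setup State:" in s:
            current["configured"] = "(Configured)" in s
        elif "AP setup locked:" in s:
            # iw prints the attribute as a hex byte; non-zero means locked
            current["locked"] = int(s.rsplit(":", 1)[1].strip(), 16) != 0
    return aps


def wps_exposed(aps: List[Dict[str, object]]) -> List[str]:
    """SSIDs that still advertise WPS (a setup lock is reported, not excluded)."""
    return [str(ap["ssid"]) for ap in aps if ap["wps"]]


if __name__ == "__main__":
    for ap in parse_iw_scan(SAMPLE_SCAN):
        if ap["wps"]:
            state = "locked" if ap["locked"] else "accepting PIN registrations"
            print(f"WPS still advertised by {ap['ssid']} ({ap['bssid']}): {state}")
```

Feed it the real scan output (for example `parse_iw_scan(open("scan.txt").read())` after `iw dev wlan0 scan > scan.txt`) and your own SSID should no longer appear in `wps_exposed`. An "AP setup locked" attribute means the router has temporarily stopped accepting PIN attempts, not that WPS is disabled, so such a network is still listed.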

Routers from most major vendors, including Belkin, Buffalo, D-Link, Linksys, Netgear, TP-Link, Technicolor and ZyXEL, are affected, and WPS is enabled on them by default. Your smart neighbor is reading this too; don't give him a chance to test this vulnerability on your network 🙂
