The buggy security feature is implemented by most manufacturers

Dec 28, 2011 15:05 GMT  ·  By

A design flaw recently discovered in WiFi Protected Setup (WPS) could make it easier for attackers to brute-force a device's PIN, because they can easily tell when the first half of the 8-digit PIN is correct.

The United States Computer Emergency Readiness Team (US-CERT) was recently informed of the issue by security researcher Stefan Viehbock, who found the weakness.

WPS, the computing standard developed to make it easier for users to secure home wireless networks, contains an authentication method called “external registrar” that only requires the router’s PIN to allow access.

It turns out that by design this method is susceptible to a brute force attack against the device's PIN.

“When the PIN authentication fails the access point will send an EAP-NACK message back to the client. The EAP-NACK messages are sent in a way that an attacker is able to determine if the first half of the PIN is correct,” reads the advisory posted by US-CERT.

“Also, the last digit of the PIN is known because it is a checksum for the PIN. This design greatly reduces the number of attempts needed to brute force the PIN. The number of attempts goes from 10^8 to 10^4 + 10^3 which is 11,000 attempts in total.”

Since some wireless routers don’t implement any kind of lock-out policy against brute force attempts, and some even end up in a denial-of-service (DoS) condition after such an attempt, an attack that targets the PIN could be carried out successfully in a fairly short time.
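An added example (not from the article, the advisory or the paper) showing what a defender can do with the figures above: a detector that flags a client sending a burst of failed WPS PIN attempts in constructed, hypothetical access-point log lines, plus a helper that shows how a lock-out policy stretches the 11,000-attempt worst case quoted from US-CERT. The log format, the peer MAC addresses and the thresholds are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in a hypothetical AP format (not real firmware output).
SAMPLE_LOG = """\
2011-12-28T15:05:01Z wps: peer 00:11:22:33:44:55 pin-auth ok
2011-12-28T15:05:03Z wps: peer aa:bb:cc:dd:ee:ff pin-auth failed (EAP-NACK)
2011-12-28T15:05:04Z wps: peer aa:bb:cc:dd:ee:ff pin-auth failed (EAP-NACK)
2011-12-28T15:05:05Z wps: peer aa:bb:cc:dd:ee:ff pin-auth failed (EAP-NACK)
2011-12-28T15:05:06Z wps: peer aa:bb:cc:dd:ee:ff pin-auth failed (EAP-NACK)
2011-12-28T15:05:07Z wps: peer aa:bb:cc:dd:ee:ff pin-auth failed (EAP-NACK)
2011-12-28T15:05:08Z wps: peer aa:bb:cc:dd:ee:ff pin-auth failed (EAP-NACK)
2011-12-28T15:09:30Z wps: peer 66:77:88:99:aa:bb pin-auth failed (EAP-NACK)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) wps: peer (?P<mac>[0-9a-f:]{17}) pin-auth (?P<result>ok|failed)"
)

def parse(log_text):
    """Yield (timestamp, peer MAC, result) for every line matching the assumed format."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), m["mac"], m["result"]

def detect_wps_bruteforce(log_text, max_failures=5, window=timedelta(minutes=1)):
    """Return {mac: time at which that peer first hit max_failures EAP-NACKs in one window}."""
    recent = defaultdict(deque)   # per-peer sliding window of failure timestamps
    alerts = {}
    for ts, mac, result in parse(log_text):
        if result != "failed":
            continue
        q = recent[mac]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= max_failures and mac not in alerts:
            alerts[mac] = ts
    return alerts

def wps_worst_case_attempts(first_half_leaked=True):
    """Attempt count from the advisory: 10^8 PINs collapse to 10^4 + 10^3 once the
    EAP-NACK oracle confirms the first half and the last digit is a known checksum."""
    return 10**4 + 10**3 if first_half_leaked else 10**8

def minutes_to_exhaust(attempts, lockout_minutes, failures_before_lockout):
    """Worst-case minutes an AP lock-out policy adds to exhausting `attempts` guesses."""
    return (attempts // failures_before_lockout) * lockout_minutes
```

With the defaults, the peer aa:bb:cc:dd:ee:ff is flagged at its fifth failure within a minute, while the single failure from 66:77:88:99:aa:bb is not.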

Viehbock also wrote a paper on the matter, called Brute forcing Wi-Fi Protected Setup, claiming that millions of devices worldwide could be affected.

For now, there are no known ways to mitigate the problem, but experts recommend using WPA2 encryption with a strong password, disabling UPnP and enabling MAC address filtering to make sure only trusted devices can connect to the wireless network.