WPS — The Wireless Network Backdoor
Tags: cyber security, internet security
WPS or WiFi Protected Setup (a.k.a. WSC or WiFi Simple Config) is a handy feature of a wireless base station that allows easy connection of new clients by the press of a physical button. WPS is required to be enabled by default for a manufacturer/vendor to achieve WiFi Alliance certification on their products. This means that most devices have it enabled right out of the box.
Unfortunately, WPS can be initiated by transmitting a PIN to the base station when direct physical contact is not convenient. The PIN is an eight digit code that is actually comprised two 4 digit PINs. The first 4 digits can be guessed using a brute force technique (i.e. by potentially trying all possible 10,000 options (0000−9999) and the base station will indicate whether or not the initial 4 digits are correct. Once the first four digits are known, the next 3 digits of the second 4 digit portion are all that need to be guessed. The final digit is a checksum value which is calculated from the first 7 digits.
The end result of this is that an attack guessing the WPS PIN could take only a few hours. Once the WPS PIN is known, outsiders can trigger an authentication process that connects their device to your secured wireless network. This is true even if you have WPA-2 enabled and are using extremely strong authentication options.
To defend against this attack, take one or more of the following steps:
1. Look into your wireless base station’s configuration settings to find the current valid WPS PIN.
2. Turn off WPS (usually clearing a checkbox), save the settings, then reboot the device.
3. Test to see if you can connect a new device using the WPS PIN from the client device only. If WPS fails, you are now secured against the attack.
4. If WPS works, you have a problem. First, try to update the wireless access point’s firmware then try steps 1 – 3 again. If that fails, replace your wireless access point or replace the device’s firmware with a third-party option such as DD-WRT, Open WRT, or Tomato.
5. If your wireless access point does not offer the ability to turn off WPS, then replace the device or its firmware.