Hacking WiFi Protected Setup (WPS)

Monday, January 9th, 2012 | Gene Teo | 1 Comment

Update: Cisco has responded to this with a recommendation to disable WPS on their Small Business product series. Note that this does not apply to Linksys devices, even though Cisco does own the Linksys brand.

WiFi Protected Setup (WPS) is a feature on WiFi access points that makes it easier to connect a new device to them – sometimes as easy as pushing the WPS button of the Access Point and new device at the same time.

On 27 December 2011 the US Department of Homeland Security’s Computer Emergency Readiness Team documented a security flaw in WPS that was discovered independently by security researchers Stefan Viehböck (pdf) and Craig Heffner.

The flaw allows an attacker to recover WPA/WPA2 passphrases – the attack reportedly takes 4-10 hours per access point. Both researchers have released tools to verify the vulnerability and allow for other security teams to perform their own evaluations.

Over at Ars Technica, Sean Gallagher has replicated the attack and notes:

That wouldn’t be as much of a problem for security if wireless access points locked out devices after repeated bad PIN entries. But on many WPS wireless routers, there is no lockout feature. That means attackers can continue to attempt to connect at their leisure.

A successful attack means the attacker is now connected to your WiFi network, and is able to start attacking the computers on it. This is an extremely severe vulnerability – anyone transmitting highly sensitive data over WiFi via a WPS-capable Access Point should retire the Access Point immediately and use cabled connections.
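To make the missing control concrete, here is an added example (written for this post, not code from any router vendor or from the researchers named above) modelling a registrar that stops evaluating PIN attempts after repeated failures, which is the lockout the quoted Ars Technica passage says many WPS routers lack. The class name PinAttemptGuard, the thresholds and the simulated clock are assumptions; setting max_failures to 0 models the weak behaviour with no lockout at all.

```python
"""Added example: registrar-side lockout for WPS PIN attempts.

Hypothetical model written for this post, not code from any router
firmware. It compares a registrar with a lockout against one without by
counting how many of a burst of wrong PINs actually get evaluated.
"""
import time
from typing import Callable, Dict


class PinAttemptGuard:
    """Counts failed PIN attempts per client and enforces a temporary lockout.

    max_failures=0 disables the lockout (the weak behaviour described in the
    post). The clock is injectable so the logic can be tested without sleeping.
    """

    def __init__(self, max_failures: int = 3, lockout_seconds: float = 60.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self._failures: Dict[str, int] = {}
        self._locked_until: Dict[str, float] = {}

    def is_locked(self, client_id: str) -> bool:
        until = self._locked_until.get(client_id)
        if until is None:
            return False
        if self.clock() >= until:
            # Lockout window has passed: forget the old failures.
            del self._locked_until[client_id]
            self._failures.pop(client_id, None)
            return False
        return True

    def record_attempt(self, client_id: str, pin_valid: bool) -> str:
        """Handle one PIN attempt.

        Returns 'refused' if the client is locked out (the PIN is not evaluated
        at all), 'accepted' on a valid PIN, 'rejected' on a wrong PIN, or
        'locked' when this wrong PIN triggers the lockout.
        """
        if self.is_locked(client_id):
            return "refused"
        if pin_valid:
            self._failures.pop(client_id, None)  # success resets the counter
            return "accepted"
        count = self._failures.get(client_id, 0) + 1
        self._failures[client_id] = count
        if self.max_failures and count >= self.max_failures:
            self._locked_until[client_id] = self.clock() + self.lockout_seconds
            return "locked"
        return "rejected"


class FakeClock:
    """Constructed clock so the simulation below runs instantly."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def evaluated_attempts(guard: PinAttemptGuard, client_id: str,
                       attempts: int, clock: FakeClock,
                       seconds_between: float = 1.0) -> int:
    """Feed `attempts` wrong PINs, one per interval, and count how many the
    registrar actually evaluated (everything except 'refused')."""
    evaluated = 0
    for _ in range(attempts):
        if guard.record_attempt(client_id, pin_valid=False) != "refused":
            evaluated += 1
        clock.advance(seconds_between)
    return evaluated


if __name__ == "__main__":
    clk = FakeClock()
    with_lockout = PinAttemptGuard(max_failures=3, lockout_seconds=60.0, clock=clk)
    print("with lockout:", evaluated_attempts(with_lockout, "client-a", 100, clk))
    clk = FakeClock()
    no_lockout = PinAttemptGuard(max_failures=0, clock=clk)
    print("without lockout:", evaluated_attempts(no_lockout, "client-a", 100, clk))
```

With three failures allowed and a 60 second lockout, only 6 of 100 wrong PINs sent one second apart are ever evaluated; with the lockout disabled all 100 are. Keying the counter by client identity is the simplest form of the control; a registrar that locks itself globally after repeated failures, regardless of which client sent them, is the stronger choice.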

Wi-Fi Protected Setup Logo

Note that not all WiFi Access Points are WPS capable. The easiest way to tell is to check with the manufacturer (search for the make and model of your Access Point), or examine the access point for a button or labels with the WPS logo.