Real World Computing
Why you shouldn't use WPS on your Wi-Fi network

Posted on 16 Apr 2012 at 10:46

Davey Winder reveals news of a new Wi-Fi security flaw that could leave your router exposed to attack

It probably doesn’t need repeating that WEP security for Wi-Fi has long ago been cracked open wider than Humpty Dumpty in an earthquake, nor that WPA is as safe as a Lib Dem MP’s majority. And yet, a recent survey by web-hosting outfit UK2 in conjunction with YouGov reveals that the British public, if asked “is your Wi-Fi connection encrypted?” will typically answer “not bovvered”.

Of those asked, 56% never or rarely check to see whether a hotspot is encrypted before logging into it. These same folk are far more likely to secure their home Wi-Fi, so it isn’t just a failure of awareness but more like an excess of trust. Trust, that is, in the hotel or the coffee shop or the pub that offers Wi-Fi for free – and the service provider.

Such trust is often misplaced, which is where the potential security risk lies, and which lines me up nicely for the actual story that caught my attention – namely, that the Wi-Fi Protected Setup (WPS) protocol has been well and truly compromised. WPS is that button you probably pressed to secure your wireless router when you were setting it up for your home or small-business network, the one that helpfully did away with all the manual security configuration and made setting up wireless security both simple and quick. Or so you thought.

The truth is less encouraging: WPS is vulnerable to attack, although not the big red button part of it. There’s another mode of WPS that works not via a button press but via an eight-digit PIN, and it’s this PIN mode of the WPS protocol that has proved much less secure than everyone assumed. It turns out that to crack it via a standard brute-force attack, the hacker doesn’t need to uncover all eight digits, which would require a great deal of time and computing power. Instead, they have to work out only the first four digits of the PIN.

Yes, you read that correctly: that secure-looking PIN isn’t all that secure. Sure, bank cards employ a four-digit PIN and both the banks and their customers seem happy enough to place their trust in this when using cards in a cash machine, but there’s a big difference between these two seemingly identical instances of authentication.

To take your money out of an ATM, any would-be bad guy has to be in possession of your physical card as well as being able to guess or otherwise obtain its PIN. To gain access to your supposedly secure wireless network, on the other hand, he doesn’t require physical access to your router, computer or anything else – he can just set his own PC to try every possible combination. (There’s a useful “how long to crack my password” calculator at the Steve Gibson GRC security site: maths boffins will point out its shortcomings, but it’s good enough for back-of-a-fag-packet estimates.)

Security researchers have released a tool called Reaver that exploits this flaw, enabling anyone to crack the simpler WPS PIN and recover the cleartext of the router’s WPA2 pre-shared key (PSK). The full PIN would have more than ten million combinations, but the reduced-digit PIN has only 11,000 or thereabouts. Remember, it matters not a jot how complex the PSK lying behind your PIN is – by using the WPS PIN method, you’ve “protected” your Wi-Fi network using what is in effect only four digits.

A Google search for PSK hacking tutorials will demonstrate that even without this WPS PIN vulnerability it’s quite feasible to find a WPA2-PSK by brute force, but it would take very much longer and a potential hacker would need a very good reason to invest the time and resources required. Reduce that time and resource requirement sufficiently and suddenly your router and Wi-Fi network become more attractive targets for a casual hack.

It isn’t all bad news: you can simply disable the WPS feature on your router to remove the PIN that the likes of Reaver will be looking for. I believe, but at the time of writing have no details to back up this belief, that a number of router manufacturers have either released or are working on firmware updates to close the vulnerability, one assumes by turning off the PIN (which not all routers have a user configuration option for).

Better still, start over again and set up your Wi-Fi network using a long and complex PSK to make brute-force attacks impractical: think in terms of 32 characters or more, with the usual mix of letters, numbers and special characters. Using that Haystack calculator I mentioned above, you’ll see that a simple four-digit PIN takes only seconds to crack, but a complex 32-character password would take 6.22 thousand trillion trillion trillion centuries – even under a worst-case scenario of a massive cracking array being used to perform a hundred trillion guesses every second!
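As an added example that is not code from the article, from PC Pro or from Reaver, the following Python works through the search-space arithmetic behind the two points above: why the split PIN check leaves only about 11,000 guesses where a whole-PIN search would need millions, and the Haystack-style estimate for a 32-character password against the article’s worst-case cracking array. The 95-symbol printable-ASCII alphabet and the 10^14 guesses-per-second rate are assumptions.

```python
# Added example (not code from the article, PC Pro or Reaver): the search-space
# arithmetic behind the WPS PIN weakness, plus the article's password comparison.

GUESSES_PER_SECOND = 10 ** 14            # the article's worst-case cracking array
SECONDS_PER_CENTURY = 100 * 365.25 * 86400


def wps_checksum_digit(first_seven: str) -> int:
    """Eighth digit of a WPS PIN: weighted sum (3,1,3,1,3,1,3) of the first seven, mod 10."""
    total = sum(int(d) * (3 if i % 2 == 0 else 1) for i, d in enumerate(first_seven))
    return (10 - total % 10) % 10


def is_well_formed_wps_pin(pin: str) -> bool:
    """True if `pin` is eight digits and its checksum digit is consistent."""
    return len(pin) == 8 and pin.isdigit() and int(pin[7]) == wps_checksum_digit(pin[:7])


def wps_pin_keyspace(split_verification: bool) -> int:
    """Worst-case attempts to exhaust the PIN space.

    Seven digits are free and the eighth is a checksum, so a whole-PIN search
    is 10**7 attempts. Because the protocol confirms the first four digits
    independently of the last four, a split search needs 10**4 first halves
    plus 10**3 second halves (three free digits plus the derived checksum).
    """
    return 10 ** 4 + 10 ** 3 if split_verification else 10 ** 7


def password_keyspace(alphabet_size: int, length: int) -> int:
    """Candidates for a random password of exactly `length` symbols."""
    return alphabet_size ** length


def seconds_to_exhaust(guesses: int, rate: float = GUESSES_PER_SECOND) -> float:
    """Time to try every candidate at `rate` attempts per second."""
    return guesses / rate


def centuries_to_exhaust(guesses: int, rate: float = GUESSES_PER_SECOND) -> float:
    return seconds_to_exhaust(guesses, rate) / SECONDS_PER_CENTURY


if __name__ == "__main__":
    print("12345670 well-formed:", is_well_formed_wps_pin("12345670"))
    print("whole-PIN search:", wps_pin_keyspace(False), "attempts")
    print("split search:", wps_pin_keyspace(True), "attempts")
    print("4-digit PIN at 10^14/s:", seconds_to_exhaust(10 ** 4), "seconds")
    # Assumed alphabet: 95 printable ASCII symbols (52 letters, 10 digits, 33 specials).
    print("32-char password at 10^14/s: %.3g centuries"
          % centuries_to_exhaust(password_keyspace(95, 32)))
```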

WPA2-PSK, the pre-shared key implementation beloved by the stereotypical dangerous small-business man, was cracked a couple of years ago, and WPA2 with TKIP isn’t a secure option either, making Wi-Fi – for many people – quite simply insecure. WPA2 with AES is okay, as is WPA2-Enterprise with a RADIUS authentication server or even WPA2-PSK with a 32-character key. Since WPA2-PSK actually supports keys up to 63 characters, and most wireless devices cache that key forever so that it needs to be entered only once, it isn’t that difficult to work out what you should do – yet long passwords are still all too often seen as unnecessary and too complex. Sigh…

User comments

Deja Vu....

http://www.theregister.co.uk/2011/12/29/wi_fi_not_protected/

Read this last year

By DaChimp on 16 Apr 2012

My home router is set to manual registration. This means that to join a device to the network, I have to press the button on the front for a couple of seconds. Devices can't join unless this is done.

By james016 on 16 Apr 2012

Mountain out of molehill

As a domestic user I have never understood why people are so scared of unencrypted wireless. The majority of email is encrypted and all banking/shopping pages are encrypted. Yes - the hacker may be able to get to your private stash of music/videos/pics. That would be one desperate hacker.

By drummerbod on 16 Apr 2012

"Special" characters

You need to be careful with the special characters. Not all devices support them or transmit them properly.

For example, iOS devices have problems in Germany with routers that have Umlauts (äöü) and the ß (among others) in their names and passwords.

Having non-Roman characters in the SSID will hide the WLAN from iOS devices, and using them in the password will get them refused access, because they can't send them properly.

By big_D on 16 Apr 2012

I think it's wise to listen to experts such as Davey Winder on this subject, as he knows more than I do. Being able to hack your PC without setting foot in your home could be very lucrative for a motivated criminal. You wouldn't even know it was happening.

By c6ten on 16 Apr 2012

@drummerbod

Actually, a majority of e-mail is unencrypted by default. Only mail servers with certificates are secured and that costs money (if it is done properly).

If you only have Webmail, it isn't so bad, most of them have recently started allowing SSL connections for the email, as opposed to just the sign-on page.

The bigger problems are:

1) once on your network, they can access any device on your network - all shares on your computer, NAS boxes, streaming services etc. If they want to "do you harm" and your PC isn't fully patched, there are a plethora of attack vectors to use to break into your computer and take control or download your data. If they can access your computer, they can install a keylogger and read your passwords out that way, an encrypted link to the bank or shopping site is then irrelevant.

2) What about 3 strikes or solicitors letters for sharing copyrighted material?

3) The same thing, but even worse, what happens if a kiddy fiddler uploads his latest images over your network?

You can expect the plod to "knock" on your door at some unreasonable hour and you'll have a lot of explaining to do.

The UK isn't too bad, at least you might be able to fight it. In many other countries, you are responsible for everything that takes place over your internet connection!

By big_D on 16 Apr 2012

@Davey Winder

You mention PINs and bank cards... That is certainly a big problem over here, in mainland Europe.

A lot of automats get hijacked and used for "skimming". The gang will stroll into a bank/service station etc. at night and fit an overlay fascia on the cash machine, which scans the card as it is entered and either films the keypad or, in the newer ones, has a fake keyboard that intercepts the keypresses and stores them, along with the card information. The information is transmitted to a receiver nearby.

They wait a couple of weeks and then remove it and then start using the cards they have captured.

Some of the facias are so good, you won't notice them unless you really look closely.

By big_D on 16 Apr 2012

@big_D

That reminds me, I did have to change my wifi password as my Freeview box wouldn't allow one of the characters. It didn't appear on the on-screen keyboard!

By james016 on 16 Apr 2012

Kind of cheesed that USA-CERT notified the manufacturers on 27th December 2011 and yet this has only just now come to light.

Personally cheesed because my brand-new router will not allow me to disable WPS. There's a checkbox, but it is disabled. No new firmware either or any announcement from the company.

By c6ten on 16 Apr 2012

@c6ten

Don't forget, this article has only now been released for the website.

This article originally appeared in the print version of the magazine and Dennis won't let it be read online until the print version is out of circulation... And the print version has a deadline well ahead of it actually printing it, so the article itself was probably written in a timely manner, just the "old world" press is a little lethargic, when it comes to online. ;-)

By big_D on 16 Apr 2012

@big_D

I knew that. But the biggest question still is - What is the motivation and is it worth it? Lots of assumptions were made in your comments ie no passwords for shares, no firewalls on PCs, unpatched apps just sitting waiting.

By drummerbod on 16 Apr 2012

@drummerbod

Have you turned off the hidden system shares on your PC?

Have you patched all your apps? Is your PC's firewall set up to reject PCs on your local network? Probably not.

There are dozens of ways to bore into a pc, especially if it is on your home network and is expecting only "good" machines, which is the normal case.

Are you sharing a printer on the LAN? If the driver is not properly hardened, then you could provoke a stack overflow etc.

Your PC is very vulnerable, especially if it is on a network it considers safe.

By big_D on 16 Apr 2012

Wireless Station Access List

Thanks for the heads-up.

As well as using WPA2-PSK with a fairly long password (think I might make it a bit longer now), I also restrict access by MAC address with the Wireless Station Access List function in my router. It gives me a bit more peace of mind, especially with 5 wireless devices in the house.

I also make sure that I've got the latest firmware update.

By Chris_C on 16 Apr 2012

Interesting article

This is nice to know. Is this just if people have routers with a button to press?

By thorv on 17 Apr 2012

@thorv

No, those who have to press a button are better off than those that have routers that use WPS all the time!

With the button, the hacker has to have physical access to the premises to hack into the network.

If the router automatically accepts WPS requests, the hacker doesn't need to gain physical access to the router, he can sit outside on the street and attempt to access your device.

Best case, you'll notice a denial of service on the router (it is so busy trying to deal with WPS requests, it slows down or stops doing normal work).

By big_D on 17 Apr 2012

@Chris_C

I was always told that restricting access by MAC was a waste of time because MAC spoofing was far too easy?
I'm currently using an older router with WPA-PSK encryption - I can't afford to upgrade all my devices to the latest standards; anyway a quick snoop locally shows a couple of unencrypted networks and a couple with WEP - Think I'm relatively safe in these areas!!

By BAKERDAVE on 21 Apr 2012

@BAKERDAVE

Just because everyone around has no or next to no security set up doesn't make you safer. The fact you have a semi-decent security block may just make you a potentially more juicy target: you either have something worth protecting or they enjoy the challenge more.

By Shuflie on 24 Apr 2012

Long Passwords

"yet long passwords are still all too often seen as unnecessary and too complex" I do not agree.

For most people long passwords are unworkable.
1) they have to remember 20-50 different long passwords and change them on a regular basis.
2) Any frail person (or non-keyboard regular user) will just keep locking themselves out trying to type in 40 unseen characters in the right sequence.

The answer is for our industry to come up with a better answer - and not just blame the customer for failing to use the unusable.

By trevorellis on 25 Apr 2012

We use WPA2-Enterprise with RADIUS authentication over on our system, with MAC Address filters too.

WiFi security is important in Businesses

By scottbob9 on 3 Dec 2013


Davey Winder

Davey is a contributing editor to PC Pro, having covered the internet as a topic since the magazine started in 1994. Since that time he's won numerous awards for his journalism, but remains a small-business consultant specialising in privacy, security and usability issues.

PCPro-Computing in the Real World Printed from www.pcpro.co.uk