How secure is your Wi-Fi network?
Posted on 18 Feb 2013 at 14:00
Davey Winder warns about new Wi-Fi vulnerabilities and weak wireless passwords
A recent survey by web-hosting outfit UK2 in conjunction with YouGov reveals that the British public isn’t all that "bovvered" whether or not the public Wi-Fi hotspots they connect to are encrypted, although these same folk are more likely to check that their home Wi-Fi is secured.
It obviously isn't merely a matter of security awareness but one of trust – misplaced trust in the hotel, coffee shop or pub that offers the free Wi-Fi service (or the provider behind it). It shouldn't need saying today that the WEP and WPA protocols are about as safe as Lib Dem MPs’ seats, but now it appears that the Wi-Fi Protected Setup (WPS) protocol has been well and truly compromised too.
"WP what?" I hear you mutter. It's just that button you probably pressed to secure your wireless router when you set it up for your home or small-business network, the one that did away with manual security configuration and made wireless security so simple and quick. Or so you believed. The truth is rather less certain, because WPS is vulnerable to attack, although not through its big red button.
A different aspect of WPS is an eight-digit PIN you have to enter instead of pressing that button, and it’s this PIN version of the protocol that’s been shown to be much less secure than everyone had assumed.
It seems that in order to crack the encryption via standard brute-force attack, hackers don’t need to uncover all eight digits of that PIN – which would take quite a lot of time and computing resources – but have to decipher only the first four. That secure-looking PIN isn’t actually so secure after all.
Sure, your bank card employs a four-digit PIN, and both banks and customers seem happy enough to place their trust in that when placing it in an ATM, but there’s a big difference between these two seemingly identical authentication scenarios.
To take your money out of a cash machine, any would-be villain has to be both in possession of your physical card and able to guess or otherwise get hold of your PIN. To gain access to your supposedly secure wireless network, however, they don’t need physical access to your router, computer card or anything: they can just set their own computer loose on trying every possible combination.
There’s a useful "how long to crack my password" calculator – called Haystack – at the Steve Gibson GRC security site, which is accurate enough for a rough estimate, although the maths boffins will tell you that it’s far from perfect.
The trouble is, security researchers have now released a tool called Reaver that can exploit this WPS weakness to enable anyone to crack the simpler WPS PIN, which in turn reveals the clear-text version of your router’s WPA2 Pre-Shared Key (PSK).
The full eight-digit PIN would have more than 100 million combinations, whereas the reduced-digit PIN has only 11,000 or thereabouts. It matters not one jot how complex the PSK lying behind the PIN is, because by using the WPS method you’re in effect "protecting" your Wi-Fi network with a simple four-digit PIN.
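The arithmetic behind the 11,000 figure, as an added example that is not part of the original article: WPS confirms the two halves of the PIN separately, and the eighth digit is a check digit computed from the first seven, so the worst case is 10,000 + 1,000 guesses. The three-second guess time and the lockout policy are constructed values for illustration, not measurements.

```python
# Added example (not from the article). Rates and lockout policy are constructed.

def wps_check_digit(first7: str) -> int:
    """Eighth PIN digit, derived from the first seven (weights 3,1,3,1,...)."""
    total = sum(int(d) * (3 if i % 2 == 0 else 1) for i, d in enumerate(first7))
    return (10 - total % 10) % 10

def is_valid_pin(pin: str) -> bool:
    """True if an eight-digit PIN carries the correct check digit."""
    return len(pin) == 8 and pin.isdigit() and wps_check_digit(pin[:7]) == int(pin[7])

def guesses_needed(split_verification: bool) -> int:
    """Worst-case number of guesses to cover every valid PIN."""
    if not split_verification:
        return 10 ** 7            # seven free digits, checked as one value
    first_half = 10 ** 4          # digits 1-4, confirmed on their own
    second_half = 10 ** 3         # digits 5-7; digit 8 is the check digit
    return first_half + second_half

def worst_case_seconds(guesses: int, secs_per_guess: int,
                       lock_after: int = 0, lock_secs: int = 0) -> int:
    """Time to try every guess; optional lockout after each N failures."""
    total = guesses * secs_per_guess
    if lock_after:
        total += (guesses // lock_after) * lock_secs
    return total

if __name__ == "__main__":
    SECS_PER_GUESS = 3            # constructed figure for illustration
    for label, split in (("single 8-digit check", False), ("split halves", True)):
        n = guesses_needed(split)
        plain = worst_case_seconds(n, SECS_PER_GUESS) / 3600
        locked = worst_case_seconds(n, SECS_PER_GUESS, lock_after=3, lock_secs=60) / 3600
        print(f"{label:22} {n:>10,} guesses  {plain:9.1f} h  {locked:9.1f} h with lockout")
```

Under these constructed figures a lockout stretches the split search from about 9 hours to about 70, so it slows the search rather than stopping it.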
Am I being stupid? How do you get 11000 combinations from 4 digits?
By ChrisH on 19 Feb 2013
Only 11,000 ?
At the risk of being facetious, four hex digits give you 65,536 possible combinations. I'll get my coat.
By howardabates1 on 21 Feb 2013