How secure is your Wi-Fi network?
Posted on 18 Feb 2013 at 14:00
Davey Winder warns about new Wi-Fi vulnerabilities and weak wireless passwords
A recent survey by web-hosting outfit UK2 in conjunction with YouGov reveals that the British public isn’t all that "bovvered" whether or not the public Wi-Fi hotspots they connect to are encrypted, although these same folk are more likely to check that their home Wi-Fi is secured.
It obviously isn't merely a matter of security awareness but one of trust – misplaced trust in the hotel, coffee shop or pub that offers the free Wi-Fi service (or the provider behind it). It shouldn't need saying today that the WEP and WPA protocols are about as safe as Lib Dem MPs’ seats, but now it appears that the Wi-Fi Protected Setup (WPS) protocol has been well and truly compromised too.
"WP what?" I hear you mutter. It's just that button you probably pressed to secure your wireless router when you set it up for your home or small-business network, the one that did away with manual security configuration and made wireless security so simple and quick. Or so you believed. The truth is rather less certain, because WPS is vulnerable to attack, although not through its big red button.
A different aspect of WPS is an eight-digit PIN you have to enter instead of pressing that button, and it’s this PIN version of the protocol that’s been shown to be much less secure than everyone had assumed.
It seems that in order to crack the encryption via a standard brute-force attack, hackers don’t need to uncover all eight digits of that PIN – which would take quite a lot of time and computing resources – but have to decipher only the first four. That secure-looking PIN isn’t actually so secure after all.
Sure, your bank card employs a four-digit PIN, and both banks and customers seem happy enough to place their trust in that when placing it in an ATM, but there’s a big difference between these two seemingly identical authentication scenarios.
To take your money out of a cash machine, any would-be villain has to be both in possession of your physical card and able to guess or otherwise get hold of your PIN. To gain access to your supposedly secure wireless network, however, they don’t need physical access to your router, computer card or anything: they can just set their own computer loose on trying every possible combination.
There’s a useful "how long to crack my password" calculator – called Haystack – at the Steve Gibson GRC security site, which is accurate enough for a rough estimate, although the maths boffins will tell you that it’s far from perfect.
The trouble is, security researchers have now released a tool called Reaver that can exploit this imperfection to enable anyone to crack the simpler WPS PIN, which in turn reveals the clear-text version of your router’s WPA2 Pre-Shared Key (PSK).
The full eight-digit PIN would have more than 100 million combinations, whereas the reduced-digit PIN has only 11,000 or thereabouts. It matters not one jot how complex the PSK lying behind the PIN is, because by using the WPS method you’re in effect "protecting" your Wi-Fi network with a simple four-digit PIN.
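The 11,000 figure, worked through as an added example that is not part of the original article: under the WPS specification the router checks the PIN's first four digits and its last four separately, and the eighth digit is a checksum of the other seven, so the halves are exhausted in at most 10,000 + 1,000 guesses. The model runs entirely locally against a constructed PIN; the two seconds per guess and the lockout values are assumptions, chosen to show how much a lockout policy changes exposure.

```python
# Added example (not from the article): a local model of WPS PIN checking.
# Split checking and the checksum digit follow the WPS specification; the
# timing and lockout figures passed to hours_to_exhaust() are assumptions.

def wps_checksum(first7: int) -> int:
    """Eighth PIN digit, computed from the first seven."""
    accum = 0
    while first7:
        accum += 3 * (first7 % 10)
        first7 //= 10
        accum += first7 % 10
        first7 //= 10
    return (10 - accum % 10) % 10

def make_pin(first7: int) -> str:
    return f"{first7:07d}{wps_checksum(first7)}"

def check(pin: str, guess: str) -> str:
    """Model of the router's reply: it reveals which half was wrong."""
    if guess[:4] != pin[:4]:
        return "first-half-wrong"
    if guess[4:] != pin[4:]:
        return "second-half-wrong"
    return "ok"

def worst_case_guesses() -> int:
    """Guesses needed when the right value of each half comes last."""
    pin = make_pin(9_999_999)  # constructed PIN, not a real device's
    guesses, first = 0, ""
    for a in range(10_000):              # stage 1: 10^4 possible first halves
        guesses += 1
        if check(pin, f"{a:04d}0000") != "first-half-wrong":
            first = f"{a:04d}"
            break
    for b in range(1_000):               # stage 2: 10^3, digit 8 is derived
        guesses += 1
        if check(pin, make_pin(int(f"{first}{b:03d}"))) == "ok":
            break
    return guesses

def hours_to_exhaust(guesses, secs_per_guess, lock_after=0, lock_secs=0):
    """Upper bound on hours to try every guess, with optional lockout."""
    locks = guesses // lock_after if lock_after else 0
    return (guesses * secs_per_guess + locks * lock_secs) / 3600

if __name__ == "__main__":
    n = worst_case_guesses()
    print(n, "guesses;", f"{hours_to_exhaust(n, 2):.1f} h with no lockout")
    print(f"{hours_to_exhaust(n, 2, 3, 300):.1f} h locking 5 min per 3 failures")
```

Under these assumed timings a lockout stretches the worst case from hours to days, but the search space stays at 11,000 however long the PSK behind it is.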
Am I being stupid? How do you get 11000 combinations from 4 digits?
By ChrisH on 19 Feb 2013
Only 11,000?
At the risk of being facetious, four hex digits give you 65,536 possible combinations. I'll get my coat.
By howardabates1 on 21 Feb 2013