How secure is your Wi-Fi network?
Posted on 18 Feb 2013 at 14:00
Davey Winder warns about new Wi-Fi vulnerabilities and weak wireless passwords
A recent survey by web-hosting outfit UK2 in conjunction with YouGov reveals that the British public isn’t all that "bovvered" whether or not the public Wi-Fi hotspots they connect to are encrypted, although these same folk are more likely to check that their home Wi-Fi is secured.
It obviously isn't merely a matter of security awareness but one of trust – misplaced trust in the hotel, coffee shop or pub that offers the free Wi-Fi service (or the provider behind it). It shouldn't need saying today that the WEP and WPA protocols are about as safe as Lib Dem MPs’ seats, but now it appears that the Wi-Fi Protected Setup (WPS) protocol has been well and truly compromised too.
It shouldn't need saying today that the WEP and WPA protocols are about as safe as Lib Dem MPs’ seats
"WP what?" I hear you mutter. It's just that button you probably pressed to secure your wireless router when you set it up for your home or small-business network, the one that did away with manual security configuration and made wireless security so simple and quick. Or so you believed. The truth is rather less certain, because WPS is vulnerable to attack, although not through its big red button.
A different aspect of WPS is an eight-digit PIN you have to enter instead of pressing that button, and it’s this PIN version of the protocol that’s been shown to be much less secure than everyone had assumed.
It seems that in order to crack the encryption via standard brute-force attack, hackers don’t need to uncover all eight digits of that PIN – which would take quite a lot of time and computing resources – but have to decipher only the first four. That secure-looking PIN isn’t actually so secure after all.
Sure, your bank card employs a four-digit PIN, and both banks and customers seem happy enough to place their trust in that when placing it in an ATM, but there’s a big difference between these two seemingly identical authentication scenarios.
To take your money out of a cash machine, any would-be villain has to be both in possession of your physical card and able to guess or otherwise get hold of your PIN. To gain access to your supposedly secure wireless network, however, they don’t need physical access to your router, computer card or anything: they can just set their own computer loose on trying every possible combination.
There’s a useful "how long to crack my password" calculator – called Haystack – at the Steve Gibson GRC security site, which is accurate enough for a rough estimate, although the maths boffins will tell you that it’s far from perfect.
The trouble is, security researchers have now released a tool called Reaver that can exploit this imperfection to enable anyone to crack the more simple WPS PIN and access the clear-text version of your router’s WPA2 Pre-Shared Key (PSK), which is then revealed as a result.
The full eight-digit PIN would have more than 100 million combinations, whereas the reduced-digit PIN has only 11,000 or thereabouts. It matters not one jot how complex the PSK lying behind the PIN is, because by using the WPS method you’re in effect "protecting" your Wi-Fi network with a simple four-digit PIN.
Am I being stupid, how you get 11000 combinations from 4 digits?
By ChrisH on 19 Feb 2013
Only 11,000 ?
At the risk of being facetious. four hex digits give you 65,536 possible combinations. I'll get my coat.
By howardabates1 on 21 Feb 2013
- How to sell more ebooks on Amazon
- 10 ways to make your business more secure
- Top five VoIP mistakes
- How to add in-app purchasing to an iPhone, Android or Windows app
- Remote-control ransomware: TeamViewer and software hardball
- Why laptops with serial ports matter to the Internet of Things
- Make your mobile battery last longer
- Small steps into handling Big Data
- Nexus 5: does it really run stock Android?
- How to get broadband to a garden office
- Google Glass: mugger bait, pub problem and other lessons learned from two dangerous weeks
- Twitter, please don't fiddle with my feed
- How Satya Nadella can get some pay-raise karma
- Windows 10: a step back to go forward
- Michael Dell: Cloud infrastructure is the roads, bridges and highways of the 21st century
- How to check your identity hasn’t been sold to the hackers
- Tim Cook: this is how much TV has changed since the 70s
- Westminster wins the .London battle
- 20 years of PC Pro: from deep pan pizza to virtualisation
- Five reasons why the Apple Watch leaves me cold
- Will HP finally split into two companies?
- Chromebooks get version of Photoshop
- Toshiba beats retreat from consumer PC market
- Ellison steps down: but who's really running Oracle now?
- Microsoft set to make more job cuts
- Is Peter Pan panto tickets email genuine? Oh no, it isn't
- Intel triples Xeon E5 chip performance, adds DDR4
- Patch Tuesday targets critical IE flaw
- Microsoft refuses to hand over customer emails
- Microsoft yanks Windows 8.1 update after crash reports