Wi-Fi Protected Setup and Hacking Attacks

By Kevin Beaver

Wi-Fi Protected Setup (WPS) is a wireless standard that enables simple connectivity to “secure” wireless APs. The problem with WPS is that its implementation of registrar PINs makes it easy to connect to the wireless network and can facilitate attacks on the very WPA/WPA2 pre-shared keys used to lock down the overall system. With security, everything’s a tradeoff!

WPS is intended for consumer use in home wireless networks. If your wireless environment is like most others that I see, it probably contains consumer-grade wireless APs (routers) that are vulnerable to this attack.

The WPS attack is relatively straightforward using an open source tool called Reaver. Reaver works by executing a brute-force attack against the WPS PIN. Reaver Pro is a device that you connect your testing system to over Ethernet or USB. Reaver Pro’s interface, as shown here, is pretty straightforward.

The Reaver Pro startup window.

Running Reaver Pro is easy. You simply follow these steps:

  1. Connect to the Reaver Pro device by plugging your testing system into the PoE LAN network connection. You should get an IP address from the Reaver Pro device via DHCP.

  2. Load a web browser and browse to http://10.9.8.1 and log in with reaver/foo as the username and password.

  3. On the home screen, press the Menu button and a list of wireless networks should appear.

  4. Select your wireless network from the list and then click Analyze.

  5. Let Reaver Pro run and do its thing.

    This process is shown here.

    Using Reaver Pro to determine that Wi-Fi Protected Setup is enabled.

If you wish to have Reaver Pro automatically start cracking your WPS PIN, you’ll need to click Configure and set the WPS Pin setting to On. WPS PIN cracking can take anywhere from a few minutes to a few hours, but if successful, Reaver Pro will return the WPA pre-shared key or will tell you that the wireless network is too far away or that intruder lockout is enabled.

Countermeasures against the WPS PIN flaw

It’s rare to come across a security fix as straightforward as this one: Disable WPS. If you need to leave WPS enabled, at least set up MAC address controls on your AP(s). It’s not foolproof, but it’s better than nothing! More recent consumer-grade wireless routers also have intruder lockout for the WPS PIN. If the system detects WPS PIN cracking attempts, it will lock out those attempts for a certain period of time. The best thing you can do to prevent WPS attacks in the enterprise is to not use low-end wireless routers in the first place.
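The intruder lockout described above, as an added simulation (not code from this book, from Reaver Pro, or from any router firmware): an AP-side guard that refuses WPS attempts for a cooling-off period after a run of bad PINs, driven by a constructed clock so you can see how many PIN exchanges the AP actually processes during a guessing burst with and without lockout. The failure threshold, lockout length, and peer MAC address are assumed values, not any vendor’s defaults.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List


class FakeClock:
    """Constructed clock so the simulation is instant and deterministic."""
    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t


@dataclass
class WpsLockout:
    """AP-side guard: after max_failures bad PINs in a row, refuse all WPS
    attempts for lockout_seconds. Thresholds are assumed, not vendor defaults."""
    max_failures: int = 3
    lockout_seconds: float = 60.0
    clock: Callable[[], float] = time.monotonic
    failures: int = 0
    locked_until: float = 0.0
    events: List[str] = field(default_factory=list)  # alertable log lines

    def attempt(self, peer: str, pin_ok: bool) -> str:
        """'refused' (lockout active, exchange never run), 'ok', 'fail', or 'locked'."""
        now = self.clock()
        if now < self.locked_until:
            return "refused"
        if pin_ok:
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures < self.max_failures:
            return "fail"
        self.locked_until = now + self.lockout_seconds
        self.failures = 0
        self.events.append(f"WPS lockout: {self.max_failures} bad PINs from {peer} at t={now:.0f}s")
        return "locked"


def run_guessing_burst(guesses: int, guard: WpsLockout, clock: FakeClock,
                       peer: str = "aa:bb:cc:dd:ee:ff") -> Dict[str, int]:
    """Feed `guesses` wrong PINs one per second; count exchanges run vs. refused."""
    ran = refused = 0
    for _ in range(guesses):
        if guard.attempt(peer, pin_ok=False) == "refused":
            refused += 1
        else:
            ran += 1
        clock.t += 1.0  # next guess arrives a second later
    return {"ran": ran, "refused": refused}
```

With the assumed thresholds, a two-minute burst of 120 bad PINs gets only 6 real PIN exchanges through and leaves two lockout events for the admin to notice; the same burst against an AP without lockout runs all 120.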