US-Cert has put out a vulnerability note during December 2011 regarding a brute force attack against wireless routers. The vulnerability was first discovered by Stefan Viehb\u00f6ck and was subsequently independently reported by Craig Heffner. Craig and his team have now released their tool \u201cReaver\u201d over at Google Code which helps with the brute force attacks. <\/p>\n
<\/p>\n
\n<\/p>\n
<\/p>\n
\nStefan Viehb\u00f6ck’s PoC Brute Force Tool can be found here<\/a>. It is said to be a bit faster than Reaver, but will not work with all Wi-Fi adapters.<\/p>\n <\/p>\n \nMillions of users of wireless routers could possibly be affected by this vulnerability. The list of vendors affected, given below, are only those whose routers are confirmed (tested) to be vulnerable.<\/strong> Just because your router’s brand does not get mentioned in the list does not mean that you are safe. <\/p>\n <\/p>\n \nThe US-Cert Vulnerability statement – VU#723755<\/strong><\/p>\n <\/p>\n \nOverview<\/strong><\/p>\n <\/p>\n \nThe WiFi Protected Setup (WPS) PIN is susceptible to a brute force attack. A design flaw that exists in the WPS specification for the PIN authentication significantly reduces the time required to brute force the entire PIN because it allows an attacker to know when the first half of the 8 digit PIN is correct. The lack of a proper lock out policy after a certain number of failed attempts to guess the PIN on some wireless routers makes this brute force attack that much more feasible.<\/p>\n <\/p>\n \nI. Description<\/strong><\/p>\n <\/p>\n \nWiFi Protected Setup (WPS) is a computing standard created by the WiFi Alliance to ease the setup and securing of a wireless home network. WPS contains an authentication method called “external registrar” that only requires the router’s PIN. By design this method is susceptible to brute force attacks against the PIN.<\/p>\n <\/p>\n \nWhen the PIN authentication fails the access point will send an EAP-NACK message back to the client. The EAP-NACK messages are sent in a way that an attacker is able to determine if the first half of the PIN is correct. Also, the last digit of the PIN is known because it is a checksum for the PIN. This design greatly reduces the number of attempts needed to brute force the PIN. The number of attempts goes from 108 to 104 + 103 which is 11,000 attempts in total.<\/p>\n <\/p>\n \nIt has been reported that some wireless routers do not implement any kind of lock out policy for brute force attempts. This greatly reduces the time required to perform a successful brute force attack. It has also been reported that some wireless routers resulted in a denial-of-service condition because of the brute force attempt and required a reboot.<\/p>\n <\/p>\n \nII. Impact<\/strong><\/p>\n <\/p>\n \nAn attacker within range of the wireless access point may be able to brute force the WPS PIN and retrieve the password for the wireless network, change the configuration of the access point, or cause a denial of service.<\/p>\n <\/p>\n \nIII. Solution<\/strong><\/p>\n <\/p>\n \nWe are currently unaware of a practical solution to this problem.<\/p>\n <\/p>\n \nWorkarounds<\/strong><\/p>\n <\/p>\n \nDisable WPS.<\/p>\n <\/p>\n \nAlthough the following will not mitigate this specific vulnerability, best practices also recommend only using WPA2 encryption with a strong password, disabling UPnP, and enabling MAC address filtering so only trusted computers and devices can connect to the wireless network.<\/p>\n <\/p>\n \n Vendor Information <\/strong><\/p>\n References<\/strong><\/p>\n <\/p>\n \nhttps:\/\/en.wikipedia.org\/wiki\/Wi-Fi_Protected_Setup Wi-Fi Protected Setup PIN brute force vulnerability<\/a><\/p><\/blockquote>\n\n
Vendor<\/TH>
\nStatus<\/TH> Date Notified<\/TH> Date Updated<\/TH><\/TR>
\nBelkin, Inc.<\/TD> Affected<\/TD> <\/TD> 2011-12-27<\/TD><\/TR><\/p>\n Buffalo, Inc.<\/TD> Affected<\/TD> <\/TD> 2011-12-27<\/TD><\/TR>
\nD-Link Systems, Inc.<\/TD> Affected<\/TD> 2011-12-05<\/TD> 2011-12-27<\/TD><\/TR>
\nLinksys (A division of Cisco Systems)<\/TD> Affected<\/TD> 2011-12-05<\/TD> 2011-12-27<\/TD><\/TR>
\nNetgear, Inc.<\/TD> Affected<\/TD> 2011-12-05<\/TD> 2011-12-27<\/TD><\/TR><\/p>\n Technicolor<\/TD> Affected<\/TD> <\/TD> 2011-12-27<\/TD><\/TR>
\nTP-Link<\/TD> Affected<\/TD> <\/TD> 2011-12-27<\/TD><\/TR>
\nZyXEL<\/TD> Affected<\/TD> <\/TD> 2011-12-27<\/TD><\/TR>
\n<\/table>\n
\nhttps:\/\/download.microsoft.com\/download\/a\/f\/7\/af7777e5-7dcd-4800-8a0a-b18336565f5b\/WCN-Netspec.doc
\nhttps:\/\/www.wi-fi.org\/wifi-protected-setup\/<\/p>\n