Security
In December 2011 researcher Stefan Viehböck reported a design and implementation flaw that makes brute-force attacks against PIN-based WPS feasible to perform on WPS-enabled Wi-Fi networks. A successful attack on WPS allows unauthorized parties to gain access to the network. The only effective workaround is to disable WPS.
The vulnerability centers around the acknowledgement messages sent between the registrar and enrollee when attempting to validate a PIN. The PIN is an eight digit number used to add new WPA enrolees to the network. Since the last digit is a checksum of the previous digits, there are seven unknown digits in each PIN, yielding 107 = 10,000,000 possible combinations.
When an enrollee attempts to gain access using a PIN, the registrar reports the validity of the first and second halves of the PIN separately. Since the first half of the pin consists of four digits (10,000 possibilities) and the second half has only three active digits (1000 possibilities), at most 11,000 guesses are needed before the PIN is recovered. This is a reduction by three orders of magnitude from the number of PINs that would have to be tested absent the design flaw. As a result, an attack can be completed in under four hours. The ease or difficulty of exploiting this flaw is implementation dependent, as Wi-Fi router manufacturers could defend against such attacks by slowing or disabling the WPS feature after several failed PIN validation attempts.
A tool has been developed in order to show the attack is practical. The firm that released the tool, Tactical Network Solutions in Maryland, says that it has known about the vulnerability since early 2011 and has been using it.
In some devices, disabling WPS in the user interface does not result in the feature actually being disabled. The device remains vulnerable to attack. Firmware updates have been released for some of these devices so that WPS can be disabled completely.
Read more about this topic: Wi-Fi Protected Setup
Famous quotes containing the word security:
“It seems to me that our three basic needs, for food and security and love, are so mixed and mingled and entwined that we cannot straightly think of one without the others. So it happens that when I write of hunger, I am really writing about love and the hunger for it, and warmth and the love of it and the hunger for it ... and then the warmth and richness and fine reality of hunger satisfied ... and it is all one.”
—M.F.K. Fisher (b. 1908)
“...I lost myself in my work and never felt that marriage would give me the security I wanted. I thought that through the trade union movement we working women could get better conditions and security of mind.”
—Mary Anderson (1872–1964)
“To have in general but little feeling, seems to be the only security against feeling too much on any particular occasion.”
—George Eliot [Mary Ann (or Marian)