Wi-Fi Security: The Rise and Fall of WPS
Wireless local-area networks, also referred to as WLANs or Wi-Fi, are everywhere today: in offices, colleges, hotels, cafes and homes. Many Wi-Fi product vendors and service providers offer different products with different services and features. The main reasons for this popularity are the convenience, mobility and ease of deployment that a wireless network offers compared to a wired one. The end user can access the network without the hassle of managing cables.
Wireless networks are based on the Institute of Electrical and Electronics Engineers (IEEE) 802.11 set of standards for WLANs.
Protocols:
The IEEE 802.11 network protocol standards are listed in figure 1.
Figure 1. 802.11 Network Standards (source: http://www.wikipedia.org )
Some years back, wireless networks were a niche technology used for very specific applications. Today they are everywhere, and our smartphones, tablets and laptops constantly discover new Wi-Fi access points, many of which are not secured at all. Most of us have used such access points at some point to reach the internet without realizing how little security they provide.
An insecure Wi-Fi network poses a threat not only to its owner but to every user who connects to it. The first line of defense for a Wi-Fi network is encryption of the traffic between the Wi-Fi enabled device (smartphone, tablet, laptop etc.) and the wireless router. Wi-Fi Protected Access (WPA) and the more recent WPA2 have replaced the older and less secure Wired Equivalent Privacy (WEP). WPA2 is the one to use, as WEP is easy to crack. WPA and WPA2 are two security protocols and security certification programs developed by the Wi-Fi Alliance to secure wireless computer networks by providing an encryption mechanism. But common users know little about wireless security and are intimidated by the options involved in setting these methods up.
Because of this lack of awareness and of the implementation issues with these protocols, in 2007 the Wi-Fi Alliance came up with Wi-Fi Protected Setup (WPS), which lets home users add new devices to an existing Wi-Fi network without entering long passphrases.
Wi-Fi Protected Setup (WPS), originally known as Wi-Fi Simple Config, is a standard that aims to make the establishment of a secure wireless home network easy. Almost all major Wi-Fi product vendors (Cisco/Linksys, Netgear, D-Link, Belkin, Buffalo, Technicolor etc.) have WPS-certified devices, and WPS is enabled by default on almost all devices that support it. The main emphasis of the standard is on usability along with security.
Usage Methods
WPS provides four usage modes for adding a new device to an existing network. They are explained below, after some terminology used in the explanation:
Terminology:
Enrollee: a new device that needs to be added to the network and does not yet have the settings for the wireless network.
Registrar: the party that provides the wireless settings to the enrollee.
Access Point (AP): the device that hosts the wireless network and acts as an intermediary passing messages between the enrollee and the registrar.
The four modes provided by WPS can be classified into two groups, in-band and out-of-band. The classification is based on the channel used for the information transfer.
In-Band modes:
Currently
only these two modes are covered by WPS certification.
Push-Button-Connect (PBC):
The user merely has to push a button, either a physical or a virtual one, on both the Access Point (or a registrar of the network) and the new wireless client device (enrollee). Support for this mode is mandatory for Access Points but optional for connecting devices. Figure 2 shows a Windows 7 machine as an enrollee. PBC on the AP stays active only until authentication has succeeded or a timeout of two minutes (or a vendor-specific period) has elapsed. This option is called wps_pbc in wpa_cli, the text-based frontend that interacts with wpa_supplicant; wpa_supplicant is a WPA supplicant for Linux, BSD, Mac OS X and Windows with support for WPA and WPA2.
Figure 2. Activated virtual push button (Windows 7: Enrollee)
(Source: http://sviehb.files.wordpress.com/2011/12/viehboeck_wps.pdf)
PIN Mode:
In this method a Personal Identification Number (PIN) has to be read from either a label or the display of the new wireless device. Figure 3 shows a WPS PIN on the label of a D-Link router. This PIN must then be entered at the representative of the network (usually the AP). Alternatively, the PIN of the Access Point may be entered into the new device. The two variants can also be described in terms of which side acts as registrar:
Internal Registrar
The user enters the PIN of the Wi-Fi adapter into the web interface of the AP. This option is called wps_pin in wpa_cli.
External Registrar
The user enters the PIN of the AP into a form on the client device (e.g. a computer). This option is called wps_reg in wpa_cli.
The PIN Method is the mandatory standard
method; every Wi-Fi Protected Setup (WPS) certified product needs to support
it.
Figure 3. WPS PIN on D-Link router
(Source: http://sviehb.files.wordpress.com/2011/12/viehboeck_wps.pdf)
Out-of-Band modes:
These two modes are not covered by WPS certification.
Near-Field-Communication (NFC) method:
In this method the user merely has to bring the new client close to the Access Point to allow near field communication between the two devices. The NFC method offers strong protection against adding an unintended device to the network. Support for this mode is optional and it is not widely deployed.
USB method:
In this method the user uses a USB drive to transfer data between the new client device and the Access Point of the network. Support for this mode is optional, and the method is deprecated.
Protocol
Wi-Fi Protected Setup does not add security features to devices. It simply makes the existing security features easy to enable and configure. One of the key elements of the WPS protocol is the Extensible Authentication Protocol (EAP). EAP is an authentication framework often used in wireless networks and point-to-point connections. It provides for the transport and use of keying material and parameters generated by EAP methods.
The WPS protocol consists of a sequence of EAP message exchanges that are initiated by a user action and relies on an exchange of descriptive information that precedes that user action.
This descriptive information is transmitted through a new Information Element (IE; a tagged, variable-length field inside an 802.11 management frame) that is added to the beacon (the management frame periodically sent by the AP) and probe response, and optionally to the probe request and association request/response messages.
Besides purely informative Type-Length-Value (TLV) attributes, the IE carries the configuration methods the device supports and the ones currently enabled.
A human trigger is required to initiate the actual protocol session after the capabilities of the devices on both ends have been identified. The session consists of 8 messages followed by a message indicating that the protocol is complete (in case of a successful session). The exact sequence of messages may vary when configuring different kinds of devices (AP or STA).
Until very recently this protocol gave users an easy way to set up security on their Wi-Fi networks, but a recently discovered flaw has again put wireless networks, and hence their users, at risk.
Security Issue
In December 2011 the freelance information security researcher Stefan Viehböck reported a design and implementation flaw in WPS that makes WPS-enabled wireless networks vulnerable to a very basic attack technique: brute force. Put simply, an attacker tries thousands of combinations in rapid sequence until he or she hits the correct 8-digit PIN that authenticates to the device. A successful attack on WPS gives an unauthorized user access to the network. Viehböck's research paper can be found at http://sviehb.files.wordpress.com/2011/12/viehboeck_wps.pdf.
The vulnerability was also independently discovered by Craig Heffner of Tactical Network Solutions, and it lies in how the router responds when incorrect PINs are entered: the router implementing WPS indicates separately whether the first half and the second half of the PIN are correct.
The vulnerability revolves around the acknowledgement messages exchanged between the registrar and the enrollee while a PIN is validated. The PIN, printed on the label of each WPS-enabled Wi-Fi router, is an 8-digit number. As the last digit is a checksum of the previous seven, there are seven unknown digits in each PIN, giving 10^7 = 10,000,000 possible combinations. When a PIN is presented, the first and second halves are validated and reported separately by the device checking it; in the external registrar case that device is the AP, which answers a wrong first half with an EAP-NACK after the registrar's message M4 and a wrong second half with an EAP-NACK after message M6.
The maximum number of guesses required to recover the PIN therefore drops to 11,000 (10^4 = 10,000 for the first half plus 10^3 = 1,000 for the second half, whose last digit is fixed by the checksum). This is a reduction by about three orders of magnitude from the number of PINs that would have to be tested in the absence of the design flaw (10^7 = 10,000,000). The result is a practical attack that can be completed within hours. How hard the flaw is to exploit depends on the vendor's implementation of WPS: router manufacturers could guard against this attack by slowing down or disabling the WPS feature after a number of failed PIN validations.
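To make the split validation concrete, the following Python simulation is added here as an illustration; it is not Reaver, wpscrack or any vendor's code. It implements the PIN checksum, reduces the AP's EAP behaviour to a function returning the equivalent verdict (NACK after M4 for a wrong first half, NACK after M6 for a wrong second half), and runs the two-phase search against it. The 1.3 seconds per attempt and the lock-down policy are assumed parameters, included so that the effect of the vendor mitigation discussed under Mitigation below can be quantified; the PIN 12345670 is a constructed example that passes the checksum.

```python
"""WPS PIN checksum and the split-PIN brute force (added illustration).

SimulatedAP stands in for an AP validating the PIN presented by an external
registrar; its verdicts mirror the EAP-NACK timing described in the text.
Per-attempt time and lock-down values are assumptions, not measurements.
"""


def wps_pin_checksum(seven_digits: str) -> int:
    """Return the 8th (check) digit for the first seven digits of a WPS PIN.

    Digits in positions 1, 3, 5 and 7 are weighted 3, the others 1; the
    check digit brings the weighted sum up to a multiple of 10.
    """
    if len(seven_digits) != 7 or not seven_digits.isdigit():
        raise ValueError("expected exactly seven decimal digits")
    total = sum((3 if i % 2 == 0 else 1) * int(d)
                for i, d in enumerate(seven_digits))
    return (10 - total % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    """True if pin is eight digits whose last digit is the correct checksum."""
    return (len(pin) == 8 and pin.isdigit()
            and int(pin[7]) == wps_pin_checksum(pin[:7]))


class SimulatedAP:
    """Minimal model of an AP validating a PIN from an external registrar.

    lockdown_after=0 models the flawed behaviour: the AP never slows down.
    With lockdown_after=N and lockdown_seconds=T the AP refuses attempts for
    T seconds after every N consecutive failures (the vendor mitigation).
    """

    def __init__(self, pin: str, seconds_per_attempt: float = 1.3,
                 lockdown_after: int = 0, lockdown_seconds: float = 0.0):
        if not is_valid_wps_pin(pin):
            raise ValueError("PIN fails the WPS checksum")
        self.pin = pin
        self.seconds_per_attempt = seconds_per_attempt  # assumed value
        self.lockdown_after = lockdown_after
        self.lockdown_seconds = lockdown_seconds
        self.failures = 0
        self.clock = 0.0        # simulated attacker time in seconds
        self.locked_until = 0.0

    def attempt(self, guess: str) -> str:
        """Process one 8-digit guess; return 'nack_m4', 'nack_m6' or 'ok'."""
        if self.clock < self.locked_until:
            self.clock = self.locked_until   # attacker waits out the lock-down
        self.clock += self.seconds_per_attempt
        if guess[:4] != self.pin[:4]:
            verdict = "nack_m4"              # first half wrong: NACK after M4
        elif guess[4:] != self.pin[4:]:
            verdict = "nack_m6"              # second half wrong: NACK after M6
        else:
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.lockdown_after and self.failures >= self.lockdown_after:
            self.failures = 0
            self.locked_until = self.clock + self.lockdown_seconds
        return verdict


def brute_force_pin(ap: SimulatedAP):
    """Recover the PIN from the half-by-half verdicts.

    Returns (pin, attempts, simulated_seconds).  Worst case is
    10,000 + 1,000 = 11,000 attempts instead of 10,000,000.
    """
    attempts = 0
    # Phase 1: the first four digits.  The tail is a placeholder, because a
    # wrong first half is rejected before the AP ever looks at the second.
    first_half = None
    for i in range(10_000):
        candidate = f"{i:04d}"
        attempts += 1
        verdict = ap.attempt(candidate + "0000")
        if verdict == "ok":
            return candidate + "0000", attempts, ap.clock
        if verdict == "nack_m6":
            first_half = candidate
            break
    if first_half is None:
        raise RuntimeError("no first half accepted; AP not behaving as modelled")
    # Phase 2: three free digits; the eighth is fixed by the checksum,
    # so only 1,000 candidates remain.
    for j in range(1_000):
        tail = f"{j:03d}"
        candidate = first_half + tail + str(wps_pin_checksum(first_half + tail))
        attempts += 1
        if ap.attempt(candidate) == "ok":
            return candidate, attempts, ap.clock
    raise RuntimeError("second half not found")


if __name__ == "__main__":
    for policy in ({}, {"lockdown_after": 3, "lockdown_seconds": 60.0}):
        ap = SimulatedAP("12345670", **policy)   # constructed example PIN
        pin, attempts, seconds = brute_force_pin(ap)
        print(f"policy={policy or 'none'}: PIN {pin} after {attempts} attempts, "
              f"~{seconds / 3600:.1f} simulated hours")
```

Without a lock-down the search never needs more than 11,000 attempts, and the second phase is cheap because the checksum removes one digit of freedom. With a lock-down of 60 seconds after every 3 failures the simulated time for the same PIN grows from under an hour to more than ten hours; the block lets you plug in a longer lock-down to see at what point the attack stops being practical.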
Two tools have been developed as proof of concept to show that the attack is practical. Tactical Network Solutions, the Maryland-based firm that released the first tool, 'Reaver', states that it has been aware of the vulnerability since early 2011 and has been using it. Tactical Network Solutions decided to release the tool after the vulnerability was made public. It also sells a commercial version called Reaver Pro with some additional features. Reaver is hosted on Google Code at http://code.google.com/p/reaver-wps/. Its authors say that it can recover a router's plain-text WPA or WPA2 passphrase in 4 to 10 hours, depending on the access point.
The second tool is a proof-of-concept brute-force tool implemented in Python. It is a bit faster than Reaver but supports fewer wireless adapters, as stated on the author's website (http://sviehb.wordpress.com/). This tool can be found at http://dl.dropbox.com/u/22108808/wpscrack.zip. Figure 4 shows the help output of Reaver.
Reaver runs on Linux. Its only requirement is a wireless card capable of raw packet injection. To start, the wireless card must be put into monitor mode, which is easily done with the airmon-ng tool from the aircrack-ng wireless security testing suite. The only mandatory arguments to Reaver are the interface name and the BSSID of the target AP. For additional output, the verbose option may be enabled with the argument '-v'. Giving the verbose option twice (-vv) increases verbosity further and displays each PIN as it is attempted, as shown in figure 5.
Reaver keeps brute-forcing PINs until an attempt succeeds. Figure 6 shows a WPS PIN successfully cracked in 32286 seconds.
Mitigation
End users can disable WPS to prevent the attack, but because of the lack of awareness most people never turn it off, and some access points do not even provide an option to disable WPS.
Vendors can mitigate the flaw by introducing sufficiently long lock-down periods after unsuccessful attempts, making the attack impractical. This requires a new firmware release. Vendors also need to test protocols thoroughly before implementing them on their devices, so that such flaws do not come up in the future.
Conclusion
Today we are surrounded by Wi-Fi networks and have all used them at some point, without giving security a thought. The issue discussed in this article is not the only issue in wireless security, but it is a recent and major one affecting the privacy of end users. As noted above, almost all major router/AP vendors have WPS-certified devices, and the WPS PIN method (including the external registrar variant) is mandatory for certification, which leaves a very large number of devices open to this attack.
A sufficiently long lock-down period (the vendor-side mitigation) is most likely not a requirement for WPS certification of a device. It should become a requirement in the new specifications, and vendors need to release new firmware to eliminate the issue. The broader point this issue makes is that other such flaws may already be present in other devices and protocols and be misused by malicious intruders; the most immediate safeguard is awareness among end users. Certifying authorities and vendors also need to test devices and protocols rigorously before deployment, so that security features do not end up creating insecurity.
You can learn Ethical Hacking from the Infosec Institute, one of the leading institutes in the field of Information Security training: http://www.infosecinstitute.com/courses/ethical_hacking_training.html