Security researchers break wireless router protection by brute-forcing the PIN

26.12.2011 Version 3 Stefan Viehböck twitter/sviehb
Brute forcing Wi-Fi Protected Setup
When poor design meets poor implementation.
Introduction
“Wi-Fi Protected Setup™ is an optional certification program from the Wi-Fi Alliance that is designed to ease the task of setting up and configuring security on wireless local area networks. Introduced by the Wi-Fi Alliance in early 2007, the program provides an industry-wide set of network setup solutions for homes and small office (SOHO) environments.
Wi-Fi Protected Setup enables typical users who possess little understanding of traditional Wi-Fi configuration and security settings to automatically configure new wireless networks, add new devices and enable security. More than 200 products have been Wi-Fi CERTIFIED™ for Wi-Fi Protected Setup since the program was launced (sic!) in January 2007.” [1]
The Wi-Fi Simple Configuration Specification (WSC) is the underlying technology for the Wi-Fi Protected Setup certification.
Almost all major vendors (including Cisco/Linksys, Netgear, D-Link, Belkin, Buffalo, ZyXEL and Technicolor) have WPS-certified devices; other vendors (e.g. TP-Link) ship devices with WPS support that are not WPS-certified.
WPS is activated by default on all devices I had access to.
Although WPS is marketed as being a secure way of configuring a wireless device, there are design and implementation flaws which enable an attacker to gain access to an otherwise sufficiently secured wireless network.
Configuration Options Overview
WPS supports out-of-band configuration over Ethernet/UPnP (also NFC is mentioned in the specification) or in-band configuration over IEEE 802.11/EAP. Only in-band configuration will be covered in this paper.
Terminology [2]
∙The enrollee is a new device that does not have the settings for the wireless network.
∙The registrar provides wireless settings to the enrollee.
∙The access point provides normal wireless network hosting and also proxies messages between the enrollee and the registrar.
[1] /wifi-protected-setup/
[2] download.microsoft/download/a/f/7/af7777e5-7dcd-4800-8a0a-b18336565f5b/WCN-Netspec.doc
Push-Button-Connect (“PBC”)
The user has to push a button, either a physical or a virtual one, on both the access point and the new wireless client device. PBC on the AP stays active only until authentication succeeds or a two-minute timeout expires.
This option is called wps_pbc in wpa_cli [3] (the text-based frontend program for interacting with wpa_supplicant).
PIN
Internal Registrar
The user has to enter the PIN of the Wi-Fi adapter into the web interface of the access point. The PIN can either be printed on the label of the adapter or generated by software. This option is called wps_pin in wpa_cli.
[3] hostap.epitest.fi/wpa_supplicant/
Figure 1: activated “virtual Push Button” (Windows acts as enrollee) (Windows 7)
Figure 2: Description of PBC option (Linksys WRT320N User Manual)
Figure 3: Description of PIN internal Registrar option (Linksys WRT320N User Manual)
Figure 4: PIN field – Router is Registrar (Linksys WRT320N Web Interface)
External Registrar
The user has to enter the PIN of the access point into a form on the client device (e.g. a computer).
This option is called wps_reg in wpa_cli.
Figure 5: Description of PIN external Registrar option (Linksys WRT320N User Manual)
Figure 6: Windows Connect Now Wizard acting as a Registrar (Windows 7)
Figure 7: Label with WPS PIN on the back of a D-Link router
Design Flaw #1
Option                      Physical Access    Web Interface
Push-button-connect         X
PIN – Internal Registrar                       X
PIN – External Registrar

WPS options and the kind of authentication each of them actually requires.
As the External Registrar option does not require any kind of authentication apart from providing the PIN, it is potentially vulnerable to brute force attacks.
Authentication (PIN – External Registrar) [4]
If the WPS-authentication fails at some point, the AP will send an EAP-NACK message.
[4] based on download.microsoft/download/a/f/7/af7777e5-7dcd-4800-8a0a-b18336565f5b/WCN-Netspec.doc
Design flaw #2
An attacker can derive information about the correctness of parts of the PIN from the AP's responses.
∙If the attacker receives an EAP-NACK message after sending M4, he knows that the 1st half of the PIN was incorrect.
∙If the attacker receives an EAP-NACK message after sending M6, he knows that the 2nd half of the PIN was incorrect.
This form of authentication dramatically decreases the maximum number of authentication attempts needed from 10^8 (= 100,000,000) to 10^4 + 10^4 (= 20,000).
As the 8th digit of the PIN is always a checksum of digits one to seven, at most 10^4 + 10^3 (= 11,000) attempts are needed to find the correct PIN.
Brute Force Methodology
Figure 8: Flowchart showing how an optimized brute force attack works
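To make the arithmetic of design flaw #2 and the flowchart above concrete, here is an added Python model (not code from the paper or from any WPS implementation) of the response oracle: an in-memory stand-in for the registrar answers with the position of the EAP-NACK, and a counter shows that the resulting search never exceeds 10^4 + 10^3 attempts. The checksum weights follow the WSC specification; the PIN values used are constructed.

```python
# Added example: local model of the WPS PIN oracle (design flaw #2). Nothing here
# touches a network; the "registrar" is an in-memory stand-in used to count attempts.

def wps_pin_checksum(first7: str) -> int:
    """Checksum digit for a 7-digit PIN prefix (WSC spec: weights 3,1,3,1,3,1,3)."""
    acc = sum((3 if i % 2 == 0 else 1) * int(d) for i, d in enumerate(first7))
    return (10 - acc % 10) % 10


class SplitVerifyingRegistrar:
    """Stand-in for an AP that checks the PIN halves separately (design flaw #2):
    EAP-NACK after M4 if digits 1-4 are wrong, after M6 if digits 5-8 are wrong."""

    def __init__(self, pin: str):
        assert len(pin) == 8 and int(pin[7]) == wps_pin_checksum(pin[:7])
        self._first, self._second = pin[:4], pin[4:]
        self.attempts = 0  # every M4 sent counts as one authentication attempt

    def try_pin(self, pin: str) -> str:
        self.attempts += 1
        if pin[:4] != self._first:
            return "EAP-NACK after M4"   # leaks: first half wrong
        if pin[4:] != self._second:
            return "EAP-NACK after M6"   # leaks: first half right, second half wrong
        return "M7"                      # AP continues the handshake: PIN correct


def attempts_to_recover(registrar: SplitVerifyingRegistrar) -> int:
    """Attempts the oracle-guided search needs; worst case is 10^4 + 10^3 = 11,000."""
    for a in range(10**4):                      # phase 1: first half only
        first = f"{a:04d}"
        if registrar.try_pin(first + "0000") != "EAP-NACK after M4":
            break
    for b in range(10**3):                      # phase 2: digits 5-7; digit 8 is derived
        second = f"{b:03d}"
        second += str(wps_pin_checksum(first + second))
        if registrar.try_pin(first + second) == "M7":
            return registrar.attempts
    raise RuntimeError("oracle model inconsistent with checksum rule")


if __name__ == "__main__":
    worst = SplitVerifyingRegistrar("99999995")   # constructed worst-case PIN
    print(attempts_to_recover(worst), "attempts; bound is", 10**4 + 10**3)
    print("an AP that answered only after the full PIN would allow", 10**7)
```

An AP that answers only after receiving the full PIN (and still with the checksum digit known) would force up to 10^7 attempts; the split response is what collapses this to 11,000.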
