The WPS Button, a stupid solution to a stupid problem?

SilverSeal

Honorable
Dec 2, 2013
My main question is why there are so many articles on the internet that seem to conclude that WPS by button is much safer than WPS by PIN, although most articles correctly advise not to use WPS at all.

Firstly I will elaborate on what I know about this, which may not be much, and why I am puzzled by that conclusion. So feel free to add your knowledge and thoughts about this. I may be very wrong in my conclusions here, which would explain why the articles fail to emphasize how WPS by button is essentially just as bad. I write this with grammar indicating "we" are the evil "hackers" to better put oneself in the evildoer's point of view.

I think many places explain very well why WPS by 8-digit PIN is insecure, since the NACK is sent differently depending on whether the first four digits were OK, meaning you only have to brute-force a maximum of 10000 attempts to get the first four digits correct and then you can begin with the last 4. And since the last digit is a checksum digit, this will only be a maximum of 1000 attempts (since the first 7 will dictate the last one). So in all you will on average have to use about 5500 attempts.

Some routers then started adding a certain lock-out period after 3 incorrect attempts. But even that is probably not safe. If the average number of attempts is 5500, you will on average have about 1833 lock-out periods (3667 is the worst case, assuming it's 3 attempts before lock-out) before you manage to find the right PIN anyway. With a 5 minute lock-out period, this would equate to 6-7 days of brute forcing it on average. However, that is not a long time at all, considering that the network is very often up 24/7, and consequently so is a neighbour's access to try and brute force it.

Now as far as I have seen how WPS by button actually works at friends and families I have visited, I have never come across that it requires a PIN. I have read that some routers use the button and PIN combo, which is arguably rather safe since it effectively only gives brute forcers a window of a minute or so to attempt brute forcing the PIN each time the button is pressed, but it can not be claimed to be the new default by the look of it. WPS by button without a PIN at all seems to be the new default.

Anyway, what also puzzled me was the lack of information given regarding a successful connection. It's only the connected device that gets any information that the connection was established. So if an average user presses the WPS button and an eavesdropper connects before the intended device does, the average user will most likely just assume "Argh, it didn't work, let's press the button one more time" without even considering for one second that it may not have worked because an intruder stole the connection invite that was intended for your new device.

What this means is that I could just let my devices such as phone, laptop or smart TV constantly attempt to log in to all locally available networks with WPS available and just hope someone in the building presses the WPS button some time and that my device detects it before their intended device does? Correct me if I am wrong.

Of course, pressing the WPS button is not something people do that frequently, but if they do (and there is no PIN, as seems to be the norm), you instantly get access to the network. But yeah, it will probably usually require you to attempt to log in on all nearby networks for several months before you get a hit. However, think about this: a new neighbour moves into the apartment next to you and you can see that they are carrying in all their stuff. It's then reasonable to assume that they will set up their router during the next few days, which will make them prone to press the WPS button if they don't know any better.

OK, so to summarize my opinions regarding these options for WPS, I would come to these conclusions:

WPS by 8-digit PIN only and no lock-out mode:

Time to brute force: Hours

Technical know-how to do it: Rather good, need to analyze packets, NACKs, set up some script that iterates the different PINs in two sections etc.

Vulnerability: EXTREMELY HIGH



WPS by 8-digit PIN only with a 5-15 minute lock-out mode after 3-5 failed attempts:

Time to brute force: Weeks

Technical know-how to do it: Rather good, need to analyze packets, NACKs, set up some script that iterates the different PINs in two sections etc.

Vulnerability: VERY HIGH



WPS by button only:

Time to brute force: Depends a lot. If you suspect someone nearby is setting up a new router (moving into an apartment), it could be hours to days. If no special activities are going on, it could be many months, perhaps even years.

Technical know-how to do it: Not that much; it could actually be done manually if you happen to know exactly when nearby networks are being set up. Be talkative with the new neighbours and you might actually figure it out down to the hour. But even without such a tactic, making your laptop or other devices systematically attempt to log in to wireless networks with WPS is arguably much easier to set up than performing the brute force attempt with packet analysing and iteration of PIN codes.

Vulnerability: VERY HIGH/EXTREMELY HIGH



WPS by button and a PIN:

Time to brute force: On average, assuming you will always get the connection before the intended user, people will have to push the button on average 1833 times assuming the connection locks out after 3 failed attempts. If it does not lock out and the button is activated for 2 minutes, and we assume the average user will use 30 seconds to send the signal from his device (so the 2 minutes will actually not matter) and that you can effectively do one log-in attempt every 2 seconds, an average of 367 button presses will be needed (11000/2/(30/2)). Assuming an average user presses the WPS button 3 times each year, this would equate to centuries.

However, since three quick missed log-in attempts, causing a router to lock down for a while, are likely to cause the neighbour to re-press the button several times (he could not get his device online after all) before either giving up or him/her entering the correct PIN before you have time to enter three incorrect keys, the average number of times the WPS button is pressed could be much higher than 3 times per year due to "your" very activity.

Technical know-how to do it: Rather good, need to analyze packets, NACKs, set up some script that iterates the different PINs in two sections etc.

Vulnerability: HIGH. It will still most likely be the weakest link in your wireless security set-up unless you have a trivial password. Still significantly better than all the other WPS set-ups, but still an unnecessary security risk due to stupid laziness. This is especially true since it is not obvious that the PIN code is even random, but perhaps it can somehow be derived from the MAC address and serial number of the router or something similar. Although the serial number is hard to get hold of, the MAC address is not, and it has already been proven that some routers make it easier to guess the PIN code only from knowing the MAC address (which is rather easily attainable), effectively reducing the time to brute force it to months or years. So what can make us so sure that there aren't more of these uncertainties out there for routers previously thought to be safe in this regard? Why take the chance?



One of the main factors contributing to why I would argue WPS by button only ought to be regarded as equally insecure is how many more people are likely to be technically capable of performing the attempts in a reasonably effective manner. In contrast, only a very small fraction of the general population would be capable of doing the brute forcing of the PIN.

Feel free to comment about this. Why aren't more articles more prone to also point out the obvious risk of the way the WPS button is implemented in most routers?
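The attempt counts above (about 5500 guesses with the NACK split, 1833 lock-out periods, 6-7 days at a 5 minute lock-out, 367 button presses for button-plus-PIN) can be checked with a small model. The following is an added example, not code from the thread; it implements the WPS PIN checksum as defined in the WPS specification and otherwise uses the post's own assumptions (3 attempts per lock-out, 5 minute lock-out, one attempt every 2 seconds, a 30 second button window), which are parameters rather than measured values. It also contrasts the split search with a full search of the 7-digit space, which is what the NACK leak costs the defender.

```python
# Added example: risk-estimation model for WPS PIN brute forcing.
# Not from the forum thread; timing parameters are assumptions taken
# from the post above (2 s per attempt, 3 attempts per lock-out, 300 s
# lock-out, 30 s button window).
import math
from typing import Optional

# Per-digit weights of the WPS PIN checksum (from the WPS specification).
WEIGHTS = (3, 1, 3, 1, 3, 1, 3)


def wps_checksum_digit(first_seven: int) -> int:
    """Return the 8th (checksum) digit for the 7 leading PIN digits."""
    digits = [int(c) for c in f"{first_seven:07d}"]
    acc = sum(w * d for w, d in zip(WEIGHTS, digits))
    return (10 - acc % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    """True if pin is 8 digits and its last digit is the correct checksum."""
    if len(pin) != 8 or not pin.isdigit():
        return False
    return wps_checksum_digit(int(pin[:7])) == int(pin[7])


def expected_attempts(split_leak: bool) -> float:
    """Expected guesses to hit the right PIN.

    A uniform search over N candidates needs (N + 1) / 2 guesses on average.
    With the NACK leak the search runs in two phases: 10^4 first halves,
    then 10^3 second halves (the checksum fixes the last digit).  Without
    the leak the whole 7-digit space (10^7) has to be searched at once.
    """
    if split_leak:
        return (10_000 + 1) / 2 + (1_000 + 1) / 2
    return (10_000_000 + 1) / 2


def estimated_seconds(attempts: float, attempts_per_lockout: Optional[int],
                      lockout_seconds: float, seconds_per_attempt: float) -> float:
    """Wall-clock time for `attempts` guesses under an optional lock-out rule.

    Every `attempts_per_lockout` failures cost one full `lockout_seconds`
    pause, on top of the per-attempt exchange time.
    """
    total = attempts * seconds_per_attempt
    if attempts_per_lockout:
        lockouts = int(attempts) // attempts_per_lockout
        total += lockouts * lockout_seconds
    return total


def button_presses_needed(attempts: float, window_seconds: float,
                          seconds_per_attempt: float,
                          attempts_per_lockout: Optional[int] = None) -> int:
    """Button presses needed when guesses are only accepted while the
    WPS button window is open (button + PIN mode), rounded up."""
    per_press = window_seconds / seconds_per_attempt
    if attempts_per_lockout:
        per_press = min(per_press, attempts_per_lockout)
    return math.ceil(attempts / per_press)


if __name__ == "__main__":
    avg = expected_attempts(split_leak=True)
    print(f"12345670 is a valid WPS PIN: {is_valid_wps_pin('12345670')}")
    print(f"average guesses with NACK leak: {avg:.0f} "
          f"(without leak: {expected_attempts(False):.0f})")
    hours = estimated_seconds(avg, None, 0, 2) / 3600
    days = estimated_seconds(avg, 3, 300, 2) / 86400
    print(f"no lock-out: {hours:.1f} h; 3-attempt / 5-min lock-out: {days:.1f} days")
    print(f"button + PIN, 30 s window: {button_presses_needed(avg, 30, 2)} presses; "
          f"with 3-attempt lock-out: {button_presses_needed(avg, 30, 2, 3)} presses")
```

Running it reproduces the post's figures: roughly 3 hours with no lock-out, about 6.5 days with a 3-attempt/5-minute lock-out, and 367 button presses in button-plus-PIN mode (1834 with the lock-out, one more than the post's 1833 because the model rounds up). The no-leak column, five million guesses on average, shows that the lock-out only matters because the NACK behaviour already shrank the search space by three orders of magnitude.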

 

dgingeri

Distinguished
WPS is a stupid solution to a problem of laziness of the userbase. The problem is that so many people aren't willing to put in even mild effort to do things right. This applies to FAR more than just wireless networking. Let the security hole sit there. Let them get victimized. The ones willing to let security be that bad over having to press a couple keys can get victimized for all I care.
 
I did not read your huge post, but the main problem with WPS is that the standard requires that you accept the PIN in all cases. Anyone who does something like button only is running a non-standard implementation, and some devices will detect this and not connect. So it would be rare for a device to require using the button.

There is a more recently discovered flaw...mostly because nobody could figure out how you could wipe the flash and reload the system and the WPS pin still match the sticker on the bottom of the router.

What was found is that a number of routers use the MAC address to generate the PIN; it is not actually stored. This means you do not even have to guess the PIN, you can calculate it based on the router and the MAC in the SSID broadcast. They have not cracked the methodology for all routers, but it is fair to say that a WPS key that can survive a flash wipe and reload is vulnerable.