If you have set the WPA/WPA2 security protocol on your home or small business wireless router and you think your Wi-Fi is secure, there are two recently released brute force tools that attackers may use to bypass your encryption and burst your security bubble. The irony is that the vulnerability which can be exploited was intended to be a security strength, a usability feature to help the technically clueless set up encryption on their wireless networks. Wi-Fi Protected Setup (WPS) is enabled by default on most major brands of wireless routers, including Belkin, Buffalo, D-Link, Cisco's Linksys and Netgear, leaving millions of wireless routers around the world vulnerable to brute force attacks which can crack the Wi-Fi router's security in two to ten hours.
Most wireless routers come with a WPS personal identification number (PIN) printed on the device. When a user sets up a wireless home network via a network setup wizard, enabling encryption is often as easy as pushing a button on the router and then entering the eight-digit PIN which came with it. When an attacker attempting to brute force the PIN enters an incorrect value, the router sends back a message that effectively tells the attacker whether or not the first half of the PIN was right. Additionally, according to Stefan Viehbock, the security researcher who reported the flaw, "The 8th digit of the PIN is always the checksum of digit one to digit seven," meaning it only takes an attacker about 11,000 brute force guesses to own the password. Unfortunately, most wireless routers don't have a lockout policy after several failed PIN attempts.
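The arithmetic behind the 11,000 figure, and why a lockout policy matters so much, is easy to make concrete. The following is an added example, not code from the article or from either of the tools it mentions. The checksum routine implements the digit-weighting rule defined in the WPS specification (a PIN's eighth digit is derived from the first seven); the attempt rate and lockout parameters are constructed assumptions for illustration, not measurements from any router.

```python
"""Worked example of the WPS PIN search space and the effect of a lockout policy.

Added example; not from the article or from wpscrack/Reaver.
"""

# Checksum rule from the WPS specification: weight the first seven digits
# alternately 3,1,3,1,... from the rightmost digit, and pick the eighth digit
# so that the weighted sum is a multiple of ten.
def wps_pin_checksum(first_seven: int) -> int:
    """Return the check digit for a 7-digit WPS PIN prefix."""
    accum = 0
    remaining = first_seven
    while remaining:
        accum += 3 * (remaining % 10)
        remaining //= 10
        accum += remaining % 10
        remaining //= 10
    return (10 - accum % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    """True if `pin` is eight digits and its last digit is the correct checksum."""
    if len(pin) != 8 or not pin.isdigit():
        return False
    return wps_pin_checksum(int(pin[:7])) == int(pin[7])


def worst_case_guesses(half_oracle: bool, checksum_known: bool) -> int:
    """Number of PIN guesses an attacker needs in the worst case.

    half_oracle:    the router's error message reveals whether the first
                    four digits were correct (the design flaw in the article).
    checksum_known: the attacker knows digit eight is a checksum of 1-7.
    """
    if half_oracle:
        # The two halves are confirmed independently, so the costs add
        # rather than multiply. The second half is 4 digits, but only 3
        # are free if the checksum rule is known.
        return 10**4 + (10**3 if checksum_known else 10**4)
    # No oracle: the whole PIN must be guessed at once.
    return 10**7 if checksum_known else 10**8


def attack_time_hours(guesses: int, seconds_per_attempt: float,
                      lockout_after: int = 0, lockout_seconds: float = 0.0) -> float:
    """Estimate wall-clock hours for `guesses` attempts.

    If `lockout_after` is non-zero, the router refuses further attempts for
    `lockout_seconds` after every `lockout_after` consecutive failures, which
    is the "proper lock out policy" US-CERT says most routers lack.
    (Parameter values below are constructed assumptions, not measurements.)
    """
    total = guesses * seconds_per_attempt
    if lockout_after:
        total += (guesses // lockout_after) * lockout_seconds
    return total / 3600


if __name__ == "__main__":
    # Constructed sample PIN: 1234567 + its check digit.
    sample = "1234567" + str(wps_pin_checksum(1234567))
    print("sample PIN", sample, "valid:", is_valid_wps_pin(sample))
    for oracle in (False, True):
        for csum in (False, True):
            print(f"half_oracle={oracle!s:5} checksum_known={csum!s:5}"
                  f" -> {worst_case_guesses(oracle, csum):>10,} guesses")
    # Assumed 2 s per attempt (constructed), with and without a 60 s lockout
    # after 3 failures (constructed).
    g = worst_case_guesses(True, True)
    print(f"no lockout:   {attack_time_hours(g, 2.0):.1f} h")
    print(f"with lockout: {attack_time_hours(g, 2.0, 3, 60.0):.1f} h")
```

Running it shows the collapse from 10^8 candidates to 11,000 once the half-PIN oracle and the checksum rule are combined, and that even a mild lockout (three failures, then a one-minute pause, in this constructed scenario) multiplies the attacker's wall-clock cost by roughly an order of magnitude. That is the defensive lesson behind the advisory: the PIN length was never the real protection, the absence of an oracle and the presence of rate limiting were.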
Viehbock reported the Wi-Fi Protected Setup (WPS) PIN brute force vulnerability to the Department of Homeland Security's U.S. Computer Emergency Readiness Team (US-CERT). US-CERT issued a warning stating that, due to a "design flaw" in WPS, "an attacker within range of the wireless access point may be able to brute force the WPS PIN and retrieve the password for the wireless network, change the configuration of the access point, or cause a denial of service... The lack of a proper lock out policy after a certain number of failed attempts to guess the PIN on some wireless routers makes this brute force attack that much more feasible."
Viehbock released a whitepaper, "Brute forcing Wi-Fi Protected Setup - When poor design meets poor implementation" [PDF] as well as a proof-of-concept brute force tool called wpscrack which is capable of cracking a home Wi-Fi network in about two hours but does not work with all Wi-Fi adapters.
Tactical Network Solutions (TNS), another security team, had also discovered the WPS wireless router flaw that comes enabled by default in "roughly 95% of modern consumer-grade access points." After the vulnerability went public, TNS released Reaver, an open-source tool that also exploits the vulnerability via a brute force attack. "Once you have the WPS pin you can instantly recover the WPA passphrase, even if the owner changes the passphrase," TNS reported. "Reaver is capable of breaking WPS pins and recovering the plain text WPA/WPA2 passphrase of the target access point in approximately 4-10 hours (attack time varies based on the access point)."
The US-CERT advisory states, "We are currently unaware of a practical solution to this problem." The recommended workaround is to disable WPS. "Within the wireless router's configuration menu, disable the external registrar feature of Wi-Fi Protected Setup (WPS). Depending on the vendor, this may be labeled as external registrar, router PIN, or Wi-Fi Protected Setup."
Below is a video of Viehbock's wpscrack in action.