The Woops of WPS (Wi-Fi Protected Setup) raises its ugly head again

WPS (Wi-Fi Protected Setup) is an alternate on-ramp to a Wi-Fi network. Thinking that clicking on the name of a network and entering its password is too hard, the Wi-Fi Alliance came up with the WPS protocol back in 2007.

WPS allowed for both push-button and PIN-based access to Wi-Fi networks. Passwords? We don't need no stinking passwords. 

A recent ZDNet article mentioned that the WPS protocol has been enhanced to include Near Field Communication (NFC). Now smartphones with NFC capability can join in the WPS fun. A press release from the Wi-Fi Alliance says "With the NFC method, the user connects two or more NFC-enabled products by tapping them together. Wi-Fi Protected Setup then automatically configures the network name and activates WPA2™ security."

The ZDNet article is typical of a large journalistic failure in that it omits the security issues. WPS is a huge security problem. A Wi-Fi network running WPS can be breached in a matter of hours, no matter how long or complex the Wi-Fi password is. Give the router a PIN number (usually on a sticker on the router) and it responds with the Wi-Fi password.

Change the password and WPS will happily provide the new one to anyone patient enough to ask repeatedly. Although the PIN is eight digits, a flaw in the protocol meant that bad guys only needed 11,000 guesses (CERT Vulnerability Note VU#723755 has details). Every possible PIN can be guessed in a matter of hours. After three wrong guesses, routers were supposed to pause for 60 seconds before accepting new guesses, but many did not.
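The arithmetic behind the 11,000 figure and the 60-second pause, worked through as an added example that is not from the original article. It assumes, per the CERT note, that the eighth PIN digit is a checksum and that the router confirms the first four digits separately from the rest; the 2 seconds per guess and the one-hour lockout are assumed values chosen for illustration.

```python
"""Model of the WPS PIN search space and how a lockout policy stretches it."""

def pin_search_space(digits=8, checksum=True, split_halves=True):
    """Worst-case number of guesses needed to cover every candidate PIN."""
    free = digits - 1 if checksum else digits  # a checksum digit is derived, not free
    if not split_halves:
        return 10 ** free
    first = digits // 2        # first half is confirmed on its own
    second = free - first      # free digits left in the second half
    return 10 ** first + 10 ** second

def worst_case_seconds(guesses, secs_per_guess, lock_after=None, lock_secs=0):
    """Upper bound on the time to try `guesses` PINs, treating every guess as wrong."""
    total = guesses * secs_per_guess
    if lock_after:
        pauses = (guesses - 1) // lock_after  # no pause is needed after the last guess
        total += pauses * lock_secs
    return total

def exposure_hours(secs_per_guess=2.0):
    """Hours to exhaust the PIN space under several router behaviours."""
    flawed = pin_search_space()                    # 10^4 + 10^3
    intact = pin_search_space(split_halves=False)  # 10^7 if halves were not confirmed separately
    policies = {
        "no lockout (non-compliant router)": (flawed, None, 0),
        "3 guesses then 60 s pause": (flawed, 3, 60),
        "3 guesses then 1 h pause (assumed)": (flawed, 3, 3600),
        "60 s pause, halves not split": (intact, 3, 60),
    }
    return {
        name: worst_case_seconds(n, secs_per_guess, after, secs) / 3600
        for name, (n, after, secs) in policies.items()
    }

if __name__ == "__main__":
    print("guesses needed:", pin_search_space())
    for name, hours in exposure_hours().items():
        print(f"{name:40s} {hours:12.1f} hours")
```

Under these assumptions the 60-second pause only stretches the search from hours to a few days, which is why disabling WPS matters more than relying on the lockout.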

The security issues with WPS PIN numbers were revealed at the end of 2011 (I blogged about it in January 2012).

All along I have felt that the security issues did not get their due in the press. Perhaps it was too technical. WPS is fairly complicated. For example, it can also do the initial configuration of an out-of-the-box router, setting up both WPA2 and a somewhat long password (note the S for Setup in the protocol name). And, it is shrouded in terminology that seems designed to keep people out. 

Optimists will point out that WPS can be disabled in the router firmware. Pessimists will point out that this is not always the case.  Back when the security problems first became public, a number of routers were buggy and did not actually turn off WPS when instructed to. 

The security problem only exists with the PIN authentication method, not with the push-button method (who knows about NFC). Sadly, routers must include PIN authentication to be Wi-Fi certified. It's mandatory. No router that I have seen lets you disable PIN authentication while keeping the push-button method. 

Routers are typically marketed to consumers based on features, not on security. As a result, all consumer routers include WPS. 

Personally, I want nothing to do with WPS. If the nerd next door wants into my wireless network, he's going to have to get the password the old-fashioned way: brute-force guessing among trillions and trillions of possibilities. 

Because of WPS, I clung to a router so old it could have been on the Titanic. It pre-dated WPS. 

There used to be two ways to avoid WPS: use a relatively expensive business-oriented router or install an alternate firmware such as DD-WRT or Tomato. Recently, however, I came across a third alternative, cheap routers without WPS.

Ubiquiti offers two models, each under $100. I have worked with their cheapest offering that sells for around $40 and verified that it does not support WPS. However, the firmware is clearly designed for techies rather than consumers. 

More approachable is my favorite non-WPS router from Peplink, the Pepwave Surf SOHO. It retails for about $130 with internal antennas; adding optional external antennas costs $30.

WPS exists for ease of use, which has always been the enemy of security. Plus, it's from the same group that brought us WEP. Nuff said.

Copyright © 2014 IDG Communications, Inc.
