CERTVU:723755WiFi Protected Setup (WPS) PIN brute force vulnerability
5.8 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:P/A:N
0.041 Low
EPSS
Percentile
92.2%
Overview
The WiFi Protected Setup (WPS) PIN is susceptible to a brute force attack. A design flaw that exists in the WPS specification for the PIN authentication significantly reduces the time required to brute force the entire PIN because it allows an attacker to know when the first half of the 8 digit PIN is correct. The lack of a proper lock out policy after a certain number of failed attempts to guess the PIN on many wireless routers makes this brute force attack that much more feasible.
Description
WiFi Protected Setup (WPS) is a computing standard created by the WiFi Alliance to ease the setup and securing of a wireless home network. WPS contains an authentication method called “external registrar” that only requires the router’s PIN. By design this method is susceptible to brute force attacks against the PIN.
When the PIN authentication fails the access point will send an EAP-NACK message back to the client. The EAP-NACK messages are sent in a way that an attacker is able to determine if the first half of the PIN is correct. Also, the last digit of the PIN is known because it is a checksum for the PIN. This design greatly reduces the number of attempts needed to brute force the PIN. The number of attempts goes from 10^8 to 10^4 + 10^3 which is 11,000 attempts in total.
It has been reported that many wireless routers do not implement any kind of lock out policy for brute force attempts. This greatly reduces the time required to perform a successful brute force attack. It has also been reported that some wireless routers resulted in a denial-of-service condition because of the brute force attempt and required a reboot.
Impact
An attacker within range of the wireless access point may be able to brute force the WPS PIN and retrieve the password for the wireless network, change the configuration of the access point, or cause a denial of service.
Solution
We are currently unaware of a practical solution to this problem. Please consider the following workarounds:
Disable WPS
Within the wireless router’s configuration menu, disable the external registrar feature of WiFi Protected Setup (WPS). Depending on the vendor, this may be labeled as external registrar, router PIN, or WiFi Protected Setup.
Vendor Information
723755
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Javascript is disabled. Click here to view vendors.
Belkin, Inc. Affected
Updated: January 06, 2012
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Vendor References
Buffalo Inc Affected
Updated: December 27, 2011
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Cisco Systems, Inc. __ Affected
Updated: January 30, 2012
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
Additional information about affected devices can be found in the links below.
Vendor References
D-Link Systems, Inc. Affected
Notified: December 05, 2011 Updated: December 27, 2011
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Linksys (A division of Cisco Systems) __ Affected
Notified: December 05, 2011 Updated: January 30, 2012
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
Additional information about affected devices can be found in the links below.
Vendor References
Netgear, Inc. Affected
Notified: December 05, 2011 Updated: January 12, 2012
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Vendor References
TP-Link Affected
Updated: December 27, 2011
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Technicolor __ Affected
Updated: February 09, 2012
Status
Affected
Vendor Statement
The vendor has provided the information found below.
Vendor Information
The vendor states that Technicolor products use an anti brute-force mechanism: after 5 retries, the access point is locked for 5 minutes. A penetration test performed by the vendor found that to exhaust every possible PIN would take around 189.44 hours (about 7.89 days).
Technicolor will follow the WiFi Alliance (WFA) recommendation concerning the fix for this vulnerability to keep WFA certification for their devices. Technicolor will implement the following:
Access point is locked after 10 faulty PIN code attempts. Then, the end-user resets the access point lock state via the GUI/CLI or a reboot of the access point.
Customers should contact the vendor to inquiry when firmware updates will be available that include this feature.
It is possible to disable WPS completely using the command line interface (when available) by issuing the following command:
:wireless wps config state disabled``
ZyXEL Affected
Updated: December 27, 2011
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | 9.3 | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| Temporal | 9.3 | E:H/RL:U/RC:C |
| Environmental | 9.3 | CDP:/TD:/CR:ND/IR:ND/AR:ND |
References
- <http://sviehb.wordpress.com/2011/12/27/wi-fi-protected-setup-pin-brute-force-vulnerability/>
- <http://en.wikipedia.org/wiki/Wi-Fi_Protected_Setup>
- <http://download.microsoft.com/download/a/f/7/af7777e5-7dcd-4800-8a0a-b18336565f5b/WCN-Netspec.doc>
- <http://www.wi-fi.org/wifi-protected-setup/>
- <https://docs.google.com/spreadsheet/lv?key=0Ags-JmeLMFP2dFp2dkhJZGIxTTFkdFpEUDNSSHZEN3c>
- <http://en-us-support.belkin.com/app/answers/detail/a_id/75/~/disabling-wps-on-the-router>
Acknowledgements
Thanks to Stefan Viehbཬk for reporting this vulnerability.
This document was written by Jared Allar.
Other Information
| CVE IDs: | CVE-2011-5053 |
|---|---|
| Severity Metric: | 17.86 Date Public: |
References
download.microsoft.com/download/a/f/7/af7777e5-7dcd-4800-8a0a-b18336565f5b/WCN-Netspec.doc
en-us-support.belkin.com/app/answers/detail/a_id/75/~/disabling-wps-on-the-router
en.wikipedia.org/wiki/Wi-Fi_Protected_Setup
sviehb.wordpress.com/2011/12/27/wi-fi-protected-setup-pin-brute-force-vulnerability/
www.wi-fi.org/wifi-protected-setup/
docs.google.com/spreadsheet/lv?key=0Ags-JmeLMFP2dFp2dkhJZGIxTTFkdFpEUDNSSHZEN3c
Related
5.8 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:P/A:N
0.041 Low
EPSS
Percentile
92.2%