WiFi Protected Setup (WPS) PIN brute force vulnerability

2011-12-27T00:00:00
ID VU:723755
Type cert
Reporter CERT
Modified 2012-05-10T00:00:00

Description

Overview

The WiFi Protected Setup (WPS) PIN is susceptible to a brute force attack. A design flaw that exists in the WPS specification for the PIN authentication significantly reduces the time required to brute force the entire PIN because it allows an attacker to know when the first half of the 8 digit PIN is correct. The lack of a proper lock out policy after a certain number of failed attempts to guess the PIN on many wireless routers makes this brute force attack that much more feasible.

Description

WiFi Protected Setup (WPS) is a computing standard created by the WiFi Alliance to ease the setup and securing of a wireless home network. WPS contains an authentication method called "external registrar" that only requires the router's PIN. By design this method is susceptible to brute force attacks against the PIN.

When the PIN authentication fails the access point will send an EAP-NACK message back to the client. The EAP-NACK messages are sent in a way that an attacker is able to determine if the first half of the PIN is correct. Also, the last digit of the PIN is known because it is a checksum for the PIN. This design greatly reduces the number of attempts needed to brute force the PIN. The number of attempts goes from 10^8 to 10^4 + 10^3 which is 11,000 attempts in total.

It has been reported that many wireless routers do not implement any kind of lock out policy for brute force attempts. This greatly reduces the time required to perform a successful brute force attack. It has also been reported that some wireless routers resulted in a denial-of-service condition because of the brute force attempt and required a reboot.


Impact

An attacker within range of the wireless access point may be able to brute force the WPS PIN and retrieve the password for the wireless network, change the configuration of the access point, or cause a denial of service.


Solution

We are currently unaware of a practical solution to this problem. Please consider the following workarounds:


Disable WPS

Within the wireless router's configuration menu, disable the external registrar feature of WiFi Protected Setup (WPS). Depending on the vendor, this may be labeled as external registrar, router PIN, or WiFi Protected Setup.


Vendor Information

Vendor| Status| Date Notified| Date Updated
---|---|---|---
Belkin, Inc.| | -| 06 Jan 2012
Buffalo Inc| | -| 27 Dec 2011
Cisco Systems, Inc.| | -| 30 Jan 2012
D-Link Systems, Inc.| | 05 Dec 2011| 27 Dec 2011
Linksys (A division of Cisco Systems)| | 05 Dec 2011| 30 Jan 2012
Netgear, Inc.| | 05 Dec 2011| 12 Jan 2012
Technicolor| | -| 09 Feb 2012
TP-Link| | -| 27 Dec 2011
ZyXEL| | -| 27 Dec 2011
If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group | Score | Vector
---|---|---
Base | 9.3 | AV:N/AC:M/Au:N/C:C/I:C/A:C
Temporal | 9.3 | E:H/RL:U/RC:C
Environmental | 9.3 | CDP:/TD:/CR:ND/IR:ND/AR:ND

References

  • <http://sviehb.wordpress.com/2011/12/27/wi-fi-protected-setup-pin-brute-force-vulnerability/>
  • <http://en.wikipedia.org/wiki/Wi-Fi_Protected_Setup>
  • <http://download.microsoft.com/download/a/f/7/af7777e5-7dcd-4800-8a0a-b18336565f5b/WCN-Netspec.doc>
  • <http://www.wi-fi.org/wifi-protected-setup/>
  • <https://docs.google.com/spreadsheet/lv?key=0Ags-JmeLMFP2dFp2dkhJZGIxTTFkdFpEUDNSSHZEN3c>
  • <http://en-us-support.belkin.com/app/answers/detail/a_id/75/~/disabling-wps-on-the-router>

Credit

Thanks to Stefan Viehböck for reporting this vulnerability.

This document was written by Jared Allar.

Other Information

  • CVE IDs: CVE-2011-5053
  • US-CERT Alert: TA12-006A
  • Date Public: 27 Dec 2011
  • Date First Published: 27 Dec 2011
  • Date Last Updated: 10 May 2012
  • Severity Metric: 17.86
  • Document Revision: 51