What Is WPS and Why Is It Dangerous?
Wi-Fi Protected Setup (WPS) is a feature built into many wireless routers to make it easier for users to connect devices to the wireless network. The logic behind the development and adoption of WPS was to let users add endpoints to a network without complex configuration. Even though WPS offers this convenience, it is appallingly insecure. Wireless networks with WPS enabled are highly vulnerable to attack: an attacker can target the WPS function to recover the network password, regardless of how complex that password is. In essence, there is no point in creating a strong password for a network whose setup protocol is weak.
Understanding WPS
Creating a robust Wi-Fi Protected Access (WPA) password, commonly referred to as a Pre-Shared Key (PSK), and inputting it in all the Wi-Fi clients (users) is tedious. In most cases, the approach results in poor security practices, such as using weak passwords that you can memorize effortlessly.
The WPS implementation found in routers lets users enter a simple 8-digit PIN on their devices instead of the actual Wi-Fi password; the access point verifies the PIN. Typically, the PIN is printed on a sticker on the underside of the router, which keeps it out of reach of remote attackers. Upon receiving the correct PIN, the router automatically sends the WPA PSK to the device so it can connect.
WPS Function Weaknesses
WPS can be a vector for malicious attackers to get onto your network without the need for your Wi-Fi password. WPS uses an 8-digit PIN which can be brute-forced, leaving your network vulnerable regardless of the strength of your password.
Cracking the 8-digit WPS PIN
But how easy can it be to crack the 8-digit PIN? Assuming the WPS protocol checks all eight digits for correctness, an attacker would face 10^8, or 100 million, possible combinations when brute-forcing the PIN. Let’s assume that an intruder could guess PINs at a rate of 1 PIN per second, allowing for the delay while the router examines the input and responds. In this case, the attacker would take 1,157.4 days to try all the possible combinations. Even if the intruder succeeded in roughly half that time (578 days), this would not be a viable attack vector.
What then makes the WPS PIN weak? Firstly, the last of the eight digits is just a check digit calculated from the previous seven, a way of quickly spotting typing errors. Because the 8th digit is a checksum of the prior digits, WPS PINs are effectively only seven digits long. This reduces the possible combinations from 10^8 (100 million) to 10^7 (10 million), and the time to exhaust them from 1,157.4 days to 115.7 days at a rate of 1 PIN per second. Not only that, there is another flaw in the way the WPS protocol verifies the remaining 7-digit PIN.
The second WPS PIN weakness involves the way the WPS protocol validates the remaining seven-digit PIN. Instead of verifying the number as a whole, it checks the first four digits, and only if those four are right does it go on to check the last three. This approach presents a considerable weakness in what would otherwise be a strong key. It means that an intruder brute-forcing the WPS PIN does not need to try all the seven-digit codes from 0000000 – 9999999; instead, they need to try the codes from 0000 – 9999, followed by the codes from 000 – 999. Therefore, instead of 10^7 choices, which translates to 10 million brute-force attempts, WPS PINs only require 10^4 (10,000) plus 10^3 (1,000) guesses, a total of merely 11,000 brute-force attempts.
Going by our assumption of 1 PIN per second, it would take less than three hours to guess all possible combinations for the first four digits and a meager 16 minutes to guess the choices in the second half. We have gone from a total brute-force time of 4 months to 3 hours to try all possible combinations in WPS, indicating how the WPS protocol is the weak link in wireless network security.
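The arithmetic above, carried through in code as an added example (this is not code from the article). The check-digit rule is the one defined in the Wi-Fi Simple Configuration specification and implemented in wpa_supplicant's wps_pin_checksum: digits in odd positions are weighted 3, digits in even positions are weighted 1, and the check digit brings the weighted sum to a multiple of 10. The guess rate of 1 PIN per second is the article's assumption.

```python
"""WPS PIN structure and brute-force search space (added example).

The check-digit rule follows the Wi-Fi Simple Configuration spec as implemented
by wpa_supplicant's wps_pin_checksum(): odd-position digits weigh 3, even-position
digits weigh 1, and the 8th digit makes the weighted sum a multiple of 10.
"""

SECONDS_PER_DAY = 86_400


def wps_check_digit(first_seven: str) -> int:
    """Return the 8th (check) digit for a 7-digit WPS PIN prefix."""
    if len(first_seven) != 7 or not first_seven.isdigit():
        raise ValueError("expected exactly seven decimal digits")
    total = 0
    for index, ch in enumerate(first_seven):
        # positions 1, 3, 5, 7 (0-based even indexes) weigh 3; positions 2, 4, 6 weigh 1
        weight = 3 if index % 2 == 0 else 1
        total += weight * int(ch)
    return (10 - total % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    """True if an 8-digit PIN is well-formed, i.e. its check digit matches.

    A router uses this to reject typos; it also shows why only seven digits
    of the PIN carry any information.
    """
    if len(pin) != 8 or not pin.isdigit():
        return False
    return wps_check_digit(pin[:7]) == int(pin[7])


def search_space() -> dict:
    """Worst-case number of guesses under each model of how the PIN is checked."""
    return {
        # all eight digits treated as independent
        "naive_8_digits": 10**8,
        # check digit derived from the other seven
        "checksum_known_7_digits": 10**7,
        # first four digits confirmed separately from the last three
        "split_4_plus_3": 10**4 + 10**3,
    }


def worst_case_time(attempts: int, rate_per_second: float = 1.0) -> dict:
    """Time to exhaust `attempts` guesses at the given rate (article assumes 1/s)."""
    seconds = attempts / rate_per_second
    return {
        "seconds": seconds,
        "minutes": seconds / 60,
        "hours": seconds / 3600,
        "days": seconds / SECONDS_PER_DAY,
    }


if __name__ == "__main__":
    # 12345670 is the well-known example PIN from the wpa_supplicant documentation
    print("12345670 well-formed:", is_valid_wps_pin("12345670"))
    print("12345671 well-formed:", is_valid_wps_pin("12345671"))
    for model, attempts in search_space().items():
        t = worst_case_time(attempts)
        print(f"{model:>25}: {attempts:>11,} guesses -> "
              f"{t['days']:.1f} days / {t['hours']:.2f} hours")
```

Running the module prints the three models side by side: 100 million guesses (1,157.4 days), 10 million (115.7 days), and 11,000 (about 3 hours), matching the figures in the text.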
Tools for cracking the WPS Pin
What’s worse, attackers do not need to crack PINs manually. They can leverage tools like Wash and Reaver to identify vulnerable WPS networks and crack the WPS PIN. Wash is a utility for identifying WPS-enabled access points: it surveys live interfaces or scans a list of pcap files and displays the WPS-enabled access points it finds. Reaver, on the other hand, implements a practical attack against WPS registrar PINs to recover WPA passphrases.
Some may wonder why the 8-digit PIN cannot simply be changed regularly to thwart potential attacks. Unfortunately, that is not possible: the WPS PIN is hardcoded into the device and printed on a sticker stuck to the side or bottom of the router.
How to disable WPS on your network
The idea of using WPS is counterintuitive, and security experts have regularly advised that the minimum wireless network security level should be Wi-Fi Protected Access (WPA) with a strong password (PSK). With the current sophisticated and frequent attacks targeting both businesses and individuals, the most obvious way to mitigate Wi-Fi attacks would be to disable the insecure WPS feature on routers and access points.
You can follow these simple steps to achieve that.
Accessing the WPS Function
Typically, the WPS feature is found under the WIRELESS configuration options. All routers are different, however, and you will need to check with your vendor. Some devices place the WPS function under the ADVANCED option. Others label it with the full name (Wi-Fi Protected Setup) instead of the acronym (WPS).
It is essential to note that WPS comes in two broad variants: a PIN version and a push-button version. The button version requires the user to press a WPS button on the router to activate the WPS function, and in most cases WPS switches off again automatically after some time. Conversely, the WPS PIN version is always on, making it the riskier of the two.
What if My Router Does Not Provide the Disable Feature?
Unfortunately, some routers do not provide the ability to disable the WPS function. Check with your vendor for possible solutions. On top of that, ensure the router is running the latest firmware; some manufacturers release updates to resolve WPS and other security-related issues.
Some router manufacturers are also addressing WPS issues by introducing a “lockout” period after a given number of incorrect PIN attempts, usually in the range of 3 to 5 failed attempts.
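To show what such a lockout buys, here is an added example (not vendor firmware) that models a lockout policy and measures its effect on the 11,000-guess worst case derived earlier. The thresholds of 3 failed attempts and a 60-second lockout are assumptions chosen for illustration; the article only states that vendors typically lock out after 3 to 5 failures.

```python
"""Model of a WPS PIN lockout policy (added example, not vendor code).

Assumptions for illustration: lock after 3 consecutive failures, 60-second
lockout, attacker guessing at the article's rate of 1 PIN per second.
"""
from dataclasses import dataclass


@dataclass
class PinLockout:
    """Tracks failed PIN attempts and refuses input during a lockout window."""
    max_failures: int = 3          # assumed threshold (article: 3 to 5)
    lockout_seconds: float = 60.0  # assumed lockout duration
    failures: int = 0
    locked_until: float = 0.0
    rejected_while_locked: int = 0

    def attempt(self, now: float, pin_correct: bool) -> str:
        """Process one attempt at time `now` (seconds); returns the outcome."""
        if now < self.locked_until:
            # Refuse without even evaluating the PIN: no oracle during lockout
            self.rejected_while_locked += 1
            return "locked"
        if pin_correct:
            self.failures = 0
            return "accepted"
        self.failures += 1
        if self.failures >= self.max_failures:
            self.failures = 0
            self.locked_until = now + self.lockout_seconds
        return "rejected"


def simulate_wrong_guesses(policy: PinLockout, seconds: int) -> list:
    """Feed one wrong guess per second for `seconds` seconds; return outcomes."""
    return [policy.attempt(float(t), pin_correct=False) for t in range(seconds)]


def worst_case_seconds(attempts: int, rate_per_second: float,
                       max_failures: int, lockout_seconds: float) -> float:
    """Time for `attempts` wrong guesses when every `max_failures` failures
    trigger a lockout of `lockout_seconds`."""
    lockouts = attempts // max_failures
    return attempts / rate_per_second + lockouts * lockout_seconds


if __name__ == "__main__":
    outcomes = simulate_wrong_guesses(PinLockout(), seconds=10)
    print("first 10 s of wrong guesses:", outcomes)
    # The 11,000-guess worst case from the split 4+3 check, with and without lockout
    without = worst_case_seconds(11_000, 1.0, max_failures=11_000, lockout_seconds=0)
    with_lockout = worst_case_seconds(11_000, 1.0, max_failures=3, lockout_seconds=60)
    print(f"no lockout:   {without / 3600:.1f} hours")
    print(f"with lockout: {with_lockout / 3600:.1f} hours ({with_lockout / 86400:.1f} days)")
```

With these assumed parameters the attacker gets only three guesses per 63 seconds, so exhausting 11,000 guesses stretches from about 3 hours to roughly 2.7 days. A lockout does not fix the protocol weakness, which is why disabling WPS remains the recommended step, but it does turn a coffee-break attack into a multi-day one that is far easier to notice in the router's logs.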
What Happens After Disabling WPS Feature
Once WPS is disabled, you forgo convenience but enhance the security of your Wi-Fi. Instead of joining the network automatically without needing to know the network password, you must enter the conventional password to connect a device to the network.
WPA – PSK, the Secure Alternative
In place of WPS, use WPA with a PSK of at least 14 characters. The password should contain a mixture of uppercase and lowercase letters (a-z and A-Z), a mixture of letters and numbers (0-9), and at least one special character (!@#$%^&*()+=|}{).
Corey Belanger
Corey is a Security Consultant and leads QA of product development, using his expertise in these dual roles to more effectively test and secure applications, whether while building enterprise applications or while performing penetration tests and vulnerability assessments for customers. An Army veteran with a tour of duty in Afghanistan, Corey has built a post-military career in security while earning Network+, Security+, GIAC Certified Incident Handler, GIAC Python Coder, GIAC Web App Penetration Testing, and GIAC Penetration Tester certifications. Corey is also a BsidesNH organizer and founding member of TechRamp, avenues which he uses to help others build their skills for careers in security and technology. Fun Fact: When not manning a terminal or watching the Bruins, Corey can often be found snowboarding or riding his motorcycle.