An attacker can remotely infiltrate your home Wi-Fi router even if you have protected it with a password, according to an Austrian security researcher.
Stefan Viehböck created a proof-of-concept hack to demonstrate the out-of-the-box security flaw in Wi-Fi Protected Setup (WPS), a protocol designed to simplify the connection and configuration process for wireless local-area network devices, the daily online tech publication The Register reported.
Most major wireless-device vendors, including Cisco/Linksys, Netgear, Belkin and D-Link, sell WPS-certified devices. As Viehböck demonstrated, the insecurity of these routers could become a huge problem.
Routers don't ask for authentication
WPS devices require the customer to enter a unique eight-digit PIN. Viehböck discovered that after entering an incorrect code, the wireless devices he targeted – all of which had WPS activated by default – returned additional information that allowed him to modify subsequent login requests, reducing the amount of time it takes to crack the device.
One WPS configuration, called the "external registrar," requires the user to simply enter the PIN (which is printed on a label on the router) into the router's activation Web page. This method, as opposed to "push-button-connect," requires no additional verification from the user.
"As the external registrar does not require any kind of authentication apart from providing the PIN, it is potentially vulnerable to brute force attacks," Viehböck wrote in his paper, titled "Brute Forcing Wi-Fi Protected Setup." (A brute force attack is a hacking method that bombards a target device or computer with an automated stream of password guesses until one is accepted.)
From 100 million choices to 11,000
WPS, Viehböck explained, reports back after the first four digits of the eight have been entered, indicating whether or not they are correct. Exploiting this feature, Viehböck was able to reduce the number of potentially correct PINs from 100 million (the number of possible combinations in an eight-digit sequence) down to just 11,000.
With a brute-forcing tool he built that submitted a new PIN guess to the routers every 0.5 to 3 seconds, Viehböck was able to infiltrate each sample PIN-protected device in an average of two hours.
No practical solution
The government has taken notice of Viehböck's research. The United States Computer Emergency Readiness Team (US-CERT) issued a warning Dec. 27 about the WPS vulnerability.
"It has been reported that some wireless routers do not implement any kind of lockout policy for brute force attempts," the US-CERT wrote. "This greatly reduces the time required to perform a successful brute force attack. It has also been reported that some wireless routers resulted in a denial-of-service condition because of the brute force attempt and required a reboot."
The advisory continued: "An attacker within range of the wireless access point may be able to brute-force the WPS PIN and retrieve the password for the wireless network, change the configuration of the access point, or cause a denial of service."
The US-CERT said it is "currently unaware of a practical solution to this problem."
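The missing lockout policy that the US-CERT describes can be put in numbers. The following is an added example, not code from the article, Viehböck's paper or the advisory: it models how long it takes to exhaust the article's 11,000 candidate PINs at 0.5 to 3 seconds per attempt under three lockout policies. The policy values and all function names are constructed assumptions.

```python
# Added example: values marked "article" come from the page; the lockout
# policies and all names below are constructed assumptions.
ARTICLE_PIN_SPACE = 11_000        # reduced number of candidate PINs (article)
ARTICLE_DELAYS = (0.5, 3.0)       # seconds per attempt (article)


def worst_case_seconds(attempts, secs_per_attempt, lock_after=None,
                       lock_secs=0.0, backoff=1.0, max_lock_secs=86_400.0):
    """Seconds needed to submit `attempts` failed PINs against one router.

    lock_after    failures allowed before WPS locks (None = no lockout)
    lock_secs     length of the first lockout, in seconds
    backoff       multiplier applied to each later lockout (1.0 = fixed)
    max_lock_secs ceiling on a single lockout
    """
    if attempts < 0 or secs_per_attempt < 0:
        raise ValueError("attempts and secs_per_attempt must be non-negative")
    total = attempts * secs_per_attempt
    if lock_after is None or attempts == 0:
        return float(total)
    if lock_after < 1:
        raise ValueError("lock_after must be at least 1")
    # A lockout follows each full batch of failures, but not the final attempt.
    lockouts = (attempts - 1) // lock_after
    wait = min(lock_secs, max_lock_secs)
    for _ in range(lockouts):
        total += wait
        wait = min(wait * backoff, max_lock_secs)
    return float(total)


def compare_policies(attempts=ARTICLE_PIN_SPACE, delays=ARTICLE_DELAYS):
    """Return {policy: (hours at fastest delay, hours at slowest delay)}."""
    policies = {  # constructed policies, not taken from any vendor
        "no lockout": {},
        "3 failures -> 60 s": {"lock_after": 3, "lock_secs": 60},
        "3 failures -> 60 s, doubling": {"lock_after": 3, "lock_secs": 60,
                                          "backoff": 2.0},
    }
    return {
        name: tuple(worst_case_seconds(attempts, d, **kw) / 3600 for d in delays)
        for name, kw in policies.items()
    }


if __name__ == "__main__":
    for name, (fast, slow) in compare_policies().items():
        print(f"{name:30s} {fast:12.1f} h to {slow:12.1f} h")
```

With no lockout the whole space is exhausted in roughly 1.5 to 9 hours; a fixed 60-second lockout after every three failures stretches that to about 63 to 70 hours, and a doubling lockout capped at one day pushes it to roughly ten years.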