The US Computer Emergency Readiness Team (US-CERT) has published a security bulletin describing a vulnerability in the Wi-Fi Protected Setup (WPS) protocol, which was designed to make securing wireless routers and networks much easier. The protocol, originally named Wi-Fi Simple Config, was developed in 2007 by the Wi-Fi Alliance with the goal of giving people who are not well versed in protocols and strong encryption a reasonably secure way to use Wi-Fi.
A typical WPS flow looks like this. Traditionally, when setting up a new WLAN, you had to choose a network name and a passphrase on the access point and then enter the same values on every device added to the network. WPS moves generation of the network name and credentials to the access point itself. To enrol a new client in a protected network, it is enough to enter a 4- or 8-digit PIN, or to press a dedicated button on the router and on the device being added.
The vulnerability lies in how the access point talks to a new wireless device during PIN-based enrolment. The attacker, wanting access to the victim's network, submits a PIN to the router for authentication. The router answers an incorrect PIN with an EAP-NACK message, but it sends that message at a point in the exchange that tells the attacker whether the first four digits of the PIN were correct, so the first half can be found on its own. The second half can then be found separately, and because the last digit of the PIN is a checksum of the other seven, only three of its digits actually have to be guessed. As a result a brute-force attack becomes entirely practical: the number of attempts needed drops from 10^8 to at most 10^4 + 10^3 = 11,000.
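The split search described above, as an added example that is not part of the original post or of the exploit tool it mentions. The access point is a toy model that reproduces only the behaviour the bulletin describes (a NACK after M4 when the first half is wrong, a NACK after M6 when the second half is wrong); the checksum rule is the WPS specification's Luhn-style check digit. The names `ToyRegistrar`, `split_bruteforce` and the reply labels are this example's own.

```python
"""Toy model of the WPS PIN split-search weakness (constructed example)."""


def wps_checksum(first7: str) -> int:
    """Checksum digit of an 8-digit WPS PIN, computed from its first seven digits.

    WPS uses a Luhn-style rule: digits in odd positions (1st, 3rd, 5th, 7th)
    are weighted 3, digits in even positions are weighted 1, and the check
    digit brings the weighted sum up to a multiple of 10.
    """
    total = sum(3 * int(d) if i % 2 == 0 else int(d) for i, d in enumerate(first7))
    return (10 - total % 10) % 10


def make_pin(first7: str) -> str:
    """Build a valid 8-digit PIN from seven chosen digits."""
    return first7 + str(wps_checksum(first7))


class ToyRegistrar:
    """Simulated access point (not a real WPS stack).

    It mimics only the leak the bulletin describes: a NACK right after
    message M4 when the first half of the PIN is wrong, a NACK after M6
    when the first half is right but the second half is wrong.
    """

    def __init__(self, pin: str) -> None:
        if len(pin) != 8 or wps_checksum(pin[:7]) != int(pin[7]):
            raise ValueError("not a valid WPS PIN")
        self._pin = pin
        self.attempts = 0

    def try_pin(self, candidate: str) -> str:
        self.attempts += 1
        if candidate[:4] != self._pin[:4]:
            return "NACK_M4"   # first half wrong; this alone is the leak
        if candidate[4:] != self._pin[4:]:
            return "NACK_M6"   # first half right, second half wrong
        return "M7"            # success: a real AP would now hand over the WLAN key


def split_bruteforce(ap: ToyRegistrar) -> str:
    """Recover the PIN with at most 10^4 + 10^3 = 11,000 attempts instead of 10^8."""
    # Phase 1: search the first four digits; the second half is a dummy value.
    first4 = None
    for i in range(10_000):
        cand = f"{i:04d}0000"
        reply = ap.try_pin(cand)
        if reply == "M7":
            return cand          # the dummy second half happened to be right
        if reply == "NACK_M6":
            first4 = cand[:4]
            break
    if first4 is None:
        raise RuntimeError("first half not found")
    # Phase 2: only three free digits remain; the eighth is the checksum.
    for j in range(1_000):
        cand = make_pin(first4 + f"{j:03d}")
        if ap.try_pin(cand) == "M7":
            return cand
    raise RuntimeError("second half not found")


if __name__ == "__main__":
    ap = ToyRegistrar(make_pin("1234567"))   # 12345670, a widely used default PIN
    print(split_bruteforce(ap), "recovered after", ap.attempts, "attempts")
```

The worst case (PIN 99999995) costs exactly 10,000 + 1,000 attempts; the naive search over all eight digits would need up to 10^8. The only thing that makes this work is the early NACK: an access point that refused to answer until the whole PIN had been checked, and that rate-limited or locked out after a handful of failures, would not leak the half-way result.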
So far there is no fix; anyone whose router is configured for this simplified setup scheme is advised to disable it and use a different authentication method. Netgear, D-Link, Belkin and other manufacturers have not yet commented on the vulnerability report.
UPD: thanks to Habr user siniy: anyone interested can look at the source code of the program that exploits the vulnerability.
[Source]