
One of the vulnerabilities of WPS technology

First, consider what WPS is.


Most modern routers support the WPS (Wi-Fi Protected Setup) mechanism. With it, the user can set up a secure wireless network in seconds, without even bothering with the fact that “somewhere else you need to enable encryption and set the WPA key.”

WPS allows a client to connect to an access point using an 8-digit numeric code (PIN). However, due to an error in the standard, only 4 of the digits actually need to be guessed. Thus about 10,000 attempts suffice, and regardless of how complex the password for the wireless network is, you automatically gain access to it, and along with that access you receive the password itself, as is.

Since this exchange takes place before any security checks, you can send 10-50 WPS login requests per second, and in 3-15 hours (sometimes more, sometimes less) you will receive the keys.

When this vulnerability was disclosed, manufacturers began to introduce a limit on the number of login attempts (rate limit), after which the access point automatically disables WPS for some time. However, even today such devices number no more than half of those already released without this protection. What is more, a temporary shutdown changes nothing fundamentally: at one login attempt per minute we need only 10,000/60/24 = 6.94 days, and the PIN is usually found before the whole cycle is completed.

How it works:


The mechanism itself sets the network name and encryption, i.e. the user does not need to open the web interface and configure anything. The user's task is simply to enter the correct PIN, after which they receive all the necessary settings.

Next I will show one of the ways to connect to a Wi-Fi network without knowing its password. Of course, this is not a 100% guarantee of a connection, but there is a possibility.

For this we need two programs: Dumpper and Jumpstart.

The first one is needed to find out the PIN of the Wi-Fi networks it detects.

So let's get started:


Run the Dumpper program. On the Redes tab, marked in Figure 1, we check that a Wi-Fi adapter is present, and then click the Scan button. This is needed to check which wireless networks are available.


Figure 1 - Redes Tab

After that, the number and the list of found wireless networks appear in the Redes detectadas field as shown in Figure 2.


Figure 2 - Found networks

Next we need to go to the WPS tab. Here you must click the Todas las redes button in order to determine which devices with a PIN are available for connection, and then click Scan. After that, the list of networks and their PINs appears.


Figure 3 - WPS

Next, select the Wi-Fi network and click on it. For example, I’ll choose the network RVK_576 as shown in Figure 4. Now in the WPS Pin field we can see the PIN, which is what we need to copy.


Figure 4 - WPS Pin

The next step is to check the connection to the Wi-Fi network RVK_576 using the PIN. To do this, run the JumpStart program.

Select the item “Join a wireless network” and click “next” as shown in Figure 5:


Figure 5 - JumpStart

Next, we need to select the item “Enter the pin from my access point” and paste the PIN copied from Dumpper into the field that appears.

It is important to uncheck the “Automatically select the network” box as shown in Figure 6. After that, click to continue.


Figure 6 - Insert Pin

After that, select the desired connection as in Figure 7 and click next.


Figure 7 - Connection selection.

After that, the process of connecting to the network RVK_576 via the PIN starts, as in Figure 8:


Figure 8 - Connection process.

If the WPS function is enabled in the settings of the router we are connecting to, we will see a window with the message that the connection has been established, as in Figure 9.


Figure 9 - Connection

After all these steps, the password of the Wi-Fi network can be seen in the properties of the wireless network by ticking “display the entered characters”. An example is shown in Figure 10.


Figure 10 - Wireless Network Properties

If the WPS function is disabled, the connection will be interrupted.

How to protect your Wi-Fi network from such connections?


To date, the only option is to disable WPS. If you or your friends have difficulty “setting up” the network, turn on WPS only while a new device is being connected. True, not all routers / firmwares provide this feature at all. However, not everything is so bad. Newer firmware limits the guessing rate using rate limiting: after several unsuccessful authorization attempts, WPS is automatically disabled. Some models increase the shutdown time even further if more unsuccessful login attempts are made within a short interval.
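To put numbers on the attempt-rate argument made earlier (10,000 PINs, one attempt per minute giving 6.94 days) and on the rate-limit and escalating-lockout mitigations described in this section, here is an added Python model that is not from the original post or from either tool it mentions. The lockout threshold, the initial lockout length and the one-day cap are assumed values chosen only to illustrate the policies.

```python
"""Time to exhaust the WPS PIN space under an access-point lockout policy.

Constructed example: PIN_SPACE and the attempt rates are the figures quoted
in the article; the lockout parameters passed below are assumptions.
"""

PIN_SPACE = 10_000  # attempts the article says suffice


def exhaust_seconds(attempts=PIN_SPACE, rate_per_sec=1 / 60, lockout_after=0,
                    lockout_seconds=0.0, backoff=1.0, max_lockout=None):
    """Seconds needed to try every one of `attempts` PINs.

    rate_per_sec    -- attempts the AP accepts per second while WPS is active
    lockout_after   -- failures before the AP disables WPS (0 = no limit)
    lockout_seconds -- length of the first lockout
    backoff         -- multiplier applied to each successive lockout
    max_lockout     -- cap on a single lockout (None = unbounded)
    """
    total = attempts / rate_per_sec  # time spent actually sending attempts
    if lockout_after <= 0 or lockout_seconds <= 0:
        return total
    # Number of lockouts triggered before the last attempt is reached.
    lockouts = (attempts - 1) // lockout_after
    penalty = lockout_seconds if max_lockout is None else min(lockout_seconds, max_lockout)
    for _ in range(lockouts):
        total += penalty
        penalty *= backoff
        if max_lockout is not None:
            penalty = min(penalty, max_lockout)
    return total


def exhaust_days(**kw):
    """Same model, expressed in days (average time to success is about half)."""
    return exhaust_seconds(**kw) / 86_400


def main():
    # Article's own arithmetic: one attempt per minute, no lockout -> 6.94 days
    print(f"1/min, no lockout:      {exhaust_days():.2f} days")
    # Assumed policy: fixed 60 s lockout after 3 failures, attacker at 50/s
    fixed = exhaust_days(rate_per_sec=50, lockout_after=3, lockout_seconds=60)
    print(f"50/s, 3 fails -> 60 s:  {fixed:.2f} days")
    # Assumed policy: lockout doubles each time, capped at one day
    esc = exhaust_days(rate_per_sec=50, lockout_after=3, lockout_seconds=60,
                       backoff=2, max_lockout=86_400)
    print(f"50/s, doubling lockout: {esc:.0f} days")


if __name__ == "__main__":
    main()
```

A fixed short lockout only stretches a full search from minutes to a couple of days, whereas an escalating lockout pushes it to years, which is the difference the last sentence above describes.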

Source: https://habr.com/ru/post/315486/
