WiFi Protected Setup

WPS ‘Pixie Dust’

WPS is an acronym for WiFi Protected Setup. In short, it allows a user to connect a device to their wireless network without the need for a complicated passphrase, such as the often complex WPA2 passphrases that have come to prominence today. It is common knowledge these days that a password, especially one for a network, must be secure. Most users understand the importance of having a password, and of not having it be something that is easily guessed (e.g. ‘password’, ‘1234’, favorite sports team, etc.) by a human or a dictionary attack. What many users are not aware of is that many routers, regardless of make, have an in-built vulnerability that undermines even the most sophisticated of passwords: a vulnerability known as WPS.

What is WPS & How does it work?

WiFi Protected Setup (WPS) is used in two different forms: the ‘push-button’ method and the ‘PIN’ method. The ‘push-button’ method is just that; there is a button on the router that, when pressed, essentially drops the guard of the router and allows any client that attempts a WiFi Protected Setup connection to connect to the router. The ‘PIN’ method is when the router has an 8 digit PIN (much like a telephone number) that the user inputs into the device they are trying to connect, making the process shorter and easier than typing out a full WPA2 passphrase.

The issue with the ‘PIN’ method is that the router’s WPA2 passphrase, no matter how complex it may be, can be circumvented using the WiFi Protected Setup PIN (an 8 digit number). Even the most novice observer can appreciate why an 8 digit number is easier to guess than an 8-16 character random phrase. To complicate matters even further, recent developments have shown that, for many manufacturers, the PIN used by the device can be determined from the messages sent by the router when a WiFi Protected Setup request is made. What this means is that when a user attempts to connect via WiFi Protected Setup, a message is sent from the router to the client, and inside this message is the “recipe” for how WiFi Protected Setup codes are generated, making it very easy to determine what the ‘PIN’ may be simply by knowing the naming scheme used by that manufacturer. This type of attack is referred to as an “offline” WiFi Protected Setup attack, or by its development name, “PixieDust”.

How does the attack work?

The attack is implemented rather simplistically: a program called “Reaver” is used to bombard a router with random 8 digit numbers, utilizing the ‘PIN’ method mentioned earlier in the article. “Reaver” continually makes random guesses until the PIN is found, much like a user typing their password over and over in an attempt to remember it. Upon retrieving this ‘PIN’, “Reaver” is then able to connect to the network and obtain its WPA2 passphrase in plain text, regardless of complexity. With this basic method, users have reported getting a router’s full WPA2 passphrase in anywhere from 5 minutes to 24 hours. While this may seem like quite a long time, the average WPA2 passphrase takes double this timeframe, if it can be guessed at all.

Since the initial implementation of this primitive attack, many manufacturers have taken preventative measures such as ‘rate limiting’. ‘Rate limiting’ is essentially self-explanatory: the router stops allowing WiFi Protected Setup connection attempts after a few failed attempts. While it can be thwarted with patience, ‘rate limiting’ adds major time barriers between the attacker and the router. While these changes made by router manufacturers may have stopped the traditional method of exploiting WiFi Protected Setup via the ‘PIN’ method, hackers have responded by creating an attack that circumvents these rate limits, called “PixieDust”.

How does an offline or “PixieDust” attack work?

As previously mentioned, rate limiting did a reasonably good job of locking out random PIN attempts. In response, an attack called “PixieDust” has been formulated using a program called “Pixiewps”. “Pixiewps” works in an offline fashion, meaning the router is not being bombarded with ‘PIN’ attempts, which essentially circumvents the rate limiting imposed by router manufacturers. “Pixiewps” exploits the generic parameters used by router manufacturers to come up with the WPS ‘PIN’; by doing this, a router can have its PIN possibilities narrowed down to only a few hundred entries, taking seconds to divulge the password. In Turbo Technicians’ testing, our test router gave up a 12 digit randomized password (one of the most complex and secure forms of passphrases) within 0.1 seconds!

Who is at risk?

One of the most alarming facts about WiFi Protected Setup is that it is an official Wi-Fi Alliance protocol; virtually any device that uses the Wi-Fi standard (practically every consumer router in the USA) employs WiFi Protected Setup. Although many routers have implemented some sort of rate limiting, there are routers that exist in an un-updated state with firmware that could be many years old. Advancements such as “PixieDust” may also nullify efforts previously implemented by router manufacturers, setting security progress back substantially. A router database is available, featuring routers that have been tested against this attack and illustrating which are vulnerable. Of particular note, Comcast-supplied Wi-Fi routers made by Arris Group Inc., using SSIDs (network names) of ‘HOME-XXXX’, seem to be especially afflicted, with some giving up PINs in a fraction of a second!

What can you do to protect yourself?

Due to this calamity, Turbo Technicians strongly recommends disabling WiFi Protected Setup in its entirety via your router’s control panel; the convenience offered by such a service does not come close to outweighing the extreme security issue that it poses. The truth of the matter remains that your WPA2 passphrase should never be equated to something as simplistic as an 8 digit number, and there is not likely to be a solution so long as WiFi Protected Setup is tied to such a form.
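To confirm that WiFi Protected Setup is really off after disabling it in the control panel, check whether the router’s beacons still carry a WPS information element. The following is an added example, not part of the original article: it parses the tagged parameters of a beacon frame, using the attribute IDs of the Wi-Fi Simple Configuration format, and the sample bytes and names (LAB-AP, ExampleCo) are constructed for illustration.

```python
import struct

WPS_VENDOR = bytes.fromhex("0050f204")  # OUI 00:50:F2, type 4 marks a WPS element
TEXT_ATTRS = {0x1021: "manufacturer", 0x1023: "model_name"}
STATES = {1: "unconfigured", 2: "configured"}

def iter_elements(tagged):
    """Yield (element_id, body) pairs from a beacon's tagged parameters."""
    pos = 0
    while pos + 2 <= len(tagged):
        eid, length = tagged[pos], tagged[pos + 1]
        body = tagged[pos + 2:pos + 2 + length]
        if len(body) < length:
            return  # truncated capture: stop instead of misparsing
        yield eid, body
        pos += 2 + length

def parse_wps(tagged):
    """Return the advertised WPS settings, or None when no WPS element is present."""
    for eid, body in iter_elements(tagged):
        if eid != 221 or body[:4] != WPS_VENDOR:  # 221 = vendor-specific element
            continue
        info = {"state": "unknown", "ap_setup_locked": False}
        pos = 4
        while pos + 4 <= len(body):
            attr, alen = struct.unpack_from(">HH", body, pos)  # big-endian type, length
            value = body[pos + 4:pos + 4 + alen]
            pos += 4 + alen
            if len(value) < alen:
                break  # truncated attribute: keep what was parsed so far
            if attr == 0x1044 and value:      # Wi-Fi Protected Setup State
                info["state"] = STATES.get(value[0], "unknown")
            elif attr == 0x1057 and value:    # AP Setup Locked (set after lockout)
                info["ap_setup_locked"] = value[0] == 1
            elif attr in TEXT_ATTRS:
                info[TEXT_ATTRS[attr]] = value.decode("utf-8", "replace")
        return info
    return None

def _el(eid, body):
    return bytes([eid, len(body)]) + body

def _attr(attr, value):
    return struct.pack(">HH", attr, len(value)) + value

# Constructed sample input (not captured from a real device).
SSID = _el(0, b"LAB-AP")
WPS_ON = SSID + _el(221, WPS_VENDOR + _attr(0x104A, b"\x10") + _attr(0x1044, b"\x02")
                    + _attr(0x1021, b"ExampleCo") + _attr(0x1057, b"\x00"))
WPS_OFF = SSID + _el(48, bytes.fromhex("0100000fac04"))  # RSN element only, no WPS
```

A result of `None` for your own router’s beacon means WPS is no longer advertised; a dictionary with `ap_setup_locked` set to `False` means the PIN method may still be accepting attempts.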

Turbo Technicians can help!

With our free network assessment and assortment of networking services, Turbo Technicians can help protect against or resolve attacks like WiFi Protected Setup exploits and more.

Want to learn more? Check out the WiFi Protected Setup Wikipedia article.