As you will read, this software will break the PIN-based method of WPS. All the more reason to hunt down these SOHO devices in your network. Many devices apparently leave WPS functioning even if you disable it. I will have to try this.
It seems hard to believe that protection against brute force attacks was simply left out.
It is difficult to determine if physical access to the AP is required to work this exploit. It's not as interesting if that is the case. If physical access is not required, then this is quite a condemnation of WPS.
Looking at the WFA site, it seems most of the WPS devices are SOHO as opposed to Enterprise.
The difference between WPS and "simple setup" is a little murky.
[quote]It is difficult to determine if physical access to the AP is required to work this exploit. It's not as interesting if that is the case. If physical access is not required, then this is quite a condemnation of WPS.[/quote]
No physical access required. The tool basically tries a new PIN every second until it gets it right. Once the PIN is known, the SOHO router just coughs up the PSK. Unfortunately, the PIN can be 'guessed' in two separate chunks: the first half, and then the second half. This makes the brute force work much faster.
If you want to see it in action check out my latest blog post:
[url=http://www.simplywifi.co/blog/2012/1/1/wps-brute-force-thoughts-and-video.html]WPS Brute Force Thoughts and Video[/url]
Other than the fact that your demo showed you actually using the correct PIN (and don't worry, I trust you), this is a very damning video in at least three different ways.
1. It shows that the AP lies about turning WPS off - even after you said "apply", and
2. That WPS PIN can definitely be broken, and
3. The [b]WPA2 passphrase[/b] is exposed with almost no work at all - unbelievable.
I've never been very impressed with what the software industry calls testing these days anyway, and this takes the cake. A big Zero for Linksys.
If it had taken only 10 years to break the PIN, then I might have said I can put up with that - but this is ghastly.
Is there any indication that the WFA has known of this for any amount of time prior to Reaver's publication? If so, shame on them.
GREAT JOB !!!
I like the video you made. I only took screenshots lol I'm lame. I have to step up my Blog skills HaHa. What screen capture app did you use in BT or was it a VM?
[b]Wlanman[/b] - Yep, I just didn't feel like waiting hours just to record the final PIN crack. New Years celebrations were breathing down my neck ;-)
Definitely a bad situation for a large number of SOHO wireless routers. I'm not sure what WFA has planned, but I can only assume that vendors will be pushing out firmware updates to try and implement true 'on/off' capabilities, and/or more brute force detection. Sadly, the WPS brute force detection just delays the inevitable and doesn't actually stop a determined and patient attacker.
[b]Sean[/b] - Thanks! Your blog post was actually what made me take a look at this. For video capture I use several different programs.
Windows - Camtasia Studio
Mac - ScreenFlow
For this video I just ran BT5 in a VM. However, in situations when I actually have to run native Linux I find it easier to VNC to the Linux box from Windows and then just record fullscreen using Camtasia. That way I don't have to mess around with screen recording software in Linux.
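To put numbers on the two points made in the posts above (the PIN being confirmed in two halves, and lockout only delaying a patient attacker), here is an added example that is not code from the thread, from Reaver, or from any vendor. The checksum rule is the one in the WPS specification; the one-guess-per-second rate comes from the post, and the lockout policy values are assumptions chosen for illustration.

```python
"""Search-space and time-to-exhaust arithmetic for the WPS PIN design.

Added example for this thread, not code from it. The 8th PIN digit is a
checksum, and the registrar confirms each half of the PIN separately, so a
guesser faces 10^4 + 10^3 candidates rather than 10^7. The guess rate and
lockout parameters below are assumptions, not measurements.
"""
from dataclasses import dataclass
from typing import Optional


def wps_checksum(first_seven: str) -> int:
    """Checksum digit (per the WPS specification) for a 7-digit prefix."""
    if len(first_seven) != 7 or not first_seven.isdigit():
        raise ValueError("expected exactly seven decimal digits")
    d = [int(c) for c in first_seven]
    accum = 3 * (d[0] + d[2] + d[4] + d[6]) + (d[1] + d[3] + d[5])
    return (10 - accum % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    """True if an 8-digit PIN carries the correct checksum digit."""
    return len(pin) == 8 and pin.isdigit() and wps_checksum(pin[:7]) == int(pin[7])


def search_space(split_halves: bool) -> int:
    """Worst-case number of distinguishable guesses.

    Monolithic: 10^7 valid PINs (8 digits, one fixed by the checksum).
    Split: 10^4 for the first half, then 10^3 for the second half,
    whose 4th digit is the checksum and therefore not free.
    """
    return 10**4 + 10**3 if split_halves else 10**7


@dataclass
class LockoutPolicy:
    """Registrar-side throttling: after `failures_before_lock` wrong PINs,
    refuse new attempts for `lock_seconds`. Values are constructed."""
    failures_before_lock: int
    lock_seconds: float


def seconds_to_exhaust(guesses: int, seconds_per_guess: float,
                       policy: Optional[LockoutPolicy] = None) -> float:
    """Worst-case wall-clock time to try every candidate, lockouts included."""
    total = guesses * seconds_per_guess
    if policy is not None and policy.failures_before_lock > 0:
        lockouts = (guesses - 1) // policy.failures_before_lock
        total += lockouts * policy.lock_seconds
    return total
```

With the thread's rate of one guess per second, the split design exhausts in about three hours rather than the roughly 116 days a monolithic 10^7 space would need; an assumed 60-second lockout after three failures stretches the split case to under three days, which is the "delays the inevitable" point above.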
This is a great (or not so great however you're looking at it) attack vector for hackers. If I were a nefarious person I would do both of the following:
1. Attack SOHO APs on a corporate network
2. Attack a corporate user's device at their home
Two simple solutions to this:
1. A zero tolerance policy on SOHO devices in the enterprise, and use a WIPS to police it
2. Implement managed personal firewalls on every client device
Several comments here (thank you Wireless Jon and SimplyWifi for your great work here):
1. Even if this is a SOHO router issue with WPS, corporate laptop users go home and remote in via their home wifi routers. So potentially, corporate network laptops are vulnerable via home routers.
2. Most SOHO users are probably not going to know how to 'disable' WPS. And even if they do, there appears to be no guarantee it is disabled, except through a packet capture/inspection.
3. When will vendors and Wi-Fi.org come up with solutions?
4. It appears many third-party firmwares do not support WPS. I have done a cursory look and it appears flashing a SOHO router with DD-WRT, Tomato, HyperWRT will 'fix' these, as they do not natively support WPS (unless you script it). However, I'm not sure corporate users can be expected to flash their home routers.
5. Wikipedia now has this vulnerability listed in the first sentence of their online description. http://en.wikipedia.org/wiki/Wi-Fi_Protected_Setup
6. Bottom line: this appears to be a HUGE issue, without clear mitigation. It may be bigger than WEP vulnerability. After all, WiFi "Protected" Setup makes the user sound like they are secure, doesn't it?
[quote]1. Even if this is a SOHO router issue with WPS, corporate laptop users go home and remote in via their home wifi routers. So potentially, corporate network laptops are vulnerable via home routers.[/quote]
You are 100% correct on this point, for sure! This was actually how a Facebook tiger-team managed to breach their own network during an internal pen test. (It was in the news a year or so ago but I can't find the article anymore.) They couldn't get past corporate security so they just went for the low-hanging fruit and got in indirectly.
As an attacker, this definitely opens a lot of doors. In fact, some people I've spoken to looked into their routers, saw that they couldn't turn it off, and then just decided to live with it saying: "Nobody in my neighbourhood would attack me anyway and I don't want to pay for a new router". Meanwhile, every script kiddie in the country is running around attacking anything they can see...
Makes me glad I run enterprise gear at home!
I also saw the internal pen test web page report, but also cannot locate it again. Will keep looking and post if I find it.
As for opening up doors, I ran this vulnerability across one of my IT security coworkers today. Basically he said the same thing you mentioned ("Nobody in my neighborhood would attack me anyway..."). So, if an IT guy says that, what about the general public?
I run SOHO stuff at home and at non-profit orgs I support, but with DD-WRT installed. (Will upgrade to enterprise when money is available.) But, per your video, it does appear you cannot trust ANY AP firmware for disabling WPS unless you do a packet capture. Yep, the script kiddies must be having fun right now. Kinda scary.