Thursday, January 12, 2017

What is WPS and how can it be found in a Beacon message?

Wi-Fi Protected Setup (WPS; originally, Wi-Fi Simple Config) is a network security standard to create a secure wireless home network. Created by the Wi-Fi Alliance and introduced in 2006, the goal of the protocol is to allow home users who know little of wireless security and may be intimidated by the available security options to set up Wi-Fi Protected Access, as well as making it easy to add new devices to an existing network without entering long passphrases. Prior to the standard, several competing solutions were developed by different vendors to address the same need.


A major security flaw was revealed in December 2011 that affects wireless routers with the WPS PIN feature, which most recent models have enabled by default. The flaw allows a remote attacker to recover the WPS PIN in a few hours with a brute-force attack* and, with the WPS PIN, the network's WPA/WPA2 pre-shared key. Users have been urged to turn off the WPS PIN feature, although this may not be possible on some router models.


The WPS protocol consists of a series of EAP message exchanges that are triggered by a user action, relying on an exchange of descriptive information that should precede that user's action. The descriptive information is transferred through a new Information Element (IE) that is added to the beacon, probe response, and optionally to the probe request and association request/response messages. Other than purely informative type-length-values, those IEs will also hold the possible and the currently deployed configuration methods of the device.
After this communication of the device capabilities from both ends, the user initiates the actual protocol session. The session consists of eight messages that are followed, in the case of a successful session, by a message to indicate that the protocol is completed. The exact stream of messages may change when configuring different kinds of devices (AP or STA), or when using different physical media (wired or wireless).


brute-force attack*
In December 2011, researcher Stefan Viehböck reported a design and implementation flaw that makes brute-force attacks against PIN-based WPS feasible on WPS-enabled Wi-Fi networks. A successful attack on WPS allows unauthorized parties to gain access to the network, and the only effective workaround is to disable WPS. The vulnerability centers around the acknowledgement messages sent between the registrar and enrollee when attempting to validate a PIN, which is an eight-digit number used to add new WPA enrollees to the network. Since the last digit is a checksum of the previous digits, there are seven unknown digits in each PIN, yielding 10^7 = 10,000,000 possible combinations.
When an enrollee attempts to gain access using a PIN, the registrar reports the validity of the first and second halves of the PIN separately. Since the first half of the PIN consists of four digits (10,000 possibilities) and the second half has only three active digits (1,000 possibilities), at most 11,000 guesses are needed before the PIN is recovered. This is three orders of magnitude fewer than the number of PINs that would otherwise need to be tested. As a result, an attack can be completed in under four hours. The ease or difficulty of exploiting this flaw is implementation-dependent, as Wi-Fi router manufacturers could defend against such attacks by slowing or disabling the WPS feature after several failed PIN validation attempts.
A tool has been developed in order to show that the attack is practically feasible. The firm that released the tool, Tactical Network Solutions in Maryland, says that it has known about the vulnerability since early 2011 and has been using it.
In some devices, disabling WPS in the user interface does not result in the feature actually being disabled, and the device remains vulnerable to this attack. Firmware updates have been released for some of these devices so that WPS can be disabled completely. Vendors could also patch the vulnerability by adding a lock-down period if the Wi-Fi access point detects a brute-force attack in progress, which disables the PIN method for long enough to make the attack impractical.


How it can be found in a Beacon
APs that support WPS advertise this inside the Beacon frame, as shown below. In the beacon packet capture below, WPS support can be found in the Vendor Specific information element.


Detection by Extreme Wireless solution
Most consumer-oriented APs released in the last few years support Wi-Fi Protected Setup (WPS). Many APs are susceptible to brute-force attacks that allow the attacker to learn the WPS PIN. Once the PIN is learned, the attacker can use it to get the WPA-PSK for the SSID from the attacked AP. Although forms of WPS can be used in the enterprise, it is not normal for enterprise APs to support it. So the discovery of WPS-related IEs in beacons and probe responses is a potential indicator of an unauthorized AP in the vicinity.
Extreme WIPS can detect a WPS-enabled AP and notify the administrator. WPS is not supported on the ExtremeNetworks IdentiFi Wireless platform.
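As an added example (not part of the original post or of any Extreme product), the following Python decodes the WPS Vendor Specific IE (element ID 221, OUI 00:50:F2, type 4) from a beacon body and reports what a WIPS would care about: whether WPS is advertised, whether a PIN-based configuration method is offered, and whether the AP signals Setup Locked. The attribute IDs and Config Methods bits are those of the WSC specification; the beacon bodies are constructed sample data.

```python
import struct

WPS_OUI_TYPE = bytes.fromhex("0050f204")   # OUI 00:50:F2, vendor type 4 = WSC
ATTR_NAMES = {0x1044: "wps_state", 0x1041: "selected_registrar", 0x1012: "device_password_id",
              0x1008: "config_methods", 0x1053: "sel_reg_config_methods", 0x1057: "ap_setup_locked"}
PIN_METHODS = 0x0004 | 0x0008 | 0x0100    # Label, Display, Keypad: the PIN-based config methods

def iter_ies(body):
    """Yield (element_id, value) for the tagged parameters of a beacon/probe-response body."""
    off = 12                               # skip timestamp(8) + beacon interval(2) + capability(2)
    while off + 2 <= len(body):
        eid, ln = body[off], body[off + 1]
        yield eid, body[off + 2: off + 2 + ln]
        off += 2 + ln

def parse_wps_ie(payload):
    """Decode the WSC TLVs (2-byte ID, 2-byte length, big-endian) that follow the OUI/type header."""
    attrs, off = {}, 4
    while off + 4 <= len(payload):
        aid, ln = struct.unpack_from(">HH", payload, off)
        val = payload[off + 4: off + 4 + ln]
        if aid in ATTR_NAMES:
            attrs[ATTR_NAMES[aid]] = int.from_bytes(val, "big")
        off += 4 + ln
    return attrs

def assess_beacon(body):
    """Detection verdict: is WPS advertised, is a PIN method exposed, does the AP report Setup Locked?"""
    for eid, val in iter_ies(body):
        if eid == 0xDD and val[:4] == WPS_OUI_TYPE:
            a = parse_wps_ie(val)
            methods = a.get("sel_reg_config_methods", a.get("config_methods", 0))
            return {"wps": True,
                    "configured": a.get("wps_state") == 2,       # 1 = Not Configured, 2 = Configured
                    "pin_method": bool(methods & PIN_METHODS),
                    "setup_locked": a.get("ap_setup_locked") == 1}
    return {"wps": False}

def wps_ie(*tlvs):
    """Build a Vendor Specific IE carrying the given (attribute_id, value) WSC TLVs (for sample data)."""
    payload = WPS_OUI_TYPE + b"".join(struct.pack(">HH", aid, len(v)) + v for aid, v in tlvs)
    return bytes([0xDD, len(payload)]) + payload

# Constructed sample beacon bodies: fixed fields (interval 100 TU, ESS+Privacy), SSID, optional WPS IE.
FIXED = bytes(8) + struct.pack("<HH", 100, 0x0411)
SSID = bytes([0x00, 7]) + b"HomeNet"
PIN_AP = FIXED + SSID + wps_ie((0x104A, b"\x10"), (0x1044, b"\x02"), (0x1041, b"\x00"),
                               (0x1057, b"\x00"), (0x1008, b"\x01\x88"))  # Display|PushButton|Keypad
PBC_AP = FIXED + SSID + wps_ie((0x104A, b"\x10"), (0x1044, b"\x02"), (0x1057, b"\x01"),
                               (0x1008, b"\x00\x80"))                    # push-button only, locked
PLAIN_AP = FIXED + SSID                                                  # no WPS IE at all
```

In a WIPS rule, `wps` true on a network where WPS is not sanctioned is the rogue-AP indicator the text describes; `pin_method` true with `setup_locked` false is the configuration most exposed to the PIN brute force.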
2 comments:

  1. Hi JJ. I'm testing one gateway here where we have a real problem in getting devices connected through WPS. Our customers use multiple devices, e.g. heat pumps and smart home devices which only have WPS. This particular gateway doesn't seem to allow connections. We have designed it to use only the WPS push button, so a PIN is not typed in. So I'm trying to troubleshoot the issue and raise a fault with the vendor. I would like some help with the following: 1) how do I capture the packets (I have the aircrack suite installed)? What should I look for when the handshake happens, and a general in-depth understanding, from the start of the WPS process, of what happens between AP and STA. Thanks

  2. Drop me an email, if possible, with any material I can read etc. to dilhan9@gmail.com
