No Strings Attached Show

E02 – Wi-Fi Protected Setup, Battered or Broken?

In episode 02 of the show, Andrew vonNagy hosts and welcomes guests Matthew Gast from Aerohive and Dan Cybulskie from Simply Wi-Fi to talk about the recently announced Wi-Fi Protected Setup vulnerability. Matthew brings Wi-Fi expertise to the show through his work at Aerohive, his participation in the IEEE 802.11 standard, and his role as acting task chair for Wi-Fi Alliance security task groups. Dan brings extensive Wi-Fi security knowledge and has performed quite a bit of research into the WPS vulnerability since the announcement.
First, we discuss the background of Wi-Fi Protected Setup (WPS) – yet another acronym to remember and/or confuse with so many others – and its creation to “ease” security setup for non-technical users, typically in the consumer market. We make the distinction that WPS is not the same as WPA/WPA2 and that Wi-Fi security through use of those protocols is definitely not compromised by this vulnerability. Furthermore, WPS supports various methods of setup, including PIN and Push-Button Configuration, with the PIN mode being the only one affected by the vulnerability.
Matthew brings up a great point: although this is a protocol design flaw, proper vendor implementations can make the attack much harder to execute. This is because it is a brute-force attack, and implementing a user lockout/timeout feature after consecutive failed PIN attempts will slow down the attack.
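The lockout behaviour Matthew describes, modelled as an added example that is not code from the show or from any vendor: a hypothetical registrar-side guard that refuses further PIN attempts for a fixed period after a run of consecutive failures, plus a counter of how many guesses a brute-forcer actually gets evaluated in an hour under a given policy. The thresholds, the 2-second attempt interval and the PIN values are assumptions.

```python
from dataclasses import dataclass


@dataclass
class PinLockoutPolicy:
    """Hypothetical policy: after `max_failures` consecutive wrong PINs,
    refuse every attempt for `lockout_seconds` (0 means no lockout)."""
    max_failures: int = 3
    lockout_seconds: float = 60.0


@dataclass
class WpsRegistrarGuard:
    """Registrar-side state for one enrollee; tracks consecutive failures."""
    policy: PinLockoutPolicy
    correct_pin: str
    failures: int = 0
    locked_until: float = 0.0

    def try_pin(self, pin: str, now: float) -> str:
        """Returns 'locked', 'wrong' or 'ok' for an attempt made at time `now`."""
        if now < self.locked_until:
            return "locked"  # refused outright; the PIN is not even evaluated
        if pin == self.correct_pin:
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= self.policy.max_failures:
            self.failures = 0
            self.locked_until = now + self.policy.lockout_seconds
        return "wrong"


def evaluated_guesses_per_hour(policy: PinLockoutPolicy,
                               seconds_per_attempt: float = 2.0) -> int:
    """Simulate one hour of guesses, one every `seconds_per_attempt` seconds,
    and count only the guesses the registrar actually evaluated."""
    guard = WpsRegistrarGuard(policy, correct_pin="00000000")  # placeholder PIN
    evaluated, t = 0, 0.0
    while t < 3600:
        if guard.try_pin("99999999", t) == "wrong":  # always a wrong guess
            evaluated += 1
        t += seconds_per_attempt
    return evaluated


NO_LOCKOUT = PinLockoutPolicy(max_failures=3, lockout_seconds=0.0)
STRICT_LOCKOUT = PinLockoutPolicy(max_failures=3, lockout_seconds=60.0)

if __name__ == "__main__":
    print("no lockout:", evaluated_guesses_per_hour(NO_LOCKOUT))        # 1800
    print("3 fails / 60 s:", evaluated_guesses_per_hour(STRICT_LOCKOUT))  # 171
```

The same guard state is what a vendor would persist per enrollee; without it every guess is evaluated, with it roughly one guess in ten gets through under these assumed numbers.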
Next, we dig into the WPS vulnerability details:

* Independently discovered by two parties: Stefan Viehböck and Tactical Network Solutions
* Does NOT affect WPA/WPA2 enterprise (802.1X) or personal (PSK)
* Only the WPS PIN mode is affected
* Root cause is poor protocol design, something the Wi-Fi industry is familiar with because of WEP’s well-documented issues
* This is an “active” attack, meaning the attacker must send and receive frames to the target. It cannot be exploited passively.
* All WPS capable routers are affected
* Some vendor implementations reduce attack effectiveness due to the use of a lockout feature after failed attempts
* Static PINs (printed on the equipment) are generally more susceptible because WPS is typically “always-on”. Equipment with user-configurable PINs typically requires WPS setup to be activated every time it needs to be used, and is less susceptible.

Then we discuss the impact to consumers, SMBs, and enterprises:

* Consumer and some SMB equipment is vulnerable. No enterprise equipment has been found that supports WPS.
* Enterprises should still be mildly concerned due to rogue APs and home VPNs connecting back into the corporate network.
* Apple’s product focus on good user experience actually serves as a security benefit in this case, because they didn’t need to implement WPS.
* Client devices are technically vulnerable too, but none of the show participants think it’s much of an attack vector and are not too concerned.
* The vulnerability was discovered over a year ago by Tactical Network Solutions, which is why their Reaver attack tool was promptly available after the U.S. CERT announcement.
* An exploit is in the wild… home users need to take action NOW by researching their router to see if it’s vulnerable.

Mitigation Steps:

* Turn off WPS, if possible. Some equipment does not allow it to be disabled.
* Watch for firmware updates from the vendor. However, given consumer manufacturers’ historical lack of support and upgrades for existing products, it’s probably best to buy a new router that does not support WPS or allows WPS ...