Don’t Use WiFi Protected Setup (WPS)
The IAG visits a wide range of tech products and services, doing our best to provide evergreen content in the context of ever-evolving technologies. As COVID-19 scourges populations globally, more people than ever work from home using their WiFi. This means more opportunities for black hats to intercept your data. You’ll see why we don’t use WiFi protected setup (WPS) and why you shouldn’t either if you’re serious about data security.
In his survey of wireless access points, a researcher found that 80% were vulnerable to WPS brute-force attacks. His is not a lone voice in the WiFi wilderness. You can read literally dozens of articles online documenting the security woes of WPS. Remember this rule of thumb in tech: convenience has an inverse relationship to security. While the Wi-Fi Alliance designed WPS with convenience in mind, it’s horribly insecure.
We’ve ranted about data security numerous times at the IAG, and this article shrieks in no uncertain terms about the dangers of WPS. In our take on WiFi Direct Printing, we mentioned our concerns with the WPS standard. Here, we reinforce the intrinsic insecurity of the WPS protocol.
To begin our admonition against WPS, have a look at this vid from Home Network Central:
What is WPS?
Unveiled by the Wi-Fi Alliance—the organization behind IEEE 802.11—in 2006, WPS was meant to serve tech-challenged WiFi users needing secure WLANs and an easy way to add devices to their networks. Vendors were quick to adopt the technology. Within weeks, they offered over 200 WPS “Wi-Fi Certified” products.
But, as security researcher Stefan Viehböck says, “When poor design meets poor implementation,” problems inevitably arise. Both he and analyst Craig Heffner, working independently from each other, soon discovered that WPS is vulnerable to brute force attacks.
Researcher Michael Horowitz is even blunter, stating: “The WPS protocol in consumer routers is like putting a virtual “HACK ME” sign on the box.” He adds, “WPS was a bad idea to begin with, has a huge design flaw, comes from an untrustworthy source and is overly complicated. (It also) has multiple instances of poorly written, buggy implementations.” He—as do virtually all WiFi security experts—strongly urges using a router that does not support WPS at all.
Many legacy routers (think 802.11n) don’t allow users to disable WPS. Even worse, some routers that do provide a disability option in fact don’t turn the feature off, with WPS still enabled unbeknownst to the user. As Ars Technica reported in 2012, “every Linksys and Cisco Valet wireless access point… tested” had this flaw.
Howtogeek.com added that some routers won’t allow a choice of WPS authentication methods while others “allow you to disable PIN-based WPS authentication while still using (PBC) authentication.” It’s evident that WPS is an inconsistent “standard” at best and that the most secure routers don’t support WPS, period.
We described earlier that one may choose one of three methods for WPS connectivity. In truth, there are four. We quote from our earlier article on”Wi-Fi Direct Printing”:
1. Push-button configuration (PBC): This button can either be physical or software-based. On a router, one will generally find a physical WPS button on the back of the device next to the Ethernet ports. Note that during the setup/pairing process, rogue devices in range could join the network. This is an optional approach, meaning the WiFi Alliance doesn’t require devices to include this setup mode.
2. PIN entry: All WPS-enabled devices require an 8-digit PIN code for network access, which is either fixed or dynamic. Users cannot change the PIN. Once the “registrar” device detects the presence of a new WiFi device, it queries for the PIN. In PIN entry mode, the WPS network encrypts data and authenticates network devices. The standard requires that all WPS-enabled devices include this mode.
3. Near-field Communication (NFC): This mode interface can transfer network settings to a new device with the use of manual PIN code entry. The Wi-Fi Alliance claims that this “method provides strong protection against adding an unintended device to the network.” Like PBC, it too is an optional setup mode.
The fourth method: use a USB flash device to add a device to a WLAN. We’ll skip details since the Alliance has deprecated support for this mode. Only PBC and PIN entry are WPS certified since they don’t perform out-of-band authentication.
Does Your Router Have WPS?
To see if your router has WPS, merely look on the underside of the box. Should you see a barcode atop “WPS PIN:” followed by 8 digits, your router is WPS-enabled. By the way, this PIN overrides the WPA2 password. And, of course, anyone who has this PIN can easily access your home WLAN.
Also, in PBC mode, you can enable WPS by either a physical or virtual button. A physical WPS button is usually located on the back of the router next to the Ethernet ports. See the image below:
Credit: Arnold Reinhold/Wikimedia Commons
CC BY-SA 3.0
Regrettably, most major OS platforms provide native support for WPS. Windows first implemented WPS with Vista in 2007 and has included it in every version up to Windows 10. Android 4.0 (“Ice Cream Sandwich”) began providing native support for WPS in 2011; subsequent versions still support the protocol. Apple, ever mindful of its reputation for data security, has never offered native support for WPS in either macOS or iOS.
We again cite the IAG article on WiFi Direct Printing to illustrate how easily brute-force attacks succeed in cracking a WPS PIN:
An 8-digit PIN has a maximum of 100 million possible combinations (108). But since the eighth digit is a checksum for the previous 7 digits, the possible combinations aren’t 100 million but 10 million (107). If all possible combinations are tried at 1 PIN/second, the code will be cracked in no more than 115.7 days.
Reasonable security, right? Wrong. WiFi Direct actually relays the 8-digit code in two 4-digit halves, which are then independently verified. Thus, a black hat doesn’t have to crack a 7-digit code, just a 4-digit code and a 3-digit code.
The first has a possible 10,000 (104) possible combinations which, at a rate of 1 PIN/second, can be tested in 2.7 hours. The second, with only 1,000 (103) combinations (thanks to the checksum digit) can be tried in just 16 minutes. So, instead of nearly four months, an intruder can crack a WiFi Direct PIN code in 3 hours using brute force.
In ” Brute Forcing Wi-Fi Protected Setup,” Stefan Viehböck describes the protocol’s security flaws:
1. “As the External Registrar option (i.e., PBC or router PIN) does not require any kind of authentication apart from providing the PIN, it is potentially vulnerable to brute force attacks.”
2. “An attacker can derive information about the correctness of parts the PIN from the AP´s responses.”
Moreover, Viehböck cites vendor WPS implementation flaws. Netgear, for example, “did not implement any kind of blocking mechanism to prevent brute force attacks.” Thus, a hacker can try all possible PIN combinations in under four hours. Even on devices with lock-down capabilities, the intervals don’t last long enough to deter attacks.
If we may dispense with a bit of editorial largess, the Wi-Fi Alliance should be ashamed of foisting this crappy “standard” on unsophisticated tech consumers.
Untold numbers of wireless routers still in use suffer from the fatal flaws of the WPS protocol. Too, inexplicably, the Alliance has never specified a lock-down interval of sufficient length into the standard for device certification.
The protocol is so shoddy that one wonders if incompetence is at play, or if WPS was intentionally constructed with regulatory surveillance in mind. We’ll go with the former. After all, the Wi-Fi Alliance is the collection of masterminds who gave us WEP—Wired Equivalent Piracy, er, Privacy.