It all started on December 27th when a white paper was released by Stefan Viehböck on his blog .braindump. This was quickly picked up by the security community and then the global community at large. Unfortunately many of the people that then reported on this vulnerability were not security experts or even all that knowledgeable about wireless technologies in general. Too often these news articles gave the story a “the sky is falling” air of impending doom. Many, including a big name technology magazine which shall remain nameless, even got the abbreviation wrong when they first posted about the problem, which didn’t help matters.
The mistake this magazine, and others, made was assuming WPS has anything to do with WPA(2), the underlying security mechanism of current wireless products. We all remember when WEP was so completely compromised that it made its use a polite gesture and little else. WPA(2) was a response to the weaknesses of WEP, and the worry was that this too had become useless. Fret not! This is absolutely not the case. The vulnerability has nothing at all to do with the encryption methods employed by WPA(2).
So, just what is WPS then? For that matter, what is WPA(2) and why do I keep adding a 2 in parentheses? Here it is, the history of wireless security in one paragraph. When wireless first started to make inroads it was obvious pretty quickly that transmitting all your personal data in clear text out into the ether for anyone with a strong enough antenna to pick up was going to seriously limit its adoption, so WEP was created. WEP stands for “Wired Equivalent Privacy”. The title ended up being ambitious to say the least. Research into WEP quickly revealed glaring faults that over the years have turned cracking WEP into a 5 minute or less endeavor. In response the IEEE (the standards body that defines networking protocols) started work on 802.11i, which was then integrated into the 802.11-2007 standard. The important part of 802.11i (at least for our discussion) was the creation of RSNs (Robust Secure Networks). The problem was that the IEEE is not exactly known for its speed, so we had this proposed standard that was going to take forever to get ratified and a seriously broken security protocol. This is where the Wi-Fi Alliance stepped in. You may have seen Wi-Fi plastered all over your new wireless device. It’s important to note that the primary goal of the Wi-Fi Alliance is merely to certify products. They take the products produced by various companies and make sure they work the way those companies say they do and can all talk to each other. Well, the Wi-Fi Alliance looked at the 802.11i spec and created WPA (Wi-Fi Protected Access) as a stopgap measure until the standard could be ratified. When 802.11i finally did make it to a full-fledged standard the Wi-Fi Alliance went back and created WPA2 to take advantage of all the aspects of 802.11i.
If these are all the security methods used with wireless then what is WPS? WPS stands for “Wi-Fi Protected Setup” and you’ve probably never heard of it because almost nobody actually uses it. The idea was that setting up routers and client computers could be difficult for even the most tech-savvy end users, so what if they could make it simple enough for a 2 year old? There are 4 methods you can use with WPS: PIN, push button, NFC and USB. As it generally works you have a button on your router/access point and a button on your wireless card. You push the button on the router to initiate the protocol and then push a button on the wireless card, and everything is set up for you automagically. Now, I used the word “button” but it may not always be an actual physical button; it could be a software button you click. It’s not always practical to have a physical button, especially in laptops, cellphones and tablet devices.
The type of WPS that was found to be vulnerable lies in the PIN method. Basically the problem is that PINs are short and WPS lets you try as often as you want without getting locked out. You should see where this is going. It was fairly trivial to create a program (Reaver) that lets you try every possible PIN and effectively bypass the security of the network. Reaver is pretty simple to use, and several tutorials and videos have already been put together to show just how easy this flaw is to take advantage of.
So what’s our takeaway here? The underlying security mechanisms of today’s wireless networks, namely WPA(2), are as safe as they ever were. I also implied that while WPS is trivial to take advantage of, it’s also rarely used. This is true… but it also doesn’t take one important piece of information into account. You don’t have to actually be using WPS for it to be turned on and thus exploitable. Unfortunately many consumer routers and access points ship with this “feature” enabled by default. To effectively secure your network just make sure WPS is turned off (assuming your hardware even supports it; it is optional after all). This process is usually as simple as going to the hardware’s management interface and changing a radio button from “yes” to “no” or “on” to “off” and saving the configuration. The problem here should be fairly obvious. The people using WPS were exactly the people that didn’t want to deal with the management interface to begin with. WPS was designed specifically to keep consumers out of that area and make everything as simple as possible.
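Flipping the radio button is only half the job; the other half is confirming the router actually stopped advertising WPS. Here is an added example (my own code, not from the original post, Reaver or any vendor tool) that parses the WSC information element a router broadcasts in its beacons and reports whether WPS is configured and whether the AP is advertising the “AP Setup Locked” flag, the lockout whose absence is exactly the weakness described above. The beacon bytes are constructed inline for the demo; in practice you would feed it the information elements from a scan of your own AP.

```python
import struct
WSC_OUI_TYPE = bytes.fromhex("0050f204")  # vendor IE 0xDD: OUI 00:50:F2, type 4 = WSC
# WSC attribute types (Wi-Fi Simple Configuration spec)
ATTR_WPS_STATE = 0x1044        # 1 = not configured, 2 = configured
ATTR_AP_SETUP_LOCKED = 0x1057  # 1 = AP currently refuses PIN registration

def iter_ies(blob):
    """Yield (element_id, payload) for each 802.11 information element."""
    off = 0
    while off + 2 <= len(blob):
        eid, length = blob[off], blob[off + 1]
        payload = blob[off + 2:off + 2 + length]
        if len(payload) < length:
            break  # truncated element: stop rather than read past the end
        yield eid, payload
        off += 2 + length

def parse_wsc_attrs(data):
    """Parse WSC TLVs (big-endian 2-byte type, 2-byte length, value)."""
    attrs, off = {}, 0
    while off + 4 <= len(data):
        atype, alen = struct.unpack(">HH", data[off:off + 4])
        value = data[off + 4:off + 4 + alen]
        if len(value) < alen:
            break
        attrs[atype] = value
        off += 4 + alen
    return attrs

def wps_status(blob):
    """None when no WSC IE is advertised (WPS off); else the flags a defender wants."""
    for eid, payload in iter_ies(blob):
        if eid == 0xDD and payload[:4] == WSC_OUI_TYPE:
            attrs = parse_wsc_attrs(payload[4:])
            state = attrs.get(ATTR_WPS_STATE, b"")
            locked = attrs.get(ATTR_AP_SETUP_LOCKED, b"")
            return {"configured": state[:1] == b"\x02",
                    "setup_locked": locked[:1] == b"\x01"}
    return None

# Constructed sample beacons: SSID "home" with and without a hand-built WSC IE
SSID_IE = bytes([0x00, 4]) + b"home"
def wsc_ie(locked):
    body = (WSC_OUI_TYPE + bytes.fromhex("104a000110")           # Version 1.0
            + bytes.fromhex("1044000102")                        # state: configured
            + struct.pack(">HHB", ATTR_AP_SETUP_LOCKED, 1, int(locked)))
    return bytes([0xDD, len(body)]) + body
DEFAULT_ROUTER = SSID_IE + wsc_ie(locked=False)  # WPS on, PIN attempts not locked
HARDENED_ROUTER = SSID_IE                        # WPS disabled: no WSC IE at all
```

A router that still shows up with `configured` true and `setup_locked` false after you “turned WPS off” has not been fixed, whatever the management page says.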
So, is this security risk the end of the world? Clearly not, but it’s also not something that can just be ignored. As is often the case the reality lies somewhere in the middle.