WPA2 Password Cracking in under 10 hours - WPS Side-channel attack

WelshPaul
Grafter
Posts: 45
Registered: ‎28-11-2011

I've seen a few news articles come through in the past 24 hours about a new Wi-Fi attack. It uses an attack on the implementation of WPS (ironically, WiFi Protected Setup) to crack WPA and WPA2 network passwords:
http://nakedsecurity.sophos.com/2011/12/30/most-wi-fi-routers-susceptible-to-hacking-through-securit...
http://isc.sans.edu/diary.html?storyid=12292
Here is a more technical write-up of the vulnerability:
http://sviehb.files.wordpress.com/2011/12/viehboeck_wps.pdf
I won't link to the tool, but there is already some free software around to do this.
Long passwords are no defence against this as it actually cracks an 8-character PIN. Best thing you can do is to search for the model of your router and see if you can disable WPS.
[Moderator's note by Dick (Strat): First and last URLs fixed.]
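One way to confirm that WPS is really off after changing the router setting is to check whether the access point still advertises it in a Wi-Fi scan. The following is an added example, not part of the original post: it parses text in the style printed by the Linux `iw dev <iface> scan` command and lists the networks that still advertise WPS. The sample scan, the SSIDs and the function names are constructed for illustration, and the field layout is an assumption about how `iw` prints the WPS element.

```python
import re

# Constructed sample in the style of `iw dev wlan0 scan` output (not a real capture).
SAMPLE_SCAN = """\
BSS 02:00:00:00:00:01(on wlan0)
\tSSID: home-router
\tRSN:\t * Version: 1
\t\t * Authentication suites: PSK
\tWPS:\t * Version: 1.0
\t\t * Wi-Fi Protected Setup State: 2 (Configured)
\t\t * AP setup locked: 0x01
BSS 02:00:00:00:00:02(on wlan0)
\tSSID: wps-disabled
\tRSN:\t * Version: 1
\t\t * Authentication suites: PSK
BSS 02:00:00:00:00:03(on wlan0)
\tSSID: wps-open
\tWPS:\t * Version: 1.0
\t\t * Wi-Fi Protected Setup State: 2 (Configured)
"""

BSS_RE = re.compile(r"^BSS ([0-9a-f:]{17})")


def audit_wps(scan_text):
    """Return one dict per access point: bssid, ssid, wps, locked."""
    aps, current = [], None
    for line in scan_text.splitlines():
        match = BSS_RE.match(line)
        if match:  # a new access point block starts here
            current = {"bssid": match.group(1), "ssid": "",
                       "wps": False, "locked": False}
            aps.append(current)
            continue
        if current is None:
            continue
        text = line.strip()
        if text.startswith("SSID:"):
            current["ssid"] = text[5:].strip()
        elif text.startswith("WPS:"):
            current["wps"] = True  # WPS element present in beacon/probe response
        elif "AP setup locked:" in text:
            # Non-zero means the AP reports that PIN setup is currently locked.
            current["locked"] = int(text.split(":", 1)[1].strip(), 16) != 0
    return aps


def still_advertising(scan_text):
    """SSIDs of access points that still advertise WPS."""
    return [ap["ssid"] for ap in audit_wps(scan_text) if ap["wps"]]
```

Feed it the saved output of a scan taken near your own router; an empty list from `still_advertising` means no scanned network advertised WPS.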
Strat
Community Veteran
Posts: 31,320
Thanks: 1,588
Fixes: 565
Registered: ‎14-04-2007

Re: WPA2 Password Cracking in under 10 hours - WPS Side-channel attack

WPS appears to be off by default on my Billion 7800N.
Windows 10 Firefox 109.0 (64-bit)
To argue with someone who has renounced the use of reason is like administering medicine to the dead - Thomas Paine
Oldjim
Resting Legend
Posts: 38,460
Thanks: 741
Fixes: 63
Registered: ‎15-06-2007

Re: WPA2 Password Cracking in under 10 hours - WPS Side-channel attack

Kelly
Hero
Posts: 5,497
Thanks: 373
Fixes: 9
Registered: ‎04-04-2007

Re: WPA2 Password Cracking in under 10 hours - WPS Side-channel attack

We ship all our technicolor routers with WPS off.
Kelly Dorset
Ex-Broadband Service Manager
alanf
Aspiring Pro
Posts: 1,931
Thanks: 78
Fixes: 1
Registered: ‎17-10-2007

Re: WPA2 Password Cracking in under 10 hours - WPS Side-channel attack

I cannot find anywhere in the setup of my BT Voyager 2110 (supplied by Plusnet) to check this setting. Does this mean the router does not have this feature? I know it's a few years old but the firmware has been updated during that time.
www.voyager.bt.com is not responding at present.
VileReynard
Hero
Posts: 12,616
Thanks: 579
Fixes: 20
Registered: ‎01-09-2007

Re: WPA2 Password Cracking in under 10 hours - WPS Side-channel attack

Isn't WPS a Windows "feature"?

"In The Beginning Was The Word, And The Word Was Aardvark."

prichardson
Grafter
Posts: 1,503
Thanks: 1
Registered: ‎05-04-2007

Re: WPA2 Password Cracking in under 10 hours - WPS Side-channel attack

The Voyager 2110 does not support WPS.
WPS is a wireless specification. Microsoft decided to adopt it within the Windows 7 core wireless functionality, through wireless cards that support it (supply the required API calls to Windows).
Gus
Aspiring Pro
Posts: 3,240
Thanks: 34
Fixes: 3
Registered: ‎31-07-2007

Re: WPA2 Password Cracking in under 10 hours - WPS Side-channel attack

Buffalo WBMR-HP-GN have it enabled by default
FTTP 500 regrade from Tues 28th November
alanf
Aspiring Pro
Posts: 1,931
Thanks: 78
Fixes: 1
Registered: ‎17-10-2007

Re: WPA2 Password Cracking in under 10 hours - WPS Side-channel attack

Thanks Phil. It pays not to be using state-of-the-art kit it seems!
Colin1234
Grafter
Posts: 28
Registered: ‎11-04-2008

Re: WPA2 Password Cracking in under 10 hours - WPS Side-channel attack

I can't see what the problem is as you need access to the router for this to work. You need to press a button on it to activate WPS. Am I missing something?
WelshPaul
Grafter
Posts: 45
Registered: ‎28-11-2011

Re: WPA2 Password Cracking in under 10 hours - WPS Side-channel attack

Taken from the first link:
Quote
It has three methods of simplifying the connection of wireless devices to WPA2 protected access points:
Push Button Connect (PBC) requires the user to push a button on the router which allows it to communicate with a client needing configuration. The client attempts to connect and the router simply sends it the security configuration required to communicate.
Client PIN mode is where the client device supports WPS and has a PIN assigned by the manufacturer. You then login to the router's management interface and enter the PIN to authorize that client to obtain the encryption configuration.
Router PIN mode allows a client to connect by entering a secret PIN from a label on the router, or from its management interface which authorizes the client to obtain the security configuration details.
The first method requires physical access, while the second requires administrative access, both of these pass muster. The third however, can be accomplished only through the use of the Wi-Fi radio.

So no, you don't need to have physical access to the router.
ReedRichards
Seasoned Pro
Posts: 4,927
Thanks: 145
Fixes: 25
Registered: ‎14-07-2009

Re: WPA2 Password Cracking in under 10 hours - WPS Side-channel attack

This doesn't surprise me.  The thinking must have been:
1)  Let's invent a secret password system to protect our wireless networks
2)  Oh dear, some people are too ignorant/stupid to cope with the secret password; let's invent a way of handing out the password even if they can't-remember/don't-know what it is.  And WPS was born.
Now it turns out that the means of handing out the secret password is open to abuse.  Well what a surprise!
Anonymous
Not applicable

Re: WPA2 Password Cracking in under 10 hours - WPS Side-channel attack

Much like all those Windows users who disable the User login password and use the machine with full administrator privileges at all times!
w23
Pro
Posts: 6,347
Thanks: 96
Fixes: 4
Registered: ‎08-01-2008

Re: WPA2 Password Cracking in under 10 hours - WPS Side-channel attack

I know someone with a Talk-Talk router that thoughtfully has the WPA2 passcode printed on a label on the side of the router (helpful for users who don't think to look underneath), the router is kept on the front windowsill near the master socket..... Who needs WPS?
Call me 'w23'
At any given moment in the universe many things happen. Coincidence is a matter of how close these events are in space, time and relationship.
Opinions expressed in forum posts are those of the poster, others may have different views.
Vargster
Newbie
Posts: 1
Registered: ‎04-01-2012

Re: WPA2 Password Cracking in under 10 hours - WPS Side-channel attack

Quote from: Kelly
We ship all our technicolor routers with WPS off.

Am I right in thinking my Thomson TG585 v7 is a Technicolor router?
Cheers!