WPS uses the PIN Method, in which an 8 digit Personal Identification Number (PIN) has to be read from the router (often written on a sticker on the router) in order to access the wireless network. However, if anyone could guess (hack) that PIN they could illegally access your wireless network.
Up until now it had been thought that the PIN was very secure as the random 8 digit PIN code should have 100 million possible combinations – far too many to successfully hack as even automated ‘brute force’ attacks would take years to guess the correct combination (brute force attack = using a computer program to generate thousands of possible combinations until the correct sequence of numbers is found).
So far so good, and that is why most modern wireless routers include WPS – and it is enabled by default.
Major WPS Security Flaw Exposed – Kaspersky Lab reports that researchers have now found a huge flaw in the PIN security used by WPS which “results in too much information about the PIN being returned to an attacker and makes the PIN quite weak”.
In practise, the WPS standard is flawed because, if an attacker takes a guess at the 8 digit PIN, the router responds by confirming whether the first 4 digits are correct or not. This is very bad as it means that an attacker can just brute force attack the first 4 numbers until the router confirms they are correct – as there are only 10,000 possible combinations of the first 4 numbers, it is relatively simple to hack them in just a few hours.
Even worse, the 8th digit is a checksum of the whole PIN so this digit is easily calculated too. Now an attacker knows the first 4 and the last digit – that only leaves the middle 3 digits left to guess. As there are only 1000 possible combinations of these 3 digits, it is a piece of cake to guess those too!
So an attacker could crack all 8 digits in just a few hours (not years) and the router will then let the attacker access your wireless network – exactly what WPS security was designed to prevent!
Prevent Hackers Using WPS Security Flaw To Break Into Your Wireless Router
WPS has been around for 4 years now so most wireless routers will include it – which means this WPS security flaw could put at risk millions of WiFi routers and access points around the world.
- A mitigating feature would be if your router had a ‘lock out’ policy which, after a certain number of failed attempts, blocked all further attempts for a certain time period e.g. after 5 failed attempts, all further attempts are blocked for 10 minutes. In that case, trying to brute force up to 11,000 possible combinations could take weeks (an attacker might get very lucky in the first few hours but would likely give up).
Unfortunately, it appears that many routers do not include such a lock out policy – and as there seems to be no way to tell if your own router includes it (or how good a policy it might be even if it did) this can’t be relied upon as a fix.
- In time, router manufacturers may release updated firmware to implement a lock out policy on existing routers, or even change the way WPS works, but this might never happen for your own router and certainly does not solve the current problem.
- Therefore the best solution now is to disable WPS in your wireless router – you will need to access your router’s configuration pages (see guide) to disable WPS completely (it will probably be in the WiFi or Security settings).
Once WPS is disabled, check you are using WPA2 security with a strong password (i.e. 10+ characters with a mix of upper/lower case letters, number and symbols) to ensure that your wireless network is still protected against attackers.
WPA2 itself (with a strong password) continues to be secure – it is only the WPS PIN method that has been exposed as a risk.