Routers using WPS are intrinsically unsafe

Fred Langa

Simple hacker tools can easily sniff out Wi-Fi passwords from routers that have Wi-Fi Protected Setup enabled — quite possibly yours included.

Here’s how to protect your network — and even hack your own router to see whether it’s vulnerable.

Launched in 2007, Wi-Fi Protected Setup (WPS) is a technology standard that’s intended to make setting up a Wi-Fi network less of a hassle. According to an article on the Wi-Fi Alliance (a consortium of Wi-Fi vendors) site,

“Wi-Fi Protected Setup enables typical users who possess little understanding of traditional Wi-Fi configuration and security settings to automatically configure new wireless networks, add new devices, and enable security. More than 200 products have been Wi-Fi CERTIFIED for Wi-Fi Protected Setup since the program was launched in January 2007.”

Without a doubt, WPS does make it very easy to add wireless devices to a network. Instead of a laborious, manual setup, WPS offers four simple methods for connecting wireless devices to WPS-enabled routers.

  • 1. The PIN (Personal Identification Number) method is supported by Wi-Fi CERTIFIED routers. A short (just six to eight digits) PIN is either printed on a sticker somewhere on the router or is displayed in the router’s configuration software. The PIN serves as an alternate, low-security password separate from the router’s normal passphrase, which can be letters and numbers and up to 63 characters long.

    To connect a laptop, phone, tablet, or other wireless device to a WPS-enabled system, simply enter the short PIN when prompted on the wireless device. (For example, press the network Connect button in Windows 7; your notebook will communicate with the router, and a PIN entry box should appear.) The router’s software then recognizes the new device and allows it to connect.

  • 2. The pushbutton method requires pushing a physical button or clicking an on-screen graphical button on both the router and the device (such as a newer, wireless-enabled printer) that’s being connected to the network. Once both buttons are pushed, the devices negotiate and establish the connection.

  • 3. Some newer devices use near-field communication (NFC; Wikipedia info) to establish a WPS connection. Instead of pushing a real or virtual button, NFC uses close physical proximity (typically, a few inches) to trigger the initial WPS connection.

  • 4. Some devices support the older USB method, in which network configuration details are written to a USB flash drive and physically transferred between or among wireless devices.

Most routers support at least two methods; some support all four. No matter which one is used, setting up a network connection via WPS usually takes only a few seconds.

Easy, yes — but it might be all too easy

Many WPS routers are vulnerable to attack because the six to eight plain-text numerals that make up a WPS PIN aren’t very hard to hack. About a year ago, researcher Stefan Viehböck published a paper (site) illustrating how to find a WPS PIN via a simple, brute-force attack that can be carried out with an ordinary laptop — or even a smartphone. He also offered a proof-of-concept application to do the cracking.

A stolen WPS PIN opens the door to your entire Wi-Fi network. An attacker can access your router’s passphrase and, with that in hand, easily connect to other devices on the network without any further use of the PIN. An attacker can change the router’s configuration and otherwise use or exploit your Wi-Fi network. It’s like handing a thief the keys to your house.

Viehböck reported his findings to Carnegie Mellon’s CERT (site), a recognized global clearinghouse for computer-security information. CERT confirmed the security hole and published Vulnerability Note VU#723755, which stated:

“An attacker within range of the wireless access point may be able to brute-force the WPS PIN and retrieve the password for the wireless network, change the configuration of the access point, or cause a denial of service. … We are currently unaware of a practical solution to this problem.”

Using Reaver for totally automated WPS cracking

In the year since Viehböck published his paper, white-hat security hackers (especially the folks at Tactical Network Solutions; site) have adapted and expanded his proof-of-concept program, creating the free, open-source Reaver WPS hacking application (site).

Reaver is a completely legitimate security-testing tool anyone can use to see whether a router is vulnerable to WPS cracking. (It can, of course, also be used for malicious system cracking.)

And that’s where the trouble lies; Reaver requires almost no networking knowledge, special skills, or unusual tools. Any digital delinquent with a Wi-Fi–enabled laptop, a copy of Reaver, and a couple of idle hours, can successfully crack your WPS-enabled network.

The Reaver site states:

“Reaver implements a brute-force attack against Wi-Fi Protected Setup (WPS) registrar PINs in order to recover WPA/WPA2 passphrases, as described in [Viehböck's original paper].

“Reaver has been designed to be a robust and practical attack against WPS, and it has been tested against a wide variety of access points and WPS implementations.

“On average, Reaver will recover the target AP’s [access point's] plain text WPA/WPA2 passphrase in 4–10 hours, depending on the AP. In practice, it will generally take half this time to guess the correct WPS PIN and recover the passphrase.”

Think about that for a moment. Regardless of how long and complex your Wi-Fi passphrase is, a system cracker using Reaver could effortlessly breach your WPS-enabled router (via the WPS PIN) in just a couple of hours.

I’ll come back to Reaver, to show you how to use it for its intended, legitimate purpose — to see whether your router is vulnerable to WPS cracking. But first, here’s what you can do to lock down your router to reduce the chances that Reaver — or any similar tool — will work.

Protecting against WPS-cracking attacks

CERT’s Vulnerability Note VU#723755 flatly states that the only known way to prevent WPS cracking is to disable WPS.

But router manufacturers don’t want to give up WPS. Users like it, and it keeps tech support calls down. So, instead of dropping WPS altogether, some manufacturers have adopted partial workarounds to reduce a router’s WPS vulnerability.

For example, some routers limit how long WPS is active. In this kind of setup, when you push the WPS button on your router, you have only a couple of minutes to complete an automated WPS connection with a wireless device. If the connection isn’t made in time, the WPS system is supposed to shut down. This time-out function should reduce the router’s WPS vulnerability to a short time.

Some routers also employ a lockout feature that temporarily disables WPS if the router detects several failed WPS connections in quick succession.

Unfortunately, if your router isn’t relatively new or isn’t running the latest firmware from the manufacturer, there’s a good chance it doesn’t support even these limited approaches to WPS hack prevention. And even if it does use these techniques, there’s no obvious way to know whether they’re actually working — and there’s good reason to suspect they might not be. (I’ll come back to this in a moment.)

Which brings us back to CERT’s advice: The only certain way to protect your Wi-Fi network from WPS cracking is to disable WPS entirely. I recommend you do that — right now!

Two quick ways to (possibly) disable WPS

The easiest way to disable WPS is the direct route — in the router’s configuration menu (see Figure 1). Although most current routers support this method, many popular older routers don’t.

Disable WPS manually

Figure 1. This Cisco/Linksys router-configuration page has a seemingly easy way to turn WPS off.

Shockingly, selecting the option to disable WPS on some routers doesn’t actually do anything! The configuration screen might say that WPS is disabled, but it actually isn’t. (I’ll also come back to this in a moment.)

The second method relies on the fact that WPS depends on SSID broadcasting. A Wi-Fi network’s SSID (service set identifier) is the name of the Wi-Fi network; by default, most routers continually broadcast their SSID (which is how wireless devices produce lists of available networks).

Disable SSID broadcasting, and your network will no longer show up as an available network — but it also prevents WPS from working (see Figure 2), which in turn prevents WPS cracking.

Disable SSID

Figure 2. Disabling SSID broadcasting also disables WPS.

Turning off SSID broadcasting creates a minor inconvenience when you want to add a device to your Wi-Fi network. Instead of picking the network’s SSID off a list of available networks, you’ll have to set up the connection manually, typing in both the SSID and the passphrase.

For more information on connecting to a Wi-Fi network that’s not broadcasting its SSID, see the TechNet article, “Non-broadcast wireless networks with Microsoft Windows.” Windows 7 users can also consult the TechNet article, “Connecting to wireless networks with Windows 7″ — scroll down to the heading, “Set up a connection or network dialog box.”

With SSID broadcasting turned off, or with WPS directly disabled, you’re probably safe from WPS hacking.

Why only “probably?” Read on.

Disabling WPS might not work as it should

As alluded to above, some routers don’t properly disable WPS, even if the router’s configuration menu says otherwise. This is especially true of Cisco/Linksys routers made a few years ago, including the extremely common Linksys WRT54G2 router. Turning off WPS via its menus didn’t do what it was supposed to — WPS remained active.

(Note: The most recent generation Cisco/Linksys routers apparently do correctly disable WPS when instructed to do so, and Cisco/Linksys has been issuing firmware updates for its older routers. See the Cisco Knowledge Base article 25154, “WPS vulnerability status update for Linksys devices,” and Cisco document 690, “Wi-Fi Protected Setup PIN brute force vulnerability.”)

The Linksys WRT54G2 router is noteworthy only because of its popularity. But WPS vulnerability isn’t unique to Cisco/Linksys products. Many router brands and models are vulnerable, and many router vendors have been issuing firmware updates since the WPS vulnerability was discovered.

If you haven’t done so recently, visit your router manufacturer’s support site to make sure you’re using the absolutely latest router firmware; it will likely include the lightweight timeout/lockout fixes mentioned previously plus fixes that should allow properly disabling WPS via the manual configuration interface.

Don’t trust what your router says. Verify!

As should be clear by now, don’t automatically accept your router’s WPS configuration setting. You might think it’s disabled, but it’s actually still active.

How can you be sure that you’ve really disabled WPS? How can you tell if your router really is WPS hack-safe?

The only way to be 100 percent sure is to test-hack your router yourself, using Reaver for its intended purpose as a white-hat, network-testing tool. If Reaver fails to crack your router’s WPS system, you can rest easy. But if Reaver succeeds even after you’ve updated your router with the latest firmware, you’ll know it’s time to scrap that router and get one that lets you truly control WPS.

Reaver’s site contains the free, open-source software and an associated wiki containing abundant information on setting up and using the hacking tool.

However, Reaver is Linux-based software and, as such, might be unfamiliar to Windows users. So in the next issue of Windows Secrets, I’ll present a complete, illustrated, step-by-step article on how to test-hack your router, using Reaver.

Stay tuned!



Get our unique weekly Newsletter with tips and techniques, how to's and critical updates on Windows 7, Windows 8, Windows XP, Firefox, Internet Explorer, Google, etc. Join our 480,000 subscribers!

PC Drive Maintenance (Excerpt)

Subscribe and get our monthly bonuses - free!

Your hard drives store photos, books, music and film libraries, letters, financial documents and so on. This ebook is aimed at helping you understand your hard drives, expand their capacities and length of life, and recover what you can from them when they fail. We're offering you a FREE Excerpt! Get this excerpt and other 4 bonuses if you subscribe FREE now!

= Paid content

All Windows Secrets articles posted on 2012-12-13:

Fred Langa

About Fred Langa

Fred Langa is senior editor. His LangaList Newsletter merged with Windows Secrets on Nov. 16, 2006. Prior to that, Fred was editor of Byte Magazine (1987 to 1991) and editorial director of CMP Media (1991 to 1996), overseeing Windows Magazine and others.