About a decade ago a small button marked “WPS” started to appear on home routers. You may have also seen it on your personal MiFi devices. This feature is known as Wi-Fi Protected Setup (WPS), and it lets users skip entering the network's SSID and passphrase and instead join a wireless network with either an eight-digit PIN or a simple press of the button.
WPS is often enabled out of the box, with settings modifiable from the device’s admin control panel. On a home network, once a device is connected, the credentials are typically stored and do not have to be entered again. So, is this process really that much of an inconvenience that we need to shorten it even further? Have we reached this level of first world problems where typing ~15 characters one time is just too much to ask? Apparently so.
The WPS PIN option is vulnerable to remote brute-force attacks. Surprise! An eight-digit PIN is easier to crack than a passphrase. And despite this being published by CERT in 2011, not much has changed since then: WPS is still available on newly developed routers and MiFis, so this remains a very real threat.
And while it could take a brute-force program many lifetimes to crack a password such as “Geek00Sexy%News,” it would take the same program just a couple of hours to do this with a WPS PIN. In addition, most routers and MiFis do not lock users out after too many PIN attempts.
Another reason the WPS PIN is so easy to crack is that it is not really checked as a single eight-digit number. WPS PINs are authenticated through a two-step process, and the access point's response to the first step tells a brute-force program such as Reaver whether the first four digits are correct before the second half is ever tried. If they are not, there is no reason to continue with that sequence. This further simplifies the brute-force process, allowing the program to make only 10,000 attempts for four digits instead of 100,000,000 attempts for eight.
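As an added illustration of the two-step verification described above and of the missing lockout mentioned earlier (this is example code written for this page, not code from the original article or from Reaver), the following Python model computes the worst-case number of guesses under each verification scheme and the wall-clock cost with and without a lockout policy. The guess rate and the lockout values are constructed assumptions, not measurements of any device, and the `checksum_in_second_half` option goes one step beyond the article: it models the WPS specification's rule that the eighth PIN digit is a checksum of the other seven.

```python
"""Why a split-verified WPS PIN is cheap to brute-force, and how a lockout
policy changes the cost.  Added illustration for the article, not code from
it; the guess rate and lockout values below are constructed assumptions."""

from math import inf
from typing import Optional


def search_space(split_verification: bool,
                 checksum_in_second_half: bool = False) -> int:
    """Worst-case number of guesses needed to exhaust an eight-digit PIN.

    Verified as one number, every guess is a full PIN: 10**8 possibilities.
    Verified in two halves (the WPS behaviour the article describes), the
    access point confirms the first four digits on their own, so the halves
    are searched one after the other: 10**4 + 10**4 guesses, not 10**4 * 10**4.
    checksum_in_second_half models a detail beyond the article: in the WPS
    specification the eighth digit is a checksum of the other seven, which
    leaves only 10**3 free values in the second half.
    """
    if not split_verification:
        return 10 ** 8
    first_half = 10 ** 4
    second_half = 10 ** 3 if checksum_in_second_half else 10 ** 4
    return first_half + second_half


def seconds_to_exhaust(guesses: int, seconds_per_guess: float,
                       lockout_after: Optional[int] = None,
                       lockout_seconds: float = 0.0) -> float:
    """Worst-case wall-clock time to try every guess.

    lockout_after: consecutive failures after which the access point refuses
    further WPS attempts for lockout_seconds.  None means no lockout, which
    the article notes is the common default.  lockout_seconds=inf models a
    lockout that only an administrator can clear.
    """
    if guesses <= 0:
        return 0.0
    active = guesses * seconds_per_guess
    if lockout_after is None or lockout_after <= 0:
        return active
    # Every full block of lockout_after failures triggers one lockout; the
    # final guess, when it succeeds, does not.
    lockouts = (guesses - 1) // lockout_after
    if lockouts and lockout_seconds == inf:
        return inf
    return active + lockouts * lockout_seconds


def hours(seconds: float) -> float:
    """Convert seconds to hours for readable output."""
    return seconds / 3600.0


if __name__ == "__main__":
    # Constructed assumption: about 1.5 s per WPS exchange; real rates vary.
    rate = 1.5
    for label, space in (("whole PIN", search_space(False)),
                         ("split, no checksum", search_space(True)),
                         ("split, with checksum", search_space(True, True))):
        t = seconds_to_exhaust(space, rate)
        print(f"{label:22s} {space:>11,d} guesses  {hours(t):14,.1f} h")
    # Same split PIN, but the access point locks WPS for 60 s after 3 failures.
    locked = seconds_to_exhaust(search_space(True, True), rate, 3, 60)
    print(f"split + 3-failure/60 s lockout: {hours(locked):,.1f} h")
    # A lockout that needs an administrator reset never finishes.
    print(seconds_to_exhaust(search_space(True, True), rate, 10, inf))
```

Running the script shows the gap the article describes: the whole-PIN search at 1.5 s per guess takes on the order of years, while the split search takes hours. A fixed short lockout only multiplies that by a small factor, which is why the article's advice to disable WPS altogether, rather than rely on the device's lockout behaviour, is the practical fix.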
One program that is particularly effective at doing this is Reaver. Reaver is installed by default on Kali Linux, can be configured in less than five minutes, and is simple and easy to use. Once a wireless network is chosen, Reaver goes to work, and within a few hours the WPS PIN is cracked. It’s that simple.
The easiest way for users to protect themselves against a WPS attack is to disable WPS completely from the device’s admin control panel. While balancing security and convenience can sometimes be a challenge, when it comes to the lax security associated with WPS, the cost of this convenience is clear.