Update 5 - Yes, Wi-Fi Protected Setup is broken. Here's what vendors are doing to fix it and steps you can take in the meantime.
Updated 1/27/2012: Cisco fix dates added
You've probably heard by now that Wi-fi Protected Setup, the quick and easy way to set up wireless security, can be hacked. If you haven't heard, you can get the basic information in the US CERT Vulnerability Note VU#723755.
In a nutshell, researchers found that WPS' PIN method is vulnerable to brute force attack. Two Linux-based tools that can run the attack are available (links are in the CERT note). Sean Gallagher over at ArsTechnica ran the Reaver tool and was able to guess the WPS PIN and SSID from a Cisco Linksys WRT54G2 Wireless-G Broadband Router in about six hours. To make matters worse, Sean discovered that disabling WPS on the Linksys router did not really shut it off.
The CERT note specifically names Belkin, Buffalo, D-Link, Linksys, NETGEAR, Technicolor, TP-Link and ZyXEL. But since all WPS implementations must support PIN and push-button methods to obtain Wi-Fi Certification, all WPS-enabled products are vulnerable. However, all products don't necessarily share the Cisco/Linksys can't-disable-WPS problem.
As you can imagine, wireless product manufacturers are scrambling to verify and fix the problem. Given that WPS is implemented and enabled by default on virtually all consumer wireless routers sold today, they have their work cut out for them.
I polled my contacts at a handful of vendors to see what they had to say. I specifically asked for comment on whether their products had the same vulnerability as Cisco, i.e. that disabling WPS does not prevent the exploit. Here are the responses:
ASUS - A reader reports that he tested an ASUS N13U and found it automatically disables WPS after 2mins. I did not confirm this.
Buffalo - Buffalo provided the most informative response. After saying they were working on an official statement, my contact provided some information that should make DD-WRT users smile in smug satisfaction:
Our DD-WRT equipped products are protected from this however. The WDS AP Pin method must be manually enabled in the UI, once enabled it times out in a few minutes which is not sufficient for the attack. Furthermore, there is a function that after 3 failed attempts at entering the correct PIN, a timeout feature is enabled, and the timeout increases for each subsequent failure after the third failure.
Buffalo is still working on verifying the status of their own firmware. But they did confirm that turning WPS off, really does turn it off and prevent the exploit.
Cisco - Update 1/11/2012: Cisco released this statement:
We are aware of the security flaw that is inherently part of Wi-Fi Alliance's Wi-Fi Protected Setup design which many vendors have implemented in their wireless routers in order to be compliant and interoperable. Cisco is actively working on the recommended field-upgradable methods by the Wi-Fi Alliance to mitigate this vulnerability on Linksys wireless routers. These recommended methods would help improve the security and be compliant with the WPS 2.0 certification. We will provide our Linksys customers with instructions on how to minimize their risk as soon as we have options available."
Cisco issued a separate statement for many of its small business products including the RV1XX, RV2XX, WRV and SRP lines. The gist of the advice is:
While the affected devices listed below implement the WPS 1.0 standard which requires that a 60-second lockout be implemented after three unsuccessful attempts to authenticate to the device, this does not substantially mitigate this issue as it only increases the time to exploit the protocol weakness from a few hours to at most several days. It is our recommendation to disable the WPS feature to prevent exploitation of this vulnerability [emphasis mine].
Thanks to Michael Horowitz for the heads-up on this.
Update 1/27/2012: Cisco announced March dates for firmware to disable WPS for the following products: E1200v1/v2; E1500; E1550; E2100L; E2500; E3200; E4200v1; RE1000
Thanks to David Smith and others who sent this in.
D-Link - This response came via D-Link's PR firm:
As you know, security is a top concern for D-Link and we are working with the Wi-Fi Alliance to ensure the security and performance of routers for customers. We should have an update next week and will be back in touch as soon as possible.
Preparing an "official response" that will be
sent "shortly".Updated 1/7/2012: NETGEAR's response follows:
Wi-Fi Protected Setup (WPS) is a method developed by the WiFi Alliance for setting up a new wireless router for a home network which includes a way for users to easily connect to a secure network by pushing a button or entering a PIN code. Recently a security researcher posted an article highlighting security vulnerabilities with the WiFi Alliances WPS-PIN (WiFi Protected Setup-PIN) security protocol. Wireless routers that support WiFi Alliance WPS are vulnerable to a brute force attack. This vulnerability is likely to be addressed in the upcoming WPS 2.0 standard.
Today, NETGEAR routers go beyond the requirements of the WiFi Alliance WPS standard to deter such attacks. NETGEAR routers are the only ones mentioned in this article to have implemented a 'lock-down' feature, which locks down WPS PIN on the router after a number of failed attempts to connect using the PIN method. This hampers the brute force attack, but it doesn't completely eliminate the possibility of a brute force attack. Therefore NETGEAR recommends that customers manually turn off the WPS-PIN feature on their routers by following the simple steps posted below and on NETGEAR's support site. NETGEAR is one of the few networking vendors to have the capability to manually turn off WPS-PIN (WPS Push Button will still work), thus eliminating the possibility of the brute force attack mentioned in the article.
To disable the Router PIN method:
1. Login to the router GUI by typing www.routerlogin.net on an Internet browser's address bar. Note: Default logins are: Username = admin, Password = password.
2. Go to Advanced Setup menu and select Wireless Settings.
3. Under WPS settings, put a check mark on Disable Router's PIN box.
4. Hit Apply button to save settings.
NETGEAR is working diligently to develop easier and more stringent methods of preventing such attacks, and partnering with the WiFi alliance and networking technology community to drive such methods into universal standards. Short term we are looking at several options and even disabling the WPS Pin by default.
TRENDnet - Even though TRENDnet was not listed in the CERT note, they confirmed that TRENDnet products are affected and that they are "scrambling". They further stated that "our strategy at the moment is to update our firmware with the goal of removing all PIN WPS support while keeping the more popular Push Button WPS support", but aren't sure of the feasibility.
ZyXEL - ZyXEL's response was a bit odd:
ZyXEL takes WLAN security very seriously. It's always disappointing when a security flaw is found in an industry standard like WPS and we look forward to the creation and implementation of security improvements as they become available. This is also a great time to remind business users that they should be using the "Enterprise" version of WPA/WPA2 which does not suffer from the weaknesses found in WPS, or the brute-force vulnerabilities present in the "personal" version of WPA/WPA2.
I thought "we look forward to the creation and implementation of security improvements" was strange; like they were waiting for someone else to solve the problem.
The takeaway from this is that help is not on the way anytime soon. So what can you do in the meantime?
- Disable WPS: WPS is really needed only when you first set up your router. After it runs, the strong passwords are entered into the router and client(s) and the WPA2/AES security mechanism takes over.
- Test that WPS is really off: If you shut off WPS, you should then try to run a PIN session. You can do this by going into your wireless client and deleting the profile for your network. Then scan for networks and try to join your network again. If you get an "enter your password" prompt, WPS is off. If you get the "setup your network automatically" prompt, are prompted to enter a PIN or are prompted to push the button on your router, WPS is not disabled.
- Shut off wireless when you aren't using it: Many routers offer the ability to schedule wireless on/off times. Use this feature to shut off wireless while you sleep or are out at work. If your router doesn't offer this feature, consider putting your router on a lamp timer. Yes, this shuts off all Internet access, but that just makes you even more secure
- Monitor your connections: If you are in a high-risk area (like an engineering school dorm or an apartment building/dense neighborhood with known geeky neighbors), you should really keep an eye on your DHCP leases / wireless connections. I know this isn't easy to do (when is someone going to make a router with a wireless connection alert feature?), but it could be worth it.
I'll be updating this article as I get more information from vendors. In the meantime, if you have other information or comments, let me know in the Forums or contact me.