Authentication Cracking: WPS
Excerpt from the Wi-Fi Vulnerabilities Part 2 webinar
What Is Authentication Cracking: WPS? With CTO Dr. Brett Walkenhorst.
In the video below, CTO Dr. Brett Walkenhorst talks about the WPS push-button configuration and PIN-based authentication methods, the practicality-versus-security trade-off that WPS entails, the disadvantages of using a static PIN, and how brute-force attacks might arise from the way the PIN is validated.
I think this is a great example of the classic functionality versus security tug of war. WPS was created to simplify authentication, and the simplest mode that's available, and probably the most recognizable, is the push-button configuration. On the back of a router, you may have a button that says WPS on it.
You push that button, and for some short period of time a client can connect to that router without entering a password. It's simply, okay, I'm gonna open up my security, and anybody can connect. Obviously, that's problematic in a lot of different environments. Frankly, I wouldn't recommend using this even in a home environment.
It does reduce friction as far as implementing or connecting a new device, but it also opens you up to attack. If anything's nearby listening during that window, they've got your credentials. They connect, and the router will literally give the passphrase to the client that connects. So I wouldn't recommend it.
You can, but probably people who live remote without a lot of other people around might be a little safer. I just wouldn't use it. Another way that WPS can come into play is using a PIN. There are two different ways that I know of that this can take place.
The PIN can be dynamically generated by a client. So if I've got a laptop, for example, and I've enabled WPS on my router, I can generate a PIN on my client where I'm trying to connect to the router. I then have to enter that PIN on the access point, which is not hackable.
It's quite secure, but it's also quite a lot of friction. So it makes me wonder about the utility of that, but it's something you can do. The other way that a PIN can be implemented is unfortunately hackable, and that is a static PIN in the access point that you need to enter into your client software in order to get access.
So instead of some complicated passphrase (and I hope your passphrase is complicated; if it's not, maybe rethink that), to reduce friction we just implement this PIN so that you don't have to enter this long and complicated passphrase. Well, the PIN is eight digits, which should mean that it would take one hundred thousand attempts at worst case, of course.
There's a hundred thousand, or sorry, not a hundred thousand. A hundred million combinations of PINs would be required to brute-force attack this. But, unfortunately, the way that the PIN is validated makes this very weak. So the first four digits of the PIN get validated initially, which means I only need ten thousand combinations to crack those four digits.
And then for the second four digits, you would think there's another ten thousand, but it turns out the eighth digit is a checksum of the previous seven. So once I have the first four, then I really only have one thousand combinations left to try to brute-force that PIN.
So I can brute-force it with eleven thousand attempts, worst case, and that's very doable. In addition, not too long ago there was a weakness in the generation of the nonce in some APs that allowed one to hack the PIN with one attempt.
So you could attempt to connect. You would get some cryptographic information that was weak because of the way this nonce was generated, and that's all you needed. You could crack that hash and enter the PIN, and you're good to go. That has been patched, but, you know, not everyone updates their firmware.
So, another good lesson for security that I'm sure you've heard a thousand times: update your firmware. But this is out there as well. And then finally, there is a mechanism for NFC to enforce physical proximity before WPS will allow a client to connect. And that's a good idea.
If you're gonna do WPS, that's probably a good way to go. It's not impervious to attack, but it is pretty good. I mean, a client that wants to really subvert that is gonna have to get through physical security and get close enough to an access point. There are some tricks you can play with some hardware to try to extend that range, but NFC is challenging.
You're not gonna extend it really far, just because of the way that it couples energy. So, anyway, I wouldn't recommend using WPS at all, but those are some of the mechanisms that can be used to crack authentication when WPS is enabled.
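As an added worked example (not part of the webinar or of Bastille's material), the following Python puts numbers to the point made above: it implements the public WPS PIN check-digit rule from the Wi-Fi Simple Configuration specification (the same weighted-sum rule hostapd uses) and compares the worst-case guess count under three validation designs, showing why a static PIN whose halves are confirmed separately collapses to eleven thousand attempts. Function names are my own.

```python
# Added example: WPS PIN check digit and attempt-count arithmetic.
# Not code from the webinar; written to illustrate its reasoning.

def wps_pin_checksum(seven_digits: int) -> int:
    """Return the eighth (check) digit for a 7-digit WPS PIN body.

    Spec rule: 3*(d1+d3+d5+d7) + (d2+d4+d6) + d8 must be a multiple
    of 10, so the check digit is whatever makes the sum land on 0 mod 10.
    """
    accum = 0
    pin = seven_digits
    while pin:
        accum += 3 * (pin % 10)   # d7, d5, d3, d1 are weighted 3
        pin //= 10
        accum += pin % 10         # d6, d4, d2 are weighted 1
        pin //= 10
    return (10 - accum % 10) % 10


def wps_pin_is_valid(pin: str) -> bool:
    """True if `pin` is eight digits and the last digit is the checksum."""
    if len(pin) != 8 or not pin.isdigit():
        return False
    return wps_pin_checksum(int(pin[:7])) == int(pin[7])


def worst_case_attempts(validation: str) -> int:
    """Worst-case number of guesses for each validation design.

    "raw":      all 8 digits treated as independent secrets -> 10**8
    "checksum": only PINs with a correct check digit exist   -> 10**7
    "split":    first half confirmed on its own (10**4), then the
                second half, which carries the check digit (10**3)
    """
    designs = {
        "raw": 10 ** 8,
        "checksum": 10 ** 7,
        "split": 10 ** 4 + 10 ** 3,
    }
    if validation not in designs:
        raise ValueError(f"unknown validation design: {validation}")
    return designs[validation]


if __name__ == "__main__":
    # 12345670 is the example PIN from the WPS specification.
    print("12345670 valid:", wps_pin_is_valid("12345670"))
    for design in ("raw", "checksum", "split"):
        print(f"{design:9s} {worst_case_attempts(design):>11,d} attempts")
```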