WiFi and the WPS Vulnerability

Millions of WiFi routers are vulnerable to hacking due to a flaw in WPS. Is your router one of them?

1943 0
1943 0

The WiFi WPS vulnerability has been known for over a year so it hardly qualifies as news. On the other hand, I’m willing to bet that, even a year later, 99.99% of the general population has no idea that their home or small office WiFi router is potentially vulnerable to an easy hack!

Even smart folks who use strong WPA/WPA2 passwords are at risk. I was even caught out by this one! I started to feel bad that I missed it, but then I asked a few of my tech friends about it and discovered they knew even less than I did!

The Risk

If you have a modern home or small office router with WiFi (wireless) and the WPS (WiFi Protected Service) functionality you may be at serious risk of being hacked! Software is readily available that takes advantage of an inherent security flaw within the WPS system and enables hackers to derive the router PIN and thus your WPA/WPA2 pre-shared key or password! Once someone has your wireless password they can get access to nearly anything on your local network.

The only good news here is that the vulnerability is limited to WiFi. That means your risk is to local hackers and not those from the other side of the globe. To take advantage of this vulnerability someone has to be close enough to your home or office to receive your WiFi signal. They might be in the house down the street or  a car parked half a mile away. If the attacker has a good antenna and line of sight they may be able to hack you from several miles away. Just because you live in small town or rural area doesn’t mean you can afford to ignore this threat. Thieves are everywhere!

I saw headlines about a problem with WPS nearly a year ago but I didn’t dig deep enough. I don’t use WPS to configure wireless devices so I thought I was safe. I was WRONG!

The truth is that the WPS flaw is a serious security issue that affects possibly millions routers in current use. Some routers with newer firmware are smart enough to foil the attack. Others are only safe if you disable WPS. It is reported that some routers remain unsafe even with WPS disabled!

The only way to know if a router is vulnerable is to test it yourself!

Test Your Router

The software used to exploit the WPS vulnerability is known as reaver. There is an excellent step-by-step article on how to use reaver with Backtrack Linux here.

I use Xubuntu 12.04 but neither reaver or the required aircrack are in the repositories. I downloaded and installed them per the instructions here.

The reaver software doesn’t need a super computer to work its magic.  I used a cheap old Asus 901 netbook for my tests. Almost any notebook with a wireless card is enough. If you use BackTrack Linux you may find that you need to install wireless drivers.

The first router I tested was a Netgear N600 Dual Band model. I started the brute force attack against the N600 in the evening before I went to bed. By the time I got up the next morning the WPA password was neatly displayed on the screen of my netbook.  Yikes! This is definitely not a preferred outcome!

Later, I upgraded the firmware on the Netgear N600 and tested again. This time, the reaver attack progressed slower than before. I didn’t let the test continue to completion but I have every reason to believe that I could have eventually obtained the password. I then disabled WPS and tried again. This time the router didn’t respond to the attack. It seems that disabling WPS on this router foils the attack.

I then tested a Cradlepoint MBR1400 router. This time I was lucky and I couldn’t get the router to play ball with the attacking computer. I presume this is because the Cradlepoint had gone through several firmware upgrades over the past year and one of them must have done something to fix the problem. On the other hand, I’m not a very good hacker so perhaps I wasn’t using the reaver program to its fullest potential? I still turned off WPS just to be safe!

I also tested an older Linksys WRT54G that I had stashed in a drawer for a backup. This one responded to the reaver queries but at a relatively slow rate.  I have every reason to believe that given enough time it would have eventually yielded to the attack.

Last weekend I tested a Qwest (now CenturyLink) ActionTec PK5000 router with the latest firmware. With WPS enabled the reaver attack processed about 4 PINs per second. I was short on time so I didn’t let the attack run to completion but it was clear that a password was only a few hours away. With WPS disabled, I saw no response from the router. Thus, the ActionTec PK5000 with latest firmware seems safe provided you disable WPS.

Summary

I have only tested a handful of routers, but 3 out of 4 of them were vulnerable with WPS enabled. Since WPS is enabled by default, there are likely a lot of vulnerable routers out there!

From what I can gather, most major manufacturers have issued firmware updates that will limit the damage reaver can do. The problem is that most people buy a router, bring it home, hook it up, and never look back. Thus, there are a lot of routers with old and vulnerable firmware just waiting to be hacked!  Hopefully, by reading this article, yours won’t be one of them!

What to do?

The best advice I can give you is this:

  1. Upgrade your router to the latest firmware.
  2. Disable WPS.
  3. Test the router to see if it is vulnerable.

If you don’t have skills or time to test it yourself, then you should contact the router manufacturer to see if your particular router and firmware is vulnerable.

If you are really paranoid, now is the time to ditch wireless altogether and use wired connections. WiFi may be convenient, but wired connections are faster and definitely more secure!

If any of you take time to test your routers, it would be helpful if you post results in the comments section so others can benefit.

Thanks for reading!

In this article

Join the Conversation