Exploit of Wi-Fi Protected Setup Flaw Poses Risks for Consumers, Not Enterprises
Many home Wi-Fi networks are at risk thanks to an exploit released over the holidays, but enterprise organizations are generally unaffected by the vulnerability.
There is a price that comes with simplicity -- and when it comes to security, that price is often increased risk. That's exactly what is now happening with Wi-Fi Protected Setup (WPS), which is intended to be a simple way for consumers to configure security settings on wireless networks at home.
Over the holidays, a detailed white paper was released by security researcher Stefan Viehbock, titled, "Brute Forcing Wi-Fi Protected Setup." In the paper, Viehbock explains that there are design and implementation flaws in WPS that make it exploitable, leaving wireless networks at risk. The weakness comes by way of the PIN that is used to activate WPS.
"As the External Registrar option does not require any kind of authentication apart from providing the PIN, it is potentially vulnerable to brute force attacks," Viehbock wrote in his white paper.
Viehbock's WPS attack isn't just theoretical, it has now been fully weaponized as well. Security research firm Tactical Network Solutions has released an open source project on Google Code called Reaver. The Reaver tool is able to crack the vulnerable WPS PIN, thereby giving the attacker unauthorized access to the network. In addition to the open source tool, the company also has a commercial tool that provides better performance and a graphical web interface.
While Viehbock's white paper and the Reaver tool are new, enterprise Wi-Fi security vendors have been aware of the risks of WPS for some time.
"Vulnerabilities in the Wi-Fi Protected Setup (WPS) protocol that allow attackers to recover WPA/WPA2 passphrases have existed for over one year now," Tom Kellermann, CTO of Wi-Fi security vendor Air Patrol told InternetNews.com. "The routers can and will be hijacked as man-in-the-middle attacks begin to evolve to compromising base stations."
While WPS is available on many consumer-grade devices from vendors including D-Link and Cisco's Linksys division, the feature isn't typically an option on enterprise networking gear.
"Aruba does not support WPS, a consumer-grade security solution that is not well-suited to enterprise environments," Donald Meyer, Senior Manager of Product Marketing at Aruba Networks told InternetNews.com. "Aruba supports and encourages all of its customers to use WPA2 with AES encryption and 802.1x authentication for security."
Juniper Networks also does not deploy WPS on any of its wireless gear today and neither does HP Networking. Jeff Schwartz, senior product manager of Mobility and Wireless at HP Networking noted that WPS is a quick setup option designed for the consumer market in order to encourage consumers to enable some degree of encryption on their home products.
Derrick Scholl, director of the security incident response team at Juniper Networks told InternetNews.com that it seems that the ease of setup provided by WPS comes at a cost of potentially weaker security.
"This flaw in WPS does not change what is required to properly secure Wi-Fi," Scholl said. "It simplifies the administration required to add new clients, but exposes networks that utilize WPS to potential brute force attacks of the WPS PIN."
Sean Michael Kerner is a senior editor at InternetNews.com, the news service of the IT Business Edge Network.
December 29, 2011
The WPS attack tool was released this week by Tactical Network Solutions.