Wi-Fi security vulnerabilities

If you use a Wi-Fi router to provide network access to your home, business, or customer (for example, in a café), you need to take steps to protect your wireless network against a newly discovered security vulnerability. This security vulnerability in the Wi-Fi protection setting (WPS) was discovered by security researcher Stefan Viehbock at the end of 2011, affecting a large number of vendor-wide Wi-Fi devices. Details of the vulnerability have been made public. In other words, hackers already know this vulnerability and will undoubtedly exploit it in unprotected systems.

How does this Wi-Fi security vulnerability attack the network?

WPS is a widely used method of simplifying connections to Wi-Fi networks and ensuring security at the same time. The protocol uses a 8-digit PIN to identify the user. If you understand the basic theory of probability calculation, you can easily calculate the possible pin numbers. Hackers can make a choice from 108 (8 digits, each number containing 0 to 9). There are 100 million kinds of possibilities. This "brute force" method of attacking a WPS-protected Wi-Fi network simply tests all the different combinations of numbers. Given the number of combinations, this tedious process can even allow a computer to work for a while to complete. Of course, the brute force attack on the network will be less than the average test, but still close to 50 million times.

However, in the investigation of WPS's security vulnerabilities, Viehbock found that the protocol is flawed in design and can greatly simplify brute force attack. First, because a PIN is the only requirement for access, brute force attacks are possible without the need for other forms of identification. (If you need a username or other way of identifying, it's more complicated to break the network.) )

Second, the 8th digit of the WPS pin is a checksum, so the hacker only needs to count the first 7 digits. In this way, the number of unique pins is actually 107 (7 digits), which means there are 10 million variations. However, when implementing pin identification, the access point (router) is actually trying to find out whether the first half of the pin (top 4 digits) and the second half (the last 3 digits) are correct. In other words, instead of finding a 8-digit PIN (which is actually just a 7-digit PIN), the hacker only needs to find a 4-digit PIN and a 3-digit PIN (the last half of the pin includes the parity and the). The problem, then, is to figure out a number from 10 million digits, reduce it to a number from 104 (10000) or find a number from 103 (1000).

As a result, hackers with a WPS-enabled Wi-Fi router break through (without a patch) network only need to test 11,000 times, on average, only about 5,500 times a test can be cracked. This is far below the average of 50 million tests required to crack a router that does not recognize a design vulnerability.

How long does it take to crack the network?

Other related factors in this brute force attack are how long it takes to test for identification. Even with 11,000 possibilities, if a single identification takes a few minutes, the average break time can take days or weeks, almost an endless time, especially when access is needed. (a client sitting in a café for a few days may attract attention). However, Viehbock says, most users can't tolerate such a long wait time. A typical identification takes only 1-3 seconds. A clever hacker will also take some steps to reduce this time.

Suppose an identification process takes 1.5 seconds. With a maximum of 11,000 identification, the hacker may gain access for approximately 4.5 hours or less (perhaps nearly 2 hours). In the coffee shop or on many other occasions, two hours will certainly not attract the attention of others. As its name implies, this type of attack is indeed not advanced (although a more effective attack requires some knowledge), the attack is equivalent to knocking the door down rather than choosing to unlock it.

Who will be affected?

This Wi-Fi security vulnerability actually affects any router that uses WPS security measures. According to the US Computer Emergency Response Team (Us-cert), the affected manufacturers include Belkin, Buffalo, D-link, Linksys (Cisco), Netgear, Technicolor, Tp-link and ZyXEL. After identifying the pin for the access point, a hacker can extract the password for the wireless network, alter the configuration of the access point, or cause a denial-of-service attack. In other words, hackers can cause serious damage to your network.

So far, some vendors have provided more responses than others. According to Us-cert, there is no practical solution to the problem at the moment, but some circumvention measures can mitigate this weakness in some way. Some routers, such as those of Technicolor, provide measures to counter brute force attacks to prevent hackers from gaining access rights. Technicolor, in particular, says its routers will temporarily lock down an access attempt after attempting to identify some number of times (5). As Us-cert in Technicolor's Vendor Information section, the manufacturer says the feature has blocked brute force attacks on a WPS-capable router in less than one weeks. Other manufacturers reacted differently to the problem. But the real solution to the problem has not yet arisen.

What can we do?

If your home is in the middle of a 100-acre land, you may not have to worry about routers being breached. (In this case, you probably don't even need to use a password.) Wi-Fi routers require a certain distance to access the network. So, essentially, the scope of the problem is limited. Although not everyone needs to worry about the problem, if a single person is not authorized to use your network (or may abuse the network), the person should be within the scope of the router, you need to take action. You can be quite sure that the hacker is now fully aware of this WPS security flaw. There is no doubt that someone is already exploiting this security loophole.

The most effective way to protect your network may be to close WPS. However, even if you think you have closed WPS, you may not actually be shutting it down. The smallnetbuilder.com website points out that Sean Gallagher of the Ars Technica site found that the WPS feature was not turned off on the Linksys router. Currently, given that Cisco has not yet provided a fix for this problem, the Linksys router is a security breach, regardless of the steps you take. However, there is some good news (unfortunately for hackers, too): An available tool allows you to specifically test this security vulnerability on your Wi-Fi router (the attack tool for WPS pin vulnerabilities is released).

In addition to this action, you may have no alternative to your current router, waiting for the manufacturer to take further action. The manufacturer's future router will solve this problem. However, before that, you have to limit the ability to use WPS. In other words, you should not use the WPS function until then. If your router does not turn off this feature, you should use a different router.

Conclusion

This Wi-Fi WPS security vulnerability is just one example of how a security vulnerability can allow hackers to damage your network, your privacy, and your business. The struggle will continue: hackers (or "good people") find security vulnerabilities, and vendors and protocol teams will take countermeasures, and hackers then find a way around these countermeasures. This keeps the cycle going. To protect your network and your data, you need to be aware of the latest security issues.