Some apparent design flaws in Wi-Fi Protected Setup (WPS) likely affect millions of devices, according to recent technology warnings.
“A few really bad design decisions … enable an efficient brute force attack,” advised security specialist Stefan Viehbock after studying the issue. The result is that the security “of pretty much all WPS-enabled Wi-Fi routers” is broken, Viehbock adds. The design could impact many wireless access points, too, according to a report from PC World.
Because of the design flaws, it would take just 10,000 attempts to break a PIN rather than the expected 100 million attempts, PC World says, based on a study from Viehbock.
PC World also points out that the last digit of the number is the “checksum of the other seven.”
It may take about four hours for someone “to go through all 11,000 combinations” but it could even take half of that amount of time, Viehbock says, according to PC World.
Linksys, Netgear, D-Link, Buffalo, Belkin, ZyXEL, TP-Link and Technicolor are the companies that could be impacted by the design flaw, PC World said. There are likely others out there, too.
Viehbock reported his findings to the U.S. Computer Emergency Readiness Team (US-CERT). There is no clear solution but there are workarounds such as disabling WPS, US-CERT said.
WPS was developed by the Wi-Fi Alliance for the wireless home network, US-CERT adds.
“It has been reported that some wireless routers do not implement any kind of lock out policy for brute force attempts,” US-CERT says in an official statement. “This greatly reduces the time required to perform a successful brute force attack.”
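The following is an added example, not code from the article, Viehbock or US-CERT. It computes the PIN check digit mentioned above, using the alternating 3/1 digit weighting of the WPS PIN checksum, and estimates how a lock-out policy stretches the quoted four hours. The sample PIN and the lock-out values (3 failures, 60 seconds) are constructed assumptions.

```python
# Added example: WPS PIN check digit and the effect of a lock-out policy.

# Figures quoted in the article (Viehbock, via PC World).
ATTEMPTS_QUOTED = 11_000   # "all 11,000 combinations"
HOURS_QUOTED = 4.0         # "about four hours"
SECS_PER_ATTEMPT = HOURS_QUOTED * 3600 / ATTEMPTS_QUOTED  # roughly 1.3 s


def wps_checksum(first_seven: int) -> int:
    """Check digit for the first seven PIN digits (weights 3,1,3,... from the right)."""
    if not 0 <= first_seven <= 9_999_999:
        raise ValueError("expected at most seven digits")
    accum, weight = 0, 3
    while first_seven:
        first_seven, digit = divmod(first_seven, 10)
        accum += weight * digit
        weight = 4 - weight  # alternate 3, 1, 3, 1, ...
    return (10 - accum % 10) % 10


def is_valid_pin(pin: str) -> bool:
    """True if an 8-digit PIN string ends in the correct check digit."""
    if len(pin) != 8 or not (pin.isascii() and pin.isdigit()):
        return False
    return wps_checksum(int(pin[:7])) == int(pin[7])


def hours_to_exhaust(attempts: int, secs_per_attempt: float,
                     lock_after: int = 0, lock_secs: float = 0.0) -> float:
    """Worst-case hours to try `attempts` PINs when the access point pauses WPS
    for `lock_secs` after every `lock_after` failures (0 means no lock-out)."""
    lockouts = (attempts - 1) // lock_after if lock_after else 0
    return (attempts * secs_per_attempt + lockouts * lock_secs) / 3600


if __name__ == "__main__":
    # Constructed sample PIN: 1234567 plus its check digit.
    print("12345670 valid:", is_valid_pin("12345670"))
    # The check digit is derived, so only seven digits are free.
    print("distinct valid PINs:", 10 ** 7)
    print("no lock-out: %.1f h" % hours_to_exhaust(ATTEMPTS_QUOTED, SECS_PER_ATTEMPT))
    # Assumed policy: 60 s pause after every 3 failed attempts.
    print("3 fails / 60 s: %.1f h"
          % hours_to_exhaust(ATTEMPTS_QUOTED, SECS_PER_ATTEMPT, 3, 60))
```

Under the assumed policy the estimate grows from about four hours to about 65, which slows the search without closing the flaw; disabling WPS remains the workaround US-CERT names.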
US-CERT also recommends the use of “WPA2 encryption with a strong password, disabling UPnP, and enabling MAC address filtering so only trusted computers and devices can connect to the wireless network.”
US-CERT is part of the National Cyber Security Division at the U.S. Department of Homeland Security. It was set up in 2003, TMCnet said.
Ed Silverstein is a TMCnet contributor. Edited by Rich Steeves.