Wi-Fi’s WPA Hacked… Again

31 03 2013

Introduction

Since its implementation, Wi-Fi has had a troubled time establishing a reliable encryption standard despite its exponential growth in popularity among businesses and casual users alike. After the epic failure of the Wired Equivalent Privacy (WEP) algorithm in 2001 due to weak and predictable encryption methods, a new encryption standard was needed to pick up where WEP had failed (Borisov, Goldberg and Wagner). The Wi-Fi Alliance’s Wi-Fi Protected Access (WPA) and the Institute of Electrical and Electronics Engineers’ (IEEE) WPA2 standard, which provided stronger encryption and mutual authentication, was supposed to be the answer to all of our Wi-Fi woes (Wi-Fi Alliance 2). It has done a decent job; at least until the Wi-Fi Protected Setup (WPS) feature was introduced. This is a great example of how tipping the scale in favor of convenience rather than security didn’t work out so well.

A Brief Background on WPA/2

For the scope of this discussion, I will only be addressing the personal pre-shared key (PSK) flavor of WPA. While WPA and WPA2 are indeed much more robust security mechanisms than their predecessor, WEP, they do have problems of their own. Both implementations of WPA use a 4-way handshake for key exchange and authentication. WPA utilizes a constantly changing temporary session key known as a Pairwise Transient Key (PTK) derived from the original passphrase in order to deter cryptanalysis and replay attacks. During this process the user-selected PSK is input into a formula along with the Service Set Identifier (SSID) of the given network, and the SSID length and then hashed 4096 times to derive a 256-bit Pairwise Master Key (PMK). Another function is performed on the PMK using two nonce values and the two Media Access Control (MAC) addresses from the access point and the client which in turn generates a PTK on both devices (Moskowitz). These PTKs are then used to generate encryption keys to encrypt further communications (Wi-Fi Alliance). The problem is that this 4-way handshake can unfortunately be observed by a third party. If an outside device captures the handshake, then the two MAC addresses, nonce values, and the cipher suite used can be obtained. The PTK can then be generated by the outsider (Moskowitz). A dictionary or brute force attack can then be run against the PTK to find the corresponding original PSK it was derived from. Therefore choosing a weak password significantly reduces the effectiveness of WPA and greatly increases the chances that your PSK will be discovered.

Then Came WPS

In 2007 the Wi-Fi Alliance decided to make connecting to WPA enabled networks easier for home users and developed the WPS specification. Their goal was to promote best practices for security while providing ease of use (Wi-Fi Alliance 1) for home users. Essentially they accomplished this by creating a backdoor into your WPA enabled network.

WPS comes in two modes of operation, a push-button-connect mode and a personal identification number (PIN) mode. Furthermore the PIN mode is split into two subcategories, an internal registrar and external registrar mode (Viehböck 3-4). While the push-button mode has security implications of its own, we are going to focus on the external registrar PIN mode of operation.

This is Where Things Get Interesting

The external registrar PIN mode of operation only requires that a foreign wireless device send an 8 digit PIN that matches the 8 digit PIN set on the WPS-enabled access point or external registrar used to authenticate WPS clients. If the PIN that was sent matches, the access point or registrar responds with the PSK needed to authenticate to the network. Thus, the security of a WPA2 enabled network even with a strong 60 character passphrase could potentially be compromised by exploiting an 8 digit PIN. To add insult to injury, the 8 digit PIN is actually 7 digits, with the eighth digit being a checksum of the previous 7. The 8 digits are then split in half during transmission, with digits 1-4 being the first half of the PIN and 5-8 being the second half. During PIN authentication each half of the PIN is sent and authenticated separately. Based on the response given by the access point or registrar for a submitted PIN, an attacker can determine if the first and second halves were correct or incorrect independently of each other. At this point, to gain unauthorized access to the network, you essentially just need to brute force two 4-digit PINs or 104 + 104. That’s only 20,000 possible combinations. Additionally, since the eighth digit of the PIN is a checksum, you really only have a maximum of 104 + 103, or 11,000 possible values to brute force (Viehböck 4-6). Keep in mind that this has nothing to do with the strength of your actual WPA passphrase. The most disturbing implications of this are that an otherwise well-secured, unfeasibly penetrable WPA-PSK network could still be easily compromised by guessing 1 of 11,000 possible values.

What Devices are Affected by This?

This attack was published in late 2011 and unfortunately the vast majority of small office/home office (SOHO) wireless routers in use remain vulnerable. Additionally, most of the wireless routers and access points on the market have this WPS feature enabled by default and with certain vendors the user isn’t even given the option to disable it! Wireless router vendors have been notified of this vulnerability and some vendors have already released firmware updates disabling the WPS PIN feature by default and in some cases giving the user the option to disable it (Viehböck 9). The problem is that the average home user will probably not routinely update their router firmware and may remain vulnerable indefinitely. A recent scan using Wash, a tool which is used to identify WPA networks which are vulnerable to this attack, revealed 14 vulnerable SSIDs within close proximity to my home. There is also a spreadsheet of known vulnerable devices hosted on Google Docs (WPS Flaw Vulnerable Devices).

How to Protect Yourself

Update your router or access point to the latest firmware available and completely disable the WPS feature. If your device will not let you disable WPS, contact your vendor or consider purchasing a device that will let you. Also, it couldn’t hurt to run the Wash tool and see if your network is listed as being vulnerable. If you want to take it one step further, the Reaver tool will enable you to run the WPS PIN attack against your own network to determine if you are indeed susceptible to this vulnerability.

______________

Borisov, Nikita, Ian Goldberg and David Wagner. “Security of the WEP Algorithm.” n.d. (In)Security of the WEP algorithm. 16 February 2013.

Moskowitz, Robert. Weakness in Passphrase Choice in WPA Interface. 4 November 2003. 17 February 2013. <http://wifinetnews.com/archives/2003/11/weakness_in_passphrase_choice_in_wpa_interface.html&gt;.

Viehböck, Stefan. Brute forcing Wi-Fi Protected Setup. 26 December 2011. Document.

Wi-Fi Alliance. “State of Wi-Fi Security.” January 2012. Wi-Fi Alliance. Document. 16 February 2013. <http://www.wi-fi.org/sites/default/files/uploads/20120229%20State%20of%20Wi-Fi%20Security_09May2012_updated_cert.pdf&gt;.

—. Wi-Fi Certified Wi-Fi Protected Setup. December 2010. Document.

“WPS Flaw Vulnerable Devices.” n.d. Document. 17 February 2013. <https://docs.google.com/spreadsheet/ccc?key=0Ags-JmeLMFP2dFp2dkhJZGIxTTFkdFpEUDNSSHZEN3c&gt;.

Advertisements