Why Wi-Fi Protected Setup (WPS) Was Created at WLAN Book.com

December 31st, 2011

Why Wi-Fi Protected Setup (WPS) Was Created

by Zaib Kaleem

Why Wi-Fi Protected Setup (WPS) Was Created

Wi-Fi Alliance’s Wi-Fi Protected Setup specification describes how a wireless device can be automatically configured with wireless network security settings. The goal was to make it easier for non techies to configure devices to securely connect to wireless routers. For hardware sellers and manufacturers the specification is suppose to reduce product returns and end-user support costs. Wi-Fi Protected Setup is an optional certification program.

Statistics collected by Wi-Fi Alliance in 2006 are below.

2 in 5 consumers still have not activated the security on their Wi-Fi network*
44% of consumers described activating security on a Wi-Fi network as moderately to very difficult**
Most (83%) of people think using someone else’s Wi-Fi network without their knowledge is “stealing,” but about half of people admit that they have done so***

How Wi-Fi Protected Setup (WPS) Makes Security Easier

The specification outlines two ways to make it easier to configure secure connections to access points: a secure PIN code method and a Push button method. PIN entry is mandatory in all Wi-Fi Protected Setup devices, while push-button is optional. Per the Wi-Fi Alliance both methods reduce the number of steps from 8 to 4.

PIN Code Method

Push button Method

US-CERT WiFi Protected Setup PIN Brute Force Vulnerability

The WiFi Protected Setup (WPS) PIN is susceptible to a brute force attack. A design flaw that exists in the WPS specification for the PIN authentication significantly reduces the time required to brute force the entire PIN because it allows an attacker to know when the first half of the 8 digit PIN is correct. The lack of a proper lock out policy after a certain number of failed attempts to guess the PIN on some wireless routers makes this brute force attack that much more feasible.

[Vulnerability Note VU#723755]

Stefan Viehböck was first to report this vulnerability to US-CERT and released a paper describing the issue. A tool called Reaver has been released by a second researcher who independently was tracking same issue.

Reaver is a WPA attack tool developed by Tactical Network Solutions that exploits a protocol design flaw in WiFi Protected Setup (WPS). This vulnerability exposes a side-channel attack against Wi-Fi Protected Access (WPA) versions 1 and 2 allowing the extraction of the Pre-Shared Key (PSK) used to secure the network. With a well-chosen PSK, the WPA and WPA2 security protocols are assumed to be secure by a majority of the 802.11 security community.