

Cracking WPA in 10 hours or less - sbierwagen
http://www.devttys0.com/2011/12/cracking-wpa-in-10-hours-or-less/

======
jacquesgt
There's a detailed description of the weakness in the WPS protocol here:
<http://sviehb.files.wordpress.com/2011/12/viehboeck_wps.pdf>

It looks time there are two issues here. The first is that the pin is
confirmed in two stages, each of which can be individually NAKed. That brings
e complexity down from 10^7 to 11,000. It seems like this could be fixed by
always ACKing the first stage and then ACKing/NAKing the second stage based on
the result of both stages (unless doing so would somehow lead to leaking
information about the PIN).

I think the first issue comes from an attempt at doing mutual authentication.
Basically the device (like a wireless printer) wants to tell an access point
(AP) that it knows the PIN. But, the device wants to make sure the AP also
knows the pin. Otherwise, someone could spoof the AP and say for any
connection attempt "yup, that's the PIN, now here's your (fake)
configuration". I think they're also trying to cover the case where the HMAC
they're using has a vulnerability, allowing a fake AP to discover the secret
key by using nonces that expose a weakness in the HMAC.

Instead of just trusting HMACs to do their thing, they break the mutual
authentication into stages. The AP and the device each prove they know the
first half of the key. If either side fails that test, then the other side
refuses to move on, supposedly protecting the second half of the key even if
the HMAC is found to be broken. In reality of course, it leads to the attack
described above. If both sides just always ACK the first stage, everything is
fine as long as the HMAC is secure (which it most likely is). If you're
worried about the HMAC being broken, you could use a dummy PIN for the second
stage if the first stage fails.

The second issue is that most vendors don't implement lockouts after too many
failed attempts. Even if they do, the issue above means a brute-force attack
is still possible in a few months' time because of the greatly reduced
complexity. Fixing both issues would probably make a brute force attack
impractical.

Until both issues are fixed, the best solution is to disable pin-based WPS.
Unfortunately many low-cost wireless printers and similar devices require WPS
to connect to a secured wireless network. Turning off WPS may make such
devices unusable.

It's possible that enabling MAC address filtering will also solve the
issue(actually... not).

~~~
bwooce
Surely MAC address filtering is well and truly proven to be pointless to any
serious attempts to, erm, join your network?

Spoofing MAC addresses is trivial, even under Windows.

~~~
jacquesgt
Errr, right. MAC addresses are sent in the clear, so filtering is pointless.

------
jaylevitt
Good God, what a comedy of errors. First, that WPS even lets you get around a
256-bit key with a 10^8 PIN (like others, I thought WPS was pushbutton-only),
but second, that this vulnerability brings the brute-force complexity down to
10^4 + 10^3, or 11,000 attempts: <http://www.kb.cert.org/vuls/id/723755>

~~~
noneTheHacker
Can you, or maybe someone else please explain why it becomes 10^4 + 10^3. My
math skills are a little rusty.

~~~
obtu
10^4 attempts (worst case) to bruteforce the first four digits using the early
NACK, 10^3 attempts (worst case) to bruteforce the entire pin once you know
the first four (this part only has to iterate on three digits of the second
half, and compute the checksum to get the last digit).

~~~
noneTheHacker
Thanks. This explains it perfectly to me.

------
yuhong
Add "using WPS" to the title please.

~~~
teilo
Yes, please. This is a side-channel attack. It _should_ get more exposure so
that people get wise and turn off WPS in their APs.

~~~
Maxious
I had no idea that the WPS specification included two PIN number options
(client->AP which is this attack and AP->client) - thought it only worked when
you pressed the physical button.

------
kaze
Factual error: It is not WPA that is cracked here. It is WPS.

------
sounds
It's interesting that he's using a freemium business model: the commercial
version supposedly has more features and speed improvements.

I don't really care whether he does that or not, but I see it as part of a
larger trend: open source software supported by a freemium business model.

~~~
regularfry
It can go rather hideously wrong, with the open source version being
neglected, downgraded, or simply made non-functional to push people onto the
paid version. This was happening for a while with SugarCRM - I don't know if
anything's changed there since I last looked, but it feels just like a bait-
and-switch.

Where I know of it working well, it's where there are separate legal entities
to manage the open source code and the premium version.

------
jimbobimbo
Pardon my ignorance, but don't I need to initiate WPS somehow (like pressing
the button on the router), or mere presence of enabled WPS feature is enough
to start the attack?

------
hackermom
Misleading headline. WPA isn't cracked - WPS is, due to its flawed design.
Simply disable WPS and your AP is fine.

------
xxiao
does this mean wpa/wpa2 is totally unsafe now? or just for pre-shared key
method(which is 99% home users use)?

~~~
jacquesgt
Neither. This doesn't affect WPA2 in any mode, as long as WPS (WiFi Protected
Setup) is turned off.

WPA has known vulnerabilities that an attacker can use to cause a router to
leak data over its WAN Ethernet port, so it should be considered unsafe at
this point. But, that has nothing to do with this attack.

