WiFi Protected Setup PIN vulnerability

Posted on September 5, 2012

In December of 2011, a team with the United States Department of Homeland Security released a document that detailed a critical security flaw with access points/routers that use WiFi Protected Setup (WPS).

WPS is a security option that allows an individual to use a PIN predefined by the access point/router, or create a new PIN that will be hard-coded to the access point/router, which will allow a user to connect a computer or other device to a wireless network.

The security flaw in WPS exists in how the PIN is transmitted to the client device when that device fails to authenticate to the access point/router. When authentication fails, a message is sent to the client device. This message includes the first half of the PIN, along with the last digit of the PIN, which is used as an error check digit for the PIN. This broadcasting of over half the PIN allows an attacker significantly less attempts to crack the PIN than would be needed if other methods of WiFi security were used; such as WiFi Protected Access (WPA, or WPA2).

A quick, but not necessarily definitive, way to identify if your access point/router has WPS capability will be to look for this symbol:

This is the WPS symbol, and will most likely be on the back of your access point/router.

SIRKit Ltd. highly recommends the following steps be taken to minimize the risk of being exploited by this flaw:

  1. Update your access point/router’s firmware. Most manufacturers are aware of this vulnerability, and have already released updates for their products to resolve this flaw.
  2. Disable WPS. If no firmware update exists to resolve this vulnerability, disabling WPS will prevent someone from taking advantage of this flaw.

A Few common access points/routers that have WPS capability are:

  • D-Link DIR-655 Xtreme N Gigabit Router
  • Linksys E2500 Advanced Dual-Band N Router

A few access points/routers that do not have WPS capability:

  • D-Link DIR-615 Wireless N 300 Router
  • D-Link WBR-2310 RangeBooster G Router

As always, SIRKit Ltd. will be more than happy to provide assistance updating your access point/router’s firmware, disabling WPS, as well as to source out access points or routers that do not have WPS capability.

Photograph by Andrew Binne