Turn off WPS on routers for WiFi security

A Swiss researcher is advocating turning off WPS to secure routers after finding a flaw that eliminates the randomness of codes generated by some routers when WPS is switched on...

If you've paired a wireless device with a WiFi-enabled router in recent years, then there's a strong chance you have used the WPS - WiFi Protected Set-up - button, which allows one-button-press pairing, rather than keying lengthy pass codes into a Web browser.

Unfortunately, it seems that the WPS technology on routers that have chips from Broadcom and another major supplier is flawed, allowing a hacker to carry out a series of offline calculations and come up with the relevant over-the-air codes - in a few seconds - to circumvent the wireless security mechanism.

According to Dominique Bongard, a reverse engineering specialist and founder of 0xcite, a Swiss security firm, the WPS vulnerability is sufficiently prevalent that users of wireless routers should switch the WPS facility off if they are worried about security.

The insecurity appears to be due to a flaw in the pseudo-random number generator used by the modem chipsets, meaning that the codes generated over the air when the WPS button is pressed can easily be predicted.

Bongard says that, because many router manufacturers use the reference software implementation as the basis for their customised router software, the problems affect many final products.

Broadcom's reference implementation had poor randomisation, he adds, whilst the second vendor uses a special seed of zero, so - bizarrely - eliminating any randomness.
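
To make the zero-seed problem concrete, here is an added illustration; it is not code from the article, the researcher or any vendor. A toy generator (a hypothetical stand-in for a firmware PRNG, built on the constants of the C standard's sample rand()) seeded with zero yields the same "secret" bytes on every boot, while the operating system's random source does not. The function names and the 16-byte length are assumptions made for this sketch.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NONCE_LEN 16 /* constructed length for this sketch */

/* Toy LCG standing in for a firmware PRNG (assumption, not vendor code). */
typedef struct { uint32_t state; } toy_prng;

static uint8_t toy_next(toy_prng *p) {
    p->state = p->state * 1103515245u + 12345u;
    return (uint8_t)(p->state >> 16);
}

/* Weak: every "boot" starts from the constant seed 0, so the output never changes. */
void nonce_fixed_seed(uint8_t out[NONCE_LEN]) {
    toy_prng p = { 0 };
    for (int i = 0; i < NONCE_LEN; i++) out[i] = toy_next(&p);
}

/* Hardened: read the bytes from the OS random source. Returns 0 on success, -1 on failure. */
int nonce_os_random(uint8_t out[NONCE_LEN]) {
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return -1;
    size_t n = fread(out, 1, NONCE_LEN, f);
    fclose(f);
    return n == NONCE_LEN ? 0 : -1;
}

/* Self-test: do two simulated boots produce identical values? 1 = yes (bad). */
int fixed_seed_repeats(void) {
    uint8_t a[NONCE_LEN], b[NONCE_LEN];
    nonce_fixed_seed(a);
    nonce_fixed_seed(b);
    return memcmp(a, b, NONCE_LEN) == 0;
}

/* Same check against the OS source: 0 = values differ, -1 = source unavailable. */
int os_random_repeats(void) {
    uint8_t a[NONCE_LEN], b[NONCE_LEN];
    if (nonce_os_random(a) != 0 || nonce_os_random(b) != 0) return -1;
    return memcmp(a, b, NONCE_LEN) == 0;
}

int main(void) {
    printf("fixed seed repeats across boots: %d\n", fixed_seed_repeats());
    printf("OS random source repeats:        %d\n", os_random_repeats());
    return 0;
}
```

A repeat check of this kind belongs in a firmware test suite: any value meant to be secret that comes out identical across two boots is effectively public.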

According to Pentura managing director Steve Smith, it is hard to say from Bongard's research how widespread the security issue is, as specific vendors' models have not been named.

"Hardware hacking is an increasingly common problem. It's usually made easy for attackers because in many cases, routers are shipped with services such as remote administration and remote FTP open by default, and users often forget to change these," he said.

"It's always good for users to ensure that these defaults are changed, and that a strong password is used. Let's hope that the vendors of the affected routers make updates available quickly to fix this problem," he added.

Nigel Stanley, practice director for cyber security at OpenSky UK, said the flaw seems to stem from the PRNG - the pseudo-random number generator - process in the WPS modem chipset.

"In this day and age I would have thought that this technology had been suitably refined, meaning that a flaw of this type with the PRNG implementation should not be possible," he said.

One solution to this latest wireless router flaw, he explained, may be to add MAC filtering to the security process, meaning that wireless handshaking can be completed between devices with a given MAC address.

"Although MAC filtering can be bypassed, it all comes to the onion approach to security - with multiple layers of security, your security becomes a lot stronger," he said.

Mike McLaughlin, senior pen tester with First Base Technologies, said that moving away from wireless and going for hard-wired network connections may seem a potentially good idea, but it is one that is not viable in a modern corporate environment, especially given the arrival of BYOD in the workplace.

"It's not easily possible to plug an Ethernet cable into an iPad, for example, so you cannot really take wireless out of the equation," he said.

"The good news from this research, however, is that it's not the WPS protocol itself that has been cracked, but the implementation on certain types of modem. There may be an argument to turn off WPS, but the reality is that wireless is here to stay in the company workplace," he added.