Many home users leave their Wi-Fi networks partially or completely unsecured because they possess little understanding of traditional Wi-Fi configuration and security settings including what a SSID is and the difference between WEP, WPA, and WPA2 and their associated ciphers.
The Wi-Fi Protected Setup (WPS) standard is introduced to facilitate the deployment of secure Wi-Fi networks without any complicated procedures and the insertion of additional devices over time.
Recently, an important security vulnerability was discovered in the current WPS Registration Protocol specification and implementations putting Wi-Fi networks at risk. The exploit is explained in the WPS vulnerability section.
This tutorial also provides a general overview of the WPS technology.
Wi-Fi Protected Setup (WPS), developed by the Wi-Fi Alliance, helps users quickly and easily configure WPA/WPA2-Personal (PSK) security on wireless routers and clients. WPS currently supports two methods: Personal Information Number (PIN) and Push Button Configuration (PBC). The specification also includes a third method, Near-Field Communication (NFC) but there are currently no products that support NFC.
The PIN method allows users to use a PIN (taken either from a sticker label or a utility screen or a web-based control panel) and enter it in the Access Point (AP) or client WPS device to connect. This method is mandatory for all WPS certified devices.
The push button configuration (PBC) method allows users to simply push a button, either an actual or a virtual one, on both WPS devices to connect. This is an optional method on wireless clients.
In both methods, WPS users are not asked to enter a network name (SSID) and wireless security by hand. The whole operation often takes few seconds and it does not exceed a two-minute period.
There are three logical components involved in WPS:
- Registrar: a device with the authority to issue and revoke credentials to a network. A registrar may be integrated into a wireless access point (AP), or it may be separate from the AP.
- Enrollee: a device seeking to join an access point or a wireless network such as a laptop, a cell phone …
- AP: an Access Point functioning as a proxy between a registrar and an enrollee.
Interface E is logically located between the Enrollee and the Registrar (physically, the AP can work as a proxy to convey the messages). The purpose of Interface E is to enable the Registrar to discover and issue WLAN Credentials to the Enrollee.
Interface M is the interface between the AP and the Registrar. It enables an external Registrar to manage a WPS AP. WPS uses the same protocol for setting up the AP Management interface as for issuing Credentials to Enrollee devices.
Interface A is between the Enrollee and the AP. The function of Interface A is to enable discovery of the WPS WLAN and to enable communication between the Enrollee and IP-only Registrars.
The Registration Protocol is defined and detailed in the Wi-Fi Protected Setup Specification v1.0 document provided by the Wi-Fi Alliance. The Registration Protocol accomplishes the following purposes:
- It helps to troubleshoot basic connectivity problems with the wireless channel.
- It provides demonstrative identification of the Enrollee to the Registrar and the Registrar to the Enrollee using out-of-band information, enabling the credential configuration function.
- It establishes the roles of each device (AP, Registrar, or Enrollee).
- It securely conveys WLAN settings and other configuration from the Registrar to the Enrollee.
- It establishes an Extended Master Session Key EMSK, which can be used to secure additional application-specific configuration functions.
The Registration Protocol is used for a variety of scenarios resulting in a few variants in terms of optional parameters. The principal version, a series of EAP message exchanges, is described as below:
Enrollee -> Registrar: M1 = Version || N1 || Description || PKE
Enrollee <- Registrar: M2 = Version || N1 || N2 || Description || PKR [ || ConfigData ] || HMAC_AuthKey(M1 || M2*)
Enrollee -> Registrar: M3 = Version || N2 || E-Hash1 || E-Hash2 || HMAC_AuthKey(M2 || M3*)
Enrollee <- Registrar: M4 = Version || N1 || R-Hash1 || R-Hash2 || ENC_KeyWrapKey(R-S1) || HMAC_AuthKey (M3 || M4*)
Enrollee -> Registrar: M5 = Version || N2 || ENC_KeyWrapKey(E-S1) || HMAC_AuthKey (M4 || M5*)
Enrollee <- Registrar: M6 = Version || N1 || ENC_KeyWrapKey(R-S2) || HMAC_AuthKey (M5 || M6*)
Enrollee -> Registrar: M7 = Version || N2 || ENC_KeyWrapKey(E-S2 [||ConfigData]) || HMAC_AuthKey (M6 || M7*)
Enrollee <- Registrar: M8 = Version || N1 || [ ENC_KeyWrapKey(ConfigData) ] || HMAC_AuthKey (M7 || M8*)
• || this symbol means concatenation of parameters to form a message.
• Mn* is message Mn excluding the HMAC-SHA-256 value.
• Version identifies the type of Registration Protocol message.
• N1 is a 128-bit random number (nonce) specified by the Enrollee.
• N2 is a 128-bit random number (nonce) specified by the Registrar.
• Description contains a human-readable description of the sending device (UUID, manufacturer, model number, MAC address, etc.) and device capabilities such as supported algorithms, I/O channels, Registration Protocol role, etc. Description data is also included in 802.11 probe request and probe response messages.
• HMAC_AuthKey(…) This notation indicates an Authenticator attribute that contains a HMAC keyed hash over the values in parentheses and using the key AuthKey. The keyed hash function is HMAC-SHA-256 per FIPS 180-2 and RFC-2104. To reduce message sizes, only 64 bits of the 256-bit HMAC output are included in the Authenticator attribute.
• ENC_KeyWrapKey(…) This notation indicates symmetric encryption of the values in parentheses
using the key KeyWrapKey. The encryption algorithm is AES-CBC per FIPS 197, with PKCS#5 v2.0 padding.
• PKE and PKR are Diffie-Hellman public keys of the Enrollee and Registrar, respectively. If support for other cipher suites (such as elliptic curve) is added in the future, a different protocol
Version number will be used.
• AuthKey is an authentication key derived from the Diffie-Hellman secret, the nonces N1 and N2, and the Enrollee’s MAC address. If M1 and M2 are both transported over a channel that is not susceptible to man-in-the-middle attack, the Enrollee’s device password may be omitted from the key derivation.
• E-Hash1 and E-Hash2 are pre-commitments made by the Enrollee to prove knowledge of the two halves of its own device password.
• R-Hash1 and R-Hash2 are pre-commitments made by the Registrar to prove knowledge of the two halves of the Enrollee’s device password.
• R-S1 and R-S2 are secret 128-bit nonces that, together with R-Hash1 and R-Hash2, can be used by the Enrollee to confirm the Registrar’s knowledge of the first and second half of the Enrollee’s device password, respectively.
• E-S1 and E-S2 are secret 128-bit nonces that, together with E-Hash1 and E-Hash2, can be used by the Registrar to confirm the Enrollee’s knowledge of the first and second half of the Enrollee’s device password, respectively.
• ConfigData contains WLAN settings and Credentials for the Enrollee. Additional settings for other networks and applications may also be included in ConfigData. Although ConfigData is shown here as always being encrypted, encryption is only mandatory for keys and key bindings. Encryption is optional for other configuration data. It is the sender’s decision whether or not to encrypt a given part of the ConfigData.
The PIN method (mandatory for certification) requires only the knowledge of the PIN making the WPS potentially vulnerable to brute force attacks. Discovering the PIN exposes the WPA/WPA2 PSK found in ConfigData which contains the WLAN settings and Credentials for the Enrollee.
Basically, these attacks rely on discovering the PIN much quicker than brute forcing the PSK and work as follow:
- If the WPS Registration Protocol fails at some point, the Registrar will send a NACK message.
- If the attacker receives a NACK message after sending M4, he knows that the first half of the PIN was incorrect. See definition of R-Hash1 and R-Hash2.
- If the attacker receives a NACK message after sending M6, he knows that the second half of the PIN was incorrect.
This method dramatically decreases the maximum possible authentication attempts needed from 10^8 to 10^4 + 10^4. The 8th digit of the PIN is always a checksum of digit one to digit seven. As result, there are at most 10^4 + 10^3 (=11.000) attempts needed to find the correct PIN.
Consequently, less than four hours are needed to allow an attacker to try all possible PIN combinations with a reasonable 1.3 seconds per attempt.
An attack tool called Reaver has been released to get WPS enabled devices PIN, and has been tested against a wide variety of WPS implementations.
As nearly all major router and access point vendors have WPS certified devices, a lot of devices are vulnerable to this kind of attack. WPS is often enabled by default and implemented without any kind of blocking mechanism to prevent brute force attacks making this vulnerability even worse.
Since this vulnerability can only be patched with a firmware update, it is recommended to apply one of the following solutions:
- If allowed by your WPS device, disable the WPS feature using your WEB management interface then configure your wireless connectivity manually.
- Check your WPS device vendor’s support website for updated firmware that addresses this vulnerability.