Your wireless router may be vulnerable!

Does your wireless router have PIN technology? This is where you can connect your computer to the router by pressing a button on the router, then entering the 8-digit PIN code that is (usually) printed on the router itself. It allows people with limited computer knowledge to follow simple instructions and get their laptop or desktop computer onto their wireless network.

Unfortunately, the PIN technology used (known as Wi-Fi Protected Setup (WPS for short) has been demonstrated as weak and vulnerable to a brute force attack. Stefan Viehbock (@sviehb on Twitter) did the research and found that most WPS-enabled routers take around 3 hours to crack. One make of router did implement a weak attacker detection algorithm, but was still cracked within a day. Read Stefan's blog post and PDF article at .braindump: Wi-Fi Protected Setup PIN brute force vulnerability. There is also a CERT (US Computer Emergency Readiness Team) vulnerability note on this issue: WiFi Protected Setup (WPS) PIN brute force vulnerability.

What action we should take

Disable WPS! You can do this by logging into your router (usually through a web browser, or through software you installed on your computer) and locating the WPS Settings. On my Netgear WNR2200 router the option to disable the router's PIN was buried under the 'Advanced' tab, and then under 'Advanced Setup' - the 'Wireless Settings' option. Note that the 'WPS Wizard' does NOT allow you to turn off WPS!

Alternatively, you can take the view that the risk is very low of someone attempting this on your network, in which case you can leave your router alone and assume that all is well and that nobody is accessing your private network. Is the risk worth it? That's up to you.

Comments