03. WPS (WiFi Protected Setup)

WPS Theory

• WPS only works with WPA/WPA2-Personal.
• WPS currently supports two methods:
  • Personal Information Number (PIN)
  • Push Button Configuration (PBC)
• 8-digit PIN.
• 1 digit of the PIN is a checksum.
• First group of 4 digits is checked independently => max 10000 tries for breaking the first group, then max 1000 tries for the second group (only 3 digits because of the checksum digit).
• Average of about 5500 attempts needed for bruteforce.
• Many routers now implement timeout, e.g. 60s locked out after 3 consecutive bad attempts.

WPS Attacks

• WPS PIN smart bruteforce using:

  • Known PINs for certains APs from given manufacturers
  • Known PIN generation algorithms

• WPS Bruteforce (online): Usually not very practicable due to timeouts...

• WPS Pixie Dust Attack (offline bruteforce):

  • Some APs have weak ways of generating nonces (known as E-S1 and E-S2) that are supposed to be secret (insecure PRNG) => Attack is possible only if the AP uses a vulnerable chipset.
  • List of vulnerable routers: https://docs.google.com/spreadsheets/d/1tSlbqVQ59kGn8hgmwcPTHUECQ3o9YhXR91A_p7Nnj5Y/edit#gid=2048815923
  • Technical details: http://archive.hack.lu/2014/Hacklu2014_offline_bruteforce_attack_on_wps.pdf

• WPS Null PIN attack: Some really bad implementations allowed the Null PIN to connect.