Many have speculated about the ubiquity of vulnerable devices, with some outlets simply stating that "most" routers are vulnerable. In the interest of more specific and accurate figures, I took a scientific approach, based on gathering the information broadcast by nearby wireless devices. Focusing on SOHO wireless routers, which are most likely to implement the WPS standard, I scanned my neighborhood surroundings in Austin, Texas -- a fairly dense, urban area composed mainly of residences, with scattered small businesses and office buildings.
Dan Kaminsky undertook a similar survey a few weeks ago, using data gathered in Berlin and compared against Wigle's online database to extrapolate that "26.3% of APs with crypto enabled exposed methods that imply vulnerability to the WPS design flaw... suggests at least 4.1M vulnerable hosts".
Using the Wigle WiFi active 802.11 scanner for Android (discussed in a previous post) to identify and enumerate basic information broadcast by wireless networks in an approximately 3 mile radius, I arrived at slightly higher numbers. The numbers below suggest 27.1% of the APs support WPS:
$ cat WigleWifi_20120102134243.csv | grep WIFI | wc -l
71046
$ cat WigleWifi_20120102134243.csv | grep WIFI | grep -v -i wps | wc -l
51789
$ cat WigleWifi_20120102134243.csv | grep WIFI | grep -i wps | wc -l
19257
A more interesting and meaningful number is the percentage of WPA(2)-enabled devices supporting WPS (since unencrypted and WEP-enabled devices can be easily compromised through other attacks):
$ cat WigleWifi_20120102134243.csv | grep WIFI | grep -i wpa | wc -l
37985
This figure indicates that 50.7% of the wireless devices otherwise (likely) well-protected by WPA-based security advertise support for WPS.1Now the question becomes -- of these 50% of WPA-enabled devices that support WPS, what portion are vulnerable to a brute-force PIN guessing attack? Because support for the PIN method is mandated for WPS-certified products, nearly all devices advertising WPS capabilities should allow PIN authentication.
In search of empirical data (albeit a very limited data set), I initially tested a variety of devices myself. In doing so, I was able to learn greater details about the attack, how software to exploit the issue works, and how to defend against it.
I tested a spare router that supports WPS, and four others belonging to friends and neighbors (with their permission, of course). It goes without saying that my sample set of five devices is insufficient to draw meaningful conclusions from. Having said this, I was surprised by the varied results. I used several software tools to test for this vulnerability -- Viehböck's 'wpscrack', and the previously-commercial, now open-sourced 'reaver' were used to brute-force guess PIN values; the 'wps_tools' wpscan and wpspy were useful for enumerating WPS-capable routers, and monitoring changes in a target network's state (such as locking). Results were as follows:
- D-Link DIR-615, hardware version B2 -> not vulnerable due to WPS lock implementation that activates after approximately 60 failed PIN attempts, and requires a system reboot to unlock2;
- Cisco Linksys WRT320N -> seemingly not vulnerable due to repeated "WPS transaction failed (code: 0x2)" messages (Reaver), indicating an "Unexpected timeout or EAP failure";
- D-Link DIR-625, hardware version C2 -> vulnerable; PIN successfully cracked in approximately five hours;
- Netgear N150 WNR1000, version 3 -> vulnerable to a DoS condition, but not PIN discovery -- repeated PIN attempts resulted in the router ceasing to provide connectivity; a hard reboot was required to restore service;
- Cisco Linksys E4200 -> vulnerable; PIN successfully cracked in approximately four hours.
Demonstrating use of the 'Reaver' tool to brute-force guess the PIN value, and extract the network's pre-shared key. |
Two out of five devices tested vulnerable to PIN discovery; one of five vulnerable to DoS.
Of course, significantly more results were desirable, and while the crowd-sourced test data submitted to the 'WPS Vulnerability Testing' Google document created by jagermo on January 2nd initially seemed inconsistent and confusing, the results are becoming more clear. Testing results and direct submissions from some vendors (Cisco, D-Link) have been incorporated into the document, lending additional credibility and accuracy to the results.
Aggregated entries submitted to this point, viewable at the response summary page show that 79% of submissions identify the WPS PIN method enabled by default, and 64% indicate a device vulnerable to the WPS attack. An additional 16% indicate a device 'maybe' vulnerable. (Whether devices that experience a DoS condition as a result of the attack, but do not disclose the PIN value should be considered 'vulnerable', 'maybe', or 'not' in this taxonomy is unclear.)
Whether we use the very conservative 20% figure arrived at in my small-scale testing (50% of discovered routers supporting WPS * 40% vulnerability rate in five tested routers) or the 64% figure from crowd-sourced data (keeping in mind a possible reporting bias), extrapolation based on Wigle's mapping project data suggests that millions of devices have been recently identified as vulnerable.
Disclosure of this weakness has changed the SOHO wireless security world for some time to come -- until device vendors issue firmware updates, customers update their devices, old and vulnerable routers are replaced, and/or a new Wi-Fi Simple Configuration Specification (WSC) is released addressing this design weakness.
1 – Results from a larger dataset -- Wigle scanning results over the past 18 months, covering much wider and more diverse areas, including business districts and office environments -- produce similar statistics: 28.0% of all 71,046 APs, and 49.2% of WPA-enabled devices support WPS (back to post)
2 – Router logs recording failed authentication attempts and activation of lock state as follows:
...
[INFO] Sat Jan 13 13:02:09 2012 Wireless system with MAC address 00401B0323D0 associated
[INFO] Sat Jan 13 13:02:11 2012 Peer configuration error 0
[WARN] Sat Jan 13 13:02:11 2012 AP failed to registere to Registrar () through EAP reason (input fail) err code (3)
[INFO] Sat Jan 13 13:02:12 2012 Wireless system with MAC address 00401B0323D0 associated
[INFO] Sat Jan 13 13:02:12 2012 Wireless system with MAC address 00401B0323D0 disconnected for reason: Received Deauthentication.
[INFO] Sat Jan 13 13:02:13 2012 Wireless system with MAC address 00401B0323D0 associated
[INFO] Sat Jan 13 13:02:13 2012 Wireless system with MAC address 00401B0323D0 disconnected for reason: Received Deauthentication.
[WARN] Sat Jan 13 13:02:14 2012 Lock AP setup
[INFO] Sat Jan 13 13:02:14 2012 Peer configuration error 0
[WARN] Sat Jan 13 13:02:14 2012 AP failed to registere to Registrar () through EAP reason (input fail) err code (3)
[INFO] Sat Jan 13 13:02:15 2012 Wireless system with MAC address 00401B0323D0 associated
[INFO] Sat Jan 13 13:02:15 2012 Wireless system with MAC address 00401B0323D0 disconnected for reason: Received Deauthentication.
[INFO] Sat Jan 13 13:07:47 2012 Wireless system with MAC address 00401B0323D0 disconnected for reason: Received Deauthentication.
...
(back to post)
No comments:
Post a Comment