Technical Cyber Security Alert 2012-6A

Posted Jan 7, 2012
Authored by US-CERT | Site us-cert.gov

Technical Cyber Security Alert 2012-6A - Wi-Fi Protected Setup (WPS) provides simplified mechanisms to configure secure wireless networks. The external registrar PIN exchange mechanism is susceptible to brute force attacks that could allow an attacker to gain access to an encrypted Wi-Fi network.

tags | advisory
SHA-256 | b37c21ad33cd8507ebeea5cd4b34829a2fda35d92dc3ebc05875fc4c7aa0c110




National Cyber Alert System

Technical Cyber Security Alert TA12-006A


Wi-Fi Protected Setup (WPS) Vulnerable to Brute-Force Attack

Original release date: January 06, 2012
Last revised: --
Source: US-CERT


Systems Affected

Most Wi-Fi access points that support Wi-Fi Protected Setup (WPS)
are affected.


Overview

Wi-Fi Protected Setup (WPS) provides simplified mechanisms to
configure secure wireless networks. The external registrar PIN
exchange mechanism is susceptible to brute force attacks that could
allow an attacker to gain access to an encrypted Wi-Fi network.


I. Description

WPS uses a PIN as a shared secret to authenticate an access point
and a client and provide connection information such as WEP and WPA
passwords and keys. In the external registrar exchange method, a
client needs to provide the correct PIN to the access point.

An attacking client can try to guess the correct PIN. A design
vulnerability reduces the effective PIN space sufficiently to allow
practical brute force attacks. Freely available attack tools can
recover a WPS PIN in 4-10 hours.

For further details, please see Vulnerability Note VU#723755 and
further documentation by Stefan Viehbock and Tactical Network
Solutions.


II. Impact

An attacker within radio range can brute-force the WPS PIN for a
vulnerable access point. The attacker can then obtain WEP or WPA
passwords and likely gain access to the Wi-Fi network. Once on the
network, the attacker can monitor traffic and mount further
attacks.


III. Solution

Update Firmware

Check your access point vendor's support website for updated
firmware that addresses this vulnerability. Further information may
be available in the Vendor Information section of VU#723755 and in
a Google spreadsheet called WPS Vulnerability Testing.

Disable WPS

Depending on the access point, it may be possible to disable WPS.
Note that some access points may not actually disable WPS when the
web management interface indicates that WPS is disabled.
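
One way to check the caveat above on an access point you administer is to look at what its beacons still advertise. The following is an added example, not part of the US-CERT alert: it parses the tagged parameters of a beacon or probe response for the WPS vendor-specific element (OUI 00:50:F2, type 4) and reads the Wi-Fi Protected Setup State (0x1044) and AP Setup Locked (0x1057) attributes. The function names and the sample byte strings are assumptions constructed for illustration.

```python
import struct

WPS_OUI_TYPE = bytes.fromhex("0050f204")  # vendor IE: OUI 00:50:F2, type 4 = WPS
ATTR_WPS_STATE = 0x1044                    # 1 = not configured, 2 = configured
ATTR_AP_SETUP_LOCKED = 0x1057              # 1 = AP refuses external registrar PIN attempts

def iter_ies(buf):
    """Yield (element_id, payload) per 802.11 information element."""
    pos = 0
    while pos + 2 <= len(buf):
        eid, length = buf[pos], buf[pos + 1]
        yield eid, buf[pos + 2:pos + 2 + length]  # a truncated last IE keeps what was captured
        pos += 2 + length

def parse_wps_attrs(body):
    """Parse WPS attributes: 2-byte type, 2-byte length (big-endian), value."""
    attrs, pos = {}, 0
    while pos + 4 <= len(body):
        atype, alen = struct.unpack_from(">HH", body, pos)
        value = body[pos + 4:pos + 4 + alen]
        if len(value) < alen:          # truncated attribute: ignore it
            break
        attrs[atype] = value
        pos += 4 + alen
    return attrs

def wps_status(tagged_params):
    """Report what a beacon's tagged parameters advertise about WPS."""
    for eid, payload in iter_ies(tagged_params):
        if eid == 0xDD and payload[:4] == WPS_OUI_TYPE:
            attrs = parse_wps_attrs(payload[4:])
            return {"advertised": True,
                    "state": int.from_bytes(attrs.get(ATTR_WPS_STATE, b""), "big"),
                    "setup_locked": attrs.get(ATTR_AP_SETUP_LOCKED) == b"\x01"}
    return {"advertised": False, "state": 0, "setup_locked": False}

def _beacon(wps_body=b""):
    """Build constructed tagged parameters: an SSID IE plus an optional WPS IE."""
    wps = bytes([0xDD, 4 + len(wps_body)]) + WPS_OUI_TYPE + wps_body if wps_body else b""
    return bytes([0x00, 4]) + b"test" + wps

# Constructed samples (not captures from a real device).
BEACON_WPS_ON = _beacon(bytes.fromhex("104a000110" "1044000102"))
BEACON_WPS_LOCKED = _beacon(bytes.fromhex("104a000110" "1044000102" "1057000101"))
BEACON_WPS_OFF = _beacon()

if __name__ == "__main__":
    print(wps_status(BEACON_WPS_ON), wps_status(BEACON_WPS_LOCKED), wps_status(BEACON_WPS_OFF))
```

If the element is still present after WPS has been switched off in the management interface, the access point is still advertising WPS. Its absence from a single frame is not proof that the registrar is off.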


IV. References

* Vulnerability Note VU#723755 -
<http://www.kb.cert.org/vuls/id/723755>

* Wi-Fi Protected Setup PIN brute force vulnerability -
<http://sviehb.wordpress.com/2011/12/27/wi-fi-protected-setup-pin-brute-force-vulnerability/>

* Cracking WiFi Protected Setup with Reaver -
<http://www.tacnetsol.com/news/2011/12/28/cracking-wifi-protected-setup-with-reaver.html>

* WPS Vulnerability Testing -
<https://docs.google.com/spreadsheet/lv?key=0Ags-JmeLMFP2dFp2dkhJZGIxTTFkdFpEUDNSSHZEN3c>

____________________________________________________________________

The most recent version of this document can be found at:

<http://www.us-cert.gov/cas/techalerts/TA12-006A.html>
____________________________________________________________________

Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA12-006A Feedback VU#723755" in
the subject.
____________________________________________________________________

For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________

Produced 2012 by US-CERT, a government organization.

Terms of use:

<http://www.us-cert.gov/legal.html>
____________________________________________________________________

Revision History

January 06, 2012: Initial release

