Exploits Into Wireless Security Explained

Updated: Sep 15, 2021

One of the toughest responsibilities, when tasked with building a network, is anticipating and discovering all the possible entry points that could be found and used by threat actors.


Even an administrator who maintains a network day to day, responds to incidents as they occur, and keeps up with the latest trends in cybersecurity can overlook the following very common vulnerability, often for the sake of convenience.


The tools used for WiFi hacking in particular have become simpler over the years and now come with turn-key functions that automate and expedite the attack. These eliminate the need for amateurs to learn complex sequences of commands, making the attacks more commonplace and more widely available to would-be threat actors.


Convenience-wise, there is a feature called Wi-Fi Protected Setup (WPS) found in most current consumer routers and enabled by default, which few users ever look at but which is well known to any hacker worth their salt. It perfectly illustrates the security-vs-convenience trade-off: when the feature is enabled, it is less of a wireless component and more like a vulnerability.


Enabling WPS can effectively mean that a threat actor trying to get into your wireless network no longer has to crack your password at all. Let's explore the topic further.



What Is WiFi Protected Setup (WPS) And Why Is It Exploitable


WPS is a Wi-Fi Alliance standard designed to make connecting wireless devices to a router easier and faster. It applies only to networks protected with a WPA-Personal or WPA2-Personal pre-shared key (the WiFi password), not to enterprise networks that authenticate with 802.1X: what WPS ultimately hands to a device is that password.


But when WPS is enabled and the access point is within range, an attacker can join the network without knowing your password by brute-forcing the WPS PIN with freely available tools. The PIN is also the feature's legitimate use: if you want to let others onto your wireless network without divulging the password, you can give them the 8-digit PIN instead, which is often printed on a sticker on the router itself.


Obviously, that sticker is a security concern of its own if the router is physically accessible, or even just visible, to a potential threat actor, and on most routers the WPS PIN cannot be changed, only disabled. The same sticker usually carries the randomly generated WiFi password the router shipped with; if you are not going to keep the device itself out of sight, changing that password is a matter of prudence and priority.


It is just as crucial to change the separate default password used to log into the router's configuration interface. Once a threat actor is on the wireless network, whether by recovering the WPS PIN or by capturing and cracking the WPA 4-way handshake, logging into the router is often as simple as Googling the manufacturer's default credentials. From there the admin password can be changed, the configuration altered, and the router's logs erased or edited, destroying any obvious trace of the break-in.


"A compromised router can spy on you," Horowitz, a security expert, rightly said at the HOPE X hacker conference in New York. He explained that a router hijacked by an attacker can be used for a man-in-the-middle attack, to alter unencrypted information passing through the network, or to send the victim to "evil twin" websites, which appear legitimate on the surface but are camouflaged and serve malicious purposes.


Other devices commonly found at home and in the workplace have the same WPS function: wireless printers, range extenders, TVs and smart home products, which usually have their own WPS button for quick connections. Pressing the WPS button on the router and on the device within a couple of minutes of each other pairs them without the user typing any credentials: the router sends the device the network password over the WPS exchange, the device stores it, and it can rejoin the same network in the future without further interaction from the user.


You can usually tell whether your router or smart device has this feature by looking for a button, typically on the back, labeled "WPS". That said, some WPS-enabled routers have no physical WPS button at all, and on those the feature is enabled or disabled only from the router's web-based setup page, so the absence of a button does not mean WPS is off: check the wireless settings page.
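A WPS-enabled access point also announces the fact over the air, in a WPS information element inside its beacons and probe responses, and that is what survey tools such as wash look for. The following is an added example written for this article, not code from the original post or from any tool: it parses that information element out of a frame body and reports the WPS state, version, lock flag and advertised configuration methods. The attribute IDs are the ones defined in the WPS specification; the frame bytes at the bottom are a constructed sample, not a real capture, and the helper names are my own.

```python
"""Detecting WPS from the air: parse the WPS information element (IE) that a
WPS-enabled access point advertises in beacons and probe responses.  The
attribute IDs are from the WPS specification; the sample frame body at the
bottom is constructed for this example, not captured from a real router."""
import struct

VENDOR_SPECIFIC_IE = 0xDD
WPS_OUI = b"\x00\x50\xf2"   # Microsoft/Wi-Fi Alliance OUI, also used by WMM
WPS_OUI_TYPE = 0x04         # OUI type 4 = WPS (type 2 would be WMM)

# WPS attribute IDs (16-bit, big-endian) relevant to a quick assessment.
ATTR_VERSION = 0x104A
ATTR_WPS_STATE = 0x1044          # 1 = not configured, 2 = configured
ATTR_AP_SETUP_LOCKED = 0x1057    # 1 = AP currently refuses external-registrar setup
ATTR_CONFIG_METHODS = 0x1008
ATTR_MANUFACTURER = 0x1021

CONFIG_METHOD_BITS = {0x0004: "Label", 0x0008: "Display",
                      0x0080: "PushButton", 0x0100: "Keypad"}


def iter_ies(body: bytes):
    """Yield (element_id, value) for each 802.11 IE in a frame body."""
    off = 0
    while off + 2 <= len(body):
        eid, length = body[off], body[off + 1]
        value = body[off + 2:off + 2 + length]
        if len(value) < length:      # truncated IE: stop rather than misparse
            return
        yield eid, value
        off += 2 + length


def find_wps_ie(body: bytes):
    """Return the WPS attribute blob, or None if the AP does not advertise WPS."""
    for eid, value in iter_ies(body):
        if (eid == VENDOR_SPECIFIC_IE and value[:3] == WPS_OUI
                and len(value) > 3 and value[3] == WPS_OUI_TYPE):
            return value[4:]
    return None


def parse_wps_attrs(data: bytes) -> dict:
    """Parse the WPS TLV list: 2-byte attribute ID, 2-byte length, value."""
    attrs, off = {}, 0
    while off + 4 <= len(data):
        attr_id, length = struct.unpack_from(">HH", data, off)
        value = data[off + 4:off + 4 + length]
        if len(value) < length:
            break
        attrs[attr_id] = value
        off += 4 + length
    return attrs


def summarize_wps(body: bytes) -> dict:
    """Summarize an AP's WPS posture from its beacon/probe-response IEs."""
    raw = find_wps_ie(body)
    if raw is None:
        return {"wps": False}
    attrs = parse_wps_attrs(raw)
    version = attrs.get(ATTR_VERSION, b"\x10")[0]
    state = attrs.get(ATTR_WPS_STATE, b"\x00")[0]
    locked = attrs.get(ATTR_AP_SETUP_LOCKED, b"\x00")[0] == 1
    methods = 0
    if len(attrs.get(ATTR_CONFIG_METHODS, b"")) == 2:
        methods = struct.unpack(">H", attrs[ATTR_CONFIG_METHODS])[0]
    return {
        "wps": True,
        "version": f"{version >> 4}.{version & 0xF}",
        "configured": state == 2,
        "locked": locked,
        "config_methods": [name for bit, name in CONFIG_METHOD_BITS.items()
                           if methods & bit],
        "manufacturer": attrs.get(ATTR_MANUFACTURER, b"").decode("utf-8", "replace"),
    }


def pin_attack_surface(summary: dict) -> bool:
    """True if WPS is advertised and not currently locked.  The lock flag is
    dynamic (set after repeated failures), so an unlocked AP may still
    rate-limit guesses and a locked one may unlock again later."""
    return summary.get("wps", False) and not summary.get("locked", True)


# --- constructed sample frame body (not a real capture) ---------------------
def build_ie(eid: int, value: bytes) -> bytes:
    return bytes([eid, len(value)]) + value


def build_wps_ie(attrs) -> bytes:
    tlvs = b"".join(struct.pack(">HH", aid, len(v)) + v for aid, v in attrs)
    return build_ie(VENDOR_SPECIFIC_IE, WPS_OUI + bytes([WPS_OUI_TYPE]) + tlvs)


SAMPLE_BEACON_IES = (
    build_ie(0x00, b"HomeNet")                                     # SSID
    + build_ie(0x01, b"\x82\x84\x8b\x96")                          # supported rates
    + build_ie(VENDOR_SPECIFIC_IE, WPS_OUI + b"\x02\x00\x01\x00")  # WMM: same OUI, skipped
    + build_wps_ie([(ATTR_VERSION, b"\x10"),
                    (ATTR_WPS_STATE, b"\x02"),
                    (ATTR_AP_SETUP_LOCKED, b"\x00"),
                    (ATTR_CONFIG_METHODS, struct.pack(">H", 0x0084)),  # Label | PushButton
                    (ATTR_MANUFACTURER, b"ExampleCo")])
)

if __name__ == "__main__":
    print(summarize_wps(SAMPLE_BEACON_IES))
```

Feed it the IE portion of a beacon captured with a monitor-mode adapter and it will tell you what an attacker already knows: whether WPS is on, whether the router is currently locked, and which PIN-related methods it advertises. The WMM element in the sample shares the OUI with WPS and is deliberately there to show that the OUI type byte, not the OUI alone, identifies the WPS element.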


Going back to the issue, the weakness the WPS feature introduces has nothing to do with whether anyone pushes the button. It lies in the PIN method, which lets any client within range submit guesses, and in how quickly a threat actor can brute-force that static 8-digit PIN, regardless of how complex a password you use otherwise.


Blindly guessing an 8-digit PIN means 10^8, exactly one hundred million, possibilities, which is infeasible when every guess is a live exchange with the router.


However, according to Horowitz, "This is a huge ... security problem...a plumber comes over to your house, turns the router over, takes a picture of the bottom of it, and he can now get on your network forever."


He elaborated that cracking a full 8-digit PIN isn't really what a threat actor is up against. First of all, only 7 digits carry information; the eighth is a checksum computed from the other seven. Second, the router checks the first four digits as one sequence and the last three as another, so instead of cracking a 7-digit number the threat actor needs to crack one 4-digit number and then one 3-digit one.


That leaves at most 10,000 + 1,000 = 11,000 guesses. Note that this is not an offline cracking job where a high-powered CPU helps: each guess is a live WPS exchange with the router, so the attacker's hardware barely matters, and a laptop, a single-board computer or a phone with a suitable wireless adapter is more than enough.


A graphics processor does not speed this up either; GPUs matter for offline attacks such as cracking a captured WPA handshake, not for online PIN guessing, whose pace is set by how quickly the router answers each attempt and whether it locks WPS after repeated failures. In practice, recovering the PIN with a tool such as Reaver typically takes a few hours, less against routers that respond quickly and never lock, far longer against ones that do, and some routers with weak random-number generation give the PIN up in seconds through an offline variant of the attack known as "Pixie Dust". Because the PIN is tied to the device, it keeps working until the owner changes it or disables WPS. Once the PIN is recovered, the router hands over the WPA passphrase, and the attacker can join your network and perform additional attacks as they please.
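To make the arithmetic above concrete, here is an added example, written for this article and not taken from Reaver or from any router's firmware. It implements the WPS checksum from the specification and models the access point side of the PIN exchange: the AP answers with a NACK after message M4 when the first half of the PIN is wrong and after M6 when the second half is wrong, which is exactly the leak the attack exploits. The brute-forcer recovers the halves one at a time, and the optional lockout shows what happens when a router stops answering after a few failures. The PIN value, the class and function names, and the attempt accounting are my own constructions.

```python
"""Why a WPS PIN is an 11,000-guess problem rather than a 10^8 one.

Illustrative model only (not Reaver, not any router's firmware).  The
checksum routine is the one from the WPS specification; SimulatedAP stands
in for the access point in the external-registrar exchange and reveals, as
the real protocol does, whether a guess failed on the first half (NACK
after M4) or the second half (NACK after M6).  The PIN '43623457' is a
constructed test value."""


def wps_checksum(first7: int) -> int:
    """Checksum digit for the first 7 digits of a WPS PIN (weights 3,1,3,1,3,1,3)."""
    acc = 0
    while first7:
        acc += 3 * (first7 % 10)
        first7 //= 10
        acc += first7 % 10
        first7 //= 10
    return (10 - acc % 10) % 10


def is_valid_pin(pin: str) -> bool:
    return (len(pin) == 8 and pin.isdigit()
            and int(pin[7]) == wps_checksum(int(pin[:7])))


# Search spaces, for comparison.
BLIND_SPACE = 10 ** 8              # any 8 digits
CHECKSUM_SPACE = 10 ** 7           # 8th digit is derived from the first 7
SPLIT_SPACE = 10 ** 4 + 10 ** 3    # halves verified separately: 11,000


class SimulatedAP:
    """Toy access point: verifies the PIN in two halves like the real
    protocol and optionally locks WPS after too many failures."""

    def __init__(self, pin: str, lockout_after=None):
        if not is_valid_pin(pin):
            raise ValueError("PIN fails the WPS checksum")
        self._first, self._second = pin[:4], pin[4:]
        self.lockout_after = lockout_after
        self.failures = 0
        self.attempts = 0          # one per full protocol run
        self.locked = False

    def _fail(self) -> None:
        self.failures += 1
        if self.lockout_after is not None and self.failures >= self.lockout_after:
            self.locked = True

    def attempt(self, pin: str) -> str:
        """Run one exchange and report where it stopped: 'locked',
        'nack_after_m4' (first half wrong), 'nack_after_m6' (second half
        wrong) or 'm7' (PIN correct; the AP would now send credentials)."""
        if self.locked:
            return "locked"
        self.attempts += 1
        if pin[:4] != self._first:
            self._fail()
            return "nack_after_m4"
        if pin[4:] != self._second:
            self._fail()
            return "nack_after_m6"
        return "m7"


def brute_force_pin(ap: SimulatedAP):
    """Recover the PIN half by half; None if the AP locks up first."""
    first = None
    for i in range(10_000):
        # Any checksum-valid placeholder for the second half will do here;
        # we only care whether the AP gets past M4.
        probe = f"{i:04d}000{wps_checksum(i * 1000)}"
        result = ap.attempt(probe)
        if result == "locked":
            return None
        if result == "m7":
            return probe
        if result == "nack_after_m6":
            first = probe[:4]
            break
    if first is None:
        return None
    for j in range(1_000):
        pin = f"{first}{j:03d}"
        pin += str(wps_checksum(int(pin)))
        result = ap.attempt(pin)
        if result == "locked":
            return None
        if result == "m7":
            return pin
    return None


if __name__ == "__main__":
    ap = SimulatedAP("43623457")
    print(brute_force_pin(ap), "after", ap.attempts, "attempts, max", SPLIT_SPACE)
    ap = SimulatedAP("43623457", lockout_after=10)
    print(brute_force_pin(ap), "(AP locked after", ap.failures, "failures)")
```

The first run recovers the constructed PIN in 4,709 exchanges (4,363 to find the first half, 346 for the second), never more than 11,000; the second run shows that a router which locks WPS after ten failures defeats the naive loop. Real tools simply wait out the lockout and resume, which is why disabling WPS, rather than relying on lockout, is the fix.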


Do you really need WPS? Convenience says "yes". Security says "no". What do you say?


An article by

Jesse McGraw

