===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2012.0029
        Wi-Fi Protected Setup (WPS) Vulnerable to Brute-Force Attack
                               9 January 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Wi-Fi Protected Setup (WPS)
Publisher:         US-CERT
Operating System:  Network Appliance
Impact/Access:     Reduced Security -- Remote/Unauthenticated
Resolution:        Patch/Upgrade

Original Bulletin:
   http://www.us-cert.gov/cas/techalerts/TA12-006A.html

--------------------------BEGIN INCLUDED TEXT--------------------

National Cyber Alert System

Technical Cyber Security Alert TA12-006A

Wi-Fi Protected Setup (WPS) Vulnerable to Brute-Force Attack

   Original release date: January 06, 2012
   Last revised: --
   Source: US-CERT

Systems Affected

   Most Wi-Fi access points that support Wi-Fi Protected Setup (WPS)
   are affected.

Overview

   Wi-Fi Protected Setup (WPS) provides simplified mechanisms to
   configure secure wireless networks. The external registrar PIN
   exchange mechanism is susceptible to brute force attacks that could
   allow an attacker to gain access to an encrypted Wi-Fi network.

I. Description

   WPS uses a PIN as a shared secret to authenticate an access point
   and a client and provide connection information such as WEP and WPA
   passwords and keys. In the external registrar exchange method, a
   client needs to provide the correct PIN to the access point.

   An attacking client can try to guess the correct PIN. A design
   vulnerability reduces the effective PIN space sufficiently to allow
   practical brute force attacks. Freely available attack tools can
   recover a WPS PIN in 4-10 hours.

   For further details, please see Vulnerability Note VU#723755 and
   further documentation by Stefan Viehbock and Tactical Network
   Solutions.

II. Impact

   An attacker within radio range can brute-force the WPS PIN for a
   vulnerable access point. The attacker can then obtain WEP or WPA
   passwords and likely gain access to the Wi-Fi network. Once on the
   network, the attacker can monitor traffic and mount further attacks.

III. Solution

   Update Firmware

   Check your access point vendor's support website for updated
   firmware that addresses this vulnerability. Further information may
   be available in the Vendor Information section of VU#723755 and in
   a Google spreadsheet called WPS Vulnerability Testing.

   Disable WPS

   Depending on the access point, it may be possible to disable WPS.
   Note that some access points may not actually disable WPS when the
   web management interface indicates that WPS is disabled.

IV. References

 * Vulnerability Note VU#723755 -
   <http://www.kb.cert.org/vuls/id/723755>

 * Wi-Fi Protected Setup PIN brute force vulnerability -
   <http://sviehb.wordpress.com/2011/12/27/wi-fi-protected-setup-pin-brute-force-vulnerability/>

 * Cracking WiFi Protected Setup with Reaver -
   <http://www.tacnetsol.com/news/2011/12/28/cracking-wifi-protected-setup-with-reaver.html>

 * WPS Vulnerability Testing -
   <https://docs.google.com/spreadsheet/lv?key=0Ags-JmeLMFP2dFp2dkhJZGIxTTFkdFpEUDNSSHZEN3c>

 ____________________________________________________________________

   The most recent version of this document can be found at:

     <http://www.us-cert.gov/cas/techalerts/TA12-006A.html>
 ____________________________________________________________________

   Feedback can be directed to US-CERT Technical Staff. Please send
   email to <cert@cert.org> with "TA12-006A Feedback VU#723755" in
   the subject.
 ____________________________________________________________________

   For instructions on subscribing to or unsubscribing from this
   mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
 ____________________________________________________________________

   Produced 2012 by US-CERT, a government organization.

   Terms of use:

     <http://www.us-cert.gov/legal.html>
 ____________________________________________________________________

Revision History

   January 06, 2012: Initial release

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
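
The Solution section's caveat, that some access points keep WPS active even when the management interface shows it disabled, can be checked from the air after the change. The following is an added example, not part of the US-CERT or AusCERT text: it assumes scan output in the layout printed by `iw dev <iface> scan`, and the names `audit_wps` and `SAMPLE_SCAN`, the BSSIDs and the SSIDs are constructed for illustration.

```python
import re

# Constructed sample in the layout printed by `iw dev <iface> scan`;
# the BSSIDs and SSIDs are made up for this example.
SAMPLE_SCAN = """\
BSS 02:00:00:aa:bb:01(on wlan0)
\tfreq: 2412
\tSSID: office-ap
\tWPS:\t * Version: 1.0
\t\t * Wi-Fi Protected Setup State: 2 (Configured)
\t\t * Config methods: Label, Display
BSS 02:00:00:aa:bb:02(on wlan0)
\tfreq: 2437
\tSSID: lab-ap
\tWPS:\t * Version: 1.0
\t\t * Wi-Fi Protected Setup State: 2 (Configured)
\t\t * AP setup locked: 0x01
BSS 02:00:00:aa:bb:03(on wlan0)
\tfreq: 2462
\tSSID: guest-ap
\tRSN:\t * Version: 1
"""

def audit_wps(scan_text, expected_disabled):
    """List APs that were set to 'WPS disabled' but still advertise WPS."""
    aps, cur = [], None
    for line in scan_text.splitlines():
        m = re.match(r"BSS ([0-9a-f:]{17})", line, re.I)
        if m:  # a new access point record starts here
            cur = {"bssid": m.group(1).lower(), "ssid": "",
                   "wps": False, "locked": False}
            aps.append(cur)
        elif cur is None:
            continue
        elif line.strip().startswith("SSID:"):
            cur["ssid"] = line.split("SSID:", 1)[1].strip()
        elif line.strip().startswith("WPS:"):
            cur["wps"] = True  # WPS information element present in the beacon
        elif "AP setup locked:" in line:
            cur["locked"] = line.rsplit(":", 1)[1].strip().lower() in ("0x01", "1")
    findings = []
    for ap in aps:
        if ap["bssid"] in expected_disabled and ap["wps"]:
            status = ("advertised but setup locked" if ap["locked"]
                      else "advertised and unlocked")
            findings.append((ap["bssid"], ap["ssid"], status))
    return findings
```

Any finding means the access point is still advertising WPS despite the setting, so it should be treated as not disabled and followed up with a firmware update or the vendor.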