The WPS protocol relies on an eight-digit Personal Identification Number (PIN) to authenticate devices joining the network. The protocol further relies on an exchange of eight Extensible Authentication Protocol (EAP) messages (M1 to M8), followed by a final message that signals the successful completion of the session. WPS automatically configures the network name (SSID) and the WPA security key on both the access point and the WPS-enabled client, so the user does not need to know the SSID or the passphrase (security key).
Routers with WPS enabled will have an eight-digit PIN code, typically printed on their case, with portable mobile Wi-Fi devices such as 3G or ...
If the device is an external registrar, the user will be required to enter the PIN from the access point onto the client device. On most SOHO routers a label carrying the PIN is applied to the device at the point of manufacture. With many mobile 3G or 4G Wi-Fi devices, the PIN tends to be the last 8 digits of the International Mobile Station Equipment Identity number (IMEI) (Alcatel 2013; Vodafone 2013; Huawei 2012). In the case of an internal registrar wishing to connect to the network, some devices generate a dynamic PIN that is then displayed on the device screen or, in the case of some printers, printed out automatically once the setup request has been triggered (Brother Printers USA 2012).
USB Drive: The network settings can be written to a USB flash drive and then carried to the new device. This provides the added assurance that only the devices that should have access to the network receive the settings. The method is known as an "out-of-band" method, since the settings are not exchanged over the Wi-Fi channel. It has also been deprecated and is no longer part of the Wi-Fi Alliance approved certification process (Sora 2013).
Near Field Communication (NFC): This works on proximity: the target device is brought within NFC range of the network access point (AP) and the WPS PIN is exchanged between them. Like the USB method, this is out of band. While NFC can help prevent the unintentional addition of unwanted devices to the network, in practice it can be problematic. For example, many APs are placed in hidden or hard-to-reach locations such as ceilings, and getting close enough may not be feasible. Additionally, heavier items such as printers or TVs may not be mobile enough to be brought to an already fixed AP.
The next section discusses how and why WPS is vulnerable and to what extent.
3. The nature and extent of WPS Vulnerabilities
The simple fact that WPS relies on an eight-digit numeric PIN for authentication makes it vulnerable to a brute force attack. Since each digit lies between 0 and 9 inclusive, there are 10^8 possibilities (one hundred million). Viehböck's work determined two things which dramatically reduce the complexity of a brute force attack.
First, the last digit is in fact a checksum of the first seven, meaning that the number of unique possibilities is only 10^7 (ten million).
Second, during the authentication process the access point reveals to the party entering the PIN whether the first half (four digits) or the second half (three digits plus the checksum) is correct: it answers message M4 with an EAP-NACK if the first half is wrong, and M6 with an EAP-NACK if the second half is wrong, so the two halves can be attacked independently. This reduces the brute force effort further, from ten million candidates to 10^4 (ten thousand) for the first half plus 10^3 (one thousand) for the second half, at most 11,000 attempts in total.
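The following Python is an added illustration of the two observations above; it is not code from the original paper or from Viehböck's tool. It implements the WPS PIN checksum (the weighted sum with weights 3,1,3,1,3,1,3 from the WPS specification), a constructed mock access point that derives PSK1 and PSK2 from the two PIN halves the way the specification does (first 128 bits of HMAC-SHA-256 under a session key) and, like a vulnerable AP, answers M4 and M6 separately, and a split-half search that counts how many attempts it needs. The class and function names are the example's own; the session key and the sample PINs are constructed.

```python
"""WPS PIN checksum and split-half brute force (constructed example)."""
import hashlib
import hmac
import os


def wps_checksum_digit(first_seven: str) -> str:
    """Return the eighth (checksum) digit for the first seven PIN digits.

    Weights 3,1,3,1,3,1,3 are the WPS specification's PIN checksum weights;
    the checksum digit makes the weighted sum of all eight digits a multiple of 10.
    """
    if len(first_seven) != 7 or not first_seven.isdigit():
        raise ValueError("need exactly seven decimal digits")
    acc = sum((3 if i % 2 == 0 else 1) * int(d) for i, d in enumerate(first_seven))
    return str((10 - acc % 10) % 10)


def wps_pin_valid(pin: str) -> bool:
    """True when the 8-digit PIN ends with the correct checksum digit."""
    return len(pin) == 8 and pin.isdigit() and wps_checksum_digit(pin[:7]) == pin[7]


class MockAccessPoint:
    """Stand-in for a WPS AP that leaks half-PIN correctness (constructed, not a real AP).

    PSK1/PSK2 are derived from the two PIN halves as in the specification;
    m4_response/m6_response model the EAP-NACK sent after M4 and M6.
    """

    def __init__(self, pin: str):
        if not wps_pin_valid(pin):
            raise ValueError("PIN fails the WPS checksum")
        self._auth_key = os.urandom(32)  # per-session AuthKey; constructed
        self._psk1 = self._psk(pin[:4])
        self._psk2 = self._psk(pin[4:])
        self.attempts = 0  # every answered M4/M6 counts as one attempt

    def _psk(self, half: str) -> bytes:
        return hmac.new(self._auth_key, half.encode(), hashlib.sha256).digest()[:16]

    def m4_response(self, first_half: str) -> str:
        """NACK after M4 if the first four digits are wrong."""
        self.attempts += 1
        return "ACK" if hmac.compare_digest(self._psk(first_half), self._psk1) else "NACK"

    def m6_response(self, second_half: str) -> str:
        """NACK after M6 if the last four digits (three + checksum) are wrong."""
        self.attempts += 1
        return "ACK" if hmac.compare_digest(self._psk(second_half), self._psk2) else "NACK"


def brute_force_pin(ap: MockAccessPoint) -> tuple[str, int]:
    """Recover the PIN half by half; worst case 10**4 + 10**3 = 11,000 attempts."""
    first = next(
        (f"{i:04d}" for i in range(10_000) if ap.m4_response(f"{i:04d}") == "ACK"),
        None,
    )
    if first is None:
        raise RuntimeError("no first half accepted")
    for j in range(1_000):
        three = f"{j:03d}"
        # Only 1,000 candidates: the eighth digit is fixed by the checksum.
        candidate = three + wps_checksum_digit(first + three)
        if ap.m6_response(candidate) == "ACK":
            return first + candidate, ap.attempts
    raise RuntimeError("no second half accepted")


if __name__ == "__main__":
    pin, tries = brute_force_pin(MockAccessPoint("12345670"))
    print(f"recovered {pin} in {tries} attempts (worst case 11000, naive 10**8)")
```

Attempts are counted on the AP side, so the figure reflects what a defender could observe: an attacker working through the whole space is limited to 11,000 M4/M6 failures, not one hundred million, which is why rate limiting or lock-out after a handful of failed PIN attempts is the meaningful mitigation.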
Viehböck’s research revealed that the typical authentication takes between one and three seconds. The author has...