A major vulnerability was found in WPS and in routers that implement it. It allows an attacker to break WPS and ultimately recover the WPA/WPA2 passphrase of the router. One important detail: even if WPS is disabled in the router's settings, the protection can still be circumvented on some devices.
This brute force attack is available via a code.google.com open source project called Reaver. The project is only supported on Linux but is fairly straightforward to compile. Just give it the interface to connect on and the BSSID of the target wireless network. I found I could get the BSSID via kismet easily enough.
Some of the devices the researchers tested had a blocking mechanism to prevent brute force attacks. Below is the table from the PDF listing vendors, devices and whether they lock down.
Vendor | Device Name | HW-Version | FW-Version | Lock down | WPS-certified
---|---|---|---|---|---
D-Link | DIR-655 | A4 (Web Interface) A5 (Label) | 1.35 | No | Yes
Linksys | WRT320 | 1.0 | 1.0.04 | ?⁶ | Yes
Netgear | WGR614v10 | ? | 1.0.2.26 | Yes | Yes
TP-Link | TL-WR1043ND | 1.8 | V1_110429 | No | No
Firmware versions are up-to-date as of 18.10.2011.
Introducing sufficiently long lock-down periods would make an attack impractical; of course this requires a new firmware release. The table below shows how the lock-down parameters translate into worst-case attack time.
Attempts before lock down | Lock down time | Attempts per minute | Maximum attack time (hours) | Maximum attack time (days) | Comment
---|---|---|---|---|---
11000 | 0 minutes | 46.15 | 3.97 | 0.17 | no lock down
?⁷ | ?⁷ | 4.20 | 43.65 | 1.82 | Netgear WGR614v10
3 | 1 minute | 2.82 | 65.08 | 2.71 | Requirement for WSC 2.0 certification?⁸
15 | 60 minutes | 0.25 | 737.31 | 30.72 | Lock down configurations making brute force less practical
10 | 60 minutes | 0.17 | 1103.97 | 46.00 |
5 | 60 minutes | 0.08 | 2203.97 | 91.83 |
Assumed time per attempt: 1.3 seconds
⁶ – WPS functionality always stopped working somewhere between 2 and 150 failed authentication attempts. The functionality did not even return after several hours. I would consider this a bug in the firmware which causes a DoS rather than lock-down functionality.
⁷ – No consistent lock down pattern was found. However, on average about 4.20 authentication attempts per minute were possible.
⁸ – http://www.wi-fi.org/files/20110421_China_Symposia_full_merge.pdf
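To see where the figures in the lock-down table come from, here is an added example (my own code, not from the paper or from Reaver) that models a registrar lock-down policy as "N failed attempts, then L minutes locked" and reproduces the attempts-per-minute and maximum-attack-time columns from the table's stated assumptions (11000 attempts worst case, 1.3 seconds per attempt). It also goes one step beyond the table and solves for the lock-down length needed to push the worst case past a chosen number of days.

```python
"""Model WPS registrar lock-down policies against the PIN brute-force worst case.

Reproduces the attack-time table above and inverts it, so a firmware author can
pick a lock-down length for a target worst-case duration.
"""
from dataclasses import dataclass

TOTAL_ATTEMPTS = 11000        # worst-case attempt count, taken from the table
SECONDS_PER_ATTEMPT = 1.3     # assumed time per attempt, taken from the table


@dataclass(frozen=True)
class LockdownPolicy:
    attempts: int        # failed attempts tolerated before the lock down triggers (0 = none)
    lockdown_min: float  # lock-down length in minutes


def attempts_per_minute(p: LockdownPolicy) -> float:
    """Sustained attempt rate: each cycle is `attempts` tries followed by one lock down."""
    if p.attempts <= 0 or p.lockdown_min <= 0:
        return 60.0 / SECONDS_PER_ATTEMPT        # no lock down: 46.15 per minute
    cycle_minutes = p.attempts * SECONDS_PER_ATTEMPT / 60.0 + p.lockdown_min
    return p.attempts / cycle_minutes


def max_attack_hours(p: LockdownPolicy) -> float:
    return TOTAL_ATTEMPTS / attempts_per_minute(p) / 60.0


def max_attack_days(p: LockdownPolicy) -> float:
    return max_attack_hours(p) / 24.0


def minimum_lockdown_minutes(attempts: int, target_days: float) -> float:
    """Lock-down length (minutes) that pushes the worst case to `target_days`
    when `attempts` failures are tolerated per cycle (inverse of the formula above)."""
    cycle_minutes = target_days * 24.0 * 60.0 * attempts / TOTAL_ATTEMPTS
    return cycle_minutes - attempts * SECONDS_PER_ATTEMPT / 60.0


if __name__ == "__main__":
    rows = [LockdownPolicy(0, 0), LockdownPolicy(3, 1), LockdownPolicy(15, 60),
            LockdownPolicy(10, 60), LockdownPolicy(5, 60)]
    print("attempts  lockdown  per-min    hours    days")
    for p in rows:
        print(f"{p.attempts:>8}  {p.lockdown_min:>8.0f}  {attempts_per_minute(p):7.2f}"
              f"  {max_attack_hours(p):7.2f}  {max_attack_days(p):6.2f}")
    need = minimum_lockdown_minutes(3, 30)
    print(f"3 attempts per cycle need a {need:.1f} min lock down for a 30-day worst case")
```

Running it prints the five policy rows of the table, which shows that tolerating only 3 attempts per cycle is far less important than the lock-down length that follows them.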