January 3, 2012 No Comments-
If you’ve bought a new wireless router in the last three years, watch out. A security flaw inside a feature created to make wifi safer may actually put you at risk.
The problem occurs in the WPS (Wi-Fi Protected Setup) function. It’s a standard feature on almost all modern routers, developed to make it super-easy to connect to your wireless network via a simple PIN code.
WPS itself should be a huge benefit to us consumers. It allows us to connect to a router as easily as entering an eight-digit PIN – rather than a more complicated WPA2-string of characters. It has also become the perfect way for networked printers and other peripherals without keyboard to connect to your home network.
But in December, security researcher Stefan Viehbock (Twitter link) found a problem with the way WPS works. Using some simple software, WPS can easily allow hackers to access your home network – and therefore your files and internet connection.
In short, he discovered that eight-digit WPS PINs are actually being treated as two sets of numbers: a four-digit and a three-digit number, with the extra digit being mostly redundant. This makes it much, much less secure.
If WPS PINs were treated as true eight-digit PINs, the number of password possibilities would be around 100 million. Due to the way WPS uses the PIN, however, the number of possibilities is around 11,000 – a number ripe for brute-force hacking.
To highlight the problem, Stefan created a program (available to download from his website) that detects the WPS PIN by trying all 11,000 variables. Anyone with the software can do the same thing to your WPS-enabled router.
The threat is so inherent in the technology that the US Computer Emergency Readiness Team (CERT) issued an advisory which suggested disabling WPS as a workaround for the problem.
If you’re worried, check out your router’s settings to turn off the feature. Be aware that some companies have their own name for the technology, such as QSS (Quick Security Service) on TP-Link hardware.
What do you think? Will you be abandoning the easy-to-use WPS in the name on increased security?
Made up of various contributors' opinions and insights - the power of the collective.
Norman Safeground Blogs Archive