Okay, maybe not kill you exactly. But I had to get your attention somehow. Sorry. Please don’t stop reading. I promise¹ I won’t do it again.
Here’s the thing: Your router may not be as secure as you think it is, which could mean nothing… or it could mean that people steal your Internet access, documents, and identity.
Yeah. I know.
In the tight-knit community of white-, black-, and grayhat hackers, security professionals, cryptographic experts, and intelligence officials, a cryptographic “break” means something somewhat different than the colloquial use of the term. See, a security thingy (might be a standard, might be an algorithm, might be a combination lock) is either secure or it isn’t. Anything that degrades the security of the thingy such that it becomes more vulnerable than it would be otherwise is considered a “break,” and the thing itself is now considered “broken” — the assumption being, it’s only a matter of time before it affords no real security at all as the break is advanced upon and improved.
In the world of WiFi, we’ve got open networks and closed networks, the latter of which can be further subdivided into, broadly, ones secured with WEP, WPA, and WPA2 (ignoring the more technical subdivisions of those, too). The reason you care about your WiFi network’s security is that if you’re going to check your work email at the airport or look at, uh, secret engagement rings in private browsing mode at home, you don’t want some weirdo with a laptop and bad facial hair laughing maniacally while he rips off your information.
If you were looking for places to safely store a hundred dollar bill, an open network would be like the sidewalk outside a bank, WEP would be like the floor just inside the bank’s public foyer, WPA would be like the outside of the teller’s counter, and WPA2² would be like the bank vault.
Or so we thought.
You see, there’s a niggling detail: Generally speaking, “good security” and “easy to use” are concepts at odds. Sure, it’s possible to make something safe and easy to use, but it’s usually hard… really hard. That’s why bank vault doors are so damn heavy and good passwords are long and hard to remember. Because people — with good intentions, mind you! — wanted to make it easy for home users to set up secure WiFi networks, a little protocol called WPS, or WiFi Protected Setup, was developed. With WPS, all you have to do is push a button or type in a short PIN, and your network kinda “sets itself up.” It’s brainless, you never need to know a password, and it’s secure.
Oh yeah, I’ve got a bridge in Brooklyn for you. Honest. Cash only. Prepay. Come alone. Unmarked, non-sequential, small-denomination bills.
It turns out that WPS is a gaping hole in the security of an otherwise good, WPA2-secured network. See, if the only entry point to your house is a door, WPA2 is like the lock (and it’s a really good one), but WPS is like putting that lock on a glass door. It just kinda makes the lock irrelevant. Just like the only fix for your security conundrum is to pick a less translucent entryway, the only fix for WPS is never using it and disabling it from being used in the future.
The takeaway is this: WPS bad, evil; make panda sad. Disable it or you’re at risk. EOF.
Technical note for the curious on how this all works: The PIN for WPS is 8 digits, the last of which is a checksum, leaving 10^7 (10,000,000) combinations. Turns out when the wireless router is communicating during the PIN process, it tells the client about the validity of the first and second half of the PIN separately. The first half of the PIN has 4 digits (10^4 = 10,000 combinations), and the second half has 3 active digits (10^3 = 1,000 combinations), which means the keyspace is reduced to 10,000 + 1,000 = 11,000 combinations. PLUS, not times. Because it’s not really an 8-digit PIN, but more like two separate 4- and 3-digit ones. That’s a security reduction of 99.89%! Ouch. Brute forcing the PIN for entry can therefore be done in just an hour or two. Sure, access points could be modified to slow down or lock out too many bad attempts, but right now they’re sitting ducks. And the tools to do it are live and in the wild right now:
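To put numbers on the technical note above, here is an added example (not code from the original post) that computes the WPS PIN checksum digit per the WPS specification’s weighted-sum rule, compares the split and unsplit keyspaces, and estimates the worst-case exhaustion time under an assumed per-attempt delay and a hypothetical access-point lockout policy:

```python
# Added example, not code from the original post: it quantifies the WPS PIN
# keyspace reduction described in the technical note and shows how an
# attempt-lockout policy on the access point changes the worst case.
# The per-attempt time and lockout figures are assumed, not measured.

PIN_WEIGHTS = (3, 1, 3, 1, 3, 1, 3)  # WPS spec weights for the 7 free digits

def wps_checksum_digit(first_seven: str) -> int:
    """8th (checksum) digit for 7 PIN digits, per the WPS spec rule that the
    weighted digit sum must be 0 mod 10. Being derived, it adds no entropy."""
    if len(first_seven) != 7 or not first_seven.isdigit():
        raise ValueError("expected exactly 7 decimal digits")
    total = sum(w * int(d) for w, d in zip(PIN_WEIGHTS, first_seven))
    return (10 - total % 10) % 10

def is_valid_wps_pin(pin: str) -> bool:
    """The checksum validation an AP or registrar applies to an 8-digit PIN."""
    return len(pin) == 8 and pin.isdigit() and int(pin[7]) == wps_checksum_digit(pin[:7])

def keyspace_unsplit() -> int:
    """Candidates if the AP only reported valid/invalid for the whole PIN."""
    return 10 ** 7

def keyspace_split() -> int:
    """Candidates when the AP confirms the 4-digit and 3-digit halves separately."""
    return 10 ** 4 + 10 ** 3

def reduction_percent() -> float:
    return 100.0 * (1 - keyspace_split() / keyspace_unsplit())

def worst_case_hours(seconds_per_attempt: float, attempts_before_lockout: int = 0,
                     lockout_seconds: float = 0.0) -> float:
    """Worst-case time to exhaust the split keyspace; attempts_before_lockout == 0
    models an AP with no lockout at all, which the note says is the norm today."""
    attempts = keyspace_split()
    total = attempts * seconds_per_attempt
    if attempts_before_lockout > 0:
        total += ((attempts - 1) // attempts_before_lockout) * lockout_seconds
    return total / 3600.0

if __name__ == "__main__":
    print(f"{keyspace_split()} of {keyspace_unsplit()} candidates "
          f"({reduction_percent():.2f}% reduction)")
    print(f"no lockout, 0.5 s/attempt: {worst_case_hours(0.5):.1f} h")
    print(f"60 s lockout after 3 failures: {worst_case_hours(0.5, 3, 60):.1f} h")
```

The lockout numbers are illustrative only; the point is that even a modest lockout turns a couple of hours into days, which is why the note calls unmodified access points sitting ducks.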
1: No I don’t.
2: In non-compatibility mode, i.e., CCMP, not TKIP. Hey, acronyms are fun!