Wi-Fi Protected Setup (WPS) PIN Brute Force Vulnerability
igb at batten.eu.org
Fri Dec 30 20:11:42 GMT 2011
On 30 Dec 2011, at 1158, Chris Salter wrote:
> Wi-Fi Protected Setup (WPS) PIN Brute Force Vulnerability.
> Internet Storm Center (ISC) Diary.
From a note I wrote to the departmental list yesterday:
> The tl;dr summary: WPS uses an eight-digit PIN, but divides the PIN in half and exchanges distinct messages, with distinct error codes, for each half. The eighth digit is also a checksum rather than random. Therefore, rather than needing 10^8 attempts, you need worst-case 10^4 attempts to brute-force the first half, then 10^3 to brute-force the second half. Each attempt takes of the order of a second, depending on the size of the shared key negotiated using Diffie-Hellman, limited mostly by the processing power available in the access point (i.e., as processors become faster, the attack becomes faster). Therefore, the whole system is brute-forceable in a few hours.
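
The arithmetic in the note above, as an added example that is not part of the original post: a Python model (in-memory only, no WPS protocol or network code) of a verifier that reports which half of the PIN failed, with a count of the guesses needed against it. The class, function and result-string names are hypothetical, and the one-second-per-attempt figure is the note's own estimate.

```python
# Added illustration: models the split-half verification described in the note.

def wps_checksum(first7: int) -> int:
    """Check digit (eighth digit) derived from the first seven PIN digits."""
    accum, n = 0, first7
    while n:
        accum += 3 * (n % 10)
        n //= 10
        accum += n % 10
        n //= 10
    return (10 - accum % 10) % 10

class ModelVerifier:
    """Hypothetical verifier that answers separately for each PIN half."""
    def __init__(self, pin: str):
        self.pin, self.attempts = pin, 0

    def check(self, guess: str) -> str:
        self.attempts += 1
        if guess[:4] != self.pin[:4]:
            return "first_half_wrong"
        if guess[4:] != self.pin[4:]:
            return "second_half_wrong"
        return "ok"

def attempts_with_split_errors(pin: str) -> int:
    """Guesses needed when the two halves can be confirmed independently."""
    v = ModelVerifier(pin)
    # Phase 1: at most 10^4 guesses, because the first half is confirmed alone.
    first = next(f"{h:04d}" for h in range(10**4)
                 if v.check(f"{h:04d}0000") != "first_half_wrong")
    # Phase 2: at most 10^3 guesses, because the eighth digit is computed.
    for s in range(10**3):
        first7 = int(first + f"{s:03d}")
        if v.check(f"{first7:07d}{wps_checksum(first7)}") == "ok":
            break
    return v.attempts

def hours(attempts: int, seconds_per_attempt: float = 1.0) -> float:
    return attempts * seconds_per_attempt / 3600

WORST_CASE_PIN = "99999995"   # constructed: both halves are last in the search order
UNSPLIT_SPACE = 10**8         # the note's figure for an eight-digit PIN checked whole

if __name__ == "__main__":
    n = attempts_with_split_errors(WORST_CASE_PIN)
    print(f"split-half worst case: {n} guesses, {hours(n):.1f} h")
    print(f"whole-PIN worst case:  {UNSPLIT_SPACE} guesses, "
          f"{hours(UNSPLIT_SPACE) / 24:.0f} days")
```

A verifier that returned one undifferentiated failure for the whole PIN would keep the search in the days-to-years range at the same rate; the per-half error codes are what collapse it to hours.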