Wi-Fi Protected Setup (WPS) PIN Brute Force Vulnerability

Ian Batten igb at batten.eu.org
Fri Dec 30 20:11:42 GMT 2011

On 30 Dec 2011, at 1158, Chris Salter wrote:

> Wi-Fi Protected Setup (WPS) PIN Brute Force Vulnerability.
> Internet Storm Center (ISC) Diary.

From a note I wrote to the departmental list yesterday:

> The tl;dr summary: WPS uses an eight digit pin, but divides the pin in half and exchanges distinct messages, with distinct error codes, for each half. The eighth digit is also a checksum rather than random.  Therefore, rather than needing 10^8 attempts, you need worst-case 10^4 attempts to brute-force the first half, then 10^3 to brute force the second half.  Each attempt takes of the order of a second, depending on the size of the shared key negotiated using Diffie-Hellman, limited mostly by the processing power available in the access point (ie, as processors become faster, the attack becomes faster).  Therefore, the whole system is brute-forceable in a few hours.


More information about the ukcrypto mailing list