In December 2011, a new attack against wireless access point devices was discovered which exploits a weakness in the specification of the Wi-Fi Protected Setup (WPS) feature implemented by many access point vendors, such as Cisco, D-Link, Netgear, and so on. Stefan Viehböck, who found the vulnerability, wrote a detailed paper about the threat. You can access his paper by visiting . His paper describes how the WPS implementation of a wireless access point can be brute-forced in order to gain access to sensitive configuration data such as a WPA2 key. A successful attack can be conducted within 4 to 10 hours, depending on the wireless device. There is already a bunch of tools available to make such attacks easier. One of these tools is “Reaver” by Craig Heffner.
How To Check If You Are Vulnerable To The Attack
Look at the bottom side of your wireless access point. If you see something like “WPS PIN: <some 8-digit number here>”, you are probably vulnerable, since your access point implements that feature (see example image below). As a second step, log in to your access point’s management tool and verify whether the WPS feature is enabled. If it is enabled, you’re vulnerable.
How To Check If Your Neighbours Are Vulnerable
I did some tests in order to find out if my nice neighbours are vulnerable to the attack too. The result was that about 80% of the access points around me were vulnerable. Of course, this is not very representative, but things could clearly be better.
So, as a first step, you’ll need to put your PC’s wireless network adapter into monitor mode (aka promiscuous mode). On my Linux box, I issue this command in order to get an additional virtual monitoring interface called “mon0”:
sudo airmon-ng start wlan0
Now, start Wireshark and listen on this newly created interface. Set the filter to this:
This ensures that only Ethernet frames containing an 802.11 wireless LAN management frame are captured. Let this capture process do its work for some time. Then have a look at the captured 802.11 wireless LAN management frames. You need to investigate the “Tagged parameters” section for a tag called “Vendor Specific: Microsoft: WPS” (see below).
Expand the tag and check the “Wifi Protected Setup State” value. If it is 0x02, WPS is configured on the wireless access point and therefore this device is vulnerable to the attack (see image below).
Another way would be to set the following filter in Wireshark directly:
wps.wifi_protected_setup_state == 2
This displays only the wireless LAN management frames of devices that have WPS configured.
I did some tests and it seems that this is the attribute to look for. If someone finds a better way to identify the vulnerability, I would be keen to know about it.
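As an added example (not from the original post), here is a small Python parser that applies the same check offline to the tagged parameters of a captured management frame: it finds the Vendor Specific IE carrying the Microsoft OUI 00:50:F2 with OUI type 4 (WPS), reads the Wi-Fi Protected Setup State attribute (type 0x1044) and reports whether it equals 2. The sample IE bytes are constructed, the OUI type and attribute codes are those of the WPS specification, and the function names are my own.

```python
import struct

WPS_OUI_TYPE = b"\x00\x50\xf2\x04"  # Microsoft OUI 00:50:F2 + OUI type 4 = WPS
ATTR_WPS_STATE = 0x1044             # "Wi-Fi Protected Setup State": 1 = Not Configured, 2 = Configured

def parse_ies(ies: bytes):
    """Yield (tag_id, value) for each 802.11 information element (1-byte ID, 1-byte length, value)."""
    off = 0
    while off + 2 <= len(ies):
        tag_id, length = ies[off], ies[off + 1]
        value = ies[off + 2:off + 2 + length]
        if len(value) < length:  # truncated tail: stop rather than mis-parse
            break
        yield tag_id, value
        off += 2 + length

def parse_wps_attrs(data: bytes) -> dict:
    """Parse WPS attributes: big-endian 16-bit type, 16-bit length, value."""
    attrs, off = {}, 0
    while off + 4 <= len(data):
        atype, alen = struct.unpack_from(">HH", data, off)
        value = data[off + 4:off + 4 + alen]
        if len(value) < alen:  # attribute claims more bytes than present
            break
        attrs[atype] = value
        off += 4 + alen
    return attrs

def wps_state(ies: bytes):
    """Return the advertised WPS state byte, or None when the frame carries no WPS IE."""
    for tag_id, value in parse_ies(ies):
        # Tag 0xDD is Vendor Specific; only the 00:50:F2 / type 4 payload is WPS
        if tag_id == 0xDD and value.startswith(WPS_OUI_TYPE):
            state = parse_wps_attrs(value[4:]).get(ATTR_WPS_STATE)
            return state[0] if state else None

def advertises_configured_wps(ies: bytes) -> bool:  # the Wireshark filter's condition
    return wps_state(ies) == 2

def _ie(tag_id: int, value: bytes) -> bytes:  # builds one IE for the constructed samples below
    return bytes([tag_id, len(value)]) + value

# Constructed sample tagged parameters (not a real capture): SSID, rates, a WMM vendor IE with the
# same OUI but type 2, then a WPS IE carrying Version 0x10 and State 0x02.
SAMPLE_WPS_CONFIGURED = (
    _ie(0x00, b"ExampleAP") + _ie(0x01, b"\x82\x84\x8b\x96")
    + _ie(0xDD, b"\x00\x50\xf2\x02\x01\x01\x00")
    + _ie(0xDD, WPS_OUI_TYPE + struct.pack(">HHBHHB", 0x104A, 1, 0x10, ATTR_WPS_STATE, 1, 0x02))
)
SAMPLE_NO_WPS = _ie(0x00, b"ExampleAP") + _ie(0x01, b"\x82\x84\x8b\x96")
```

Feeding it the tagged-parameter bytes of each beacon from a capture gives the same list of WPS-configured access points the filter shows, which is handy for scripting an inventory of your own network.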
How To Protect Against This Attack
Disable WPS. Some devices do not allow disabling WPS, which is bad. If you’re really paranoid, I suggest buying another wireless access point device.