Secure Wi-Fi? Not so Much --Gaping Hole Found in WPS Pin System

I found the following article online today at DailyTech.com. It relates to a security flaw found in the handy WPS buttons on wireless routers. If when you setup your router you used the "one-touch" button on the front of the router to set up your wireless network, then this article is definitely for you. If you own a router and aren't sure how you set up your WiFi at home, then I'd recommend you also read this article from DailyTech.com. If you are a TechHead PC client and I set up your wireless at home, you are NOT impacted by this article. I do not use the WPS method when I setup the article because, honestly, I never trusted it. Rest assured, if I set up your WiFI for you then I used a manual method of assigning the SSID (network name), choosing the encryption type, and choosing my unique complex password for both the router and the WiFi. If after reading this article you have concerns about how your network is set up, please Contact Us.

The article reads:

"The Department of Homeland Security suggests the only solution is to disable WPS.

NETGEAR, Inc. (NTGR), Cisco System, Inc.'s (CSCO) Linksys, D-Link Corp (TPE:2332), and Belkin, Inc. are some of the biggest makers of routers. If you own a router, there's a good chance you own a router from one of these manufacturers. And if you own a router from them, there's a good chance you used Wi-Fi Protected Setup (WPS) -- a PIN protected method -- to easily set up your home network. And that means that there's a good chance your security is now at serious risk.
WPS was dreamed up by the Wi-Fi Alliance as a means of easing the pain of home networking. But by including a flag in the EAP-NACK message, the standard unwittingly left a gaping hole that can be exploited by hackers to subvert your router.
The message tells the user if the first half of the pin they typed was right. Thus it drastically reduces the time needed to crack the PIN using a brute force attack. Add in that the last bit of the PIN is always its checksum, you have a recipe for a security disaster.
The flaw reduces the time it takes to crack your average PIN from 108 attempts to 104+103 attempts (11,000 attempts total). Assuming you can fire off ten requests or more a second, you should be able to crack routers in minutes.
The U.S. Department of Homeland Security (DHS) has issued a warning to the public about the flaw. It advises disabling WPS. This may be a painful option for less savvy operators, though, as setting up a network with more sophisticated protections can require a bit of learning.
Stefan Viehbock discovered the vulnerability and reported it to the DHS. He claims that none of the major manufacturers stepped up to the plate with a patch. He is going to release a C-coded exploitation tool shortly -- perhaps that will help prompt the business into action."


SOURCES: Mick, J. (December 29, 2011). Secure Wi-Fi? Not so Much --Gaping Hole Found in WPS Pin System. Retrieved from: http://www.dailytech.com/Secure+WiFi++Not+so+Much++Gaping+Hole+Found+in+WPS+Pin+System/article23626.htm