A brief history of WPS hacking
The Wi-Fi Alliance announces the birth of WPS:
AUSTIN, TEXAS – August 16, 2006 – The Wi-Fi Alliance today announced Wi-Fi Protected Setup™ as the name for its upcoming consumer ease-of-use program, formerly code named “Wi-Fi Simple Config.” Slated for launch in Q4 of this year, the program is planned as an optional certification based on a standardized method for security setup in home Wi-Fi networks.
Wi-Fi Alliance® Announces Wi-Fi Protected Setup™
The specification for WPS version 1.0 is released (Wi-Fi Protected Setup Specification).
Note that in 2004 WEP was officially declared insecure and WPA2 was launched. The Wi-Fi Alliance presented WPS as the perfect solution for a smooth transition to WPA and actively promoted it.
The Wi-Fi Alliance proudly announces that more than 200 devices have integrated the new protocol. See Wi-Fi Alliance® Certifies 200 Products for Wi-Fi Protected Setup™ Enabling Easy Setup of Consumer Wi-Fi Networks. We are speaking about manufacturers such as TP-Link, Huawei... The leaders of the market adopted WPS, and this is a real success story until...
26 December 2011
The PDF document published by Stefan Viehböck exposes a major flaw in the design of the WPS PIN mode: the protocol is vulnerable to a brute force attack. Even the most complex and secure WPA passphrase can be recovered in a few hours through a brute force attack on the WPS PIN mode. A must-read: Brute forcing Wi-Fi Protected Setup: When poor design meets poor implementation.
27 December 2011
The vulnerability is officially recognized by the security community: Vulnerability Note VU#723755 WiFi Protected Setup (WPS) PIN brute force vulnerability
28 December 2011
Craig Heffner releases Reaver 1.0, the first public tool that exploits the new vulnerability.
Reaver was already complete code, but it had been developed in secret and lacked beta testing. You had to be a believer: stdout was minimal, sessions weren't saved (so it was a one-shot try), and it had trouble associating with a lot of access points. You can find the first original version of the mythical tool on Packet Storm: reaver-1.0.tar.gz
29 December 2011
Stefan Viehböck releases wpscrack: a Python script conceived more as a proof of concept than as a "final tool". It was developed under BackTrack with an ar9170 USB chipset and does not work well with many devices. The original download link is broken, but the page can be found here: .braindump – RE and stuff / Wi-Fi Protected Setup PIN brute force vulnerability
You can find a copy of the original code here
wpscrack in action:
30 December 2011
What seems to be the first video of a WPA crack through the WPS brute force flaw: Cracking WPS with Reaver
30 January 2012
The Wi-Fi Alliance releases a new WPS version to mitigate the vulnerability.
A "permanent" locked state (a reboot/reset of the device or a reactivation of WPS is required to leave it) must take effect after a maximum of 10 wrong attempts. The specification states:
However, if a static PIN is used, the AP must track multiple failed attempts to authenticate an external Registrar and then enter a lock-down state (This state is signified by setting the attribute AP Setup Locked to TRUE). After at most 10 failed, consecutive attempts, with no time limitation, from any number of external Registrars, the AP shall revert to a locked down state, and the AP shall remain in the locked down state indefinitely (i.e., until the user intervenes to unlock AP’s PIN for use by external Registrars). In this state, the AP MUST refuse to run the Registration Protocol in initial AP setup mode with any external Registrars. This technique protects the AP’s PIN against brute force attack by an attacker posing as new external Registrar(s). During the AP Setup Locked state, it is still possible to add new Enrollee devices to the WLAN, but it is not possible to add new external Registrars using the AP’s PIN. The AP may include additional means to enter the locked state. For example, an AP may implement an incremental and/or temporary lockout process that extends the lockout time between failed PIN attempts. However, even if these additional methods are implemented, an AP still must enter an indefinite locked down state as described above.
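As an added illustration (not code from this post, from Reaver/wpscrack or from the specification), here is a small Python model of the lockout rule quoted above, written from the access point's side. The class and method names are assumptions; the doubling temporary lockout is just one possible "incremental" scheme of the kind the specification permits on top of the mandatory indefinite lock.

```python
# Added example: model of the WPS 2.0 "AP Setup Locked" rule (names assumed).
MAX_CONSECUTIVE_FAILURES = 10  # "after at most 10 failed, consecutive attempts"


class ApSetupLock:
    """Tracks failed external-Registrar attempts against the AP's static PIN.

    Per the rule quoted above the counter is global (any number of
    Registrars), consecutive (a correct PIN resets it) and has no time
    decay; once locked, only an explicit user action unlocks the AP.
    An optional escalating temporary lockout may be layered on top,
    but it never replaces the indefinite lock.
    """

    def __init__(self, temporary_base_s=0):
        self.failed = 0                  # consecutive failures, all Registrars
        self.setup_locked = False        # the "AP Setup Locked" attribute
        self.temporary_base_s = temporary_base_s
        self.temporary_lockout_until = 0.0

    def registration_allowed(self, now):
        """May the AP run the Registration Protocol with an external Registrar now?"""
        if self.setup_locked:
            return False                 # indefinite: no timer ever clears this
        return now >= self.temporary_lockout_until

    def record_attempt(self, pin_correct, now):
        """Feed the outcome of one PIN attempt; returns whether it was accepted."""
        if not self.registration_allowed(now):
            return False                 # refused outright, nothing counted
        if pin_correct:
            self.failed = 0              # "consecutive": a success resets the count
            return True
        self.failed += 1
        if self.failed >= MAX_CONSECUTIVE_FAILURES:
            self.setup_locked = True     # AP Setup Locked = TRUE, until user unlock
        elif self.temporary_base_s:
            # optional incremental lockout: base * 2^(failures-1) seconds
            delay = self.temporary_base_s * (2 ** (self.failed - 1))
            self.temporary_lockout_until = now + delay
        return False

    def user_unlock(self):
        """The only exit from the indefinite lock: user intervention (reset/WPS toggle)."""
        self.failed = 0
        self.setup_locked = False
        self.temporary_lockout_until = 0.0
```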