Forum Notes for Jan 28/12


Internet Hardware Forum Jan 28/12


SOPA (Stop Online Piracy Act) and PIPA (Protect IP Act) shelved for the time being in the US

ACTA (Anti-Counterfeiting Trade Agreement): most European countries signed the agreement Thursday

WPS – Wi-Fi Protected Setup

  • Used on wireless routers to allow easy connection of wireless devices
  • NOTE: Do not confuse WPS with WPA or WPA2
    • WPA and WPA2 are Wi-Fi Protected Access
    • Routers that support WPS have a static 8-digit PIN printed on the router's label




  • WPS can be initiated in several ways
    • Push button on router and wireless device
    • Wireless connection using an 8-digit static PIN
    • The last digit of the 8-digit PIN is a checksum of the other 7 digits of the PIN.
    • Wireless device could be another computer or device including a computer from the immediate area
    • Process involves each device treating the other device as an unknown/untrusted device
      • The process takes a random number created by the router along with the digits of the PIN and creates a hash of the two
        • The process of creating the hash is known by both parties since it is part of the WPS spec
  • Wireless authentication via PIN involves the router verifying the PIN in 2 groups of 4 digits.
    • The router tells the new wireless device whether the current 4 digits are correct. Because the 8-digit PIN is verified in two 4-digit steps (the last 4 digits consist of 3 digits plus the checksum), security is reduced by 3 orders of magnitude.
  • The problem is that the verification process involves a random number that is generated by the router but is sent to the wireless device, so that the wireless device can create a hash of its answer, i.e. what it claims is the 8-digit PIN printed on the router.
  • A hacker can capture the traffic between his computer and the router
    • The traffic coming from the router includes the random number plus the hash the router created by applying a known process to the random number and the digits of the PIN.
  • The hacker can perform an offline attack using the now known/captured random number and his own generated series of digits, hashing them and comparing each result with the previously captured hash. When the two match, the hacker knows the digits of the PIN.
  • The hacker can then later connect to the router using the offline attack results
    • Once this connection is made, the router’s WPA or WPA2 encryption key can be discovered, allowing any device to use this wireless key to connect to the router
  • The Wi-Fi Alliance determined, as a cost-saving measure, that the PIN would not be dynamic (i.e. changeable by the router) but rather a static one that could be printed on the router’s label.
  • Routers must have WPS if they want to be Wi-Fi certified.
  • Most routers have an option in the wireless configuration page to turn off WPS.
    • With Linksys routers using Linksys firmware this does not turn off WPS in the router! Wireless connections can still use WPS to connect a device to the router.
      • The disable option on Netgear routers does indeed disable WPS
      • Apple Airport routers use dynamic PINs
      • Third-party firmware like dd-wrt or Tomato, applied to compatible routers, does not support WPS at all
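
The checksum digit and the effect of verifying the PIN in two halves, described above, can be checked numerically. This Python is an added example, not part of the original notes: the checksum rule is the one from the WPS specification (it is not spelled out on this page), the function names are illustrative, and 12345670 is a constructed sample PIN.

```python
import math

def wps_checksum(first7: int) -> int:
    """Check digit for the first 7 PIN digits.
    Digits are weighted 3,1,3,1,... starting from the rightmost of the 7."""
    accum = 0
    while first7:
        accum += 3 * (first7 % 10)
        first7 //= 10
        accum += first7 % 10
        first7 //= 10
    return (10 - accum % 10) % 10

def is_valid_pin(pin: str) -> bool:
    """True if pin is 8 ASCII digits and the last digit matches the checksum."""
    if len(pin) != 8 or not (pin.isascii() and pin.isdigit()):
        return False
    return wps_checksum(int(pin[:7])) == int(pin[7])

def valid_second_halves(first_half: str) -> list:
    """Every 4-digit second half that yields a checksum-valid PIN
    for the given 4-digit first half (3 free digits + 1 forced digit)."""
    halves = (f"{n:04d}" for n in range(10_000))
    return [h for h in halves if is_valid_pin(first_half + h)]

def keyspace() -> dict:
    """Worst-case number of PINs to rule out, whole-PIN vs. split check."""
    whole = 10 ** 7                              # 7 free digits, checksum fixed
    first = 10 ** 4                              # first half confirmed on its own
    second = len(valid_second_halves("1234"))    # same count for any first half
    split = first + second
    return {"whole": whole, "split": split,
            "orders_lost": math.log10(whole / split)}

if __name__ == "__main__":
    print("12345670 valid:", is_valid_pin("12345670"))   # constructed sample PIN
    ks = keyspace()
    print(f"whole-PIN check: {ks['whole']:,} candidates")
    print(f"split check:     {ks['split']:,} candidates")
    print(f"reduction:       about {ks['orders_lost']:.2f} orders of magnitude")
```

Because the router confirms each half separately, the candidates add (10,000 + 1,000) instead of multiplying, which is why a static WPS PIN gives so little protection and why actually disabling WPS matters.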



Michael Geist – The ACTA Fight Returns: What Is at Stake and What You Can Do

Waiting For The WPS Fix – SmallNetBuilder

WPS Vulnerability Testing – Google Docs

How to Crack a Wi-Fi Network’s WPA Password with Reaver


 Posted by at 10:20 pm
