Security researchers Stefan Viehböck and Craig Heffner recently identified a significant flaw in the Wi-Fi Protected Setup (WPS) functionality that can be used to bypass the encryption method configured on wireless networks.
At first glance, the effect on enterprise wireless security seems minor because few enterprise-class wireless access points (WAPs) support WPS, but consumer-grade WAPs, which do support WPS, do show up on enterprise and SMB networks. This means the WPS flaw could represent a way attackers could penetrate an otherwise secure enterprise network.
This tip examines the exposed WPS flaw and the devices that are affected. I will also discuss how it can be used to bypass an otherwise secure enterprise network and what mitigations enterprises can implement to secure their networks.
The WPS flaw and enterprise security
WPS is an easy way to set up security-enabled Wi-Fi networks. The protocol was designed to allow consumers to buy a device like a Wi-Fi router and enable security features by pushing a button or entering a PIN into an accessible application. WPS was introduced to the consumer market in 2007, and since then has become fairly common. When Viehböck analyzed WPS, however, he noticed some bad design decisions. In his white paper (.pdf), he discussed the design flaws and how the PIN method of WPS is vulnerable to brute-force attacks. The eight-digit PIN is not checked as a whole: the access point confirms the first four digits separately from the last four, and the eighth digit is a checksum of the other seven, so an attacker needs at most 11,000 attempts (10,000 for the first half plus 1,000 for the second) rather than 100 million. With freely available tools this can be done in as little as four hours, and at the end of the exchange the access point hands over the network's WPA/WPA2 key. He released a tool called WPSCrack to demonstrate the seriousness of this vulnerability. Craig Heffner also released a similar tool called Reaver. The push-button mode of WPS is not what is attacked; the problem is the PIN method, which most access points leave enabled by default.
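The following is an added example written for this tip; it is not code from the original article, from WPSCrack or from Reaver. It shows why the split validation makes the PIN brute-forceable: the access point is modelled by a toy class (an assumption for the example) that, like a real one, answers with a NACK at message M4 when the first half of the PIN is wrong and at M6 when only the second half is wrong. The checksum routine follows the WPS specification (weights 3,1,3,1,3,1,3 over the first seven digits); the target PIN 12345670 is the spec's own sample PIN.

```python
"""Simulated WPS external-registrar PIN brute force (added example, not Reaver)."""


def wps_pin_checksum(pin7: int) -> int:
    """Return the eighth (checksum) digit for a seven-digit WPS PIN.

    Weights 3,1,3,1,3,1,3 are applied to the seven digits, most significant
    first; the checksum digit makes the weighted sum a multiple of 10.
    """
    digits = [int(d) for d in f"{pin7:07d}"]
    weights = [3, 1, 3, 1, 3, 1, 3]
    accum = sum(w * d for w, d in zip(weights, digits))
    return (10 - accum % 10) % 10


def worst_case_attempts() -> int:
    """Upper bound: 10^4 first-half candidates plus 10^3 second-half candidates."""
    return 10_000 + 1_000


class ToyRegistrarOracle:
    """Models only what matters for the attack: the AP checks the PIN in halves.

    Assumption for this example: the AP holds an eight-digit PIN, validates
    digits 1-4 first (NACK at M4 on failure) and digits 5-8 second (NACK at M6).
    A real AP leaks the same information through which message it NACKs.
    """

    def __init__(self, pin: str):
        assert len(pin) == 8 and pin.isdigit()
        self.first_half, self.second_half = pin[:4], pin[4:]
        self.attempts = 0  # how many PIN exchanges the attacker has run

    def try_pin(self, candidate: str) -> str:
        self.attempts += 1
        if candidate[:4] != self.first_half:
            return "M4-NACK"  # first half wrong
        if candidate[4:] != self.second_half:
            return "M6-NACK"  # first half right, second half wrong
        return "M7"  # AP continues and M7 carries the WPA/WPA2 credentials


def brute_force_pin(oracle: ToyRegistrarOracle) -> str:
    """Recover the PIN in two phases using the M4/M6 NACK oracle."""
    # Phase 1: at most 10,000 candidates for the first half; second half is filler.
    first = None
    for i in range(10_000):
        half1 = f"{i:04d}"
        if oracle.try_pin(half1 + "0000") != "M4-NACK":
            first = half1
            break
    if first is None:
        raise RuntimeError("first half not found")
    # Phase 2: only 1,000 candidates remain, because digit 8 is a checksum.
    for j in range(1_000):
        pin7 = int(first + f"{j:03d}")
        candidate = f"{pin7:07d}{wps_pin_checksum(pin7)}"
        if oracle.try_pin(candidate) == "M7":
            return candidate
    raise RuntimeError("second half not found")


if __name__ == "__main__":
    target = ToyRegistrarOracle("12345670")  # the WPS spec's sample PIN
    found = brute_force_pin(target)
    print(f"recovered {found} after {target.attempts} attempts "
          f"(worst case {worst_case_attempts()}, naive 8-digit search 100000000)")
```

Rate limiting is the only thing that makes the four-hour figure realistic: each attempt is a full EAP exchange, and the number of attempts is bounded by 11,000 regardless of how strong the WPA/WPA2 passphrase behind it is.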
How will this vulnerability affect enterprises? There are several ways to use the WPS flaw to get into an otherwise secure enterprise network. An attacker could war drive, or even locate vulnerable WAPs in public war-driving databases, to identify targets. Vulnerable WAPs can be identified by trying the attack, by looking for the WPS information element that such access points advertise in their beacons (the wash utility shipped with Reaver lists them), or by checking whether a default SSID for a consumer-grade WAP is being used on an enterprise network. Once a target has been identified, the tools recover the PIN and, with it, the WPA/WPA2 pre-shared key. The attacker does not break the encryption itself; the access point simply hands over the key, and the attacker joins the wireless network as an ordinary client. If the WAP is a rogue device plugged into the wired network, this potentially gives an attacker access to an internal client network in the enterprise.
Mitigations enterprises can implement
Most enterprise-class wireless networks do not support WPS and do not use WPS-capable WAPs. Instead, it's the rogue, temporary or even home office users' WAPs that support WPS and pose potential issues for enterprise networks, with rogue WAPs posing the largest risk.
To mitigate the WPS flaw and the many other problems rogue access points can cause, enterprises should make it a priority to put tools in place to detect rogue WAPs. Enterprises can use tools like Cain and Abel, Wireless Analyzer for Android, wireless intrusion detection systems, or potentially even Nmap with some scripting to identify rogue WAPs. A dedicated tool optimized for finding rogues may save time, because scanning and remediation are time consuming. These tools collect various data about each WAP (BSSID, SSID, whether WPS is advertised), and enterprises can use that data to prioritize vulnerable WAPs for remediation. Enterprises should also be aware of embedded systems like phones, printers and scanners that rely on WPS and might be in use on their network. Wireless intrusion detection systems can detect connections to WAPs that should not be there, and the wireless networks themselves can be configured so that each WAP only reaches the networks it requires.
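The triage step described in the two paragraphs above (identify candidate WAPs, then prioritize the ones that are unknown, advertise WPS or use a consumer default SSID) is shown below as an added example; it is not a tool from the original tip. It parses the text format of `iw dev <iface> scan` on Linux; the sample scan, the inventory of known BSSIDs, the list of default SSIDs and the scoring are all assumptions constructed for the example, and the sample is trimmed to the lines the script reads.

```python
"""Rank candidate rogue and WPS-capable access points from an iw scan (added example)."""
import re

# Constructed inventory: BSSIDs of the enterprise's own access points (assumption).
KNOWN_BSSIDS = {"00:1a:1e:aa:bb:c0"}

# Default SSIDs shipped on common consumer WAPs (assumption; extend for your site).
DEFAULT_SSIDS = {"linksys", "dlink", "netgear", "default", "belkin54g"}

# Constructed sample modelled on `iw dev wlan0 scan` output, three access points.
SAMPLE_SCAN = """\
BSS 00:1a:1e:aa:bb:c0(on wlan0)
\tSSID: corp-secure
\tsignal: -52.00 dBm
\tRSN:\t * Version: 1
BSS 00:18:39:12:34:56(on wlan0)
\tSSID: linksys
\tsignal: -60.00 dBm
\tWPS:\t * Version: 1.0
\t\t * Wi-Fi Protected Setup State: 2 (Configured)
\tRSN:\t * Version: 1
BSS 00:26:5a:de:ad:01(on wlan0)
\tSSID: guest-printer
\tsignal: -71.00 dBm
\tWPS:\t * Version: 1.0
\t\t * Wi-Fi Protected Setup State: 2 (Configured)
\t\t * AP setup locked: 0x01
"""

BSS_RE = re.compile(r"^BSS ([0-9a-f:]{17})", re.IGNORECASE)


def parse_scan(text: str) -> list[dict]:
    """Split iw scan output into one dict per BSS with the fields we need."""
    aps = []
    current = None
    for line in text.splitlines():
        m = BSS_RE.match(line)
        if m:
            current = {"bssid": m.group(1).lower(), "ssid": "", "signal": None,
                       "wps": False, "locked": False}
            aps.append(current)
            continue
        if current is None:
            continue
        stripped = line.strip()
        if stripped.startswith("SSID:"):
            current["ssid"] = stripped[len("SSID:"):].strip()
        elif stripped.startswith("signal:"):
            current["signal"] = float(stripped.split()[1])
        elif stripped.startswith("WPS:"):
            current["wps"] = True  # WPS information element present in the beacon
        elif stripped.startswith("* AP setup locked:"):
            current["locked"] = stripped.endswith("0x01")
    return aps


def triage(aps: list[dict], known: set[str] = KNOWN_BSSIDS) -> list[dict]:
    """Score each AP and return only the ones worth a look, highest score first.

    Scoring is an assumption for this example: an unknown BSSID is the base
    condition for 'rogue'; an advertised WPS element means the PIN attack
    applies; a consumer default SSID is the cheap indicator the tip suggests.
    'AP setup locked' slows the attack but does not remove it, so it only
    lowers the WPS weight by one.
    """
    findings = []
    for ap in aps:
        reasons, score = [], 0
        if ap["bssid"] not in known:
            reasons.append("bssid not in inventory")
            score += 3
        if ap["wps"]:
            reasons.append("advertises WPS (PIN brute force applies)")
            score += 2 if ap["locked"] else 3
        if ap["ssid"].lower() in DEFAULT_SSIDS:
            reasons.append("consumer default SSID")
            score += 1
        if score:
            findings.append({**ap, "score": score, "reasons": reasons})
    return sorted(findings, key=lambda f: (-f["score"], f["bssid"]))


if __name__ == "__main__":
    for f in triage(parse_scan(SAMPLE_SCAN)):
        print(f"{f['bssid']}  {f['ssid']!r:16} score={f['score']}  "
              + "; ".join(f["reasons"]))
```

On a real network, pipe the output of `iw dev wlan0 scan` (run as root) into `parse_scan` instead of the sample, and treat the inventory as the authoritative list of sanctioned BSSIDs; anything that scores because it is unknown and advertises WPS is the first thing to walk the floor for.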
Enterprises may also want to notify users of this vulnerability via standard security awareness communications and explain how it could affect them and, in turn, the organization. This communication will ideally be seen as a win-win: it helps users deal with vulnerable WAPs at home by upgrading the firmware of their WAP or disabling WPS, and it shows them that with just a few steps they are making themselves and the organization more secure. Many consumers never update their WAP firmware or even know how to manage their WAP, so expecting them to update their firmware or disable WPS may be unreasonable; go so far as to provide step-by-step instructions for the most common manufacturers' consumer devices. Not all vendors have released patches or updated firmware for this vulnerability, so users might need to check more than once for updates to their WAP firmware, or the security awareness message should be released when updated firmware is available. Advise users to confirm the result with a scan as well: some firmware of this era kept answering WPS requests even after WPS was disabled in the administrative interface, and in that case only a firmware update or a replacement device closes the hole.
With convenience comes risk
From the security weaknesses in WEP to these recently publicized flaws in WPS, a number of security vulnerabilities have been found in the 802.11 wireless networking protocols since the standard was introduced. The mobility of wireless networks, along with other benefits, likely outweighs the significant security risks. WPS was designed to make securing consumer wireless networks easy, but this vulnerability reduces the effectiveness of wireless security. Enterprises can identify vulnerable WAPs, but consumers may have a tougher task in dealing with this vulnerability without some hand-holding. Trading some security for convenience has led to more consumer wireless networks being set up with encryption at all, but that convenience comes with higher risk. For enterprises, diligent efforts to scan networks regularly for rogue WAPs and good security education efforts can ensure the WPS flaw is a non-issue.
About the author:
Nick Lewis (CISSP) is an information security architect at Saint Louis University. Nick received his Master of Science in Information Assurance from Norwich University in 2005 and a degree in Telecommunications from Michigan State University in 2002. Prior to joining Saint Louis University in 2011, Nick worked at the University of Michigan and previously at Children's Hospital Boston, the primary pediatric teaching hospital of Harvard Medical School, as well as for Internet2 and Michigan State University.
This was first published in May 2012