Robert Robert
Why is the highly insecure WPS method available on these mesh routers? Even in push button mode, WPS is shown in the wifi frames. This can be seen if you use a wifi analyzer.
@robert-robert Please note that the WPS network is a closed network and does not present a security threat.
James Ford
@ui-jt Found the following on Wikipedia that seems to contradict your reply.
Online brute-force attack
In December 2011, researcher Stefan Viehböck reported a design and implementation flaw that makes brute-force attacks against PIN-based WPS feasible to be performed on WPS-enabled Wi-Fi networks. A successful attack on WPS allows unauthorized parties to gain access to the network, and the only effective workaround is to disable WPS. The vulnerability centers around the acknowledgement messages sent between the registrar and enrollee when attempting to validate a PIN, which is an eight-digit number used to add new WPA enrollees to the network. Since the last digit is a checksum of the previous digits, there are seven unknown digits in each PIN, yielding 10^7 = 10,000,000 possible combinations.
When an enrollee attempts to gain access using a PIN, the registrar reports the validity of the first and second halves of the PIN separately. Since the first half of the pin consists of four digits (10,000 possibilities) and the second half has only three active digits (1000 possibilities), at most 11,000 guesses are needed before the PIN is recovered. This is a reduction by three orders of magnitude from the number of PINs that would be required to be tested. As a result, an attack can be completed in under four hours. The ease or difficulty of exploiting this flaw is implementation-dependent, as Wi-Fi router manufacturers could defend against such attacks by slowing or disabling the WPS feature after several failed PIN validation attempts.
A young developer based out of a small town in eastern New Mexico created a tool that exploits this vulnerability to prove that the attack is feasible. The tool was then purchased by Tactical Network Solutions in Maryland for 1.5 million dollars. They state that they have known about the vulnerability since early 2011 and had been using it.
In some devices, disabling WPS in the user interface does not result in the feature actually being disabled, and the device remains vulnerable to this attack. Firmware updates have been released for some of these devices allowing WPS to be disabled completely. Vendors could also patch the vulnerability by adding a lock-down period if the Wi-Fi access point detects a brute-force attack in progress, which disables the PIN method for long enough to make the attack impractical.
Offline brute-force attack
In the summer of 2014, Dominique Bongard discovered what he called the Pixie Dust attack. This attack works only for the default WPS implementation of several wireless chip makers, including Ralink, MediaTek, Realtek and Broadcom. The attack focuses on a lack of randomization when generating the E-S1 and E-S2 "secret" nonces. Knowing these two nonces, the PIN can be recovered within a couple of minutes. A tool called pixiewps has been developed and a new version of Reaver has been developed to automate the process.
Since both the access point and client (enrollee and registrar, respectively) need to prove they know the PIN to make sure the client is not connecting to a rogue AP, the attacker already has two hashes that contain each half of the PIN, and all they need is to brute-force the actual PIN. The access point sends two hashes, E-Hash1 and E-Hash2, to the client, proving that it also knows the PIN. E-Hash1 and E-Hash2 are hashes of (E-S1 | PSK1 | PKe | PKr) and (E-S2 | PSK2 | PKe | PKr), respectively. The hashing function is HMAC-SHA-256 and uses the "authkey" that is the key used to hash the data.
Physical security issues
All WPS methods are vulnerable to usage by an unauthorized user if the wireless access point is not kept in a secure area. Many wireless access points have security information (if it is factory-secured) and the WPS PIN printed on them; this PIN is also often found in the configuration menus of the wireless access point. If this PIN cannot be changed or disabled, the only remedy is to get a firmware update to enable the PIN to be changed, or to replace the wireless access point.
It is possible to extract a wireless passphrase with the following methods using no special tools:
A wireless passphrase can be extracted using WPS under Windows Vista and newer versions of Windows, under administrative privileges by connecting with this method then bringing up the properties for this wireless network and clicking on "show characters".
A simple exploit in the Intel PROset wireless client utility can reveal the wireless passphrase when WPS is used, after a simple move of the dialog box which asks if you want to reconfigure this access point.
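The quoted Wikipedia text gives two numbers worth seeing side by side: the 11,000 worst-case guesses that split-half validation leaves, and the lock-down period that vendors can add after failed attempts. The following Python model, added here and not part of the forum thread or the Wikipedia article, counts the worst-case guesses under both validation designs and estimates how long exhausting them takes with and without a lockout. The 1.3 seconds per attempt, the lockout threshold and the lockout length are assumed illustration values, not measurements of any router.

```python
"""Search-space and lockout model for PIN-based WPS (added example).

Assumptions (not from the thread): one PIN attempt takes SECONDS_PER_ATTEMPT,
and a defending access point may disable the PIN method for `lockout_seconds`
after every `lockout_after` failed validations.
"""

FIRST_HALF = 10 ** 4   # four free digits in the first half: 10,000 candidates
SECOND_HALF = 10 ** 3  # three free digits in the second half; digit eight is a checksum
SECONDS_PER_ATTEMPT = 1.3  # assumed per-attempt cost, chosen for illustration only


def worst_case_guesses(split_verification: bool) -> int:
    """Worst-case number of PIN guesses before the PIN is recovered.

    With the registrar acknowledging each half separately, the halves can be
    searched one after the other (10,000 + 1,000).  If the registrar only
    reported the result for the whole PIN, all seven free digits would have to
    be searched jointly (10,000 * 1,000).
    """
    if split_verification:
        return FIRST_HALF + SECOND_HALF
    return FIRST_HALF * SECOND_HALF


def time_to_exhaust(guesses: int, seconds_per_attempt: float,
                    lockout_after: int = 0, lockout_seconds: float = 0.0) -> float:
    """Seconds needed to try `guesses` PINs.

    If lockout_after > 0, the access point is modelled as locking the PIN
    method for `lockout_seconds` after every `lockout_after` consecutive
    failures.  The final (successful) guess does not trigger a lockout, so the
    number of lockouts is based on guesses - 1 failures.
    """
    total = guesses * seconds_per_attempt
    if lockout_after > 0 and guesses > 0:
        failures = guesses - 1
        total += (failures // lockout_after) * lockout_seconds
    return total


def lockout_slowdown(guesses: int, seconds_per_attempt: float,
                     lockout_after: int, lockout_seconds: float) -> float:
    """How many times longer the exhaustive search takes once a lockout exists."""
    plain = time_to_exhaust(guesses, seconds_per_attempt)
    locked = time_to_exhaust(guesses, seconds_per_attempt, lockout_after, lockout_seconds)
    return locked / plain


if __name__ == "__main__":
    split = worst_case_guesses(True)
    joint = worst_case_guesses(False)
    print(f"guesses, split-half validation : {split:,}")
    print(f"guesses, whole-PIN validation  : {joint:,}")
    hours = time_to_exhaust(split, SECONDS_PER_ATTEMPT) / 3600
    print(f"no lockout                     : {hours:.1f} h")
    # Assumed defensive setting: 60 s lockout after 3 failed attempts.
    days = time_to_exhaust(split, SECONDS_PER_ATTEMPT, 3, 60.0) / 86400
    print(f"60 s lockout after 3 failures  : {days:.1f} days")
    print(f"slowdown factor                : "
          f"{lockout_slowdown(split, SECONDS_PER_ATTEMPT, 3, 60.0):.1f}x")
```

Under these assumptions the split-half design leaves roughly four hours of attempts, which matches the figure in the quoted text, while even a modest lockout stretches the same search to several days; a longer lock-down period, or disabling the PIN method outright as the quoted text recommends, removes the exposure entirely.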
@james-ford AmpliFi does not use the PIN method. I do not understand why you are referencing a vulnerability to a different method of using WPS. AmpliFi uses the push button WPS method, different than the article you referenced. Please read the following from the same article. There is not a PIN to brute force in push button WPS.
"In which the user has to push a button, either an actual or virtual one, on both the access point and the new wireless client device. On most devices, this discovery mode turns itself off as soon as a connection is established or after a delay (typically 2 minutes or less), whichever comes first, thereby minimizing its vulnerability. Support of this mode is mandatory for access points and optional for connecting devices. The Wi-Fi Direct specification supersedes this requirement by stating that all devices must support the push button method."
James Earl Ford
@ui-jt I referenced it because your previous reply did not clearly specify what you meant by a closed network. I think both our responses make it clear exactly what Amplifi uses for this security. Thanks for providing the clarification.
Robert Robert
@ui-jt Why can WPS not be completely disabled if we want it to be? It is still visible in the wifi frames by using a wifi analyzer.
@robert-robert The WPS feature was designed to work this way. As far as completely disabling the WPS broadcast, it is not possible at this time. I can add this to our list of suggestions for future consideration.