WiFi hacking has long been a favorite pastime of hackers, penetration testers, and people too cheap to pay for their own Internet connection. And there are plenty of targets out there for would-be hackers and war drivers to go after—just launch a WiFi scanner app in any residential neighborhood or office complex, and you’re bound to find an access point that’s either wide open or protected by weak encryption. Fortunately (or unfortunately, if you’re the one looking for free WiFi), those more blatant security holes are going away through attrition as people upgrade to newer routers or network administrators hunt down vulnerabilities and stomp them out. But as one door closes, another opens.
Last week, security researchers revealed a vulnerability in WiFi Protected Setup, an optional device configuration protocol for wireless access points. WPS lets users enter a personal identification number that is hard-coded into the access point in order to quickly connect a computer or other wireless device to the network. The structure of the WPS PIN number and a flaw in the protocol’s response to invalid requests make attacking WPS relatively simple compared to cracking a WiFi Protected Access (WPA or WPA2) password. On December 28, Craig Heffner of Tactical Network Solutions released an open-source version of an attack tool, named Reaver, that exploits the vulnerability.
To find out just how big the hole was, I downloaded and compiled Reaver for a bit of New Years geek fun. As it turns out, it’s a pretty big one—even with WPS allegedly turned off on a target router, I was able to get it to cough up the SSID and password. The only way to block the attack was to turn on Media Access Control (MAC) address filtering to block unwanted hardware.
Hands-on: hacking WiFi Protected Setup with Reaver