Wi-Fi Protected Setup - a good idea badly implemented?

By Jeff

This post is a rant about what I think is a pretty decent idea gone pretty badly wrong. The idea is something called "Wi-Fi Protected Setup." I have not been able to find any other information on the web that talks about the particular problems I've seen (and what I believe to be a not-insignificant security hole), so why not rant about it here a bit? :)

Wi-Fi Protected Setup (WPS) seems to me to be a pretty good idea for solving a valid problem: historically, setting up a secure wireless network has not been easy for the average home user. The user has been expected to configure a number of security-critical settings when first installing the wireless access point ("AP", usually a wireless router), such as the SSID, the security/encryption type, and a passphrase. Once all that is set up, each wireless "client" device must select the correct wireless network (by SSID) and then be given the network's passphrase in order to connect. For those of us familiar with security and networking, this is pretty simple. For the average home user, it can be quite confusing.

My understanding of the idea behind WPS is to help the average user bypass most of these steps and still end up with a secure network. In an example WPS setup (described by a whitepaper available from the Wi-Fi Alliance web site), the process might look like this:

  • power up the new AP
  • attempt to connect to the wireless network with a client device
  • verify that the client and AP really should be connecting by:
    • pressing buttons (could be either physical or virtual) on both ends, which starts a limited-time window for allowing the connection, or
    • entering a PIN provided by the client into the AP

This process would automatically set up an SSID (hopefully unique) and passphrase (hopefully pseudorandom) on the AP and transfer that information to the client. For each new client, the process is simply repeated (with the difference that the SSID and passphrase are not reset when subsequent clients are added). The pushbuttons/PIN help verify that only known clients are added to the network, and the user is spared a lot of setup. I quite like the theory.

In practice, of course, not all wireless APs and clients support WPS. In particular, the Wireless Zero Configuration utility in Windows XP does not support WPS. My web research also suggests that while Vista supports WPS, it does so in a way that requires a wired Ethernet connection for the initial AP setup. I'm not a Vista user, so I can't verify this personally. For any AP or client which does not support WPS, the standard "manual" method for connecting to the network must be used: the network's passphrase must be known and must be provided to the client.

My particular rant in this post, however, has to do with the way that Intel chose to implement WPS in their Wi-Fi Configuration Utility (an optional component supplied with their driver which replaces the Windows built-in Wireless Zero Configuration utility) and how it interacts with the WPS implementation in a Linksys wireless router which I have personally used. Intel chose to implement a PIN-based method for authorizing clients on a network. My reading of the WPS descriptions that I've seen (including the aforementioned white paper) implies that the PIN method is intended to work by taking a PIN provided by the client and entering it into the AP. That makes sense to me. In that model, the only time a client can join the network (using WPS) is when its PIN is provided to the AP, and access for doing that is presumably restricted to someone who controls the network.
However, upon detecting a network which supports WPS, the Intel utility asks the user for a "device ownership password" associated with the AP. Once the user obtains this "password" (which is really a WPS PIN) from the AP and types it into the PC, the connection is established. The Linksys router I used humors this behavior by providing a WPS PIN of its own (in addition to having both a physical and a web-based virtual button and a place to type in a client's PIN). The router's PIN is shown in the web interface and is printed on a sticker attached to the bottom of the router. Here's the kicker, though: the Linksys router's PIN is chosen at the factory and cannot be changed by the end user.

I see two security holes here. First, the PIN is a short numeric value: eight digits, the last of which is a checksum of the other seven, so there are only ten million possible PINs. Since that PIN is all a WPS client needs in order to be handed the network's credentials, it effectively becomes a very weak "password" for the network, regardless of the size or complexity of the actual WPA/WPA2 passphrase. The bigger problem, however, is that once that PIN has been given out, it can be used again, potentially by a new unauthorized user. Since the PIN cannot be changed, the router's owner has no way of preventing this from happening. The web interface on the router supposedly gave a way to turn off WPS, but it did not appear to work: I was still able to use the PIN to gain access even after turning that option off.

On Intel's side, there is yet another problem. Not all APs which support WPS provide a PIN; some can only accept a client PIN (which seems to me to be what was intended in the design of WPS). The Intel utility does not provide a client PIN; it requires a PIN from a WPS-supporting AP. If the AP doesn't have a PIN, then you're pretty much stuck. I did not see a way to bypass that prompt and manually connect using the network's WPA/WPA2 passphrase.
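To make the first of those two holes concrete, here is a small Python script added as an illustration. It is not part of the original post and is not code from Intel, Linksys or the Wi-Fi Alliance; the only thing it takes from the WPS specification is the PIN checksum rule (digits in odd positions of the seven-digit body weighted 3, digits in even positions weighted 1, last digit chosen to make the weighted sum a multiple of 10). The sample PINs are constructed for the example. It shows that a "valid" WPS PIN carries only seven digits of secret, and it enumerates the candidate list an attacker who is simply guessing an AP's sticker PIN would have to walk through.

```python
# Added illustration (not from the original post or any vendor's code):
# the WPS PIN checksum rule and the size of the resulting guess space.
from typing import Iterator


def wps_checksum(first_seven: int) -> int:
    """Return the checksum digit for the first seven digits of a WPS PIN.

    Digits are consumed from the rightmost (7th) leftwards: positions
    7, 5, 3, 1 get weight 3 and positions 6, 4, 2 get weight 1.
    """
    acc = 0
    body = first_seven
    while body:
        acc += 3 * (body % 10)   # odd position
        body //= 10
        acc += body % 10         # even position
        body //= 10
    return (10 - acc % 10) % 10


def wps_pin_valid(pin: str) -> bool:
    """True if pin is exactly 8 ASCII digits ending in the correct checksum."""
    if len(pin) != 8 or not pin.isdigit():
        return False
    return wps_checksum(int(pin[:7])) == int(pin[7])


def make_pin(first_seven: int) -> str:
    """Build the full 8-digit PIN for a 7-digit body (leading zeros kept)."""
    if not 0 <= first_seven < 10**7:
        raise ValueError("PIN body must be seven decimal digits")
    return f"{first_seven:07d}{wps_checksum(first_seven)}"


def candidate_pins(start: int = 0, stop: int = 10**7) -> Iterator[str]:
    """Every syntactically valid PIN with a body in [start, stop).

    This is the complete list a guesser would try against an AP that
    accepts its own (unchangeable) PIN from any client: 10**7 entries.
    """
    for body in range(start, stop):
        yield make_pin(body)


def valid_fraction(upto: int = 100_000) -> float:
    """Fraction of all 8-digit strings below `upto` that pass the checksum.

    Exactly one in ten: the 8th digit is fixed by the other seven, so the
    checksum costs an attacker nothing and the secret is 7 digits long.
    """
    ok = sum(1 for n in range(upto) if wps_pin_valid(f"{n:08d}"))
    return ok / upto


if __name__ == "__main__":
    # 12345670 is the example PIN commonly shown in WPS documentation;
    # 12345678 is a constructed example with a wrong checksum digit.
    print("12345670 valid:", wps_pin_valid("12345670"))
    print("12345678 valid:", wps_pin_valid("12345678"))
    print("PIN for body 1234567:", make_pin(1234567))
    print("fraction of 8-digit strings that are valid PINs:", valid_fraction())
    print("total valid PINs:", sum(1 for _ in candidate_pins(0, 1000)) * 10**4)
```

The takeaway is the number `10**7`: an online guess of the AP PIN is bounded by that count before any protocol-level shortcut is considered, which is a very different budget from the one a long random WPA2 passphrase was supposed to impose.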
The only way I saw around it was to run the Intel setup utility and remove the Wi-Fi Protected Setup feature altogether (fortunately, it can be removed separately while leaving the rest of the utility intact). At that point, the network can be added manually.

This seems like an example of a good idea implemented very badly. I think the whole model of the AP providing the PIN to be used by the clients is backwards: it places control in the hands of the clients instead of the AP, and it reduces the network's security to a short numeric value. I could almost live with that if there were a way to change the PIN or disable WPS on the Linksys router. What really surprises me is that I have not seen anyone else on the net mention this. I may be missing something. The Intel-Linksys WPS interaction I've described above is from my own experience, but it's possible that I've done something incorrect. If anyone can see the hole in my description, please comment on this post and explain. If I'm right, though, then this looks like a pretty broken system.

Comments

Comment by Matty

At last!! someone else who is having

At last!! Someone else who is having this problem. It's driving me mad. On the last 2-3 Vista laptops I have sold to clients this problem has been really making me pull my hair out. I had one client follow the prompts and wipe out their existing Wi-Fi config, cutting everyone else off, and then yesterday I had a brand new machine that wanted to do the same. I found no way possible to disable it so I can just enter the pre-existing passphrase. When trying to connect to the internal Wi-Fi here at work a screen flashes up with an option "don't configure this connection, just let me enter the passphrase", but it flashes for only 1.5-2 seconds before jumping straight to asking me for the WPS PIN on the router (which will wipe out the existing config).

Router in both cases has been WRT54g and WRT54g v2

Comment by Jeff

Wow. Someone who was actually able to

Wow. Someone who was actually able to decipher my random ranting. :)

The router in my case was a WRT160N (v2), BTW.

I'm now using an AirPort Extreme base station, and I'm quite happy with it. For one thing, it does simultaneous dual-band, which is great in an environment with mixed n and g/b clients.

Comment by Matty

Haha! What I can't believe is so few

Haha! What I can't believe is that so few people have struck this issue. I spoke to Linksys and got through to a support center in the Philippines or somewhere, but they didn't really want to know. I'm considering installing some hack firmware onto our guest WRT54g v2. One thing is for certain though, I will not be selling any more Linksys routers to my clients until I find a fix!

Comment by Paul

Thanks for the article - I was looking

Thanks for the article - I was looking for a new router, and had looked at the recent Linksys offerings, but will avoid them until they demonstrate better regard for their customers' security and privacy.

As you implied, the Linksys WPS implementation sucks. Hugely.

Anyone looking for an 802.11n/gigabit ethernet ADSL modem/router might consider the Billion BiPAC 7800N which is a sweet design and new.
Or the 7402NX (also 802.11n & gigabit ethernet) which uses a different (older) chipset but also offers a 3g dongle as fall-back if ADSL fails, so is an interesting product with the latest WiFi & ethernet performance.

Am avoiding Linksys for now - until they either remove WPS entirely, or re-implement it in a demonstrably safe manner.

Cheers!

Comment by lurch

finally, after two weeks of

Finally, after two weeks of searching, someone who has been having the same problem as me, and that person can make some sense of it. I have a Linksys/Cisco wr-110n router, and the Wi-Fi Protected Setup has caused me nothing but trouble. Another thing I have noticed is that the DHCP server does not turn off even when it says it is "off". This has become very problematic as I have my own server with SBS2008 and therefore have no need for the DHCP option in the router. Anyone else in a similar situation? Any insight would be helpful.

Comment by lurch

BTW, my router is a

BTW, my router is a WRT-110n

Comment by wemilord

Well... now I found something

Well... now I found something interesting... it is INCREDIBLE how little info there is on the web about this crappy thing called Wi-Fi Protected Setup...
I have fought for a week now trying to configure two laptops with Vista... and each time I manage to get the net working on one, when I try to connect the other... it simply wipes out the configuration, not letting the other one connect. Amazing... bravo Cisco/Linksys, bravo!
Still looking for an answer... if you find one I will be happy to hear about it.

Comment by Matty

I have since found out that WPS is

I have since found out that WPS is called WCN (Windows Connect Now) 2.0 in Vista. If you search for how to disable that, then it might shed some light. The last one of these I set up, I let the retarded WPS reconfigure the router for the Vista machine; fortunately the other machine was XP and let me enter the SSID and PSK that WPS had so retardedly set up for me.

Comment by lowdownjoe

I guess misery loves company

 

I guess misery loves company, so at least I have found some company here :)

I just pulled the last of my hair out messing with a WRT110 and a Dell D620 laptop with the Intel utility. The WPS setup simply does not work correctly. Also, as mentioned above, you cannot seem to turn it off on the router. The router says it is using manual mode but the Intel utility ALWAYS sees it as WPS. Interesting that my iPod touch didn't care about WPS and simply connected without a hitch.

Here is another observation: I originally attempted to set it up using 64-bit WEP (I know it's not the most secure, but this is a rural farm with no neighbors), so I entered the PIN into the Intel utility and guess what, there are no WEP options at all. The router, after being configured for WEP, only provided WPA and higher encryption options as part of the WPS handshake/dialogue.

I honestly don’t see how the average home user deals with this stuff. I have much experience in this and most all things wireless, and this was shocking how poorly this works.

Actually the whole mess of what devices will work with WEP, WPA, WPA2, and all of the various combinations is maddening... but that is another story.

I feel better now. :)

 

Comment by matty

have you tried

Have you tried upgrading the firmware in the router? I had one of these the other week again and this time I was ready to throw out the router. Once I upgraded the firmware the WPS seemed to turn off and the router worked... wait for it... HOW IT SHOULD HAVE IN THE FIRST PLACE lol!

Comment by xzistance

FINALLY got it after about an

FINALLY got it after about an hour of frustration and searching.

So, by default, my Linksys WRT54G2 V1 router has Wi-Fi Protected Setup enabled. There is a bug with Wi-Fi Protected Setup, at least with this router and Vista computers, that only really allows for 1 wireless connection to be connected at a time. If I tried connecting with a different Vista laptop with Wi-Fi Protected Setup enabled, it asks me for the PIN, and if I follow through with it, it "hijacks" the router and changes the SSID, which then disables the other laptop from connecting, without going through the exact same process.

So, then the other bug is that I logged in to the router, changed Wireless Configuration to 'Manual' (which should disable Wi-Fi Protected Setup), but it did not. It was still asking for the router PIN and doing that whole annoyance.

Sooo, finally, after more searching and thinking, I found a firmware update for my router, upgraded it, and now it works like it should. When I have it set to 'Manual' Wireless Configuration, it no longer asks for the router's PIN, and I was able to successfully connect multiple wireless connections at the same time (which should have been super easy in the first place).

Hope this helps people.

Comment by Anonymous

I've had the same problem

I've had the same problem too, on both Linksys and D-Link setups. In fact, one of my Vista machines changed the SSID of the Linksys router right in the setup menu! What baffles me is that Wi-Fi Protected Setup was disabled on both routers, so why can't the Intel drivers (or Windows) see that? My Blackberry and Android devices connect just fine without the PIN or even asking for it.

Comment by Demetrius

Workaround

I found that instead of using the SSID that the wireless device discovers, you can create a profile (or add the SSID manually), configure it, and then try. It will bypass the PIN at that point.

Comment by FrustratedUser

WPS Defeats the Purpose

I appreciated your article, not because I'm having the same problem, but because I'm having a similar problem that makes me question the point of WPS altogether.

My PC is wired to my N wireless router (when it comes to downloading from the internet, I still prefer a wired connection), but my TiVo DVR is connected to a wireless adapter so that it can take advantage of the wireless feature (the DVR is further away from my router than the PC, and I would need a 12 ft. ethernet cable to wire it).

At any rate, I have to enable SSID broadcasting in order for the TiVo adapter to locate the network via the WPS buttons on the router and the adapter; the adapter cannot make the initial connection unless it is enabled. Once I make the initial connection, of course, I can then disable SSID broadcasting. But therein lies my problem: During the few minutes that it takes to enable SSID broadcasting, push the WPS button on the router, push the WPS button on the adapter, wait for the adapter to connect with the router, then go back to the pc to disable SSID broadcasting, someone (a neighbor, perhaps) has tapped into my wireless network and is piggybacking on my internet connection! I've tried resetting the router so that the culprit is kicked off my network but, again, by the time I follow the procedure above, they are back on my network; I can tell that someone is piggybacking because the router's wireless indicator light starts blinking rapidly, though I am not connected (and my TiVo is not communicating with the internet).

From what I researched before I purchased my router and wireless adapter, I understood that the point of WPS was to be able to make the secure connections between router and client WITHOUT fear of anyone connecting to your network while you're in the process of setting it up. Now, I realize I was wrong; WPS is merely intended as a user-friendly convenience for people who don't want to bother with configuring their network settings.

Comment by Anonymous

WPS on Echolife HG532 stop HTC Magic connecting

For many months my HTC Magic (with Android 2.2.1) has been working fine, connecting to my TalkTalk Echolife HG532.

About a week ago (mid April) it stopped working.

There was something significant that happened around then - in that TalkTalk at our local exchange went down - and all phones there too - and along the way I restarted the router.

But there is nothing there that should have affected anything, and no settings were changed afaik.

However around then the phone stopped connecting to wifi. It can not even see the SSID.

The phone can see other wifi networks fine. Everything else can see the wifi router fine.

In the end I went into the settings for the router and started changing them one by one. SSID change - no difference. Enable / disable broadcast etc - no change. But the last option there is to enable / disable WPS.

Bingo - as soon as I turned off WPS it worked fine. Turn it back on, the Magic can no longer see the wifi. When on, it was in PBC mode.

I guess it's something that has been updated in the router by TalkTalk that only took effect recently (maybe at the reboot), and WPS is either broken in the router now, or the HTC Magic doesn't support it properly, all of a sudden.

Comment by Anonymous

Looks like the security hole

Looks like the security hole just got a whole lot bigger:

http://lifehacker.com/5873407/how-to-crack-a-wi+fi-networks-wpa-password...

Comment by Jeff

my latest post on WPS

So, the previous commenter had the right idea. When I originally wrote this post something like two and a half years ago, I didn't know about all the flaws inherent to WPS. I knew it had problems, but I didn't know how many. Anyway, I felt the need to post a big "I told you so" in response. :) http://slidingconstant.net/content/wi-fi-protected-setup-confirmed-flawe...

Comment by Mike

Congrats on your "I told you so"

Yep, you get big kudos for being some 30 months ahead of the news. I was just looking for information on upgrading the WRT54G2 before trading it out for a D-Link a/b/g/n model that can turn off the WPS operation. I found your post and was startled at the date. While I never thought this WPS was secure, I had no idea it was such a hole and that even when I turned it off it continued to operate.

Nice work and thanks for the *very* early warning!

Comment by nina

lynksys

So just tell me how to (simply) make my wireless work so I can stream my Netflix through walls, as my router is in the office with the main computer. Everything else picks up the wifi just fine (the laptop, the iPhone etc.), but the Netflix just buffers and drives me crazy. I tried to go into the setup for wireless to change some numbers that were recommended, but couldn't get past the WPS (you know, pushing the button on the back of the device). I'm an amateur and I'm not willing to pay that Cisco customer support guy that is online. I already just paid for a new Blu-ray player with wifi in it, a new computer, a new router etc. I'm tired of it all. I don't have my sons around to do this stuff for me anymore.

Comment by nina

thank you juff for your very

Thank you Jeff for your very complete answer, although I still have no idea how to do what I want to do. Where do I get the PIN, since I cannot call the company... they seem to have no customer support number. What is the "white paper"? You realize you're dealing with a real amateur here. Sorry for that. --Nina

Comment by Jeff

a (non)answer

Nina,

I'm not sure how to help you. If your Netflix device can get to the Internet over wi-fi at all, then WPS isn't your problem. If you were having issues with WPS, then the device wouldn't be able to get to the network at all. WPS doesn't create problems only with streaming content. Actually, the main problem created by WPS is to make your network available to people who shouldn't have access, not to deny access to authorized users in some cases.

To answer your specific questions:

The device's PIN is unique to that device, and I don't have any way of knowing (or finding out) what it is. In general, it's usually printed on a sticker which is attached to the device itself. If you need help figuring out the PIN, then I'm afraid your only option is to talk to the company that made the device.

The whitepaper I mentioned is available by clicking on the link in my post (for example, you can get to it by clicking on the word "whitepaper"). I don't think it contains anything that will help with your problem, though. Your best bet is to get in touch with tech support and talk to them.

I'm sorry, but I don't have any way of helping you with your problem, and I doubt it has anything to do with the problem I talked about in the post.

--Jeff

Comment by Pete

Would you like to disable WPS on the Cisco?

1st log into the Web interface and enable SSH access.

2nd SSH into the appliance

3rd  Type:  set wps disable

4th Type:  apply

5th Type:  reboot

Now you can use your device without WPS as a factor. This has been verified on several Cisco WAP devices including the 4410.

Comment by Steve

glad I found you too... vista WPS foolishness

Hi... we have some visitors at the house... one with a Vista laptop. She got the router PIN# prompt, and my wife gladly read it to her off the bottom of the flat black Linksys router. Bam... our wireless network name got changed, everyone was locked out, the passphrase was scrambled and nobody knew what the &(@ was going on. I hadn't logged into the router in years and had to dig up the access info and spend a couple of hours getting it back. Total waste of time, WPS sucks.

Comment by Jeff

new post

Steve,

You might be interested in taking a look at a followup post I did on WPS ( http://slidingconstant.net/content/wi-fi-protected-setup-confirmed-flawed-concept ). I didn't realize just how much of a security hole WPS was when I wrote this post.

--Jeff

Comment by Steve

Re: glad I found you too... vista WPS foolishness

I have taped a card onto the bottom of my router.  It covers up the PIN# , and says:

CAUTION: disclosing this PIN allows the recipient device to immediately alter important router settings.   Do not disclose PIN if network is working normally... a lock-out could occur.

Maybe the manufacturers should do likewise.

Seems insane to put the security and configuration of one's network into the hands of any random requesting device which may or may not have a correct, safe implementation.  

It's hard to find info on this lock-out issue because apparently it occurs only with certain routers / firmware versions, along with only certain badly implemented devices (Vista laptops).  Thanks for providing this forum/resource. 

Comment by Jeff

Re: glad I found you too... vista WPS foolishness

Steve,

So, the issue you mentioned (and MANY other people have encountered) isn't supposed to happen. The only time WPS on the access point is supposed to change the SSID and passphrase is when a wireless network is originally being set up. Any subsequent devices which are added are supposed to use the existing parameters. It just occurred to me, though, that there may not be a well-defined method for knowing when a network is already in operation (versus when WPS is supposed to overwrite the SSID and passphrase and start from scratch)... especially when the "standard" method is used to set up the original working clients, and then much later WPS is used to add another client. I admit I haven't reviewed the WPS spec to know what it says about this. I do remember that the old Linksys AP with WPS that I was using when I first wrote this post was able to successfully register multiple devices with WPS, so the AP obviously has to have some method of distinguishing between the first device and subsequent devices. My fear is that this detail is left up to the manufacturer to "figure out", and so the behavior is done differently by different access points.

This goes back to my original problem that in WPS the client has control.

Comment by Jeff

Yet _another_ hole

In looking online for info related to what I wrote in my last comment, I found yet another security hole in some implementations. Critically, this hole results in a working connection (so the problem isn't apparent to the user), but it results in a network that uses no encryption. See this web page for details: http://www.smallnetbuilder.com/wireless/wireless-features/30345-how-is-wps-supposed-to-work

Comment by Robert Willcox

wi-fi protected setup -Thank you!

I've been going nuts here thinking I must be missing something. Almost everything I read sings the praises of this simplified "security" setup, but it's had me baffled. I've been reconfiguring a Linksys WRT310 and using some Dell E series laptops with Intel ProSet Wireless in them and I keep thinking "Gee, this just gives the world an 8 numeric character password to guess!". Pretty much defeats the whole purpose of all the WPA2-PSK stuff entirely, just guess a few numbers and you're in.

Anyway, I wanted to say thanks for bolstering my confidence - I was beginning to think there must be something wrong with me. But your clear analysis confirms my exact concerns. Good job.

Bob
