Your Secure WIFI May Not Be So Secure

We all know that WEP (Wired Equivalent Privacy) encryption is long outdated and should not be considered adequate for your home network. This is because an attacker can crack the key merely by collecting and analysing the encrypted data being transferred between the AP (Access Point), also known as a router, and the client. Client meaning a device served by the AP, such as your laptop or smartphone.

‘Well, none of that applies to me as I’m using WPA/WPA2,’ I can hear you saying. WPA stands for Wi-Fi Protected Access and it’s the current standard for wireless security. Indeed, WPA encryption is extremely strong, to the point that the only feasible way to crack it involves capturing the 4-way handshake between AP and client, then trying every possible passkey. This process is known as brute forcing.

It’s worth noting that WPA passkeys can be between 8 and 64 characters long; as always, the longer and more complex your password, the more secure it will be. Dictionary words should be avoided as they can be cracked within minutes. Even a standard hexadecimal passkey of 10 digits, as used by most manufacturers, will take a powerful home PC over a year to crack. Add a few more random digits on the end and it won’t be getting cracked within your lifetime.

‘Great, so I’m good to go then?’ Not so fast there, my friend. You see, long hexadecimal passkeys can be a real pain to enter manually when you need to connect a new device to your network. Enter WPS, or Wireless Protected Setup, a great function that means you only have to enter an 8-digit PIN, or in some cases push a button on the router, to connect your device.

Here lies the problem: anyone is able to download the free ‘Backtrack’ penetration testing suite, comprising hundreds of tools for the security professional… or hacker. One such tool is called Reaver, and it’s specially designed to brute force your WPS PIN. Let’s say Reaver is able to attempt 1 PIN per second; 99999999 possible attempts would take over 3 years, right? Wrong. A major weakness is the way the PIN is verified: in two halves.

So now Reaver only has to try 9999 times to guarantee obtaining the first half of the PIN, and things are about to go from bad to worse. The second half of the PIN is actually a 3-digit number; its 4th digit is only a checksum. So that means the second half of the PIN will take a maximum of 999 attempts. Still assuming 1 second per PIN attempt, the time to crack the PIN has now dropped from over 3 years to around 3 hours!

Some router manufacturers have attempted to address this huge weakness by implementing a lockout period when the PIN is entered incorrectly a certain number of times, typically along the lines of a 5-minute lockout after 5 incorrect PIN attempts. Reaver doesn’t care; it will simply wait until the lock has been lifted and then continue its mission. The PIN in this case will take less than 8 days to crack. Even if the router gets switched off, Reaver automatically saves its progress, ready to start from the last attempted PIN next time it’s switched on.

Unless you like the idea of sharing your connection with persons unknown, and possibly having to answer to law enforcement regarding criminal activity pertaining to your IP address, you should seriously consider ditching your WPS-enabled router altogether. Let’s not forget that as the PIN is a random number, there’s a 50% chance it will be cracked in half the time stated above. Some routers give you the option to disable WPS; this is definitely worth a try, but unfortunately sometimes it just disables the button on the router and not the service itself. Just when you thought it couldn’t get any worse: once your PIN has been cracked, you can change your password all you like and it will take Reaver seconds to crack it again. This is because the WPS PIN is hard-coded within the router and can’t be changed.

Matt is a computer enthusiast who enjoys writing about all things security related.