Security Now 337
Topic: WPS A Troubled Protocol
Recorded: January 25, 2012
Published: January 25, 2012
Duration: 74 mins.
Security Now 337: WPS A Troubled Protocol
News & Errata
- A judge from Peyton, Colorado, ruled that Fifth Amendment (Self-incrimination) U.S. Constitution protection does not apply to encrypted laptop passwords.
- The U.S. Supreme Court has just ruled that GPS tracking of a vehicle requires a warrant.
- Anonymous has taken credit for using DNS poisoning to change the main DNS of cbs.com and all of its subdomains to a blank page. The IP was changed for 20 minutes, however due to the caching of DNS, the problem could last much longer.
- Dreamhost detected unauthorized activity in one of their databases, and as a result have obsoleted all ftp and shell passwords.
- Megaupload has been taken down. U.S. federal law enforcement agents have shuttered the Megaupload.com website, seized 18 domains connected to the site, and indicted seven executives and two companies. Megaupload has reportedly earned more than $175 million U.S. The servers were in Virginia, but were based outside the U.S.
- FileSonic, FileServe, and Uploaded.to all restricting their services following the shutdown of Megaupload last week.
WPS A Troubled Protocol
45:50 - 1:18:32
- WPS is a protocol that was intended to make pairing with a wifi access point easier, similar to bluetooth.
- Instead of adding technology to generate the pins (a button, etc.) they just printed the pin on a label.
- However the pins are being validated 4 digits at a time causing it to drop significantly in security from an already not very secure 8 digits.
- Steve suggested always accepting the first four to make it unable to be guessed separately, however this does not allow mutual authentication.
- The protocol requires mutual authentication. i.e. the client needs to prove it knows the routers pin and the router needs to prove it knows the pin. To prevent a rouge access point from pretending to be your router.
- All data is being sent in the clear using radio waves, so attackers can easily listen to whats being sent and modify data being sent
- How does each end prove it knows the pin without revealing it?
- It uses a hash
- It uses a hash
- The client takes the pin it knows and it appends a random blob (a nonce) (128 bits) and hashes it (a salted hash)
- This prevents rainbow table attacks on the pin
- It then sends this to the access point
- The access point does the same things, adds a nonce to the pin and hashes it, then sends it to the client.
- Each end now has the result of the other ends hash of the pin and random nonces.
- The client sends its nonce to the access point
- The access point sends its nonce to the client
- What went by in the air was:
- A hash of the pin + randomness
- The randomness
- The access point can then concatenate the pin and nonce hash it and compare it to what the client sent and the client can do the same for what the access point has sent.
- They will only be the same if the access point and client have the same pin
- Someone listening will see the output from the hash and the nonce
- They can now perform an offline attack
- 8 digits gives us 10^8 possible pins or about 26 bits of security.
- This is not strong enough
- The protocol was cut in half to attempt to provide protection against a active attacker (talking to a bad guy, not our access point)
- The attacker can now brute force the protocol
- The first two messages give all the info you need to brute force the pin
- So they chopped the pin in half
- Hash first 4 digits and send that
- Verify the first half
- Then send the second half
- There is no way to make this protocol secure
- In the worst case in a day you can get the 1st 4 digits of the pin
- The problem is the pin is static
- All the original documentation says the pin can only be used once
- The wifi alliance decided this would be too expensive to implement though, so a compromise was made to use a static pin that could be printed on the router.
- If a successful pairing is observed a bad guy can get onto your network.
- WPS can never be secure as they never used a dynamic pin
- Apple products are secure as they use a dynamic pin
- You should turn off WPS
- However, with Linksys, it is not possible to turn WPS off. The checkbox does not function.
- Ford Technology
- Ad Times: 1:08-1:25 and 6:04-12:03
- Edited by:
|This area is for use by TWiT staff only. Please do not add or edit any content within this section.|