We all know that WPA2 AES encryption is old news: it has been around for approximately eight years and has proven very effective at keeping those pesky leechers from stealing our bandwidth or infiltrating our systems. What has changed since then? Are we now vulnerable even with the latest wireless encryption?
AES was considered secure and was approved for top secret information by the NSA. Used alongside a high-security network key that isn't susceptible to brute-force attacks, our networks should be safe, right?... WRONG.
For those that are unsure, a brute-force attack is where a hacker attempts to gain access to something by trying different combinations until they find the correct one. As you can imagine, this technique is very limited by the number of passwords that can be tried per second, which varies greatly depending on the protocol they are attempting to compromise. For argument's sake, let's say a malicious user is trying to gain access to your wireless network. Assume they're using a modern GPU to crunch the numbers, meaning they will be able to try roughly 100,000 passwords per second. So if your password is 6 characters long and consists of only lowercase letters, it will take just under 52 minutes to crack.
In this example, there are 26^6 (26 x 26 x 26 x 26 x 26 x 26 = 308,915,776) possible permutations; divided by 100,000 passwords a second, that is 3089 seconds, or 51 minutes. However, if you were to use uppercase letters as well, you would increase the number of possible permutations to 52^6 (19,770,609,664). As you can see, this increases the maximum cracking time to 55 hours, which is a huge improvement over 51 minutes. Add a few more characters and some punctuation to your password and your WPA2 key becomes impossible to brute-force. So what is the problem?
In 2007 the Wi-Fi Alliance introduced WPS (Wi-Fi Protected Setup), which was designed to simplify wireless networks for average users who know little about wireless and security. The idea was to make it easy to add new devices to the network while maintaining security. Typically, devices that shipped with WPS arrived with a sticker on the back carrying an 8-digit PIN. The user would simply enter this number on the wireless device and it would connect to the network. So you could now have a 63-bit WPA2 password that is impossible to crack and only have to type an 8-digit PIN to connect. Sounds great, right?
Well... no. Something the Wi-Fi Alliance apparently overlooked is why an attacker would bother cracking a 63-bit key that can consist of numbers, uppercase, lowercase and special symbols when they can simply crack an 8-digit number that consists of just that... numbers.
So let's do the math on this. We have an 8-digit number, meaning there are 100,000,000 possible permutations, and your typical router can only handle 1 or 2 password attempts per second. Sounds relatively secure, right? It would have been if it had been implemented properly. The problem is that the PIN is transmitted in two halves. When you transmit the first four digits, if they are incorrect, the device will respond with a NACK, and the same is true for the second 4 digits. So in other words, all an attacker has to do is crack a 4-digit PIN, which is only 10,000 possible combinations. At 2 passwords a second this will take up to 83 minutes, and suddenly an attacker has your super secure 63-bit WPA2 AES key.
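As an added worked example (not code from the original post), here is the arithmetic from the two passages above in one runnable script: the keyspace calculation for the WPA2 passphrase, and a toy registrar that acknowledges each PIN half separately, which shows why the search collapses to two runs of 10,000 instead of 100,000,000. The registrar class, its response strings and the attempt rates are constructed assumptions for illustration, not a real WPS implementation.

```python
# Added example, not code from the original post. The registrar below is a
# constructed toy model of the flaw described above (each PIN half gets its
# own NACK), not a real WPS implementation.


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidate keys for an alphabet size and length (26^6, 52^6, ...)."""
    return charset_size ** length


def worst_case_minutes(candidates: int, attempts_per_second: float) -> float:
    """Worst-case time, in minutes, to exhaust a search space at a fixed attempt rate."""
    return candidates / attempts_per_second / 60


class SplitHalfRegistrar:
    """Flawed behaviour: the first four digits are confirmed on their own.

    A hardened registrar would return a single ACK/NACK for the whole PIN, so
    a wrong guess would reveal nothing about which half was wrong.
    """

    def __init__(self, pin: str) -> None:
        assert len(pin) == 8 and pin.isdigit()
        self._pin = pin
        self.attempts = 0  # number of PIN exchanges this registrar has answered

    def try_pin(self, candidate: str) -> str:
        self.attempts += 1
        if candidate[:4] != self._pin[:4]:
            return "NACK_FIRST_HALF"  # leaks that only the first half is wrong
        if candidate[4:] != self._pin[4:]:
            return "NACK_SECOND_HALF"  # first half confirmed, second half wrong
        return "ACK"


def exchanges_to_recover(reg: SplitHalfRegistrar) -> tuple[str, int]:
    """Recover the PIN using only the registrar's per-half responses.

    Returns (pin, exchanges). Because each half is confirmed independently,
    at most 10,000 + 10,000 exchanges are needed rather than 10**8.
    """
    # Step 1: find the first half; any answer other than NACK_FIRST_HALF confirms it.
    first = next(f"{i:04d}" for i in range(10_000)
                 if reg.try_pin(f"{i:04d}0000") != "NACK_FIRST_HALF")
    # Step 2: with the first half fixed, only the second half remains to search.
    for j in range(10_000):
        candidate = first + f"{j:04d}"
        if reg.try_pin(candidate) == "ACK":
            return candidate, reg.attempts
    raise RuntimeError("unreachable: some second half must match")
```

Running `exchanges_to_recover(SplitHalfRegistrar("98765432"))` returns the PIN after 15,310 exchanges, and `worst_case_minutes(10_000, 2)` gives the 83 minutes quoted above.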
You're probably thinking that this has nothing to do with WPA2, that it's a problem with WPS. You would be absolutely correct, but the problem is that the majority of routers today come with WPS enabled by default, which makes your secure WPA2 AES network worthless, and what's worse is that you can't even fully disable WPS on some routers, making them permanently vulnerable. *Cough* Linksys *Cough*