A week ago Stefan, a researcher from the .braindump blog, released a white paper detailing how to brute force WPS (Wi-Fi Protected Setup), pretty much rendering WPS completely broken. The really scary part is that with a recovered WPS pin, the attacker can then use it to brute force the WPA / WPA2 key. The team at Tactical Network Solutions have been perfecting this. They have released a tool called ‘reaver’ which is capable of recovering WPA / WPA2 keys using the WPS attack within 4 to 10 hours.

The main issue with the WPS pin structure is that the EAP responses are broken into two halves, allowing an attacker to derive the correctness of each half separately from the AP's responses. In fact it comes down to around 11,000 attempts, which has been proven to take around 2-5 seconds to crack the WPS pin.
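To see why checking the halves separately matters, here is an added example (not code from this post or from the Reaver project) that models a verifier which reports each half on its own next to one that only accepts or rejects the whole PIN, and counts the guesses each exposes. The checksum rule for the 8th digit is the one the WPS specification uses; the model verifier functions are assumptions for illustration only.

```python
# Added example, not from the original post or the Reaver project.
# Models why a verifier that reports the first and second halves of an
# 8-digit PIN separately collapses the search space from 10^7 to ~11,000.
# The checksum rule below is the WPS specification's rule for the 8th digit.

def wps_checksum_digit(first_seven: str) -> int:
    """Return the 8th WPS PIN digit (a checksum) for seven leading digits."""
    if len(first_seven) != 7 or not first_seven.isdigit():
        raise ValueError("expected exactly seven decimal digits")
    acc = 0
    for i, ch in enumerate(first_seven):
        # Digits in positions 1, 3, 5, 7 are weighted 3; the others 1.
        acc += 3 * int(ch) if i % 2 == 0 else int(ch)
    return (10 - acc % 10) % 10

def is_valid_wps_pin(pin: str) -> bool:
    """True when the PIN is 8 digits and its last digit matches the checksum."""
    return len(pin) == 8 and pin.isdigit() and int(pin[7]) == wps_checksum_digit(pin[:7])

def worst_case_attempts(split_halves: bool) -> int:
    """Upper bound on guesses a verifier exposes before the PIN is known."""
    if split_halves:
        return 10 ** 4 + 10 ** 3   # first half, then 3 free digits of the second
    return 10 ** 7                 # whole PIN, with the checksum digit fixed

def attempts_to_recover(secret: str, split_halves: bool) -> int:
    """Count guesses against a local model verifier until it accepts `secret`."""
    if not is_valid_wps_pin(secret):
        raise ValueError("secret is not a well-formed WPS PIN")
    guesses = 0
    if not split_halves:
        # Monolithic verifier: only the full 8-digit PIN is accepted or rejected.
        for n in range(10 ** 7):
            guesses += 1
            body = f"{n:07d}"
            if body + str(wps_checksum_digit(body)) == secret:
                return guesses
        raise RuntimeError("model verifier never accepted the PIN")
    # Leaky verifier: it reports whether the first 4 digits are right before
    # ever looking at the second half, so each half is searched independently.
    for a in range(10 ** 4):
        guesses += 1
        if f"{a:04d}" == secret[:4]:
            break
    for b in range(10 ** 3):
        guesses += 1
        body = secret[:4] + f"{b:03d}"
        if body + str(wps_checksum_digit(body)) == secret:
            return guesses
    raise RuntimeError("model verifier never accepted the PIN")
```

For the widely seen default PIN 12345670 the leaky model accepts after 1,803 guesses, against a ceiling of 11,000; the monolithic model's ceiling is 10,000,000.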

Time to disable WPS, if you haven’t already 🙂

Wi-Fi Protected Setup – When poor design meets poor implementation

TNS – Reaver tool