Threat Analysis of the Reaver-WPS Attack, Thompson-Gorelik, 2012
By: Andrew Thompson and Uri Gorelik
Professor: Dr. Christine Laurendeau
Course: COMP 4203
Date: April 17, 2012
This page has been intentionally left blank to make our report look larger.
Reaver is an attack designed to break into wireless networks by exploiting a security hole created by the Wi-Fi Protected Setup (WPS) protocol. While it is still very much an attack in its infancy and has yet to realize its full potential, it is still dangerous to those who have no knowledge of it. The purpose of this document is to shed light on the attack, and analyze the effectiveness and impact that it could have.
WPS is a protocol that was established by the Wi-Fi Alliance in 2007; it was designed to assist homeowners in establishing a secure wireless network. While WPS is an optional protocol that is not required to be implemented in any device, it has nonetheless become exceedingly popular, and any new router purchased on today’s market will most likely support it. WPS bypasses the need for knowledge about the various forms of security available to homeowners, and allows them to connect a wireless device to their network using one of four methods: PIN, Push Button Connect, Near Field Communication, and USB.
PIN connection involves activating the router by providing a secret 8-digit PIN which is usually printed on the router itself. This is generally done through a web or operating-system based interface (similar to entering a Wi-Fi password), or in the same way you would normally change settings on and interact with the default gateway. Once the PIN has been verified, any device or wireless card that supports WPS simply needs to be activated as well, and the router will share the password with the device, allowing the device to connect at will. This connection type is mandatory if a product chooses to support WPS at all.
Push Button Connect is very similar except instead of feeding the router a PIN, a physical button generally on the side of the router needs to be pressed. This once again activates the router and allows any other device to connect to it. NFC and USB connections also exist, but are not relevant to the attack in question.
Reaver works by exploiting the PIN-Connection method of WPS, as a number of flaws in the protocol have been revealed. Since the PIN-Connection method is mandatory in WPS devices, it stands to reason that any WPS device can be brute forced in 10^8 attempts. If a WPS device can stand being queried once every 2 seconds, as an example, this would take roughly 2315 days to brute force, which doesn’t pose a reasonable threat. This can be reduced to 10^7 attempts as the last digit is a checksum of the previous seven digits, resulting in 231 days instead.
However, the WPS protocol has a serious flaw: it provides feedback on the correctness of the PIN, allowing an attack like Reaver to reduce the crack time significantly. The access point (router) reveals when the device performing the attack has guessed the first 4 digits of the PIN by replying with a different message. This effectively reduces the attack from 10^7 to 10^4 + 10^3, or 11,000, attempts. This makes the running time of this attack (given a single query is processed every 2 seconds) in the range of 6 hours in the worst case, and 3 hours on average.
This is all based on a rate of 2 seconds per PIN; in reality, however, it varies vastly from router to router. Some routers have a built-in lockout period where, after a set number of attempts, the router locks down WPS completely (in some cases for up to an hour).
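To make the arithmetic above reproducible, here is an added Python example that is not part of the original report. It implements the check-digit rule the WPS specification defines for the eighth PIN digit, computes the attempt counts for each of the three models the report walks through (10^8, 10^7, and 10^4 + 10^3), and estimates the time at a given per-attempt rate. The lockout model (lock WPS for T seconds after every N failures) is an assumption added here to show how the lockout behaviour discussed later in the report changes the estimate; its parameters are illustrative, not measured.

```python
"""Added example: WPS PIN keyspace and brute-force time estimates.

Not part of the original report. The check-digit rule is the one the
WPS specification defines for the 8th PIN digit; the attempt counts
reproduce the report's 10^8 / 10^7 / 10^4 + 10^3 reasoning, and the
lockout model is an assumption used to illustrate the effect of a
"lock WPS after N failures for T seconds" policy.
"""


def wps_checksum(first7: str) -> int:
    """Check digit for a 7-digit WPS PIN prefix.

    Digits in odd positions (1st, 3rd, 5th, 7th) are weighted 3, digits
    in even positions are weighted 1, and the check digit makes the
    weighted sum a multiple of 10.
    """
    if len(first7) != 7 or not first7.isdigit():
        raise ValueError("expected exactly seven decimal digits")
    weighted = sum((3 if i % 2 == 0 else 1) * int(d) for i, d in enumerate(first7))
    return (10 - weighted % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    """True when an 8-digit PIN carries the correct check digit."""
    return len(pin) == 8 and pin.isdigit() and int(pin[7]) == wps_checksum(pin[:7])


def keyspace_sizes() -> dict:
    """Guesses needed, worst case, under each model the report discusses."""
    return {
        "naive": 10 ** 8,                   # any 8-digit string
        "checksum": 10 ** 7,                # 8th digit is determined by the first 7
        "split_halves": 10 ** 4 + 10 ** 3,  # AP confirms the first 4 digits on their own
    }


def worst_case_days(attempts: int, seconds_per_attempt: float) -> float:
    """Days to exhaust `attempts` guesses at a fixed rate, no lockout."""
    return attempts * seconds_per_attempt / 86400


def worst_case_hours(attempts: int, seconds_per_attempt: float) -> float:
    """Hours to exhaust `attempts` guesses at a fixed rate, no lockout."""
    return attempts * seconds_per_attempt / 3600


def time_with_lockout(attempts: int, seconds_per_attempt: float,
                      attempts_before_lock: int, lock_seconds: float) -> float:
    """Seconds to make `attempts` guesses when the AP suspends WPS for
    `lock_seconds` after every `attempts_before_lock` failures.
    attempts_before_lock == 0 models an AP with no lockout at all."""
    guessing = attempts * seconds_per_attempt
    if attempts_before_lock <= 0:
        return guessing
    locks = (attempts - 1) // attempts_before_lock  # lockouts hit before the last guess
    return guessing + locks * lock_seconds


if __name__ == "__main__":
    sizes = keyspace_sizes()
    print("check digit for 1234567:", wps_checksum("1234567"))
    for name, n in sizes.items():
        print(f"{name:13s} {n:>10d} guesses -> {worst_case_days(n, 2):8.1f} days at 2 s/guess")
    secs = time_with_lockout(sizes["split_halves"], 1.3, 10, 3600)
    print(f"split halves, 1.3 s/guess, 1 h lock every 10 failures: {secs / 86400:.1f} days")
```

Running the block prints the 2315-day, 231-day and 0.25-day (about 6 hour) worst cases from the text; the last line shows that an hour-long lockout after every ten failures stretches the 11,000-guess worst case to well over a month even at the report's best observed rate of 1.3 seconds per PIN.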
We will determine the extent to which this threat is prevalent. This includes the number of actual networks that are vulnerable to this attack, including both homeowners and businesses, as well as the vulnerability of various manufacturers of routers.
We found that around 17% were vulnerable to a Reaver attack, and around 18% of those were proven to be vulnerable. We were able to discover 4 of 90 routers that use a default pin. It was found that almost all routers available to consumers have WPS enabled by default. Routers from manufacturer Cisco-Valet could not disable WPS.
In this section we focus on the broad range of the threat and the number of networks that can be affected. We will analyze the number of networks available, the number vulnerable to a Reaver attack, and their corresponding manufacturers (i.e. D-Link, Cisco, TP-Link, Netgear, etc.).
To determine the saturation of networks that are vulnerable to Reaver attack, we use wardriving in combination with Kismet and a utility called Wash to determine the number of available networks and their respective manufacturers.
Kismet is a tool used to track wireless networks and to sniff packets; it reveals information such as the types of clients connected to a network and the manufacturer of the access point. It can be configured to work with GPS to track the location of the target signal.
Wash is a tool used hand in hand with the Reaver attack; it sends a probe out to all nearby networks requesting a WPS connection. Any network that responds is therefore vulnerable to the attack, though the exact extent of that vulnerability will not yet be known.
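The survey figures reported in the next section come from combining the list of every access point seen (Kismet) with the subset that answered a WPS probe (Wash) and grouping by manufacturer. Here is an added Python example, not part of the original report, of that tallying step. The wash output is a constructed sample laid out in the columns wash prints (BSSID, Channel, RSSI, WPS Version, WPS Locked, ESSID); the BSSIDs are locally administered addresses and the OUI-to-vendor table is a placeholder for the IEEE OUI registry a real survey would consult. The `min_sightings` cutoff mirrors the report's choice to omit manufacturers with fewer than ten sightings.

```python
"""Added example: tallying a Wash/Kismet wardriving survey by vendor.

Not part of the original report. SAMPLE_WASH and SAMPLE_ALL_BSSIDS are
constructed; OUI_TO_VENDOR is a placeholder for the IEEE OUI registry.
"""
import re
from collections import Counter

# Constructed wash output in wash's column layout; no network here is real.
SAMPLE_WASH = """\
BSSID                  Channel  RSSI  WPS Version  WPS Locked  ESSID
---------------------------------------------------------------------
02:A1:00:00:00:01      6        -55   1.0          No          homenet-1
02:A1:00:00:00:02      11       -70   1.0          Yes         homenet-2
02:B2:00:00:00:03      1        -62   1.0          No          shop wifi
02:C3:00:00:00:04      6        -80   1.0          No          homenet-3
02:A1:00:00:00:05      6        -58   1.0          No          homenet-4
"""

# Every access point the survey logged (the Kismet side), constructed.
SAMPLE_ALL_BSSIDS = [
    "02:A1:00:00:00:01", "02:A1:00:00:00:02", "02:A1:00:00:00:05",
    "02:A1:00:00:00:06", "02:B2:00:00:00:03", "02:B2:00:00:00:07",
    "02:C3:00:00:00:04", "02:C3:00:00:00:08", "02:D4:00:00:00:09",
    "02:D4:00:00:00:0A",
]

# Placeholder OUI table (constructed); swap in the IEEE OUI registry.
OUI_TO_VENDOR = {"02:A1:00": "VendorA", "02:B2:00": "VendorB",
                 "02:C3:00": "VendorC", "02:D4:00": "VendorD"}

WASH_LINE = re.compile(
    r"^(?P<bssid>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+(?P<channel>\d+)\s+"
    r"(?P<rssi>-?\d+)\s+(?P<version>\S+)\s+(?P<locked>Yes|No)\s+(?P<essid>.*)$")


def vendor_of(bssid: str) -> str:
    """Vendor from the first three octets (the OUI) of a BSSID."""
    return OUI_TO_VENDOR.get(bssid[:8].upper(), "Unknown")


def parse_wash(text: str) -> list:
    """Turn wash's table into records; header and separator lines are skipped."""
    records = []
    for line in text.splitlines():
        m = WASH_LINE.match(line.strip())
        if not m:
            continue
        records.append({
            "bssid": m.group("bssid").upper(),
            "channel": int(m.group("channel")),
            "rssi": int(m.group("rssi")),
            "version": m.group("version"),
            "locked": m.group("locked") == "Yes",
            "essid": m.group("essid").strip(),
            "vendor": vendor_of(m.group("bssid")),
        })
    return records


def summarize(all_bssids, wash_records, min_sightings=1) -> dict:
    """Survey totals plus a per-vendor breakdown, omitting vendors seen
    fewer than `min_sightings` times (the report used a cutoff of ten)."""
    seen = {b.upper() for b in all_bssids}
    responding = [r for r in wash_records if r["bssid"] in seen]
    exposed = [r for r in responding if not r["locked"]]  # answers WPS and is not locked
    by_vendor = Counter(vendor_of(b) for b in seen)
    exposed_by_vendor = Counter(r["vendor"] for r in exposed)
    per_vendor = {v: {"seen": n, "wps_unlocked": exposed_by_vendor.get(v, 0)}
                  for v, n in by_vendor.items() if n >= min_sightings}
    total = len(seen)
    return {
        "networks": total,
        "wps_responding": len(responding),
        "wps_unlocked": len(exposed),
        "percent_unlocked": round(100 * len(exposed) / total, 1) if total else 0.0,
        "per_vendor": per_vendor,
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_ALL_BSSIDS, parse_wash(SAMPLE_WASH), min_sightings=2))
```

The summary separates "answered the WPS probe" from "answered and is not already locked", which is the distinction the report's own results later turn on: only a fraction of the networks Wash flags end up being attackable in practice.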
To analyze hardware we browsed every single wireless router sold at big box stores such as Future Shop, Best Buy, and Staples. We then compared each of the routers to their product specification document (provided by the manufacturer) to find out whether or not the router does indeed support WPS.
This section contains the routes corresponding to the presented data.
During our suburban wardriving, we were able to find 2629 networks from a range of manufacturers. Figure 126.96.36.199 shows the density of particular manufacturers in the area (manufacturers with fewer than ten sightings have been omitted). Of those 2629 networks it was found that 470 (17.9%) had some kind of verifiable vulnerability via the WPS exploit (Figure 188.8.131.52).
Figure 184.108.40.206 depicts which manufacturers have some kind of WPS protocol in place. As is shown, the manufacturers Cisco and D-Link are the most susceptible to the Reaver attack. It is also interesting to note that SmcNetwo and 2wire (which are Rogers’ and Bell Canada’s respective modem-router combos) show no initial signs of WPS vulnerability. However, a modem-router combo is usually coupled with a dedicated router.
Figure 220.127.116.11: Percentage of vulnerable networks in a suburban area.
During our urban wardriving, we were able to find 300 networks from a range of manufacturers. Figure 18.104.22.168 shows the density of particular manufacturers in the area (manufacturers with fewer than ten sightings have been omitted). Of those 300 networks it was found that 50 (16.7%) had some kind of verifiable vulnerability via the WPS exploit (Figure 22.214.171.124).
Figure 126.96.36.199 depicts which manufacturers have some kind of WPS protocol in place. As in the suburban area, the manufacturers Cisco and D-Link are the most susceptible to the Reaver attack.
During our commercial area wardriving, we were able to find 1528 networks from a range of manufacturers. Figure 188.8.131.52 shows the density of particular manufacturers in the area (manufacturers with fewer than ten sightings have been omitted). Of those 1528 networks it was found that 128 (8.4%) had some kind of verifiable vulnerability via the WPS exploit (Figure 184.108.40.206).
Figure 220.127.116.11 depicts which manufacturers have some kind of WPS protocol in place. Note that the number of WPS-vulnerable routers is significantly lower than in the suburban and urban areas. This implies that most businesses should not have to worry about a Reaver threat.
The number of routers that were determined to have WPS enabled was exceedingly high. Essentially every single home router offered today, regardless of price, was determined to have WPS enabled by default. The only routers that were determined to not have WPS enabled were specifically business class routers, of which there are few available at these kinds of stores. The other notable find in terms of hardware was that every older modem/router combo from 2Wire, which is provided by Bell Canada, does not support WPS. As there are a number of networks located in Ottawa that are established by Bell Canada, this accounts for a large number of networks that are not even remotely vulnerable.
In the following tables we have categorized the routers sold at Best Buy and Future Shop. Routers highlighted in light green are guaranteed to be secure against the WPS exploit with no additional configuration.

Netgear
  Netgear N450/450 Wireless N Router WNDR4500
  Netgear N750 Wireless Dual Band Gigabit Router
  Netgear N600 Wireless Dual Band Gigabit Router
  Netgear Rangemax Wireless Router WNR1000
  Netgear Wireless Router (WNDR3700-100NAS)
  Netgear Wireless-N Router (WNR2000-100NAS)
  Netgear N600 Wireless Gigabit Router (WNDR3800-100NAS)
  NETGEAR RangeMax Dual Band Wireless N Router (WNDR3700-100PAS)
  Netgear Wireless-N Gigabit Router (WNR3500L-100PAS)
  Netgear Wireless N Router (WNR2000-200PAS)

Linksys / Cisco
  Linksys Wireless N Router (E1200-CA)
  Linksys Wireless N Dual-Band N900 Router
  Linksys Wireless N Router (E1500-CA)
  Linksys Wireless 802.11n Router (E2500-CA)
  Cisco Valet Plus Wireless N Router (M20-CA)
  Linksys Dual-Band Wireless N Router (EA3500-CA)
  Linksys Wireless N Dual-Band N900 Router (E4200V2-CA)
  Linksys Wireless 802.11n Router (E2500-CA)

TP-Link
  TP-Link Wireless N 300 Router
  TP Link Wireless N Router (TL-WR841ND)
  TP Link Wireless N Router (TD-W8960N)
  TP Link Wireless N Router (TL-WR741ND)
  TP Link Wireless N Router (TL-WR1043ND)
  TP Link Wireless N Router (TL-WR941ND)
  TP-Link Wireless N 300 Router (TL-WR841N)
  TP Link Wireless N Router (TL-WR740N)

D-Link
  D-Link Amplifi Dual Band Wireless N900 HD Media Router 3000 (DIR-857)
  D-Link 3G Mobile Wireless Router
  D-Link Wireless N Pocket Router
  D-Link Amplifi Dual Band Wireless N600
  D-Link Amplifi Wireless N300 Whole Home Router 1000 (DIR-645)
  D-Link Dual Band Wireless N600 Router (DIR-815)
  D-Link Wireless 802.11n 8-Port Router (DIR-632)
  D-Link Xtreme Dual Band Wireless N600 Gigabit Router (DIR-825)
  D-Link Xtreme Wireless N300 Gigabit Router (DIR-655)
  D-Link Wireless N300 Router (DIR-615)
  D-Link Wireless N150 Router (DIR-601)
  D-Link Amplifi Dual Band Wireless N600 HD Media Router 2000 (DIR-827)

Other manufacturers
  Asus Dual-Band Wireless-N Router (RT-N56U)
  Asus Wireless-N Router / All-in-1 Print Server (RT-N13U/B1)
  TRENDnet Wireless N 300 Router Travel Kit
  Retail Plus Wireless N Router (RP-NPWL-NRTR)
  Belkin Basic Wireless N Router (F7D1301TT)
  Belkin N300 Wireless N Router (F9K1002TT)
  Belkin Dual Band Wireless N Router (N750)
  Apple AirPort Extreme Base Station
  Apple AirPort Express (MB321AM-A)
  Buffalo Wireless Router (WZR-HP-AG300H)
It is interesting to note that the NETGEAR WNDAP350 router is secure because it is listed as a business class router, where WPS was determined to be unnecessary. Also, the Apple AirPort Express uses a different, Apple proprietary version of WPS on that specific router. It is also worth noting that, recently, Netgear has developed a firmware patch that allows users to disable the WPS PIN method specifically, and leaves the WPS Push-Button-Connect method intact. Since the only vulnerability to WPS has been found in the pin method, this currently leaves the router secure against the Reaver attack.
This section focuses on an attack made on an individual network as opposed to sweeping an area to scan for vulnerabilities. We will look at the kinds of pins that are most common and go into the specifics behind the attack and how it works.
Tests were run using a 32-bit distribution of BackTrack 5 R2, booted directly from the disc. The hardware we employed was an Asus G73Jh with an Atheros AR9285 802.11n wireless card and a mid-2010 MacBook Pro with an AirPort Extreme 802.11n wireless card. We ran various tests on nearby networks using our modified version of Reaver. The tests were run from inside a car, inside the house from which the network is broadcast, or inside a nearby home.
M1: Beacon broadcast by the access point (AP).
M2: Request message sent from a new client to the access point to initiate communication.
M3: Recognition message sent from the AP to the client.
M4: The WPS PIN, most importantly the first half of the PIN.
M5: Recognition of the first half of the PIN.
M6: The entire WPS PIN.
M7: Acknowledgement of the PIN and the full password in clear text.
To understand how Reaver works at a low level, you must first understand how a client and router communicate with and see each other. Before any communication is established, the router is broadcasting M1, which contains a description of the network and the network’s public key. A client that wishes to communicate with the router can then send M2, which contains various information about the client as well as its own public key. This results in a Diffie-Hellman key exchange, and the router replies with M3 to say that the client is recognized.
The client may then submit M4, which contains the first 4 digits of the PIN. If the first 4 digits are incorrect then the access point replies with a NACK (negative acknowledgement) message. This results in the client incrementing the first half of the PIN and repeating the process from the beginning. If the first 4 digits are correct, however, then the access point replies with M5, clearing the client to continue. The client then sends M6, which contains the first and second half of the PIN.
If the pin is incorrect then the AP replies with another NACK and the client repeats the process, using the first half of the pin over again. If the pin is correct however, the access point replies with the password itself. For the purpose of this report, we have modified the original Reaver code to not display the password but to simply tell us that it did indeed find it after it receives an M7 message.
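The message sequence above is also what makes a Reaver run visible from the access point's side: a legitimate enrolment produces one pass through M2 to M7, whereas a PIN search produces a long run of M4 followed by NACK from the same client, and later M6 followed by NACK once the first half has been accepted. The following added Python example, not part of the original report, replays a constructed log of exchanges labelled with the report's M1 to M7 and NACK names and flags any client whose failed attempts pile up inside a time window. The thresholds and timings are assumptions chosen for illustration; a real deployment would read the messages from the AP's WPS log or a capture and tune the window to what normal enrolments look like on that network.

```python
"""Added example: spotting a WPS PIN search from the message sequence.

Not part of the original report. Events are (seconds since capture
start, client MAC, message) using the report's labels M1..M7 and
NACK. The sample log and the thresholds are constructed assumptions.
"""
from collections import defaultdict, deque


def _constructed_log():
    """Build the sample: one normal enrolment and one client looping M4/NACK."""
    legit = "02:00:00:00:00:01"
    noisy = "02:00:00:00:00:99"
    events = [(t, legit, m) for t, m in enumerate(["M2", "M3", "M4", "M5", "M6", "M7"])]
    # First-half guessing: each M4 answered by a NACK, two seconds apart.
    for i in range(8):
        events.append((10 + 2 * i, noisy, "M4"))
        events.append((11 + 2 * i, noisy, "NACK"))
    # First half accepted (M5), second half still wrong (M6 -> NACK).
    events += [(30, noisy, "M4"), (31, noisy, "M5"), (32, noisy, "M6"), (33, noisy, "NACK")]
    return events


SAMPLE_EXCHANGES = _constructed_log()


def analyze_wps_exchanges(events, window_seconds=60, max_failures=5):
    """Per client: failed PIN attempts (a NACK right after M4 or M6), the
    densest run of failures inside one window, whether the AP ever
    confirmed a first half (failure came after M6), and a flag raised
    when the densest run reaches max_failures."""
    last_msg = {}
    failures = defaultdict(list)      # client -> times of NACKs after M4/M6
    second_half = defaultdict(bool)   # client -> AP confirmed the first half
    for t, client, msg in sorted(events, key=lambda e: e[0]):
        if msg == "NACK" and last_msg.get(client) in ("M4", "M6"):
            failures[client].append(t)
            if last_msg[client] == "M6":
                second_half[client] = True
        last_msg[client] = msg

    report = {}
    for client in {c for _, c, _ in events}:
        peak, window = 0, deque()
        for t in failures[client]:          # sliding window over failure times
            window.append(t)
            while t - window[0] > window_seconds:
                window.popleft()
            peak = max(peak, len(window))
        report[client] = {
            "failures": len(failures[client]),
            "peak_failures_in_window": peak,
            "second_half_reached": second_half[client],
            "flagged": peak >= max_failures,
        }
    return report


if __name__ == "__main__":
    for client, info in sorted(analyze_wps_exchanges(SAMPLE_EXCHANGES).items()):
        print(client, info)
```

The `second_half_reached` field is worth surfacing separately: a client that has moved on to M6/NACK cycles has already had its first half confirmed, so the remaining search is at most 1,000 guesses and the alert deserves a higher severity than a client still cycling on M4. Compared with the network slowdown the report mentions as a symptom, counting NACKs per client is a far more specific indicator.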
After sampling 494 networks in a suburban area, we created a pool of approximately 90 networks that were flagged by Wash as having a vulnerability. Of those 90 networks we found that 17 were actually vulnerable, and had our goal been to break into those networks, we would have been able to.
This was surprising compared to our initial prediction that any network flagged by Wash as vulnerable should be prone to an attack. Also, of the networks highlighted by Wash, no business networks that we found were vulnerable to the attack. We are unsure of the specific cause of why these networks were not vulnerable in practice, though it could be attributed to the hardware we were using or the effectiveness of the attack. Based on the theory behind the attack, these networks should be vulnerable, and given time and the right hardware it is likely this attack will become more efficient and some of these networks will become vulnerable in practice as well.
Cracking a network using the Reaver attack takes much longer than one would imagine. Distance plays a huge part, and if the client and router are not relatively close, at least in our hardware attempts, it can take upwards of 60 seconds per PIN. During our best attempts, we reached a PIN-check time of 1.3 seconds, and the network was cracked in close to 4 hours. Figure 18.104.22.168 depicts a successful Reaver attack, using the basic Reaver code-base with no modifications (this network was a network we created for the purposes of this report).
It is also worth noting that many routers use a lockout period after a certain number of failed attempts. In some cases we found this lockout period could last up to an hour, making any attempt to brute force the network via Reaver practically impossible. In one specific case we found that the network locked down for up to an hour after ten PIN attempts.
Of the 17 networks we were able to narrow down, four networks were using common pins and the network was broken in under ten seconds. Another seven had no lockout period and would have broken within a day. Three other networks had a short lockout period of approximately 2-5 minutes and three more had a longer lock out period of over 30 minutes which would have taken upwards of a year to complete.
In our sample size, 12345670 was the most common pin, and as this is the pin that is tried first it only takes approximately five seconds to break into the network. Iterating through the list of default pins would take around three minutes, given that the router had no lockout period. If a router uses a default pin its crack time is reduced from O(n) to O(1).
Table 22.214.171.124 is an example of some of the common pins that Reaver attempts before resorting to brute-force. (X is the calculated checksum).
The best solution would be to disable WPS when it is not needed, and only activate it when it is required to connect a WPS device to your network. A less effective but still viable solution would be to change the router’s default PIN and to repeat this on a regular basis. Changing the access point’s password alone will not deter penetration, because the WPS protocol reveals the network’s PSK in plain text: once the PIN is known it can be reused to obtain the current password repeatedly and instantly.
On Cisco-Valet routers it is impossible to disable WPS, and in these situations the latter solution of regularly changing PINs is recommended. If a user finds themselves in possession of one of these routers, it is recommended to regularly check with Cisco for status updates on a potential firmware update.
In addition to disabling WPS, or if one is unable to do so, it is recommended to check for a firmware update from the manufacturer. In the case of Netgear routers, a firmware update has been provided that allows users to disable the PIN portion of the WPS protocol while keeping the PBC method active.
It is also possible to know when you are being attacked by someone using the Reaver attack as the network will begin to slow down fairly significantly. Users on said network will most likely experience drops, and poor latency. It is very similar to a minor denial of service attack. While there are many problems that cause these symptoms, this is one thing to look out for.
Given the number of routers that are supposedly sold with WPS enabled, the approximately 18% saturation rate of vulnerable networks was surprising. More surprising still was the lower percentage of networks that were vulnerable in practice. While this may be attributable to other causes such as poor hardware choices and an immature attack, the results we can take away from this are strictly a lower bound. It may be possible that, given time, 100% of networks registered by Wash will be vulnerable to the attack. If this became true, then 18% of all networks, based on our sample size, would essentially be insecure.
The Reaver attack is currently in its infancy and has not yet realized its full potential. Currently there are routers with WPS enabled that are nonetheless uncrackable with current technology. The Reaver code-base is spearheaded by Tactical Network Solutions, who were kind enough to release their source code and are still hard at work correcting the issues and bugs their community reports to them. It is therefore reasonable to believe that this attack will, at least, be able to affect more people given time. As such, this issue should be watched and re-evaluated as trends change and the technology behind the attack improves.
Except in rare occurrences, this attack is easily preventable by simply changing a single setting located in any router supporting WPS. If WPS is disabled on the router / access point, the attack is not possible. With this in mind, the best defense against this attack is knowledge, and the attack’s greatest asset is ignorance. The more individuals that are informed about this attack, the weaker it becomes. The more publicity it receives, the less prevalent it will be.
While the attack in its current state isn’t as effective as it could be, the more people that become aware of it, the weaker it will be when it reaches maturity. Even without widespread knowledge of the attack, as time goes on manufacturers will correct the issue by omitting the WPS PIN method or shipping routers with WPS disabled by default. It is likely that a WPS “version 2.0” could also be released which would correct the flaws in the current design. If knowledge of this attack spreads, this exploit should eventually cease to exist. However, if this attack goes unnoticed and manufacturers pay no attention to it, then it could become a dangerous threat. How people end up treating this attack will ultimately determine how much of an impact it will eventually have.
Wardriving: a technique used to collect information on wireless access points. An antenna is usually kept in some kind of vehicle and nearby access points are monitored or logged.