Threat Analysis of the Reaver-WPS Attack, Thompson-Gorelik, 2012

Threat Analysis of the

Reaver-WPS Attack

By: Andrew Thompson and Uri Gorelik

Professor: Dr. Christine Laurendeau

Course: COMP 4203

Date: April 17, 2012



1. Introduction

1.1 Background

1.1.1 WPS

1.1.2 Reaver

1.2 Definition of the Problem

1.3 Summary of Findings

2. Surveying the Threat

2.1 Methodology

2.1.1 Analyzing Networks

Figure 2.1.1.1: Example of Kismet running

Figure 2.1.1.2: Example of Wash

2.1.2 Analyzing Hardware

2.2 Routes and Areas

2.2.1 Urban Area

Figure 2.2.1.1 Downtown Ottawa

2.2.2 Suburban Areas

Figure 2.2.2.1 Kanata Suburbs

Figure 2.2.2.2 Merivale Suburbs

Figure 2.2.2.3 Meadowlands Suburb

2.2.3 Commercial Areas

Figure 2.2.3.1 Hazledean Road

Figure 2.2.3.2 Centrum Plaza

Figure 2.2.3.3 Kanata Tech Sector

2.3 Interpreting the Results

2.3.1 Suburban Area Results

Figure 2.3.1.1: The total number of manufacturers found in a suburban area

Figure 2.3.1.2: Vulnerability of WPS attack vs. Manufacturer in a suburban area

Figure 2.3.1.3: Percentage of vulnerable networks in a suburban area

2.3.2 Urban Area Results

Figure 2.3.2.1: The total number of manufacturers found in an urban area

Figure 2.3.2.2: Vulnerability of WPS attack vs. Manufacturer in an urban area

Figure 2.3.2.3: Percentage of vulnerable networks in an urban area

2.3.3 Commercial Area Results

Figure 2.3.3.1 Router Saturation

Figure 2.3.3.2: Vulnerability of WPS attack vs. Manufacturer in a commercial area

Figure 2.3.3.3: Percentage of vulnerable networks in a commercial area

2.4 Hardware Results

Table 2.4.1 Most Common Manufacturers

Table 2.4.2 Less Common Manufacturers

3. Analyzing the Threat

3.1 Methodology

Figure 3.1.1 Reaver attack in Progress

3.2 Reaver Attack Specifics

Table 3.2.1 Reaver Messages

3.3 Reaver Attack Results

3.3.1 Cracking Time

Figure 3.3.1.1 Successful Reaver Attack

3.3.2 Common Pins

Table 3.3.2.1: Common Pin Table

3.3.3 Deterring the Attack

4. Final Results

4.1 Overall Results

4.2 Further Research

4.3 Final Thoughts

5. References


1. Introduction

1.1 Background

Reaver is a tool that breaks into wireless networks by exploiting a design flaw in the Wi-Fi Protected Setup (WPS) protocol. While the attack is still very much in its infancy and has yet to realize its full potential, it is already dangerous to anyone who is unaware of it. The purpose of this document is to shed light on the attack and to analyze its effectiveness and the impact it could have.

1.1.1 WPS

WPS is a protocol established by the Wi-Fi Alliance in 2007 to help homeowners set up a secure wireless network without having to understand the various forms of security available to them. WPS is optional and no device is required to implement it, but it has nonetheless become exceedingly popular, and almost any new router on today's market supports it. It allows a wireless device to be joined to the network using one of four methods: PIN, Push Button Connect (PBC), Near Field Communication (NFC), and USB.

        The PIN method involves providing a secret 8-digit PIN, which is usually printed on a label on the router itself. This is generally done through a web or operating-system interface (similar to entering a Wi-Fi password), or in the same place one would normally change settings on the default gateway. Once the PIN has been verified, any WPS-capable device or wireless card simply needs to be activated as well, and the router shares the network password with it, allowing the device to connect at will. The PIN method is mandatory for any product that supports WPS at all. Because the PIN is fixed for the life of the device and is verified by the router over the air, anyone in radio range can attempt to guess it; this is the mode that Reaver targets.

        Push Button Connect is very similar, except that instead of feeding the router a PIN, a physical button (generally on the side of the router) is pressed. This again activates the router and allows any other device to connect to it for a short window. NFC and USB methods also exist, but are not relevant to the attack in question.

1.1.2 Reaver        

Reaver works by exploiting the PIN method of WPS, in which a number of flaws have been revealed. Since the PIN method is mandatory in WPS devices, it follows that any WPS device can in principle be brute forced in 10^8 attempts. If a WPS device can be queried once every 2 seconds, for example, this would take roughly 2315 days, which does not pose a reasonable threat. The space shrinks to 10^7 attempts because the last digit is a checksum of the previous seven digits, giving roughly 231 days instead.

        However, the WPS protocol has a serious flaw: it provides feedback on the correctness of each half of the PIN separately, allowing an attack like Reaver to cut the crack time dramatically (Viehböck, 2011). The access point (router) reveals when the attacker has guessed the first 4 digits of the PIN by replying with a different message (M5 instead of a negative acknowledgement, see section 3.2). Once the first half is known, only the next three digits remain unknown, as the eighth is the checksum. This reduces the attack from 10^7 to 10^4 + 10^3, or 11,000, attempts. At one query every 2 seconds, the running time of the attack is in the range of 6 hours in the worst case and about 3 hours on average.

        All of this is based on a rate of 2 seconds per PIN; in reality the rate varies vastly from router to router. Some routers have a built-in lockout period: after a set number of failed attempts the router disables WPS completely, in some cases for up to an hour.

1.2 Definition of the Problem

We will determine how prevalent this threat is. This includes the number of actual networks vulnerable to the attack, covering both homeowners and businesses, as well as the vulnerability of routers from the various manufacturers.

1.3 Summary of Findings

We found that around 17% of the networks we surveyed advertised WPS and were therefore candidates for a Reaver attack, and roughly 19% of the candidates we tested (17 of 90) proved vulnerable in practice. We discovered that 4 of those 90 routers used a default PIN. Almost all routers available to consumers have WPS enabled by default, and WPS could not be disabled at all on Cisco Valet routers.

2. Surveying the Threat

In this section we focus on the breadth of the threat and the number of networks that could be affected. We analyze the number of networks present, the number that advertise WPS and are therefore candidates for a Reaver attack, and their corresponding manufacturers (D-Link, Cisco, TP-Link, Netgear, etc.).

2.1 Methodology

2.1.1 Analyzing Networks

To determine the density of networks vulnerable to the Reaver attack, we used wardriving[1] in combination with Kismet and a utility called Wash to determine the number of available networks, which of them advertised WPS, and their respective manufacturers.

Figure 2.1.1.1: Example of Kismet running

Kismet is a tool used to discover wireless networks and sniff packets. It reveals information such as the types of clients connected to a network and the manufacturer of the access point (derived from the OUI of its MAC address), and it can be configured to work with a GPS receiver to record the location of each signal.

Figure 2.1.1.2: Example of Wash

Wash is a tool used hand in hand with Reaver. In its default survey mode it passively listens for the beacon and probe-response frames that access points send and reports every access point whose frames carry the WPS information element, together with its WPS version and whether the access point reports WPS as locked; it can also send probe requests actively. Any network that appears in Wash is a candidate for the attack, though the exact extent of its vulnerability (lockout behaviour, rate of response) is not known until the attack is tried.

2.1.2 Analyzing Hardware

To analyze hardware we examined every wireless router sold at big-box stores such as Future Shop, Best Buy, and Staples. We then compared each router to its product specification document (provided by the manufacturer) to find out whether or not the router supports WPS.


2.2 Routes and Areas

This section contains the routes corresponding to the presented data.

2.2.1 Urban Area

Figure 2.2.1.1 Downtown Ottawa

2.2.2 Suburban Areas

Figure 2.2.2.1 Kanata Suburbs

Figure 2.2.2.2 Merivale Suburbs

Figure 2.2.2.3 Meadowlands Suburb

2.2.3 Commercial Areas

Figure 2.2.3.1 Hazledean Road

Figure 2.2.3.2 Centrum Plaza

Figure 2.2.3.3 Kanata Tech Sector

2.3 Interpreting the Results

2.3.1 Suburban Area Results

During our suburban wardriving we found 2629 networks from a range of manufacturers. Figure 2.3.1.1 shows the density of particular manufacturers in the area (manufacturers with fewer than ten sightings have been omitted). Of those 2629 networks, 470 (17.9%) advertised WPS and were flagged by Wash as candidates for the Reaver attack (Figure 2.3.1.3).

Figure 2.3.1.2 depicts which manufacturers' devices had WPS in place. As shown, Cisco and D-Link are the most susceptible to the Reaver attack. It is also interesting to note that SmcNetwo (SMC Networks) and 2Wire devices, which are Rogers' and Bell Canada's respective modem-router combos, show no initial signs of WPS exposure. However, a modem-router combo is usually coupled with a dedicated router.

Figure 2.3.1.1: The total number of manufacturers found in a suburban area

Figure 2.3.1.2: Vulnerability of WPS attack vs. Manufacturer in a suburban area

Figure 2.3.1.3: Percentage of vulnerable networks in a suburban area

2.3.2  Urban Area Results

During our urban wardriving we found 300 networks from a range of manufacturers. Figure 2.3.2.1 shows the density of particular manufacturers in the area (manufacturers with fewer than ten sightings have been omitted). Of those 300 networks, 50 (16.7%) advertised WPS and were flagged by Wash as candidates for the Reaver attack (Figure 2.3.2.3).

Figure 2.3.2.2 depicts which manufacturers' devices had WPS in place. As in the suburban area, Cisco and D-Link are the most susceptible to the Reaver attack.

Figure 2.3.2.1: The total number of manufacturers found in an urban area

Figure 2.3.2.2: Vulnerability of WPS attack vs. Manufacturer in an urban area

Figure 2.3.2.3: Percentage of vulnerable networks in an urban area

2.3.3 Commercial Area Results

During our commercial-area wardriving we found 1528 networks from a range of manufacturers. Figure 2.3.3.1 shows the density of particular manufacturers in the area (manufacturers with fewer than ten sightings have been omitted). Of those 1528 networks, 128 (8.4%) advertised WPS and were flagged by Wash as candidates for the Reaver attack (Figure 2.3.3.3).

Figure 2.3.3.2 depicts which manufacturers' devices had WPS in place. Note that the number of WPS-advertising routers is significantly lower than in the suburban and urban areas. This suggests that businesses are less exposed to the Reaver threat overall, though the 8.4% that do advertise WPS are no better off than home users.

Figure 2.3.3.1 Router Saturation

Figure 2.3.3.2: Vulnerability of WPS attack vs. Manufacturer in a commercial area

Figure 2.3.3.3: Percentage of vulnerable networks in a commercial area

2.4 Hardware Results

The number of routers determined to have WPS enabled was exceedingly high. Essentially every home router on offer today, regardless of price, ships with WPS enabled by default. The only routers found without WPS enabled were specifically business-class routers, of which few are available at these kinds of stores. The other notable finding was that the older 2Wire modem/router combos provided by Bell Canada do not support WPS. As many networks in Ottawa are established by Bell Canada, this accounts for a large number of networks that are not even remotely vulnerable.

The following tables categorize the routers sold at Best Buy and Future Shop, grouped by manufacturer. Routers that are secure against the WPS exploit with no additional configuration (highlighted in the original tables) are identified in the discussion that follows Table 2.4.2.

D-Link
D-Link DIR-835
D-Link Amplifi Dual Band Wireless N900 HD Media Router 3000 (DIR-857)
D-Link 3G Mobile Wireless Router
D-Link Wireless N Pocket Router
D-Link Amplifi Dual Band Wireless N600
D-Link Amplifi Wireless N300 Whole Home Router 1000 (DIR-645)
D-Link Dual Band Wireless N600 Router (DIR-815)
D-Link Wireless 802.11n 8-Port Router (DIR-632)
D-Link Xtreme Dual Band Wireless N600 Gigabit Router (DIR-825)
D-Link Xtreme Wireless N300 Gigabit Router (DIR-655)
D-Link Wireless N300 Router (DIR-615)
D-Link Wireless N150 Router (DIR-601)
D-Link Amplifi Dual Band Wireless N600 HD Media Router 2000 (DIR-827)

Netgear
Netgear N450/450 Wireless N Router WNDR4500
Netgear N750 Wireless Dual Band Gigabit Router
Netgear N600 Wireless Dual Band Gigabit Router
Netgear Rangemax Wireless Router WNR1000
Netgear Wireless Router (WNDR3700-100NAS)
Netgear Wireless-N Router (WNR2000-100NAS)
Netgear N600 Wireless Gigabit Router (WNDR3800-100NAS)
NETGEAR RangeMax Dual Band Wireless N Router (WNDR3700-100PAS)
Netgear Wireless-N Gigabit Router (WNR3500L-100PAS)
Netgear Wireless N Router (WNR2000-200PAS)
NETGEAR WNDAP350

Linksys / Cisco
Linksys Wireless N Router (E1200-CA)
Linksys Wireless N Dual-Band N900 Router
Linksys Wireless N Router (E1500-CA)
Linksys Wireless 802.11n Router (E2500-CA)
Cisco Valet Plus Wireless N Router (M20-CA)
Linksys Dual-Band Wireless N Router (EA3500-CA)
Linksys Wireless N Dual-Band N900 Router (E4200V2-CA)
Linksys Wireless 802.11n Router (E2500-CA)

TP-Link
TP-Link Wireless N 300 Router
TP-Link Wireless N Router (TL-WR841ND)
TP-Link Wireless N Router (TD-W8960N)
TP-Link Wireless N Router (TL-WR741ND)
TP-Link Wireless N Router (TL-WR1043ND)
TP-Link Wireless N Router (TL-WR941ND)
TP-Link Wireless N 300 Router (TL-WR841N)
TP-Link Wireless N Router (TL-WR740N)

Table 2.4.1 Most Common Manufacturers

Asus
Asus Dual-Band Wireless-N Router (RT-N56U)
Asus Wireless-N Router / All-in-1 Print Server (RT-N13U/B1)

Trendnet
TRENDnet Wireless N 300 Router Travel Kit

Retail Plus
Retail Plus Wireless N Router (RP-NPWL-NRTR)

Belkin
Belkin Basic Wireless N Router (F7D1301TT)
Belkin N300 Wireless N Router (F9K1002TT)
Belkin Dual Band Wireless N Router (N750)

Apple
Apple AirPort Extreme Base Station
Apple AirPort Express (MB321AM-A)

Buffalo
Buffalo Wireless Router (WZR-HP-AG300H)

Table 2.4.2 Less Common Manufacturers

It is interesting to note that the NETGEAR WNDAP350 is secure because it is a business-class access point, for which WPS was deemed unnecessary. The Apple AirPort Express uses a different, Apple-proprietary variant of WPS on that specific device. It is also worth noting that Netgear has recently released a firmware update that lets users disable the WPS PIN method specifically while leaving the Push Button Connect method intact (Netgear, 2012). Since the only known WPS vulnerability lies in the PIN method, this currently leaves such routers secure against the Reaver attack.

3. Analyzing the Threat

This section focuses on an attack made on an individual network, as opposed to sweeping an area to scan for vulnerabilities. We look at the kinds of PINs that are most common and go into the specifics of the attack and how it works.

3.1 Methodology

Tests were run using a 32-bit BackTrack 5 R2 live disc, booted directly from the disc. The hardware we employed was an Asus G73Jh with an Atheros AR9285 802.11n wireless card and a mid-2010 MacBook Pro with an AirPort Extreme 802.11n wireless card. We ran various tests on nearby networks using our modified version of Reaver. The tests were run from inside a car, inside the house from which the network was broadcast, or inside a nearby home.

Figure 3.1.1 Reaver attack in Progress

3.2 Reaver Attack Specifics

Message: Description

M1: Sent by the access point (AP), acting as WPS Enrollee, once the client has associated and started the EAP exchange. Carries the AP's nonce and Diffie-Hellman public key.

M2: Sent by the new client (acting as external Registrar). Carries its own nonce and public key, completing the key agreement.

M3: Sent by the AP. Carries E-Hash1 and E-Hash2, hash commitments to the first and second halves of the PIN.

M4: Sent by the client. Proves knowledge of the first half of the PIN (R-Hash1, R-Hash2 and the revealed secret R-S1); the AP checks R-Hash1 against its own first half.

M5: Sent by the AP only if the first half was correct. Reveals E-S1, acknowledging the first half of the PIN.

M6: Sent by the client. Proves knowledge of the second half of the PIN (reveals R-S2).

M7: Sent by the AP only if the whole PIN was correct. Reveals E-S2 and the AP's configuration, including the network's WPA/WPA2 passphrase.

Table 3.2.1 Reaver Messages

To understand how Reaver works at a low level, one must first understand how a client and a router find and talk to each other. The router advertises WPS support in its beacons. A client that wants to use WPS associates and begins an EAP exchange in which the router sends M1, containing its nonce and Diffie-Hellman public key, and the client replies with M2, containing its own nonce and public key. From this key exchange both sides derive the session keys used for the rest of the exchange, and the router replies with M3, which commits to both halves of its PIN in hashed form (E-Hash1 and E-Hash2) without revealing them (Viehböck, 2011).

The client may then send M4, which proves knowledge of the first 4 digits of the PIN: the router recomputes R-Hash1 from the revealed R-S1 and its own first half and compares. If the first 4 digits are wrong, the access point replies with a NACK (negative acknowledgement); the client increments the first half and restarts the exchange from the beginning. If the first 4 digits are correct, the access point replies with M5, clearing the client to continue. The client then sends M6, which proves knowledge of the second half of the PIN.

If the second half is wrong, the AP replies with another NACK and the client repeats the process, keeping the now-confirmed first half and trying the next second half. If the PIN is correct, the access point replies with M7, which carries its configuration including the network's WPA/WPA2 passphrase; it is protected only by the session key the two parties just negotiated, so the attacker reads it directly. For the purpose of this report, we modified the original Reaver code to not display the password but simply to report that it was found once an M7 message is received.
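As an added example (not code from this report or from Reaver itself), the Python script below models the M3 to M7 exchange described here and in section 1.1.2, with the access point as WPS Enrollee and the attacker as external Registrar. It assumes the Diffie-Hellman step of M1/M2 has already produced a shared AuthKey (a fixed constant here), omits the session-key encryption of the revealed nonces, and uses constructed bytes for the two public keys; the hash commitments follow the construction in Viehböck's paper (PSKn = first 128 bits of HMAC(AuthKey, PIN half), E-Hash/R-Hash = HMAC(AuthKey, S || PSK || PKE || PKR)). The point it makes is that a NACK after M4 versus a NACK after M6 tells the attacker which half was wrong, so the search finishes within 10^4 + 10^3 sessions.

```python
from __future__ import annotations

import hashlib
import hmac
import os

# Constructed values: in a real exchange AuthKey is derived from the M1/M2
# Diffie-Hellman exchange and PKE/PKR are the 1536-bit public keys. Sharing a
# fixed AUTH_KEY between both sides is an assumption that skips that step.
AUTH_KEY = hashlib.sha256(b"example AuthKey, not a real session key").digest()
PKE = b"\x01" * 192  # Enrollee (AP) public key, constructed
PKR = b"\x02" * 192  # Registrar (attacker) public key, constructed


def wps_checksum(seven_digits: str) -> int:
    """Eighth digit of a WPS PIN: digits at odd positions weighted 3, mod 10."""
    acc = 0
    for i, ch in enumerate(seven_digits):
        acc += 3 * int(ch) if i % 2 == 0 else int(ch)
    return (10 - acc % 10) % 10


def psk_half(pin_half: str) -> bytes:
    """PSK1/PSK2: first 128 bits of HMAC(AuthKey, PIN half as ASCII)."""
    return hmac.new(AUTH_KEY, pin_half.encode(), hashlib.sha256).digest()[:16]


def commitment(secret_nonce: bytes, psk: bytes) -> bytes:
    """E-Hash / R-Hash: HMAC(AuthKey, S || PSK || PKE || PKR)."""
    return hmac.new(AUTH_KEY, secret_nonce + psk + PKE + PKR, hashlib.sha256).digest()


class AccessPoint:
    """WPS Enrollee side (the router): holds the real PIN and the WPA credentials."""

    def __init__(self, pin: str, credentials: bytes) -> None:
        self.psk1, self.psk2 = psk_half(pin[:4]), psk_half(pin[4:])
        self.credentials = credentials
        self.sessions = 0  # one session == one PIN attempt seen over the air

    def m3(self) -> tuple[bytes, bytes]:
        """Commit to both PIN halves with fresh secret nonces E-S1, E-S2."""
        self.sessions += 1
        self.e_s1, self.e_s2 = os.urandom(16), os.urandom(16)
        return commitment(self.e_s1, self.psk1), commitment(self.e_s2, self.psk2)

    def m4(self, r_hash1: bytes, r_hash2: bytes, r_s1: bytes) -> bytes | None:
        """Verify the first-half proof. Returns M5 (E-S1) or None for a NACK."""
        self.r_hash2 = r_hash2
        if not hmac.compare_digest(commitment(r_s1, self.psk1), r_hash1):
            return None  # NACK here is the leak: the attacker learns half 1 was wrong
        return self.e_s1

    def m6(self, r_s2: bytes) -> tuple[bytes, bytes] | None:
        """Verify the second-half proof. Returns M7 (E-S2, credentials) or None."""
        if not hmac.compare_digest(commitment(r_s2, self.psk2), self.r_hash2):
            return None  # NACK here means half 1 was right and only half 2 is wrong
        return self.e_s2, self.credentials


def attempt(ap: AccessPoint, half1: str, half2: str) -> tuple[str, bytes | None]:
    """One session as external Registrar with a guessed PIN; returns the outcome."""
    e_hash1, _ = ap.m3()
    r_s1, r_s2 = os.urandom(16), os.urandom(16)
    g1, g2 = psk_half(half1), psk_half(half2)
    m5 = ap.m4(commitment(r_s1, g1), commitment(r_s2, g2), r_s1)
    if m5 is None:
        return "NACK after M4", None
    if commitment(m5, g1) != e_hash1:  # the AP must also prove it holds half 1
        return "E-Hash1 mismatch", None
    m7 = ap.m6(r_s2)
    if m7 is None:
        return "NACK after M6", None
    return "M7", m7[1]


def brute_force(ap: AccessPoint) -> tuple[str, bytes, int]:
    """Split search: up to 10^4 first halves, then up to 10^3 second halves."""
    for i in range(10_000):
        half1 = f"{i:04d}"
        half2 = f"000{wps_checksum(half1 + '000')}"  # any valid placeholder
        status, creds = attempt(ap, half1, half2)
        if status == "M7":
            return half1 + half2, creds, ap.sessions
        if status == "NACK after M6":
            break  # first half confirmed purely from the AP's reply
    else:
        raise RuntimeError("no first half accepted")
    for j in range(1_000):
        half2 = f"{j:03d}{wps_checksum(half1 + f'{j:03d}')}"
        status, creds = attempt(ap, half1, half2)
        if status == "M7":
            return half1 + half2, creds, ap.sessions
    raise RuntimeError("no second half accepted")


def worst_case_sessions() -> int:
    return 10**4 + 10**3  # versus 10**7 for a blind search over valid PINs


if __name__ == "__main__":
    target = AccessPoint("12345670", b"WPA2 passphrase (constructed)")
    print(brute_force(target))
```

Against the constructed access point the search reports the PIN, the credentials handed over in M7, and 1803 sessions: 1235 to confirm the first half 1234 and 568 more to find 567, against 11,000 in the worst case. Encrypting R-S1/R-S2 and E-S1/E-S2 under the session key, as the real protocol does, changes nothing about the leak, because the NACK is sent regardless.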

3.3 Reaver Attack Results

After sampling 494 networks in a suburban area, we built a pool of approximately 90 networks flagged by Wash as advertising WPS. Of those 90 networks we found that 17 were actually vulnerable: had our goal been to break into them, we would have been able to.

        This was surprising compared to our initial prediction that any network flagged by Wash would be open to the attack. Also, of the networks highlighted by Wash, none of the business networks we found was vulnerable to the attack. We are unsure of the specific reason these networks were not vulnerable in practice, though it could be attributed to the hardware we were using or to the maturity of the attack. Based on the theory behind the attack these networks should be vulnerable, and given time and the right hardware it is likely the attack will become more efficient and some of these networks will become vulnerable in practice as well.

3.3.1 Cracking Time

Figure 3.3.1.1 Successful Reaver Attack

Cracking a network using Reaver takes much longer than one would imagine. Distance plays a huge part: if the attacker and the router are not relatively close, at least with our hardware, it can take upwards of 60 seconds per PIN. In our best attempts we reached a PIN-check time of 1.3 seconds, and the network was cracked in close to 4 hours. Figure 3.3.1.1 depicts a successful Reaver attack using the unmodified Reaver code base (this network was one we created for the purposes of this report).

        It is also worth noting that many routers enforce a lockout period after a certain number of failed attempts. In some cases we found this lockout period could last up to an hour, making any attempt to brute force the network via Reaver practically impossible. In one specific case the network locked WPS for up to an hour after ten PIN attempts.

        Of the 17 networks we narrowed down, four were using common PINs and were broken in under ten seconds. Another seven had no lockout period and would have been broken within a day. Three had a short lockout period of approximately 2 to 5 minutes, and three more had a longer lockout period of over 30 minutes, which would have taken upwards of a year to complete.

3.3.2 Common Pins

In our sample, 12345670 was the most common PIN, and since this is the PIN Reaver tries first, it takes only about five seconds to break into such a network. Iterating through the whole list of default PINs takes around three minutes, provided the router has no lockout period. If a router uses a default PIN, its crack time drops from O(n) to O(1).

Table 3.3.2.1 lists some of the common PINs that Reaver attempts before resorting to brute force (X is the calculated checksum digit).

12345670

00000000

0123222X

1111333X

2222444X

3333555X

4444666X

5555777X

6666888X

7777999X

Table 3.3.2.1: Common Pin Table
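As an added example (not Reaver's code), the script below expands the pattern table above into valid 8-digit PINs, counts the attempts an attacker needs under the order described in this section and in 3.2 (defaults first, then the first half and then the second half, each in ascending order; the ascending order is an assumption, not something this report measured), and turns an attempt count into a wall-clock estimate under a lockout policy such as the ten-attempts-then-one-hour behaviour observed in 3.3.1. The lockout parameters are hypothetical inputs, not figures from the report.

```python
from __future__ import annotations

# Table 3.3.2.1 as printed: X stands for the checksum digit.
DEFAULT_PIN_PATTERNS = [
    "12345670", "00000000", "0123222X", "1111333X", "2222444X",
    "3333555X", "4444666X", "5555777X", "6666888X", "7777999X",
]


def wps_checksum(seven_digits: str) -> int:
    """Eighth digit of a WPS PIN: digits at odd positions weighted 3, mod 10."""
    acc = 0
    for i, ch in enumerate(seven_digits):
        acc += 3 * int(ch) if i % 2 == 0 else int(ch)
    return (10 - acc % 10) % 10


def is_valid_pin(pin: str) -> bool:
    """True for an 8-digit PIN whose last digit is the correct checksum."""
    return len(pin) == 8 and pin.isdigit() and int(pin[7]) == wps_checksum(pin[:7])


def expand_default_pins(patterns: list[str] = DEFAULT_PIN_PATTERNS) -> list[str]:
    """Replace a trailing X with the computed checksum so every entry is a real PIN."""
    return [p[:7] + str(wps_checksum(p[:7])) if p.endswith("X") else p for p in patterns]


def attempts_needed(pin: str, defaults: list[str] | None = None) -> int:
    """Attempts under the assumed order: default list, then 0000..9999 for the
    first half, then 000..999 for the second half (checksum fixed)."""
    if not is_valid_pin(pin):
        raise ValueError(f"{pin!r} is not a valid WPS PIN")
    defaults = expand_default_pins() if defaults is None else defaults
    if pin in defaults:
        return defaults.index(pin) + 1  # O(1): found in the default list
    first_half_tries = int(pin[:4]) + 1
    second_half_tries = int(pin[4:7]) + 1
    return len(defaults) + first_half_tries + second_half_tries


def crack_time_seconds(attempts: int, seconds_per_attempt: float,
                       lock_after: int | None = None, lock_seconds: float = 0.0) -> float:
    """Wall-clock estimate: attempt time plus one lockout after every
    `lock_after` attempts (the last attempt does not trigger another lockout)."""
    total = attempts * seconds_per_attempt
    if lock_after:
        total += ((attempts - 1) // lock_after) * lock_seconds
    return total


if __name__ == "__main__":
    for pin in expand_default_pins():
        print(pin, attempts_needed(pin))
    worst = 10 + 10_000 + 1_000  # defaults exhausted, then the full split search
    print("no lockout, 1.3 s/attempt:", crack_time_seconds(worst, 1.3) / 3600, "hours")
    print("lock 1 h after 10 attempts:",
          crack_time_seconds(worst, 1.3, lock_after=10, lock_seconds=3600) / 86400, "days")
```

Plugging in the 1.3 s per attempt reached in 3.3.1 shows why the lockout term dominates: the 11,010 worst-case attempts themselves take about four hours, while an hour of lockout after every ten attempts adds weeks, and the exact figure depends entirely on how many attempts a given model allows before locking.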


3.3.3 Deterring the Attack

The best solution is to disable WPS when it is not needed and to enable it only for the time it takes to connect a WPS device to the network. A less effective but still viable solution is to change the router's default PIN and to repeat this on a regular basis. Changing the access point's password will not deter penetration, because the WPS protocol reveals the network's PSK to anyone who knows the PIN; once the PIN is known, it can be reused to obtain the new password repeatedly and instantly.

        On Cisco Valet routers it is impossible to disable WPS, and in this situation the latter solution of regularly changing the PIN is recommended. Owners of these routers should check with Cisco regularly for a firmware update.

        In addition to disabling WPS, or where that is not possible, it is recommended to check for a firmware update from the manufacturer. In the case of Netgear routers, a firmware update allows users to disable the PIN portion of the WPS protocol while keeping the PBC method active (Netgear, 2012).

        It is also possible to notice a Reaver attack in progress, as the network will slow down significantly: users on the network will most likely experience dropped connections and poor latency, much like a minor denial of service attack. Many other problems cause the same symptoms, but this is one thing to look out for.

4. Final Results

4.1 Overall Results

Given the number of routers supposedly sold with WPS enabled, the approximately 18% rate of networks advertising WPS was surprising. More surprising still was the lower percentage of those that were vulnerable in practice. While this may be attributable to causes such as poor hardware choices and an immature attack, the results should be read strictly as a lower bound. It may be that, given time, 100% of the networks registered by Wash will be vulnerable to the attack, in which case 18% of all networks in our sample would essentially be insecure.

4.2 Further Research

The Reaver attack is currently in its infancy and has not yet realized its full potential. There are routers with WPS enabled that cannot be cracked with current technology. The Reaver code base is spearheaded by Tactical Network Solutions, who were kind enough to release their source code and are still hard at work correcting the issues and bugs their community reports to them. It is therefore reasonable to believe that this attack will, at the least, be able to affect more people given time. As such, this issue should be watched and re-evaluated as trends change and the technology behind the attack improves.

        

4.3 Final Thoughts

Except in rare cases, this attack is easily preventable by changing a single setting in any router supporting WPS. If WPS is disabled on the router or access point, the attack is not possible. With this in mind, the best defense against this attack is knowledge, and the attack's greatest asset is ignorance. The more individuals who are informed about this attack, the weaker it becomes; the more publicity it receives, the less prevalent it will be.

        While the attack in its current state is not as effective as it could be, the more people become aware of it, the weaker it will be when it reaches maturity. Even without widespread awareness, manufacturers are likely over time to correct the issue by omitting the WPS PIN method or shipping routers with WPS disabled by default, and a WPS "version 2.0" could be released that corrects the flaws in the current design. If knowledge of this attack spreads, the exploit should eventually cease to exist. If, however, the attack goes unnoticed and manufacturers pay no attention to it, it could become a dangerous threat. How people end up treating this attack will ultimately determine how much of an impact it has.

5. References

Osborne, Nicholas, and Michael Nemat. Real-World WiFi Security Inadequacies. Dr. Michel Barbeau, 6 Apr. 2010. Web. 16 Apr. 2012. http://people.scs.carleton.ca/~barbeau/Honours/Nemat_Osborne.pdf

Viehböck, Stefan. "Brute Forcing Wi-Fi Protected Setup." 26 Dec. 2011. Web. 16 Apr. 2012. http://sviehb.files.wordpress.com/2011/12/viehboeck_wps.pdf

Gallagher, Sean. "Hands-on: Hacking WiFi Protected Setup with Reaver." Ars Technica. 13 Jan. 2012. Web. 16 Apr. 2012. http://arstechnica.com/business/news/2012/01/hands-on-hacking-wifi-protected-setup-with-Reaver.ars

Intel. "Understanding IEEE* 802.11 Authentication and Association." Intel® Centrino® Wi-Fi Products. 27 Dec. 2006. Web. 16 Apr. 2012. http://www.intel.com/support/wireless/wlan/sb/CS-025325.htm

Netgear. "How Do NETGEAR Home Routers Defend WPS PIN against Brute Force Vulnerability?" Netgear Support. 3 Jan. 2012. Web. 16 Apr. 2012. http://support.netgear.com/app/answers/detail/a_id/19824



[1] A technique used to collect information on wireless access points. An antenna is usually kept in some kind of vehicle and nearby access points are monitored or logged.