WPA2 with a strong password is secure as long as you disable WPS. You’ll find this advice in guides to securing your Wi-Fi all over the web. Wi-Fi Protected Setup was a nice idea, but using it is a mistake.
Your router probably supports WPS and it’s likely enabled by default. Like UPnP, this is an insecure feature that makes your wireless network more vulnerable to attack.
What is Wi-Fi Protected Setup?
Most home users should be using WPA2-Personal, also known as WPA2-PSK. The “PSK” stands for “pre-shared key.” You set up a wireless passphrase on your router and then provide that same passphrase on each device you connect to your Wi-Fi network. This essentially gives you a password that protects your Wi-Fi network from unauthorized access. The router derives an encryption key from your passphrase, which it uses to encrypt your wireless network traffic to ensure people without the key can’t eavesdrop on it.
This can be a bit inconvenient, as you have to enter your passphrase on each new device you connect. Wi-Fi Protected Setup (WPS) was created to solve this problem. When you connect to a router with WPS enabled, you’ll see a message saying you can use an easier way to connect rather than entering your Wi-Fi passphrase.
Why Wi-Fi Protected Setup Is Insecure
There are several different ways to implement Wi-Fi Protected Setup:
PIN: The router has an eight-digit PIN that you need to enter on your devices to connect. Rather than check the entire eight-digit PIN at once, the router checks the first four digits separately from the last four digits. This makes WPS PINs very easy to “brute force” by guessing different combinations. There are only 11,000 possible four-digit codes, and once the brute force software gets the first four digits right, the attacker can move on to the rest of the digits. Many consumer routers don’t time out after a wrong WPS PIN is provided, allowing attackers to guess over and over again. A WPS PIN can be brute-forced in about a day. [Source] Anyone can use software named “Reaver” to crack a WPS PIN.
Push-Button-Connect: Instead of entering a PIN or passphrase, you can simply push a physical button on the router after trying to connect. (The button may also be a software button on a setup screen.) This is more secure, as devices can only connect with this method for a few minutes after the button is pressed or after a single device connects. It won’t be active and available to exploit all the time, as a WPS PIN is. Push-button-connect seems largely secure, with the only vulnerability being that anyone with physical access to the router could push the button and connect, even if they didn’t know the Wi-Fi passphrase.
PIN is Mandatory
While push-button-connect is arguably secure, the PIN authentication method is the mandatory, baseline method that all certified WPS devices must support. That’s right — the WPS specification mandates that devices must implement the most insecure method of authentication.
Router manufacturers can’t fix this security problem because the WPS specification calls for the insecure method of checking PINs. Any device implementing Wi-Fi Protected Setup in compliance with the specification will be vulnerable. The specification itself is no good.
Can You Disable WPS?
There are several different types of routers out there.
- Some routers don’t allow you to disable WPS, providing no option in their configuration interfaces to do so.
- Some routers provide an option to disable WPS, but this option does nothing and WPS is still enabled without your knowledge. In 2012, this flaw was found on “every Linksys and Cisco Valet wireless access point… tested.” [Source]
- Some routers will allow you to either disable or enable WPS, offering no choice of authentication methods.
- Some routers will allow you to disable PIN-based WPS authentication while still using push-button authentication.
- Some routers don’t support WPS at all. These are probably the most secure.
How to Disable WPS
If your router allows you to disable WPS, you’ll likely find this option under Wi-Fi Protected Setup or WPS in its web-based configuration interface.
You should at least disable the PIN-based authentication option. On many devices, you’ll only be able to choose whether to enable or disable WPS. Choose to disable WPS if that’s the only choice you can make.
We’d be a bit worried about leaving WPS enabled, even if the PIN option appears to be disabled. Given the terrible record of router manufacturers when it comes to WPS and other insecure features like UPnP, isn’t it possible that some WPS implementations would continue to make PIN-based authentication available even when it appeared to be disabled?
Sure, you could theoretically be secure with WPS enabled as long as PIN-based authentication was disabled, but why take the risk? All WPS really does is allow you to connect to Wi-Fi more easily. If you create a passphrase you can easily remember, you should be able to connect just as fast. And this is only an issue the first time — once you’ve connected a device once, you shouldn’t have to do it again. WPS is awfully risky for a feature that offers such a small benefit.
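Because some routers keep WPS running after you turn it off in the settings, it is worth checking what your access point actually advertises over the air. The following Python sketch is an added example, not part of the original article: it parses scan output in the style of the Linux `iw dev <interface> scan` command and reports, per access point, whether WPS is advertised and whether a PIN-type method is listed. The sample scan text, the BSSIDs and SSIDs, and the choice of which config-method names count as PIN methods are assumptions made for illustration.

```python
import re

# Constructed sample modelled on `iw dev wlan0 scan` output; BSSIDs and SSIDs are made up.
SAMPLE_SCAN = """\
BSS 02:00:00:aa:bb:01(on wlan0)
\tSSID: home-net
\tWPS:\t * Version: 1.0
\t\t * Wi-Fi Protected Setup State: 2 (Configured)
\t\t * Config methods: Label, Display, PBC
BSS 02:00:00:aa:bb:02(on wlan0)
\tSSID: pbc-only
\tWPS:\t * Version: 1.0
\t\t * Config methods: PBC
\t\t * AP setup locked: 0x01
BSS 02:00:00:aa:bb:03(on wlan0)
\tSSID: no-wps
\tRSN:\t * Version: 1
"""

# Assumption: these config-method names mean the AP accepts a PIN.
PIN_METHODS = {"Label", "Display", "Keypad"}

def audit_wps(scan_text):
    """Map each BSSID to what its beacon/probe response advertises about WPS."""
    results, ap = {}, None
    for line in scan_text.splitlines():
        new_bss = re.match(r"BSS ([0-9a-f:]{17})", line, re.I)
        text = line.strip()
        if new_bss:
            ap = {"ssid": None, "wps": False, "pin": False, "locked": False}
            results[new_bss.group(1).lower()] = ap
        elif ap is None:
            continue
        elif text.startswith("SSID:"):
            ap["ssid"] = text[5:].strip()
        elif text.startswith("WPS:"):
            ap["wps"] = True
        elif "Config methods:" in text:
            methods = {m.strip() for m in text.split(":", 1)[1].split(",")}
            ap["pin"] = bool(methods & PIN_METHODS)
        elif "AP setup locked:" in text:
            ap["locked"] = text.endswith("0x01")
    return results

def verdict(ap):
    if not ap["wps"]:
        return "WPS not advertised"
    if ap["pin"]:
        return "WPS advertised with a PIN method: disable WPS"
    return "WPS advertised, push-button only"

if __name__ == "__main__":
    for bssid, ap in audit_wps(SAMPLE_SCAN).items():
        print(bssid, ap["ssid"], "->", verdict(ap))
```

If your own access point still shows a WPS block after you disabled WPS in its configuration interface, the setting did not take effect. A missing PIN method in the advertisement is a good sign but not proof that PIN authentication is off.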
Image Credit: Jeff Keyzer on Flickr