Hackers and penetration testers across the globe spend a lot of time finding vulnerable wireless routers or access points enabling them to freely use open networks or those with weak encryption. Though these vulnerabilities get fixed with each new iteration of routers and firmware upgrades, fresh opportunities keep appearing for hackers to look into.
Security researchers have revealed a vulnerability in the WPS protocol used by routers. WPS (WiFi Protected Setup) relies on a hard-coded PIN that is pre-stored in the router, allowing devices to join the wireless network easily. A subtle flaw in the protocol's request-response design makes this PIN considerably easier to crack than a WPA or WPA2 (WiFi Protected Access) passphrase.
The following screenshot shows the back of a WPS-enabled router with the 8-digit PIN:
An open-source version of an attack tool called Reaver has been developed by Craig Heffner of Tactical Network Solutions to tap into this specific security hole in WPS-enabled routers. In WPS mode, this PIN can be used by a connecting device to retrieve the router’s configuration settings directly without any user intervention. There is neither a need to remember a password nor to reach for admin settings in the router’s interface.
To be able to hack a router, the attacker first needs its MAC address. A WiFi scanning application such as the Linux utility “airodump-ng” lists the MAC address of every router in range, while a few routers, like the one shown above, also have it printed on the physical device itself.
sudo airodump-ng wlan0
Here sudo runs the command with root privileges. It will show you all the routers in the vicinity and their MAC addresses, along with plenty of other useful information. Next, be sure to disconnect from all other WiFi networks. Before mounting any attack, the wireless adapter of the attacking device (a computer running Linux) also needs to be put into monitor mode with the following commands:
sudo ifconfig wlan0 down
sudo iwconfig wlan0 mode monitor
sudo ifconfig wlan0 up
The commands ifconfig and iwconfig control the general network interface configuration and the wireless-specific configuration respectively.
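The same scanner output is useful on the defending side: surveying your own site for access points that are open or still on WEP, the easy targets described in the opening paragraph. The shell script below is an added example, not code from the article or from the aircrack-ng project. It assumes the CSV export that airodump-ng writes when run with its -w option, with the Privacy value in the sixth column and the ESSID in the fourteenth; the sample rows are constructed and describe no real network.

```shell
#!/bin/sh
# Added example: turn an airodump-ng style CSV export into an AP inventory and
# flag access points with no encryption (OPN) or WEP.
# Column layout assumed (airodump-ng CSV export):
#   BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher,
#   Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
# The rows below are constructed sample data, not a real capture.

SURVEY_CSV=$(mktemp)
trap 'rm -f "$SURVEY_CSV"' EXIT
cat > "$SURVEY_CSV" <<'EOF'
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:0A:0B:0C:0D:0E, 2024-01-01 10:00:00, 2024-01-01 10:05:00,  6,  54, WPA2, CCMP, PSK, -60,  120,   0,   0.  0.  0.  0,   7, HomeNet,
00:0A:0B:0C:0D:0F, 2024-01-01 10:00:00, 2024-01-01 10:05:00, 11,  54, OPN,  ,  , -70,   80,   0,   0.  0.  0.  0,   9, GuestOpen,
00:0A:0B:0C:0D:10, 2024-01-01 10:00:00, 2024-01-01 10:05:00,  1,  11, WEP, WEP,  , -75,   40,  15,   0.  0.  0.  0,   6, OldCam,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
AA:BB:CC:DD:EE:FF, 2024-01-01 10:01:00, 2024-01-01 10:04:00, -55,   30, 00:0A:0B:0C:0D:0E,
EOF

# Print "BSSID ESSID PRIVACY" for each AP row. The header line is skipped and
# parsing stops at the blank line that separates the AP table from the station table.
ap_inventory() {
    awk -F', *' 'NR==1 {next} /^$/ {exit} {print $1, $14, $6}' "$1"
}

# Print the BSSIDs of access points whose Privacy column is OPN or WEP.
weak_aps() {
    awk -F', *' 'NR==1 {next} /^$/ {exit} $6=="OPN" || $6=="WEP" {print $1}' "$1"
}

# Number of weakly protected APs, for a pass/fail check in a scheduled audit.
weak_ap_count() {
    weak_aps "$1" | wc -l | tr -d ' '
}

ap_inventory "$SURVEY_CSV"
echo "Weakly protected access points: $(weak_ap_count "$SURVEY_CSV")"
```

Run it against a real export by replacing the constructed file with the CSV airodump-ng wrote; any BSSID it prints from weak_aps is an access point on your own estate that needs WPA2 before anyone else finds it.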
Now the reaver command can be used to launch the attack directly. Its only two required arguments are the wireless interface and the router's MAC address, both of which were collected above. So the command that needs to be run is:
sudo reaver -i wlan0 -b 00:0a:0b:0c:0d:0e
A number of other options and settings are available for the reaver command and can be seen in its help page. Some of them tweak the command to wait longer for responses from slow routers or to clear out failed attempts. But the above two (-i and -b) are enough to do the trick for the majority of routers. The router might lock up between requests, but the command keeps polling the access point and picks up right from the place where it got stuck.
In a few minutes or hours, the command would cough up the SSID and password (WPA PSK) of the attacked router, as shown in the following screenshot:
MAC filtering does not help prevent the attack, since a network scanner can capture the MAC addresses of devices already connected to the victim router. These stolen MAC addresses can be spoofed on the attacking device's network adapter to trick the router into treating it as a valid device. This attack has the potential to cause wide-scale damage, since the attacking device can simply be left in the vicinity of the target network and controlled remotely.
Hence, it can be deduced that the WPS protocol, which was actually designed to make routers more secure, has in fact left them even more vulnerable to hacking attacks. As they say, prevention is better than cure: the only way to be thoroughly certain that your wireless network is not compromised is to use a router that has no WPS provision, or one on which WPS can be switched off, either through a physical switch or through its admin interface. Any router supporting the WPS protocol can be easily hacked with this utility called reaver.
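For an access point built on hostapd (many Linux routers and OpenWrt-based devices are), the "switch WPS off" advice can be checked from the configuration file rather than by clicking through an admin interface. The script below is an added example, not code from the article or from the reaver or hostapd projects. It reads the real hostapd.conf keys wps_state (0 = WPS disabled, 1 = enabled but unconfigured, 2 = enabled and configured) and ap_pin (the static registrar PIN the attack above guesses) and reports whether the configuration is exposed. The two sample configurations, their passphrase and the PIN value are constructed placeholders.

```shell
#!/bin/sh
# Added example: audit a hostapd.conf for WPS exposure.
# Keys checked are real hostapd options:
#   wps_state  0 = WPS disabled (hostapd's default), 1 = unconfigured, 2 = configured
#   ap_pin     the static 8-digit registrar PIN; its presence is what makes
#              the article's brute-force attack worthwhile
# The two configuration files below are constructed samples, not from any real router.

# Print one of: disabled, enabled, enabled-with-static-pin, unknown
# for the hostapd.conf given as $1.
wps_status() {
    conf="$1"
    # Drop comments, keep the last assignment of each key (hostapd uses the last one),
    # and strip whitespace around the value.
    state=$(sed -e 's/#.*//' "$conf" | grep -E '^[[:space:]]*wps_state[[:space:]]*=' \
            | tail -n 1 | cut -d= -f2 | tr -d '[:space:]')
    pin=$(sed -e 's/#.*//' "$conf" | grep -E '^[[:space:]]*ap_pin[[:space:]]*=' \
            | tail -n 1 | cut -d= -f2 | tr -d '[:space:]')
    case "${state:-0}" in
        0) echo "disabled" ;;
        1|2) if [ -n "$pin" ]; then echo "enabled-with-static-pin"; else echo "enabled"; fi ;;
        *) echo "unknown" ;;
    esac
}

# Constructed weak configuration: WPS on, static PIN set (the setting the article attacks).
WEAK_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
interface=wlan0
ssid=HomeNet
wpa=2
wpa_passphrase=placeholder-passphrase-change-me
# WPS left enabled with a fixed registrar PIN
wps_state=2
ap_pin=12345670
EOF

# Constructed hardened configuration: the same network with WPS switched off.
HARDENED_CONF=$(mktemp)
cat > "$HARDENED_CONF" <<'EOF'
interface=wlan0
ssid=HomeNet
wpa=2
wpa_passphrase=placeholder-passphrase-change-me
wps_state=0
EOF
trap 'rm -f "$WEAK_CONF" "$HARDENED_CONF"' EXIT

for f in "$WEAK_CONF" "$HARDENED_CONF"; do
    echo "$f: WPS $(wps_status "$f")"
done
```

Anything other than "disabled" is a finding. On consumer routers with vendor firmware there is no hostapd.conf to read, so the equivalent check is the WPS toggle in the admin interface, and the remedy is the one the article gives: turn it off or use a router that never had it.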