WPS is secure. Or is it?

My Twitter friends Lee Badman and Keith Parsons deserve thanks for prompting this blog post.  Lee tweeted the other day that there is a new home Wi-Fi product that can control lights, fans and other electrical devices (D-Link Wi-Fi Smart Plug DSP-W215).  Sweet!  I looked at some of the specs on this device and saw that the only secure setup was over WPS.  So, I tweeted a reply mentioning this, and here is Keith's response, which I retweeted:  "WPS?  Yech!"

WPS is a security feature developed by the Wi-Fi Alliance as a convenience that gives home users an easy way to connect Wi-Fi devices to their SOHO routers.  The Reaver attack, which brute forces the eight-digit WPS PIN to obtain the WPA PSK, is well documented.  Wi-Fi professionals rarely, if ever, use WPS, and it is not found on enterprise-class APs.

I recently heard that the WPS feature that can be hacked by Reaver had been 'fixed'.  So, this got me thinking:  Is WPS OK to use now for home devices?  Since IoT (Internet of Things) is growing exponentially and there is no standard security setup for it yet, can WPS be trusted today?

(Begin aside #1.  Home networks.  Look, I know that as WLAN professionals, we are all about complex networks with multiple VLANs, RADIUS servers, etc.  But we are also asked occasionally to help with home networks, so I think our education breadth needs to include home devices and their setup.  I just read a disturbing report that hackers recently took over an IP baby camera and were using it to spy on and shout obscenities at the baby and its parents.  Hackers attack home networks too, and as WLAN professionals, we are asked how to secure them.  We need to have answers.  End aside #1.)

So, is WPS secure?  WPS routers supposedly enforce a 60-second lockout after three consecutive bad PIN attempts in order to slow down a brute force attack.  Originally, WPS routers did not enforce this lockout, but newer WPS routers do.  Some manufacturers use an exponential lockout.  But, from my reading, this is all proprietary and no standard exists (e.g. if the client MAC is changed/spoofed after each attempt, how does that affect the WPS lockout?).  It still may take a few hours to a few days, and up to a month, to crack WPS and get the WPA password.  But most hackers love a challenge and they will get your PIN!  The Wi-Fi Alliance webpage describing WPS does not even mention Reaver attacks (how surprising!), and although there is a reported WPS 2.0 coming out to fix this condition, there are still no definitive reports that I can find on the web that the flaw that allows the WPS Reaver attack has been fixed:  http://www.smallnetbuilder.com/wireless/wireless-features/31664-waiting-for-the-wps-fix

If any readers of my blog know of some recent fixes to WPS that I have overlooked, please reply to this blog in the comment section below.

(Begin aside #2.  Did you know that WPS cannot be disabled on some routers, even though the GUI says it is and the WPS LED is off (Linksys WRT54G2)?  The only ways to know for sure that WPS is disabled are to try to run a WPS PIN session, do a Reaver attack, or flash the router with third-party firmware that does not use WPS, such as DD-WRT (my favorite), Tomato or OpenWRT.  Also, make sure the SOHO router has the latest firmware.  Some vendors know this attack is critical and have tried to write code to at least let you turn WPS off, and are instructing SOHO users to disable it!  Unless you test it, you do not know for certain that WPS is disabled.  End aside #2.)
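One non-intrusive way to test the claim in aside #2 on your own router is to look at what the router itself is advertising: an AP that really has WPS switched off stops putting the WPS information element in its beacons and probe responses. The script below is an added example and is not from the original post or from any router vendor; it parses the text that the Linux `iw dev <iface> scan` command prints (the "WPS:" block, the "Wi-Fi Protected Setup State" attribute and the "AP setup locked" attribute, whose exact formatting is assumed from iw's scan printer) and reports, for a given SSID, whether each BSSID still carries a WPS element. The embedded scan output is constructed for illustration, not a real capture.

```python
"""Check whether a router is still advertising WPS in its beacons.

Added example: parses the text output of Linux `iw dev <iface> scan` (format
assumed from the iw scan printer, not taken from the post) and reports, for a
given SSID, whether each BSS carries a WPS information element and what it says.
Usage:  sudo iw dev wlan0 scan | python3 wps_check.py "MySSID"
"""
import re
import sys
from dataclasses import dataclass


@dataclass
class ScanEntry:
    bssid: str
    ssid: str = ""
    wps: bool = False              # WPS information element present in the beacon
    wps_state: int = 0             # 1 = not configured, 2 = configured (WPS attribute 0x1044)
    setup_locked: bool = False     # "AP setup locked" attribute, set by some routers after failed PINs


BSS_RE = re.compile(r"^BSS ([0-9A-Fa-f:]{17})")
STATE_RE = re.compile(r"Wi-Fi Protected Setup State: (\d+)")
LOCKED_RE = re.compile(r"AP setup locked: 0x([0-9A-Fa-f]+)")


def parse_iw_scan(text):
    """Split iw scan output into one ScanEntry per 'BSS ...' line."""
    entries = []
    current = None
    for line in text.splitlines():
        m = BSS_RE.match(line)
        if m:
            current = ScanEntry(bssid=m.group(1).lower())
            entries.append(current)
            continue
        if current is None:
            continue
        stripped = line.strip()
        if stripped.startswith("SSID:"):
            current.ssid = stripped[len("SSID:"):].strip()
        elif stripped.startswith("WPS:"):
            current.wps = True
        m = STATE_RE.search(line)
        if m:
            current.wps_state = int(m.group(1))
        m = LOCKED_RE.search(line)
        if m:
            current.setup_locked = int(m.group(1), 16) != 0
    return entries


def wps_advertised(text, ssid):
    """Entries for the given SSID whose beacons still carry a WPS element."""
    return [e for e in parse_iw_scan(text) if e.ssid == ssid and e.wps]


def report(text, ssid):
    """Human-readable verdict for one SSID across all its BSSIDs (2.4 GHz and 5 GHz radios)."""
    matching = [e for e in parse_iw_scan(text) if e.ssid == ssid]
    if not matching:
        return f"{ssid}: not seen in scan"
    lines = []
    for e in matching:
        if e.wps:
            state = {1: "not configured", 2: "configured"}.get(e.wps_state, f"state {e.wps_state}")
            lock = ", AP setup locked" if e.setup_locked else ""
            lines.append(f"{e.bssid}: WPS ADVERTISED ({state}{lock})")
        else:
            lines.append(f"{e.bssid}: no WPS element in beacon")
    return "\n".join(lines)


# Constructed sample in the shape iw prints (tabs replaced by spaces); not a real scan.
SAMPLE_SCAN = """\
BSS aa:bb:cc:dd:ee:01(on wlan0)
    freq: 2437
    signal: -41.00 dBm
    SSID: HomeNet
    RSN:     * Version: 1
         * Group cipher: CCMP
         * Pairwise ciphers: CCMP
         * Authentication suites: PSK
    WPS:     * Version: 1.0
         * Wi-Fi Protected Setup State: 2 (Configured)
         * Response Type: 3 (AP)
         * AP setup locked: 0x01
         * Config methods: Label, Display
BSS aa:bb:cc:dd:ee:02(on wlan0)
    freq: 5180
    signal: -55.00 dBm
    SSID: HomeNet-DDWRT
    RSN:     * Version: 1
         * Group cipher: CCMP
"""

if __name__ == "__main__":
    ssid = sys.argv[1] if len(sys.argv) > 1 else "HomeNet"
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SCAN
    print(report(text, ssid))
```

Run it against a live scan with `sudo iw dev wlan0 scan | python3 wps_check.py "YourSSID"`; with no piped input it runs over the constructed sample. A BSSID that reports "no WPS element" is consistent with WPS really being off, while one that still says "WPS ADVERTISED" after you disabled it in the GUI is exactly the WRT54G2 situation in the aside. Seeing "AP setup locked" on your own router is also worth noticing: some APs set that attribute only after repeated failed PIN attempts, so it can be a sign that someone has been hammering the PIN.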

Do you remember when the first WEP attacks came out, and some IT professionals said, “well, some security is better than no security”?  Well, that is not my IT philosophy at all!  Here’s what I believe: “if there is a hack out there, there is a hacker that will find it and use it!”  (yes, you are permitted to quote me on that!!).

As more and more IoT devices are rolled out, security is rising to the top as a huge concern.  And this D-Link Smart Plug can certainly be classified as an IoT device.  But it is not secure with WPS!  If instead a ten-character ASCII key had been entered manually, a brute force attacker would need 19+ years to get the PSK (assuming 100 billion guesses per second, per http://www.grc.com).
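The two time estimates in this post, hours to days for a WPS PIN under a 60-second lockout versus 19+ years for a ten-character ASCII passphrase at 100 billion guesses per second, come from simple keyspace arithmetic, and it is worth seeing the lockout policies modelled side by side. The script below is an added example, not part of the original post and not from any vendor; the guess rates, the one-second-per-attempt assumption and the lockout policies are assumptions chosen to match the figures quoted above. It goes one step beyond the post in using the effective WPS PIN space of 10^4 + 10^3 = 11,000 attempts (the PIN is validated as a 4-digit half and a 3-digit half plus a checksum digit, the published design flaw that Reaver exploits) rather than the nominal 10^8.

```python
"""Rough time-to-compromise estimates: WPS PIN guessing versus a typed WPA2 passphrase.

Added example. The rates, lockout policies and key sizes below are assumptions or
the figures quoted in the post, not measurements of any particular router.
"""

PRINTABLE_ASCII = 95                 # printable ASCII characters usable in a passphrase
SECONDS_PER_YEAR = 365 * 24 * 3600

# Eight-digit WPS PIN: the nominal space, and the effective space once the PIN is
# validated as a 4-digit half plus a 3-digit half with a checksum digit. That split
# is the published WPS design flaw that Reaver exploits (Viehboeck, 2011).
WPS_PIN_NOMINAL = 10 ** 8
WPS_PIN_EFFECTIVE = 10 ** 4 + 10 ** 3


def keyspace(alphabet_size, length):
    """Number of keys of the given length over the given alphabet."""
    return alphabet_size ** length


def offline_seconds(space, guesses_per_second):
    """Worst-case time to try every key when guessing runs offline, e.g. against a
    captured WPA2 handshake, where the router's lockout plays no part."""
    return space / guesses_per_second


def online_seconds(attempts, seconds_per_attempt=1.0,
                   attempts_before_lockout=None, lockout_seconds=0.0):
    """Worst-case time for online guessing against the router itself.

    attempts_before_lockout=None models a router with no lockout at all; otherwise
    every attempts_before_lockout failures cost an extra fixed lockout_seconds.
    """
    total = attempts * seconds_per_attempt
    if attempts_before_lockout:
        lockouts = (attempts - 1) // attempts_before_lockout   # lockouts hit before the last try
        total += lockouts * lockout_seconds
    return total


def online_seconds_exponential(attempts, seconds_per_attempt,
                               attempts_before_lockout, base_lockout, max_lockout):
    """Like online_seconds, but each lockout doubles the previous one up to max_lockout,
    the 'exponential lockout' some vendors use."""
    total = attempts * seconds_per_attempt
    lockouts = (attempts - 1) // attempts_before_lockout
    penalty = base_lockout
    for _ in range(lockouts):
        total += penalty
        penalty = min(penalty * 2, max_lockout)
    return total


def years(seconds):
    return seconds / SECONDS_PER_YEAR


def days(seconds):
    return seconds / 86400


if __name__ == "__main__":
    psk_space = keyspace(PRINTABLE_ASCII, 10)
    print(f"10-char ASCII PSK, offline at 1e11 guesses/s: "
          f"{years(offline_seconds(psk_space, 1e11)):.1f} years")
    print(f"WPS PIN, no lockout, 1 s/attempt: "
          f"{days(online_seconds(WPS_PIN_EFFECTIVE)):.2f} days")
    print(f"WPS PIN, 60 s lockout after 3 failures: "
          f"{days(online_seconds(WPS_PIN_EFFECTIVE, 1.0, 3, 60)):.2f} days")
    print(f"WPS PIN, exponential lockout (60 s doubling, capped at 1 h): "
          f"{days(online_seconds_exponential(WPS_PIN_EFFECTIVE, 1.0, 3, 60, 3600)):.0f} days")
```

Under these assumptions the passphrase search comes out at roughly 19 years, the PIN at about 3 hours with no lockout, about 2.7 days with the fixed 60-second lockout, and a few months with an aggressive exponential lockout. The lesson for a defender is that the lockout only scales the PIN attack from hours to days or months, while a typed passphrase of reasonable length moves the attacker to an offline search measured in years; the two are not in the same category of risk.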

So, until I find out any more information, my bottom line is this:  WPS is still insecure, so do not use it!  Nor do I want any device in my home that is insecure!