A recently reported flaw that allowed an attacker to drastically reduce the number of attempts needed to guess the WPS PIN of a wireless router isn't necessary for some Arcadyan based routers anymore.
Last year it was exposed that the WiFi Protected Setup (WPS) PIN is susceptible to a brute force attack. A design flaw that exists in the WPS specification for the PIN authentication significantly reduces the time required to brute force the entire PIN because it allows an attacker to know when the first half of the 8 digit PIN is correct.
The lack of a proper lock out policy after a certain number of failed attempts to guess the PIN on many wireless routers makes this brute force attack that much more feasible.
Some 100,000 routers of type Speedport W921V, W504V and W723V are affected in Germany alone. What makes things worse is the fact that in order to exploit the backdoor, no button has to be pushed on the device itself and on some of the affected routers, the backdoor PIN ("12345670") is still working even after WPS has been disabled by the user. The only currently known remedy for those models is to disable Wi-Fi altogether. Since all Arcadyan routers share the same software platform, more models might be affected.
Last year, Tactical Network Solutions develop and released Reaver , which is a WPA attack tool that exploits a protocol design flaw in WiFi Protected Setup (WPS). Reaver has been designed to be a robust and practical attack against WPS, and has been tested against a wide variety of access points and WPS implementations.On average Reaver will recover the target AP's plain text WPA/WPA2 passphrase in 4-10 hours, depending on the AP.
About the author