VOLUME 6

   ISSUE 6

19 JANUARY 2012

Wi-Fi Protected Access (WPA) is a security protocol used by many wireless devices like routers, laptops, access points and so on. Stefan Viehb�ck released a paper titled �Brute forcing Wi-Fi Protected Setup� on 26th Dec 2011 detailing vulnerabilities associated with Wi-Fi Protected Setup (WPS) � which is a feature of WPA which could allow an attacker to recover the Pre-Shared Key (PSK) associated with WPA protocol in a few hours very easily.

WPS was launched somewhere in 2006, but the actual appliances/ devices came into the market during 2007. In one of  FAQ�s of Wi-Fi Alliance, they mention �Wi-Fi Protected Setup is an optional certification program developed by Wi-Fi Alliance designed to ease set up of security-enabled Wi-Fi networks in the home and small office environment.�  Simply, WPS allows a user to enter a 8 digit PIN without having to worry about navigating through number of cumbersome configuration pages.

On 28th December 2011, Tactical Network Solutions open sourced a tool code named Reaver. They claim that with Reaver, WPS enabled router passphrase can be recovered in 4-10 hours. So far no versions of Reaver is supported in Windows platform. I�ve tested the tool on Back Track 5 with following easy steps.

wget http://reaver-wps.googlecode.com/files/reaver-1.1.tar.gz

(reaver-1.1 is the latest version at the time of writing this article, which addresses some known bugs)

Now extract gzip file

tar zxvf reaver-1.1.tar.gz

Now go to the directory and configure

 cd /reaver-1.1/src

 ./configure

 make

 make install

Before launching Reaver, let�s check the help section.

Bottom line, WPA is not directly broken via Reaver. However, Reaver exposes a side channel attack against WPA1 / WPA2 enabled wireless access points by exploiting a protocol design flow in WPS. Reaver exploits a primitive vulnerability on the PIN, it brute-forces the PIN until the correct one is recovered. With the PIN, Reaver extracts the PSK.

The issue here is that most wireless routers are affected and no vendor has announced a patch so far. But as a workaround, you can disable WPS (if it�s possible on your device). US CERT/CC has assigned VU#723755 for this vulnerability. You can also check vulnerable vendors from the above URL.

So what�s important here? Does it mean not to use wireless access points? Well, don�t - if you can afford to. Generally, it�s recommended to conduct a proper risk assessment for all information that will travel over the WLAN and restrict sensitive information.

Let�s summarize the major types of access points here.

Parakum Pathirana

CISM Coordinator - ISACA Sri Lanka Chapter

'....Just how much cybercrime happens on Facebook? About 4 million Facebook users experience spam on a daily basis, 20% of Facebook users have been exposed to malware, and Facebook sees about 600,000 cases of hijacked log-ins every day.'ses of hijacked log-ins every day. 

Sophos has recently spotted two distinct phishing campaigns - one targeting the customers of the Australian ANZ Bank and the other the users of a web portal of a North American school - where the phishing forms are hosted this Google service......'