A design flaw in WiFi Protected Setup (WPS) has been discovered and made public by Austrian information security student and researcher Stefan Viehböck. The vulnerability allows attackers to brute-force the WPS PIN of wireless network devices with little effort, giving them remote access to the network.
WiFi Protected Setup is a standard for setting up, configuring and securing a wireless router, making it much easier for the average user to get online quickly without knowing the technical ins and outs that IT folks need. It is “standard fare” in many current wireless devices, including those made by Belkin, Buffalo, D-Link, Cisco/Linksys, Netgear, Technicolor, TP-Link, and ZyXEL.
This security flaw has to do with the PIN. The WPS PIN is supposed to be an eight-digit random number predefined by the manufacturer. With 100 million possible PINs, a brute-force attack should take far too long to be practical. The flaw is that when an incorrect eight-digit PIN is rejected, the response leaks additional information, which lets an attacker shape subsequent guesses so that brute-forcing becomes much faster. To prove this, Stefan wrote a proof-of-concept brute-forcing tool and used it against routers made by different vendors; it took him an average of two hours to gain access to a WPS PIN-protected network.
Users are advised to deactivate WPS in order to mitigate the flaw, but a better solution would be for vendors to enforce longer “lock-down periods” after failed PIN attempts, in order to make an attack impractical. I am not certain so far whether there was proper defense in depth using other controls, such as configuring the router to only allow access to devices with specific MAC addresses (yes, they can be spoofed, but you still need to know one that has access!), disabling remote management over wireless, and other configuration settings.
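To make the risk concrete, here is a small Python model, added to this post and not part of Stefan's tool or any vendor's code, of how the leaked information shrinks the search and how a lock-down period changes the time an exhaustive search would take. It assumes two details from the public advisory that the post above does not spell out: the registrar acknowledges the first four digits and the next three digits separately, and the eighth digit is a checksum of the other seven (the checksum formula is the one in the WPS specification). The timing parameters in `main()` are constructed for illustration.

```python
"""Risk model for the WPS PIN weakness: search-space size and lock-down timing.

Added example (not from the original post). Assumptions, per the public advisory:
  * the two halves of the PIN are confirmed separately (4 digits, then 3 digits);
  * the 8th digit is a checksum of the first seven, so it is never "free".
"""
from math import ceil

FULL_PIN_SPACE = 10**8        # all eight-digit PINs, the figure the post quotes
FIRST_HALF_SPACE = 10**4      # digits 1-4, confirmed on their own (assumption)
SECOND_HALF_SPACE = 10**3     # digits 5-7; digit 8 is derived by checksum (assumption)


def wps_pin_checksum(first_seven: int) -> int:
    """Checksum digit for a 7-digit prefix, as defined by the WPS specification."""
    accum = 0
    while first_seven:
        accum += 3 * (first_seven % 10)
        first_seven //= 10
        accum += first_seven % 10
        first_seven //= 10
    return (10 - accum % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    """True if `pin` is eight digits and its last digit is the correct checksum."""
    if len(pin) != 8 or not pin.isdigit():
        return False
    return int(pin[7]) == wps_pin_checksum(int(pin[:7]))


def worst_case_guesses(split_verification: bool) -> int:
    """Number of attempts needed to exhaust the PIN space.

    Without the flaw the whole PIN must be guessed at once (10^8 possibilities).
    With split verification each half is searched independently, so the two
    spaces add rather than multiply.
    """
    if not split_verification:
        return FULL_PIN_SPACE
    return FIRST_HALF_SPACE + SECOND_HALF_SPACE


def seconds_to_exhaust(guesses: int, seconds_per_attempt: float,
                       attempts_before_lockdown: int = 0,
                       lockdown_seconds: float = 0.0) -> float:
    """Wall-clock seconds to make `guesses` attempts under a lock-down policy.

    After every `attempts_before_lockdown` failures the access point refuses
    further PIN attempts for `lockdown_seconds`. Zero for either parameter
    models a device with no lock-down at all.
    """
    base = guesses * seconds_per_attempt
    if attempts_before_lockdown <= 0 or lockdown_seconds <= 0:
        return base
    # A lock-down is triggered after each full block of failures except the last.
    lockdowns = (guesses - 1) // attempts_before_lockdown
    return base + lockdowns * lockdown_seconds


def main() -> None:
    # Constructed timing assumptions for the table below.
    per_attempt = 1.3  # seconds per PIN exchange, illustrative only
    print(f"Full PIN space: {worst_case_guesses(False):,} attempts")
    print(f"With split verification: {worst_case_guesses(True):,} attempts")
    guesses = worst_case_guesses(True)
    for attempts, lock in [(0, 0.0), (3, 60.0), (3, 600.0), (3, 3600.0)]:
        secs = seconds_to_exhaust(guesses, per_attempt, attempts, lock)
        label = "no lock-down" if attempts == 0 else f"{attempts} tries / {lock:.0f}s lock"
        print(f"{label:>24}: {secs / 3600:8.1f} hours worst case")


if __name__ == "__main__":
    main()
```

With attempts taking on the order of a second each, exhausting the reduced space is a matter of hours, which is in line with the two-hour average reported above, whereas a lock-down of even a few minutes after a handful of failures pushes the worst case into weeks. That is the reason the post's mitigation advice centres on lock-down periods rather than on the PIN length itself.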