Defending against WPS attacks

[ternarybit]

After some research and field testing, it's become pretty obvious that WPS is the most dangerous threat to Wi-Fi security, for APs with WPS enabled.

The most obvious solution is to simply disable WPS. But some routers, most notably Linksys models, don't allow someone to fully disable it.

Another obvious solution is for vendors to lock down WPS in the firmware. For example, locking WPS for 30 minutes after 10 incorrect PIN attempts, then 60 minutes after another 10, then locking it permanently after another 10. Even just locking WPS for 30 minute intervals after 10 attempts would render most bruteforces impractical. The Netgear WNDR3800 I just pentested does lock WPS ... for five minutes, after about 25 incorrect attempts. With tweaked Reaver settings, I cracked it in under 24 hours at about 16 seconds per PIN.

I just read that Kismet can now detect a flood of WPS traffic, indicating a WPS attack. That's great! But, what can someone do once they've detected an attack? Other than heatmapping the signal from the offending MAC address and attempting to locate the device, is there anything anyone can do to stop an attack in progress, other than take the vulnerable AP offline?

Any other thoughts on defending against this? Cheers!

-ternarybit

[strakar]

Well from my point of view, when you start a WPS Attack you usually associate with the AP, what if you use MAC Filtering? I know that its not a strong protection but you can give a lot more trouble to the attacker for him to wait for a legit MAC. Just an idea though

[ternarybit]

That would definitely make things harder for an attacker, but also very hard, if not impossible for legitimate users--especially on public or mostly-public hotspots. Thanks for the input!

[strakar]

Well im thinking about the fact that you already "programed" the AP with the MACs of the users you want to allow access to the network.

[ternarybit]

Sure, good point.

In the event that, say, I'm running Kismet and pick up a WPS attack coming from a spoofed MAC 00:11:22:33:44:55, what can I do to stop the attack? Is there a way to deny service to that MAC, or do anything else short of physically locating and disabling the attacker?

[strakar]

I guess the only thing you can do is Filter the address 00:11:22:33:44:55 and block its access. But it would change to another, again and again. So allowing only those computers that you want and block the rest would be more efficient

[comaX]

Uh well, to defend against WPS attacks... Why not deactivating the WPS service ? It can be done on most routers, and will get rid of that problem. As for the mac filtering, you block everything but the authorized ones, and that should do it if you want to keep the WPS active. Note that spoofing an authorized MAC is easy as pie though..

[ternarybit]

Uh well, to defend against WPS attacks... Why not deactivating the WPS service ? It can be done on most routers, and will get rid of that problem. As for the mac filtering, you block everything but the authorized ones, and that should do it if you want to keep the WPS active. Note that spoofing an authorized MAC is easy as pie though..

thanks for the input. I did mention disabling WPS is the obvious solution in my OP, I was just curious if there was anything else available to a defender, assuming their router cannot disable WPS (which is the case with a surprising number, sadly).

[thad0ctor]

you could always try flashing a router to DD-WRT firmware which could allow you to then toggle on and off WPS

[comaX]

thanks for the input. I did mention disabling WPS is the obvious solution in my OP, I was just curious if there was anything else available to a defender, assuming their router cannot disable WPS (which is the case with a surprising number, sadly).

Guess what ? I just jumped THE line saying that... Sorry