My Blog List

Why WPS is Insecure And How To Disable It ?

Your router most likely supports Wi-Fi Protected Setup (WPS) and probably it is enabled too. You would be amazed by knowing the fact that you are allowing a big hole in your security by enabling this. Most of the ordinary home users use WPA2-Personal, which is also called as WPA2-PSK. The ‘PSK’ means ‘pre-shared key.’ In this process, you have to set a passphrase which will be used as the password for connecting to your Wi-Fi network. The router obtains an encryption key from the phrase, which is used to encrypt your network traffic. Without that key, it is not possible to get access to your network. As people had to enter the phrase on each new device they connect to the network, the feature soon turned out to be an annoyance. WPS was developed as a remedy to the issue. If you enable this feature in your router, you can connect to your network without providing the passphrase.

Securing With Pin

It is possible to set up an 8 digit pin for the WPS too. Before allowing access to the network, the router checks this pin first. While it seems perfectly secure, there is a loophole in the system. Instead of checking the whole pin, most routers check the first 4 digits initially and then the last 4 digits. Therefore, anyone with the right tools can easily make brute force attacks on your network and gain access eventually. As the possible combinations of a 4 digit code are no more than 11,000, intruders can easily crack the first part, move forward to the second part and crack it too. Lots of popular routers do not limit the number of attempts after a certain number of failed attempts. This faulty system allows the eavesdroppers to attack for an indefinite period. By using common software like ‘Reaver,’ it is possible to crack a WPS pin within a single day.

Using the Button

There is another way of gaining access to a WPS-enabled network without typing any passphrase or pin whatsoever. In this method, you have to push a button on your router after making a connection request from your new device. In some routers, the button could be located in its virtual interface. As this allows only a few minutes for connecting or allows only one device to connect with a push, this method is comparably more secure than setting up a pin. Like the pin, it is not available for an indefinite period of time. Nonetheless, it is not a full-proof system too. This method allows anyone with access to the router connect their devices on your network. What’s more, they don’t even have to know or guess the pin anymore.

Though the push method seems more reliable than the pin method, the option of pin authentication is one of the basic and mandatory aspects of a certified WPS device. That means the official mandates of the devices require them to include the most unsafe method of protection. There is nothing the router manufacturers can do. In order to get certification, they have to include the pin system in WPS. Therefore, any device which has WPS enabled is by definition, is in danger and could be exploited anytime.

Is It Possible to Disable WPS?

Whether you can disable the feature or not depends on the manufacturer and the model. Some routers simply do not provide any option for disabling it. There are no such methods in the configuration of these routers. On the other hand, some other routers do allow the users to disable the feature, but does the opposite in reality. While they inform that WPS is off, it is actually turned on. This flaw was found in some Cisco Valet and Linksys wireless access points in 2012. There are some routers which allow you to either turn off or on the feature, without letting you choose the authentication method. Finally, some routers really allow you to disable the pin method and use the push method to use the feature.

How to Disable It

If you have a router which allows disabling the feature, consider yourself a lucky one. You will find the related options under WPS or Wi-Fi Protected Setup sections in your router’s online configuration interface. If turning off is not possible or you don’t want to, at least try to disable the pin method and make sure that your router is kept safe. Having said that, disabling the feature altogether will still be the best option for you. As router manufacturers have terrible records of allowing insecure methods and dangerous loopholes in their systems, you shouldn’t allow anyone to take advantage of these. There is no point in taking unnecessary risks. All WPS does is to make your connection process a bit easier. It is not impossible to connect without it. You can always choose a phrase which is easy for you to remember, but strong enough for anyone to guess. Once you have connected your device, you don’t have to type the phrase anymore. You should accept this tiny inconvenience for the sake of ensuring your safety.

Shrey Kapoor is a Tech-Enthusiast, Harvard certified Cyber Security and Cyber Forensics Expert. He Founder, which is one of the India's Top Tech News Website. Even Forbes and many other renowned publishers took his articles reference. Shrey is a Technology analyst, strategic thinker and creative writer who is passionate to deliver the best, latest possible Tech-News to his followers and subscribers. He completed his masters in Artificial Intelligence & Robotics, certified in IPR, T.Q.M. & ISO 9001:2008 In Quality Management Systems.

Theme images by merrymoonmary. Powered by Blogger.