Researcher finds flaws in Wi-Fi security
Security flaws heighten risks to enterprise data as employees increasingly work remotely
A security researcher has found flaws in Wi-Fi security that represent a risk to enterprises where employees work remotely, using Wi-Fi services at home or in public locations such as coffee shops.
Security expert Stefan Viehböck released his findings in a paper titled "Brute-forcing Wi-Fi Protected Setup".
In the paper, he described the flaws he discovered in WPS (Wi-Fi Protected Setup), a programme designed to help with the set-up and configuration of security on wireless local area networks.
"Although WPS is marketed as being a secure way of configuring a wireless device, there are design and implementation flaws which enable an attacker to gain access to an otherwise sufficiently secured wireless network," wrote Viehböck in the paper.
One of the vulnerabilities of the system is that it is not protected from so-called brute-force attacks. In order to access a computer on a WPS-protected Wi-Fi network, it is only necessary to enter the PIN found on the router.
There are simple tools available on the internet that can crack these PINs in a matter of hours, simply by running through every possible alphanumeric combination, he added.
"As the [system] does not require any kind of authentication apart from providing the PIN, it is potentially vulnerable to brute force attacks," he wrote.
This problem is compounded by the way the system responds to incorrect PINs: it informs attackers which part of the PIN is wrong once they have correctly guessed at least half of it.
"This form of authentication dramatically decreases the maximum possible authentication attempts needed from 100,000,000 to 20,000," wrote Viehböck.
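The arithmetic behind those two figures, as an added example that is not code from Viehböck's paper or from any WPS implementation: a toy verifier that either reveals when the first half of a PIN is right or returns one uniform failure, with a count of the attempts each design permits. It assumes an 8-digit numeric PIN split into two 4-digit halves, which is what the 100,000,000 and 20,000 figures imply; the function names and sample PINs are constructed for illustration.

```python
# Added illustration: a toy PIN verifier model, not WPS protocol code.

def make_verifier(pin, leaks_half):
    """Build check(guess) for a constructed PIN.

    leaks_half=True: a failure response reveals that the first half was right
    (the behaviour the article describes). False: one uniform failure response.
    """
    half = len(pin) // 2

    def check(guess):
        if guess == pin:
            return "ok"
        if leaks_half and guess[:half] == pin[:half]:
            return "first-half-ok"
        return "fail"
    return check

def worst_case(digits, leaks_half):
    """Closed-form maximum number of attempts the design permits."""
    half = digits // 2
    if leaks_half:
        return 10 ** half + 10 ** (digits - half)
    return 10 ** digits

def attempts_used(pin, leaks_half):
    """Count the attempts an exhaustive search spends against the verifier."""
    check = make_verifier(pin, leaks_half)
    digits, half = len(pin), len(pin) // 2
    rest = digits - half
    count = 0
    if not leaks_half:
        for n in range(10 ** digits):
            count += 1
            if check(f"{n:0{digits}d}") == "ok":
                return count
    prefix = None
    for n in range(10 ** half):          # phase 1: settle the first half
        count += 1
        candidate = f"{n:0{half}d}"
        result = check(candidate + "0" * rest)
        if result == "ok":
            return count
        if result == "first-half-ok":
            prefix = candidate
            break
    for n in range(10 ** rest):          # phase 2: settle the second half
        count += 1
        if check(prefix + f"{n:0{rest}d}") == "ok":
            return count

if __name__ == "__main__":
    print(worst_case(8, False), worst_case(8, True))   # the article's two figures
    print(attempts_used("9999", False), attempts_used("9999", True))
```

The simulation runs on 4-digit sample PINs so it finishes instantly; the closed form gives the 8-digit figures quoted above.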
Anders Hansson, CTO of security firm Cryptzone, said that the insecurity of wireless networks demands that enterprises look to VPN technologies in order to guarantee the security of their remote workers.
"Corporates should note that staff who access office resources from a home network should presume that their home wireless network can be cracked in relatively short order," he said.
"For this reason, if staff really must access the company systems via Wi-Fi, then the use of VPN technology is a must-have."