Most WiFi Routers Susceptible to Brute Force

According to Stefan Viehböck, an independent security researcher, most consumer WiFi routers are susceptible to hacking because of how they are configured. The vulnerability only affects users who rely on the simplified setup method that manufacturers enable by default. This method, called WiFi Protected Setup (WPS), was enabled on nearly all consumer WiFi access points, including those sold by Cisco/Linksys, Netgear, Belkin, Buffalo, and D-Link.

WPS offers 3 methods for connecting wireless devices to WPA2 protected access points:
  1. Push Button Connect (PBC) requires the user to push a button on the router which allows it to communicate with a client needing configuration. The client attempts to connect and the router simply sends it the security configuration required to communicate.
  2. Client PIN mode is where the client device supports WPS and has a PIN assigned by the manufacturer. You then log in to the router's management interface and enter the PIN to authorize that client to obtain the encryption configuration.
  3. Router PIN mode allows a client to connect by entering a secret PIN from a label on the router, or from its management interface, which authorizes the client to obtain the security configuration details.
The first two methods require physical access to the router in order to compromise it. The third method can be attacked over the WiFi radio by brute force. Another researcher independently discovered the same issue and has published a tool called Reaver that implements this attack.
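
Why Router PIN mode is open to brute force, as an added Python example (not code from the original article or from Reaver). It relies on Viehböck's published analysis: the eighth PIN digit is a checksum and the router confirms the two halves of the PIN separately. The function names, the seconds-per-attempt figure and the lock-out policy are assumptions made for illustration.

```python
def wps_checksum(first7: int) -> int:
    """Checksum digit for the first seven digits of an 8-digit WPS PIN."""
    accum = 0
    while first7:
        accum += 3 * (first7 % 10)
        first7 //= 10
        accum += first7 % 10
        first7 //= 10
    return (10 - accum % 10) % 10


def is_valid_pin(pin: str) -> bool:
    """True if `pin` is 8 ASCII digits and the last digit is the checksum."""
    if len(pin) != 8 or not (pin.isascii() and pin.isdigit()):
        return False
    return wps_checksum(int(pin[:7])) == int(pin[7])


def worst_case_attempts(halves_checked_separately: bool) -> int:
    """Upper bound on the guesses needed to find a router PIN."""
    if halves_checked_separately:
        # First half: 4 free digits. Second half: 3 free digits + checksum.
        return 10**4 + 10**3
    # PIN verified as a whole: 7 free digits + checksum.
    return 10**7


def worst_case_hours(attempts, secs_per_attempt, lock_after=0, lock_secs=0):
    """Hours needed to exhaust `attempts` guesses under a lock-out policy.

    lock_after=0 models a router that never locks WPS after failed PINs.
    """
    locks = (attempts - 1) // lock_after if lock_after else 0
    return (attempts * secs_per_attempt + locks * lock_secs) / 3600


if __name__ == "__main__":
    n = worst_case_attempts(halves_checked_separately=True)
    # Assumed values: 2 s per attempt, optional 60 s lock after 3 failures.
    print(f"whole-PIN check : {worst_case_attempts(False):,} guesses")
    print(f"split-PIN check : {n:,} guesses")
    print(f"no lock-out     : {worst_case_hours(n, 2):.1f} h")
    print(f"3 tries / 60 s  : {worst_case_hours(n, 2, 3, 60):.1f} h")
```

A lock-out policy only stretches the worst-case time; the search space stays at 11,000 guesses for as long as Router PIN mode is enabled.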