Attacks against Wi-Fi Protected Setup
WPS is a security mechanism for access points introduced by the Wi-Fi Alliance in 2006 to allow clients to connect more easily to a wireless network by supplying an eight-digit PIN instead of the pre-shared key. If the PIN is correct, the AP supplies the client with the WPA PSK needed to authenticate to the network.
The WPS specification also supports a Push-Button-Connect (PBC) method, where a button is pushed on both the AP and on the client device to start the connection.
In 2011, two researchers, Stefan Viehböck and Craig Heffner, independently discovered a vulnerability in WPS that could allow an attacker to recover the PIN in a few hours through a brute-force attack and gain access to the network. Heffner also developed and released a tool that implements this attack, Reaver.
The flaw resides in the way the PIN is checked by the AP. Indeed, the eight-digit PIN is not sent to the AP in its entirety: only the first half is sent and checked first, and then, if...
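An added toy model (not code from the article, nor from Reaver) of the verifier behaviour the paragraph describes: the class names and the PIN value are constructed for illustration, and no real WPS messages are exchanged. It counts how many accept/reject answers an AP gives away when it judges each half of the PIN separately, compared with a verifier that only answers for the whole PIN.

```python
# Toy model of the WPS design flaw: an AP that accepts or rejects each half of
# the eight-digit PIN separately reveals which half is wrong, so the search
# space collapses from 10^8 whole-PIN guesses to at most 2 * 10^4 half guesses.
# Constructed example (made-up PIN, hypothetical class names); no radio traffic.

PIN_LEN = 8
HALF = PIN_LEN // 2
HALF_SPACE = 10 ** HALF        # 10,000 candidates per half
FULL_SPACE = 10 ** PIN_LEN     # 100,000,000 candidates for a whole PIN


class SplitCheckAP:
    """Vulnerable verifier: answers 'first half OK?' before seeing the rest."""

    def __init__(self, pin: str) -> None:
        assert len(pin) == PIN_LEN and pin.isdigit()
        self._pin = pin
        self.queries = 0   # number of accept/reject answers handed out

    def check_first_half(self, guess: str) -> bool:
        self.queries += 1
        return guess == self._pin[:HALF]

    def check_second_half(self, guess: str) -> bool:
        self.queries += 1
        return guess == self._pin[HALF:]


class WholePinAP:
    """Hardened verifier: one accept/reject decision for the entire PIN."""

    def __init__(self, pin: str) -> None:
        assert len(pin) == PIN_LEN and pin.isdigit()
        self._pin = pin

    def check(self, guess: str) -> bool:
        return guess == self._pin


def _half_queries(oracle) -> int:
    """Answers needed before the oracle accepts one half (worst case 10^4)."""
    for i in range(HALF_SPACE):
        if oracle(f"{i:0{HALF}d}"):
            return i + 1
    raise ValueError("no half accepted")


def split_check_queries(ap: SplitCheckAP) -> int:
    """Total answers a split-checking AP gives before both halves are confirmed."""
    return _half_queries(ap.check_first_half) + _half_queries(ap.check_second_half)


def worst_case_queries() -> tuple:
    """Upper bound on answers needed: (split check, whole-PIN check)."""
    return 2 * HALF_SPACE, FULL_SPACE
```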