WiFi Protected Setup vulnerable to Reaver tool attack

Pierluigi Paganini December 30, 2011

Wi-Fi Protected Setup (WPS; originally Wi-Fi Simple Config) is a computing standard used to allow easy establishment of a secure wireless home network. It has been introduced by the Wi-Fi Alliance on January 8, 2007, with tha main purpose to allow home users to set up the encryption method WPA2, as well as making it easy to add new devices to an existing network without entering long passphrases.

It has been recently discovered that WiFi Protected Setup protocol is vulnerable to a brute force attack that allows an attacker to recover an access point’s WPS pin, and subsequently the WPA/WPA2 passphrase. The process is not so time consuming, consider that generally in few hours it is possible to retrieve the passphrase.  The tool available to perform the attack is Reaver, developed by Tactical Network Solutions it is able to exploit a protocol design flaw in WiFi Protected Setup (WPS).

This vulnerability exposes a side-channel attack against Wi-Fi Protected Access (WPA) versions 1 and 2 allowing the extraction of the Pre-Shared Key (PSK) used to secure the network. With a well-chosen PSK, the WPA and WPA2 security protocols are assumed to be secure by a majority of the 802.11 security community.

Usage is simple just specify the target BSSID and the monitor mode interface to use:
# reaver -i mon0 -b 00:01:02:03:04:05

How does it work? Let start considering on how WPS works. The protocol allows users to enter an 8 digit PIN to connect to a secured network without having to enter a passphrase.  Suppling the the correct PIN the access point gives back to the user the WPA/WPA2 PSK to use for network connection.

Resuming Reaver tool first determine an access point’s PIN with a brute force attack and after it extract the PSK.

The open code Reaver is available at Google Code

Moral of the story, even at home we will be safer. The vulnerability opens it to worryingscenarios, it will be easy to spy on us.

Pierluigi Paganini


Allar, Jared (December 27, 2011). “Vulnerability Note VU#723755 – WiFi Protected Setup PIN brute force vulnerability”Vulnerability Notes DatabaseUnited States Computer Emergency Readiness Team. Retrieved December 28, 2011.


you might also like

leave a comment