Hands-on: hacking WiFi Protected Setup with Reaver

Jouni Malinen
Sat Jan 7 09:56:22 PST 2012

On Fri, Jan 06, 2012 at 01:21:15AM +0100, Cristian Ionescu-Idbohrn wrote:
> Would be really interesting to read some qualified comments to this
> article:
> http://arstechnica.com/business/news/2012/01/hands-on-hacking-wifi-protected-setup-with-reaver.ars

Any particular detail you would be interested in? The possibility of a
brute force attack against a static AP PIN was already described in the
WPS 1.0h specification with a mechanism for mitigating the attack.
Unfortunately, some WPS implementations do not follow that guidance.

As far as hostapd is concerned, commit
3b2cf800afaaf4eec53a237541ec08bebc4c1a0c from early 2009 added a lock-down
mechanism to limit brute force attacks on the AP PIN. To avoid the issue
completely, a static AP PIN should not be enabled by default, as described
in hostapd.conf:

# Static access point PIN for initial configuration and adding Registrars
# If not set, hostapd will not allow external WPS Registrars to control the
# access point. The AP PIN can also be set at runtime with hostapd_cli
# wps_ap_pin command. Use of temporary (enabled by user action) and random
# AP PIN is much more secure than configuring a static AP PIN here. As such,
# use of the ap_pin parameter is not recommended if the AP device has means for
# displaying a random PIN.

README-WPS has more details on how to use the wps_ap_pin command.

Jouni Malinen                                            PGP id EFC895FA
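
Added example, not part of the original message and not hostapd code: a small audit of hostapd.conf text that flags a static ap_pin, following the hostapd.conf guidance quoted above. It assumes a single-BSS file; the function names, verdict strings and both sample configurations are constructed for illustration.

```python
# Added example: audit hostapd.conf text for a static WPS AP PIN.
# Assumes a single-BSS file; the sample configs below are constructed.

def parse_conf(text):
    """Return {key: value} for key=value lines; '#' lines are comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()  # this parser keeps the last value
    return settings

def audit_ap_pin(text):
    """Classify how exposed the AP PIN is to external WPS Registrars."""
    conf = parse_conf(text)
    wps_on = conf.get("wps_state", "0") in ("1", "2")  # 0 = WPS disabled
    if not conf.get("ap_pin"):
        # hostapd.conf: without ap_pin, external Registrars cannot control the AP
        return "ok-no-static-pin"
    if not wps_on:
        return "dormant-static-pin"       # reachable as soon as WPS is enabled
    if conf.get("ap_setup_locked", "0") == "1":
        return "static-pin-setup-locked"  # new external Registrars not accepted
    return "static-pin-exposed"           # protected by the lock-down only

WEAK = """\
interface=wlan0
ssid=example
wps_state=2
eap_server=1
# constructed value, not a real device PIN
ap_pin=12345670
"""

HARDENED = """\
interface=wlan0
ssid=example
wps_state=2
eap_server=1
# no ap_pin here; a temporary random PIN is enabled on user action with
#   hostapd_cli wps_ap_pin random 300
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(f"{name}: {audit_ap_pin(text)}")
```

The verdict never includes the PIN value itself, so the output can be logged or shared without leaking it.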
