With the onslaught of data breaches happening lately, both online and in-store, it almost feels like nothing is safe anymore. You might be feeling a bit skeptical about even stepping foot outside or on the Web, and you might have good reason for feeling that way. This week, a report has come out that could make your palms sweat a little more. Even if you have a secure Wi-Fi password or PIN code for your one-touch WPS option, hackers can still crack the code in under a second.
Swiss researcher 0xcite released a new way to gain entry to those routers with pesky passwords. By simply going around the Wi-Fi Protected Setup button and using offline algorithms and calculations, instead of guessing for a PIN code for hours on end, you can now just take one guess to get in. And usually, you're into the router in the blink of an eye.
How does it work? Well, the presentation in the source link below has the finer details, but the gist of it is that there is an exploit that is found within some similar chipsets used in a lot of routers. The good news is that all routers aren't affected, but those using Broadcom chipsets and ones from another unnamed company can be at risk. The undisclosed company is currently working rapidly on a fix, which is part of the reason it's not being identified.
The Wi-Fi Alliance, the organization responsible for standards and practices in the world of wireless, has said that the vulnerability is probably due more on how a company sets up its wireless networking features and less on Wi-Fi itself. The Alliance has added that users should immediately turn off their WPS setup option and accept that dealing with a secure password might be a better option for now. Wi-Fi Alliance spokeswoman Carol Carrubba explained,
A vendor implementation that improperly generates random numbers is more susceptible to attack, and it appears as though this is the case with at least two devices. It is likely that the issue lies in the specific vendor implementations rather than the technology itself. As the published research does not identify specific products, we do not know whether any Wi-Fi certified devices are affected, and we are unable to confirm the findings.
Broadcom has not commented on the matter yet but 0xcite said they've reached out to both Broadcom and the other company to immediately fix the flaw. Nothing has been stated on a turnaround time for a patch to the problem as of yet, so it's on the user to protect themselves for now.