One of the key tools in the protection of home Wi-Fi networks is a technique called Wi-Fi Protected Setup (WPS), which enables users to access their networks and the security tools they use - which could be Wi-Fi Protected Access, Wi-Fi Protected Access 2 (WPA or WPA2) or Wi-Fi Equivalent Privacy (WEP) - in an easy and, presumably, secure manner. IT and security departments that oversee telecommuters should take note that the WPS is now considered to be vulnerable.
At ZDNet, Stephan Vaughan-Nichols quotes Stefan Viehbck, a security researcher for the U.S. Computer Emergency Readiness Team (CERT), who developed a tool to exploit the vulnerability. He sounded alarmed about the situation:
According to Viehbck, he took a look at WPS and found "a few really bad design decisions which enable an efficient brute force attack, thus effectively breaking the security of pretty much all WPS-enabled Wi-Fi routers. As all of the more recent router models come with WPS enabled by default, this affects millions of devices worldwide." CERT agrees.
Without going into too much detail, the flaw Viehbck developed the tool for focuses on a brute force attack - trying all combinations of PIN numbers until the right one is found. The system is designed to demand eight numbers in the correct order. The flaw, however, can reduce this to a far more manageable three.
Business Insider gets into the nuts and bolts-or, more accurately, the bits and bytes - of the situation. The piece, which is rather technical, starts by noting that the flaw has been known for more than a year. Now that a proof of concept has been performed and tools developed, the situation rises to another level of seriousness. While it is fair to note that not everyone thinks this is a big deal - Brian Tinham at the UK site Works Management suggests that it isn't simply because, in essence, these networks have long ago been rendered insecure. IT departments would not be doing their due diligence if they ignored the situation.
One element of modern telecommunications, as compared to the more locked-down days of yesteryear, is that there are as many paths into the back office of the corporate network - the servers and databases where the crown jewels are kept - as there are mobile end points. Attention must be paid to anything that threatens to open one of these paths, and the vulnerability identified by Viehbck certainly qualifies.