Kensington safezone

In my previous post about WPA authentication, I left off describing how a wireless router locks out new authentication attempts.

An attacking system can make 3 guesses in a fraction of a second, then must wait 60 seconds before trying 3 more. If every possible PIN had to be tried before finding the one in use, the attack would take a maximum of 61.1 hours.

However, on average a brute-force attack takes less than half of the maximum possible time, so around 30.5 hours or less in most cases. Thus, most attacks can break into a WPA-encrypted environment in about 1 day.

YIKES!

Thus, WPA authentication does have a flaw in its design. To avoid this issue, you can go into your wireless router’s configuration and turn off the WPS (Wi-Fi Protected Setup) or WSC (Wi-Fi Simple Configuration) feature.

Wireless router vendors or firmware authors could implement a partial fix by no longer indicating whether the first 4 digits are correct and responding only once all 8 digits have been checked.

This would force a brute-force attack to guess 7 digits at once, which would take upwards of 6.34 years to exhaust (or about 3.17 years on average to succeed).
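The timing figures above can be reproduced with a small model of the lockout. This is an added example, not code from the original post. It assumes the eighth PIN digit is a checksum, so the split check exposes 4 digits and then 3 (11,000 guesses in total), and it adds a hypothetical doubling lockout policy that the post does not describe, to show how much escalation buys a firmware author.

```python
import math

HOUR = 3600
YEAR = 365 * 24 * HOUR

def pin_guesses(groups):
    """Worst-case guess count when the router confirms each digit group separately."""
    return sum(10 ** digits for digits in groups)

def fixed(seconds):
    """Lockout policy from the post: the same wait after every burst of guesses."""
    return lambda burst_index: seconds

def doubling(start, cap):
    """Hypothetical firmware policy: the wait doubles after each burst, up to a cap."""
    return lambda burst_index: min(cap, start * 2 ** min(burst_index, 32))

def worst_case_seconds(guesses, policy, per_burst=3):
    """Total lockout time needed to exhaust `guesses`. The guesses themselves
    are treated as instantaneous, as in the post ("a fraction of a second")."""
    bursts = math.ceil(guesses / per_burst)
    return sum(policy(i) for i in range(bursts))

# Assumption (WPS PIN layout, not stated in the post): digit 8 is a checksum,
# so a split check exposes 4 digits, then 3; an unsplit check exposes 7 at once.
SPLIT = pin_guesses([4, 3])    # 10**4 + 10**3
UNSPLIT = pin_guesses([7])     # 10**7

def report():
    """Worst-case seconds for the post's two scenarios plus the hypothetical one."""
    return [
        ("split check, fixed 60 s lockout",
         worst_case_seconds(SPLIT, fixed(60))),
        ("unsplit check, fixed 60 s lockout",
         worst_case_seconds(UNSPLIT, fixed(60))),
        ("split check, doubling lockout capped at 1 h",
         worst_case_seconds(SPLIT, doubling(60, HOUR))),
    ]

if __name__ == "__main__":
    for label, secs in report():
        worst_h, avg_h = secs / HOUR, secs / 2 / HOUR
        print(f"{label:45s} worst {worst_h:10.1f} h  average {avg_h:10.1f} h")
```

Even with the split check left in place, the capped doubling policy stretches the worst case from about 61 hours to roughly 152 days, which is why lockout escalation and the unsplit check are complementary rather than alternatives.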

If you would like to read more on this topic, I recommend listening to the audio podcast of Security Now with Steve Gibson #335 from Jan 9, 2012 (grc.com/sn).
