Most people assume that the Pixie Dust threat, a vulnerability in the Wi-Fi Protected Setup (WPS) that allows attackers onto a wireless network, is long dead.
After all, cybersecurity pros have been aware of Pixie Dust since its creation in 2014, and taken active steps to prevent it. However, new research from software supply-chain security company NetRise suggests that, like the monster in the last reel of a horror movie, Pixie Dust refuses to stay down.
Craig Heffner, a senior staff engineer at NetRise, expected that everyone would have patched an ancient cybersecurity vulnerability within wi-fi products that allow bad actors onto a network. But after an email from a hobbyist who had found that five out of 11 routers were successfully compromised by a Pixie Dust attempt, Heffner’s team took a closer look.
In an email, Heffner told IT Brew that while his team is not ready to reveal the full list of vendors that are vulnerable to the Pixie Dust WPS exploit, they were able to share that TP-Link (a provider for networking equipment and smart home devices) accounted for almost half of the affected devices.
“I think everyone would have a patch by now, but we isolated the code that was responsible for the vulnerability and we wrote an analyzer,” Heffner said. “We have a very large data set of firmware that we’ve amassed, and we just let it run. What we found is, there’s still devices that are being manufactured and even supported today that still have this bug lingering in them.”
What’s that? Pixie Dust allows a bad actor within wi-fi range of a target router or other wi-fi-enabled hardware to initiate an attack, according to Heffner. If a device is using a weak random number generator, the attacker can “brute force the security pin for WPS and it takes one to two seconds.”
Once the attacker has the pin, the access point gives them a Wi-Fi Protected Access (WPA) key, no matter how complicated it is.
Top insights for IT pros
From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.
The Pixie Dust attack targets implementation-specific weaknesses. While the threat has not affected every device, Heffner said it has affected a “good number.”
“For something that’s over 10 years old, and for something that’s a very serious security flaw, that’s kind of a big deal,” Heffner said. “You go and you buy some new device from Amazon or Best Buy, or wherever you go, you expect it not to have a 10-year-old bug that allows anyone into your network.”
Getting rid of the vulnerability. For those who suspect that their enterprise or personal network could be affected by this vulnerability, Heffner suggests that users disable WPS.
“Usually when you disable it, it is disabled and then the threat’s gone,” Heffner said. “You’ve turned off that functionality. Then, whether your firmware is vulnerable or not, if WPS is disabled, you should be okay against this particular attack.”
For small businesses and enterprises, Heffner recommended purchasing products that don’t support WPS, which could mean buying higher-grade devices.
“It’s very difficult across every vendor and every product and every firmware to get that information,” Heffner said. “We have a huge repository of data, but even we don’t have everything. Unfortunately, a lot of times, even model names from vendors are very confusing.”
Two pieces of hardware could be completely different on the inside despite looking the exact same.
“They may even have the same model number,” Heffner said. “At some point, the vendor switched using completely different hardware, so it’s running completely different firmware. And it may not be vulnerable, or they may have introduced the vulnerability and the previous version wasn’t vulnerable.”
Even so, Heffner said that it’s hard to tell if someone has the affected model of the device. The best thing that someone can do to defend against this, in Heffner’s opinion, is to make sure that a wi-fi device doesn’t support WPS in the first place.