The Notebook Review forums were hosted by TechTarget, who shut them down on January 31, 2022. This static read-only archive was pulled by NBR forum users between January 20 and January 31, 2022, in an effort to make sure that the valuable technical information that had been posted on the forums is preserved. For current discussions, many NBR forum users moved over to NotebookTalk.net after the shutdown.

    [SECURITY ISSUE!] WPS security widespread vulnerability

    Discussion in 'Networking and Wireless' started by micman, Jan 15, 2012.

  1. micman

    micman Notebook Evangelist

    In case you haven't already heard the news: Hands-on: hacking WiFi Protected Setup with Reaver

    The article above is a must read for anyone with a mainstream router as you are likely vulnerable to this security black hole. Almost any router with Wi-Fi Protected Setup enabled by default and even some with it disabled but still present are able to be attacked.

    If your router doesn't have WPS or you aren't using a wireless network at all, you have nothing to worry about.

    Please note that the above article does not describe the actual process of attacking a router and it would be against forum rules to discuss the process here if I remember correctly. Please refrain from using the "h" word :eek:
     
  2. downloads

    downloads No, Dee Dee, no! Super Moderator

    No worries- it's not gonna get closed :)

    I agree this is disturbing news- especially the part about WPS working even when it's disabled (that happens only in some cases but still)
     
  3. Tinderbox (UK)

    Tinderbox (UK) BAKED BEAN KING

    I use WPS on a number of my wifi devices, but I have to physically press a WPS button on my TalkTalk D-Link router to initiate it, can this be bypassed?

    John.
     
  4. micman

    micman Notebook Evangelist

    I think when it comes to that it just depends from device to device. The problem is that the WPS pin is hardcoded into the firmware and in a lot of cases with no way to remove it or turn it off so that it isn't functioning.

    But here is a link to a public spreadsheet someone is working on that has a list of vulnerable routers. You can use it to find your model in the list, but the list is by no means complete. https://docs.google.com/spreadsheet/lv?key=0Ags-JmeLMFP2dFp2dkhJZGIxTTFkdFpEUDNSSHZEN3c
     
  5. Tinderbox (UK)

    Tinderbox (UK) BAKED BEAN KING

    I can change the code on my d-link router.

    [IMG]
     
  6. micman

    micman Notebook Evangelist

    Changing the code doesn't help, unless you are committed to manually changing the code yourself every 4 hours or less. I think from your screenshot there the best option you have is to try clicking the "Reset to Unconfigured" button. Hopefully that will turn it off for you.

    Of course the guy in the article was still able to find the WPS pin despite turning WPS off manually in his router, but his was a Linksys. What model router do you have? I've been reading around a few places and in comments for articles so I might have heard whether your specific model is exposed.

    I do know for a fact that the third party firmware DD-WRT is completely safe against this method of attack because it has no support for WPS. If you can install DD-WRT that would be the best way to patch up the hole.

    Another thought I had is you could try to monitor traffic through your router's interface or monitor login attempts if there is a feature built in. My Asus RT-N56U router just died, but if it hadn't I was going to see if I could set up a way for the admin interface to show me login attempts or just monitor traffic. It does have a traffic monitor but I doubt there's any way to utilize it to send notifications. It would be nice if there was. That seems like the only way someone could prevent an attack aside from just turning off the wireless radios altogether.
     
  7. downloads

    downloads No, Dee Dee, no! Super Moderator

    You can change it all you want.
    The point is the client device receives a confirmation when the first half of the PIN is correct (4 numbers) and the last is known as it's a checksum.
    So it can be cracked in 11.000 attempts according to CERT which can be done in 6 hours (practical experiment has been conducted).

    First thing to do is disable WPS- in some cases it would still work but "some" is not that bad in this situation.
    WPS being disabled on a 3rd party firmware is almost certainly disabled so DD-WRT, OpenWRT and similar firmwares should be safe (with WPS disabled)
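
The arithmetic behind the 11,000 figure in the post above, as an added example that is not part of the original thread. The function names, the sample PIN and the lockout policy (3 failed guesses, 60 seconds) are assumptions; the per-guess time is derived from the thread's "11,000 attempts in 6 hours".

```python
# Added example: WPS PIN structure and the worst-case time an access point
# has to withstand. Lockout values are assumptions, not figures from the thread.

def wps_checksum(body: int) -> int:
    """Checksum digit for a 7-digit PIN body (weights 3,1,3,1,... from the left)."""
    digits = f"{body:07d}"
    total = sum(int(d) * (3 if i % 2 == 0 else 1) for i, d in enumerate(digits))
    return (10 - total % 10) % 10

def pin_is_valid(pin: str) -> bool:
    """True when an 8-digit PIN string carries the correct checksum digit."""
    if len(pin) != 8 or not (pin.isascii() and pin.isdigit()):
        return False
    return wps_checksum(int(pin[:7])) == int(pin[7])

def search_space(halves_confirmed_separately: bool) -> int:
    """Worst-case number of guesses before the PIN is found."""
    if halves_confirmed_separately:
        # First half: 4 digits. Second half: 3 digits, because the 8th is the checksum.
        return 10**4 + 10**3
    # Without per-half confirmation all 7 free digits must be guessed together.
    return 10**7

def worst_case_hours(guesses, secs_per_guess, lock_after=0, lock_secs=0):
    """Hours to exhaust `guesses`; optionally the AP locks WPS for `lock_secs`
    after every `lock_after` failed guesses (0 means no lockout)."""
    lockouts = (guesses - 1) // lock_after if lock_after else 0
    return (guesses * secs_per_guess + lockouts * lock_secs) / 3600

# Rate implied by the thread's figures: 11,000 guesses in 6 hours (about 2 s each).
SECS_PER_GUESS = 6 * 3600 / search_space(True)

if __name__ == "__main__":
    print("constructed sample PIN 12345670 valid:", pin_is_valid("12345670"))
    print("guesses, halves confirmed separately:", search_space(True))
    print("guesses, PIN checked as a whole:     ", search_space(False))
    print("hours, no lockout:        %.1f" % worst_case_hours(11000, SECS_PER_GUESS))
    print("hours, lock 60 s after 3: %.1f" % worst_case_hours(11000, SECS_PER_GUESS, 3, 60))
    print("hours, whole-PIN check:   %.0f" % worst_case_hours(10**7, SECS_PER_GUESS))
```

Under these assumptions a modest lockout stretches the worst case from 6 hours to about 67, which is why vendor firmware fixes that rate-limit WPS matter on devices where it cannot be switched off.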
     
  8. Tinderbox (UK)

    Tinderbox (UK) BAKED BEAN KING

    The one I am using, I got free from my broadband provider; it's a D-Link DSL-2780, a special model you can only get from TalkTalk.

    I have a couple of other wifi routers Netgear, ZyXEL but i get the best download speeds with the d-link one.

    John.
     
  9. Tinderbox (UK)

    Tinderbox (UK) BAKED BEAN KING

    WPS is such a handy feature as well :mad:

    They can crack WPA2 encryption as well?

    John.

     
  10. micman

    micman Notebook Evangelist

    It doesn't matter what encryption you use, once the WPS pin gets cracked it coughs up your passphrase no matter how complex or secure it may have been. That's why this vulnerability is such a big deal and why the major wireless device makers need to upgrade firmware for affected devices.

    Can't find anything on your router specifically, but the fact that it has WPS built in and a lot of other D-Link's are on the list of epic failure routers means you should definitely try to turn WPS off. Maybe contact TalkTalk and see if they can work on a revision firmware for that model. They should at least know about the bug by now but they might need some pushing to get working on it.
     
  11. downloads

    downloads No, Dee Dee, no! Super Moderator

    Nope- WPA2 is basically AES so it can't be cracked (within a reasonable time-frame). In case of most encryption systems it's not the cypher that is cracked but the implementation that's being targeted- WPS is a perfect example.

    BTW- we've contradicted ourselves a bit with micman by him saying WPS is not supported on DD-WRT and me saying it's safe. We're both right since standard DD-WRT doesn't support WPS but Buffalo version does.
     
  12. Tinderbox (UK)

    Tinderbox (UK) BAKED BEAN KING

    Interesting video, covers a lot of subjects including the replacement for flash memory in SSDs and the like.

    Also I have turned my router's transmit power to its lowest, 12.5%, as the WPS hack needs a strong signal, and it's fine for reception all over my house; my whole street does not need to be able to receive my signal.

    Security Now 335 | TWiT.TV
     
  13. downloads

    downloads No, Dee Dee, no! Super Moderator

    That's a good idea. Additional benefit is that you've just stopped being interference for your neighbors so you are safer and their connections are faster.
     
  14. Tinderbox (UK)

    Tinderbox (UK) BAKED BEAN KING

    That video mentions that any wireless n device has to support WPS and it has to be enabled by default. :eek: It's required by the standard or something.

    John.
     
  15. Falco152

    Falco152 Notebook Demon

    No, it is not required but it is a feature for convenience and ease of use.


    Of course, these conveniences and ease of use would one day bite you when it comes to security.

    Luckily, I don't get affected much by the WPS flaw since mine requires a physical button to activate.
    I don't use it either since very few of my devices can use it.
     
  16. tijo

    tijo Sacred Blame

    Well, while i'm here, my E3000 has a button for WPS, i set everything to manual so WPS is disabled in the firmware, anything else i should do or i'm completely safe?
     
  17. deeastman

    deeastman Notebook Deity

    I am going to piggyback on your question (hope you don't mind) since I have the same question about my E4200 set up the same way.
     
  18. Falco152

    Falco152 Notebook Demon

    Well, you could try to test if you are able to connect via WPS from your computers.

    Just use the client instructions given by your AP vendor to see if you can at least see or are able to enter a PIN number.

    If you managed to connect via WPS without messing your current ap config or touching it, something went wrong there.
     
  19. eiji-gravion

    eiji-gravion Notebook Enthusiast

    Pretty sure all linksys routers can't have wps disabled no matter what on stock firmware.

    Even if it isn't selected it's still enabled.
     
  20. micman

    micman Notebook Evangelist

  21. wild05kid05

    wild05kid05 Cook Free or Die

    I have booted into Reaver and hacked into my own router. Took less than 2 hours. It works!
     
  22. westCoastgeekbaby2

    westCoastgeekbaby2 Notebook Consultant

    OMG, this is scary. I'm almost glad now that my wireless N router is a few years old and does not support WPS
     
  23. downloads

    downloads No, Dee Dee, no! Super Moderator

    <strike>Damn. Turns out that Gargoyle suffers from this vulnerability too.
    There's no option in GUI to disable WPS so it has to be done OpenWRT-style through console.</strike>

    Having tested it I see my notebook displays WPS configuration window but the PIN doesn't work.
    Apparently it's a leftover from factory firmware (Windows remembers the old router name) but Gargoyle doesn't support WPS at all (confirmed by their site-admin)
     
  24. SHoTTa35

    SHoTTa35 Notebook Consultant

    I've always turned off WPS so no worries here for me :)
     
  25. downloads

    downloads No, Dee Dee, no! Super Moderator

    That's not enough. A lot of routers have WPS still active even if it's disabled in firmware. Check the list of routers and verify that yours is safe.
     
  26. tijo

    tijo Sacred Blame

    Well, E3000 users using the latest firmware are safe according to the chart:
    I'll have to try and hack mine though as i'm on a previous firmware since the latest one wasn't liking one of my devices.
     
  27. Dragnoak

    Dragnoak Notebook Evangelist

  28. rouse

    rouse Notebook Geek

    i have a d-link 655 router attached to my desktop (i got it about two or three years ago, and i'm not sure whether i'm up to date on drivers or firmware), and decided to disable (unselect) the wps option two nights ago. i tried accessing the internet on my laptop immediately afterwards, and nothing seemed out of the ordinary. last night, i thought my laptop internet access was rather sluggish, and found that i was getting a whopping 1 Mbps when i was usually getting a solid 300 Mbps before. is it a total coincidence, or do i get a large hit on wireless speeds if i disable wps?

    i noticed that if i rebooted my laptop, the speed would go up to something like the usual speed, but then would come down again. does this indicate anything or am i imagining things?

    update: well, after rebooting the router a couple of times, it looks like i'm back to my usual speeds with wps disabled, so the router might have needed to be rebooted.
     
  29. downloads

    downloads No, Dee Dee, no! Super Moderator

    If rebooting your laptop (but not the router) fixes it- that may mean it's not router related.
    That said- DIR-655 has a rubbish firmware so it's actually better not to upgrade it if it works. Things tend to get worse and worse with this router so you shouldn't even try messing with it.
    Reboot the router and see if it helps. If it doesn't- enable WPS again and verify that.
    WPS does not have any relation to the throughput whatsoever but we're talking a "special" router here and nobody really knows...
     
  30. JOSEA

    JOSEA NONE

    Great info friends, I have a Westell 7500 Verizon DSL (s for slow), the only options are WEP (recommended) and WPA. Does anyone know what is more secure? I use wireless only. TIA
     
  31. downloads

    downloads No, Dee Dee, no! Super Moderator

    WPA is by far more secure compared to WEP.
     
  32. JOSEA

    JOSEA NONE

    Thanks a lot Downloads, I should have known that the recommended setting was inferior, by default the firewall on the router is off also LOL
     
  33. Dragnoak

    Dragnoak Notebook Evangelist

    Linksys has updated firmware, for this problem, on the following routers:

    E1200 v2 Available Now
    E1500 Available Now
    E3200 Available Now
    E4200 v1 Available Now

    Article

    DragonRider
     
  34. EasyCruz

    EasyCruz Notebook Geek

    Wonder if an intrusion detection app (WIDS/IDS) could add
    some level of security for these wifi router hack events?
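
One way a monitoring tool could flag the guessing pattern discussed in this thread, as an added example that is not part of the original posts. The log format, the event name `WPS_PIN_FAIL`, the addresses and the threshold are all assumptions constructed for illustration; real access points and WIDS products log differently. Failures are counted per access point rather than per client, because the client address can change between guesses while legitimate PIN enrollment is rare.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed sample events: "timestamp ap_bssid client_mac result" (hypothetical format)
SAMPLE_LOG = """\
2012-01-15T19:00:00 00:11:22:33:44:66 cc:cc:cc:00:00:09 WPS_PIN_FAIL
2012-01-15T20:00:00 00:11:22:33:44:55 aa:aa:aa:00:00:01 WPS_PIN_FAIL
2012-01-15T20:00:02 00:11:22:33:44:55 aa:aa:aa:00:00:02 WPS_PIN_FAIL
2012-01-15T20:00:04 00:11:22:33:44:55 aa:aa:aa:00:00:03 WPS_PIN_FAIL
2012-01-15T20:00:06 00:11:22:33:44:55 aa:aa:aa:00:00:01 WPS_PIN_FAIL
2012-01-15T20:00:08 00:11:22:33:44:55 aa:aa:aa:00:00:02 WPS_PIN_FAIL
2012-01-15T20:00:10 00:11:22:33:44:55 aa:aa:aa:00:00:03 WPS_PIN_FAIL
2012-01-15T20:30:00 00:11:22:33:44:66 cc:cc:cc:00:00:09 WPS_PIN_OK
"""

def detect_wps_guessing(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return one alert per access point the first time it sees `threshold`
    failed PIN exchanges inside `window`, regardless of which client sent them.
    Each alert is (time of crossing, ap_bssid, distinct client MACs involved)."""
    recent = {}        # ap_bssid -> deque of (timestamp, client_mac) failures
    alerted = set()    # access points already reported
    alerts = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] != "WPS_PIN_FAIL":
            continue                      # skip successes and malformed lines
        ts = datetime.fromisoformat(parts[0])
        bssid, client = parts[1], parts[2]
        failures = recent.setdefault(bssid, deque())
        failures.append((ts, client))
        while ts - failures[0][0] > window:
            failures.popleft()            # drop failures older than the window
        if len(failures) >= threshold and bssid not in alerted:
            alerted.add(bssid)
            alerts.append((ts, bssid, len({c for _, c in failures})))
    return alerts

if __name__ == "__main__":
    for when, bssid, clients in detect_wps_guessing(SAMPLE_LOG):
        print(f"{when.isoformat()} possible WPS PIN guessing against {bssid} "
              f"({clients} client MACs)")
```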
     
  35. miro_gt

    miro_gt Notebook Deity

    bringing this thread back up as I just found it :|

    - so I've got WPA2-PSK with AES encryption on my D-link 625, with firmware above than what they said they hacked in 4 hours in that list of routers that was posted.

    if I set my pin to get regenerated with new one below the 4 hours interval, would that mean that my network would be secure again ??
     
  36. downloads

    downloads No, Dee Dee, no! Super Moderator

    Not really. One time it will take 4 hours and the other time it will take one.
    Set it to some really safe interval if you want to be reasonably safe.