
DevilFrank

join:2003-07-13
Reviews:
·T-Com

WiFi Protected Setup PIN brute force vulnerability

quote:
Overview
The WiFi Protected Setup (WPS) PIN is susceptible to a brute force attack. A design flaw that exists in the WPS specification for the PIN authentication significantly reduces the time required to brute force the entire PIN because it allows an attacker to know when the first half of the 8 digit PIN is correct. The lack of a proper lock out policy after a certain number of failed attempts to guess the PIN on some wireless routers makes this brute force attack that much more feasible.
full story
--
Regards from Germany. Please excuse my stumbling English


FF4me

@rr.com
Researchers publish open-source tool for hacking WiFi Protected Setup:

According to a blog post by Tactical Network Solutions' Craig Heffner, this type of attack is one that researchers at the Columbia, Maryland based security firm have been "testing, perfecting, and using for nearly a year." Now the company has released an open-source version of its tool, Reaver, which Heffner says is capable of cracking the PIN codes of routers and gaining access to their WPA2 passwords "in approximately 4 [to] 10 hours." The company also is offering a commercial version of the tool that offers features like a web interface for remote command and control, the ability to pause and resume attacks, optimized attacks for different models of wireless access points, and additional support.

The routers most vulnerable to these attacks—the ones without PIN lockout features—include products from Cisco's Linksys division, Belkin, Buffalo, Netgear, TP-Link, ZyXEL, and Technicolor. None of the vendors has issued a statement on the vulnerability, or replied to inquiries from Viehböck.



Dustyn
Premium
join:2003-02-26
Ontario, CAN
kudos:11
Perhaps these vendors could address these affected routers with a firmware update?


sbconslt

join:2009-07-28
Los Angeles, CA
The vulnerability is in the WPS protocol. It's not really "patchable", in the sense that a device that implements WPS compliantly is vulnerable and will continue to be vulnerable.

All vendors can do in firmware is (a) disable WPS from being enabled by default, which is unfortunately broadly the case, and (b) increase "lockout" durations when a cracking attempt is detected, which might prolong the time to brute force the PIN but not prevent its disclosure ultimately. (The demo code already anticipates such lockouts.)
--
Scott Brown Consulting
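Worked model, added here and not part of any post in this thread nor of Reaver itself, of the search-space reduction described in the overview DevilFrank quoted and of the lockout trade-off sbconslt raises. It assumes the PIN checksum rule from the WPS specification (the thread only says the first half of the PIN is confirmed separately) and uses constructed timing figures (1.5 s per guess, a 60 s lockout after 3 failures) that are illustrative, not measurements.

```python
"""Model of the WPS PIN search space and of a lockout policy's effect.

Added illustration, not code from the thread, the CERT note or Reaver.
The checksum rule is the one in the WPS specification; the timing numbers
are constructed assumptions.
"""

# Weights the WPS checksum rule applies to the first seven PIN digits.
CHECKSUM_WEIGHTS = (3, 1, 3, 1, 3, 1, 3)


def wps_checksum_digit(first_seven: str) -> int:
    """Return the 8th digit that makes a 7-digit prefix a valid WPS PIN."""
    if len(first_seven) != 7 or not first_seven.isdigit():
        raise ValueError("expected exactly seven decimal digits")
    total = sum(int(d) * w for d, w in zip(first_seven, CHECKSUM_WEIGHTS))
    return (10 - total % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    """True if an 8-digit PIN satisfies the checksum.

    A registrar rejects anything else before any exchange takes place, so
    the 8th digit is derived, not secret.
    """
    return len(pin) == 8 and pin.isdigit() and int(pin[7]) == wps_checksum_digit(pin[:7])


def attempts_if_pin_were_one_secret() -> int:
    """Worst case if the whole PIN had to be right at once: seven free digits."""
    return 10 ** 7


def attempts_with_split_verification() -> int:
    """Worst case given the design flaw: the first four digits are confirmed
    on their own (10**4), after which only three free digits remain (10**3)."""
    return 10 ** 4 + 10 ** 3


def worst_case_seconds(attempts: int, seconds_per_attempt: float,
                       lockout_after: int = 0, lockout_seconds: float = 0.0) -> float:
    """Time to exhaust `attempts` sequential guesses.

    lockout_after > 0 models a router that pauses WPS for `lockout_seconds`
    after that many consecutive failures; a lockout only counts when further
    guesses still follow it.
    """
    total = attempts * seconds_per_attempt
    if lockout_after > 0:
        lockouts = (attempts - 1) // lockout_after
        total += lockouts * lockout_seconds
    return total


if __name__ == "__main__":
    print(is_valid_wps_pin("12345670"))  # a prefix whose checksum digit is 0
    split = attempts_with_split_verification()
    print(attempts_if_pin_were_one_secret() // split)  # roughly 900x fewer guesses
    # Constructed assumptions: 1.5 s per guess, 60 s lockout after 3 failures.
    no_lockout = worst_case_seconds(split, 1.5)
    with_lockout = worst_case_seconds(split, 1.5, lockout_after=3, lockout_seconds=60)
    print(f"{no_lockout / 3600:.1f} h without lockout, "
          f"{with_lockout / 3600:.1f} h with lockout")
```

The point the numbers make is sbconslt's: a lockout multiplies the time to exhaust the 11,000 candidates, but the candidate count itself is fixed by the protocol, so the PIN is still recoverable by anyone willing to wait.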

ElJay

join:2004-03-17

1 recommendation

reply to DevilFrank
I've never figured out the point of WPS... Is it really that hard to copy and paste a long WPA2 password into a setup dialog? I have the PIN mode disabled on my router, but unfortunately I can't turn the WPS feature off entirely.


owlyn
Premium,MVM
join:2004-06-05
Newtown, PA
Reviews:
·Comcast
said by ElJay:

I've never figured out the point of WPS... Is it really that hard to copy and paste a long WPA2 password into a setup dialog? I have the PIN mode disabled on my router, but unfortunately I can't turn the WPS feature off entirely.

Same for me. Although of limited use, I also have MAC filtering enabled, and, although of almost no use, I have SSID broadcast disabled. At least I've done everything I can do. All but the most determined should be thwarted, and there are many, many other wireless routers in my immediate neighborhood that are likely not as well set up, so are easier targets.


Link Logger
Premium,MVM
join:2001-03-29
Calgary, AB
kudos:3
reply to DevilFrank
Sorry, I started a duplicate thread with the CERT notification for this »WiFi Protected Setup PIN brute force vulnerability so I'll have my duplicate thread locked.

Blake
--
Vendor: Author of Link Logger which is a traffic analysis and firewall logging tool


planet

join:2001-11-05
Oz
kudos:1

1 edit
So, I'm trying to wrap my head around this; is there any solid workaround other than disabling wireless and plugging all devices in?

edit: If you disable WPS or the PIN option in your router, does this mitigate vulnerability?


antdude
A Matrix Ant
Premium,VIP
join:2001-03-25
United State
kudos:5
reply to DevilFrank
Do I assume one has to use wireless devices to brute force this like old WEP?


FF4me

@newsouth.net
Hands-on: hacking WiFi Protected Setup with Reaver:

The only way to block the attack was to turn on Media Access Control (MAC) address filtering to block unwanted hardware.

While turning on MAC address filtering will prevent Reaver from associating with the router, that's "easily circumvented." ... All an attacker has to do is use a network monitoring tool to detect the MAC address of a system that has an existing connection to the router, and set that as the address of their attack platform.

And the attack could be carried out unattended, using a device left near the target network and controlled remotely.

The bottom line is that, while WPS was designed for simple security, there is no such thing as simple security. The only way to be absolutely sure that someone can't gain access to your wireless network with the WPS hack is to make sure you use a router that doesn't support the protocol.



sbconslt

join:2009-07-28
Los Angeles, CA
reply to planet
said by planet:

If you disable WPS or the PIN option in your router, does this mitigate vulnerability?

Nope, not necessarily. In the Ars Technica article that they ran today (linked and quoted in the post immediately above) they cracked a WRT54G2 with reaver, then proceeded to their astonishment to crack it a second time with WPS set to off.

unoriginal
Premium
join:2000-07-12
San Diego, CA
reply to DevilFrank
I guess this is a good reason to run alternate firmware on your router if it's available. I've got Tomato on my Netgear and can't even find WPS as an option anywhere in the config menus.


NetFixer
Bah Humbug
Premium
join:2004-06-24
The Boro
Reviews:
·Cingular Wireless
·Comcast Business..
·Vonage
reply to planet
said by planet:

So, I'm trying to wrap my head around this; is there any solid workaround other than disabling wireless and plugging all devices in?

edit: If you disable WPS or the PIN option in your router, does this mitigate vulnerability?

That will depend on the router.

Netgear implies that disabling the WPS PIN on their routers will protect you, but I have not had a chance to compile the POC code yet to test that claim on my own Netgear router (but it has had the WPS PIN mode disabled on it since I first applied power to it).
--
History does not long entrust the care of freedom to the weak or the timid.
-- Dwight D. Eisenhower


heelyeah
Premium
join:2004-02-11
Raleigh, NC
reply to unoriginal
DD-WRT is not at risk either

ElJay

join:2004-03-17
Reviews:
·Time Warner Cable
reply to NetFixer
said by NetFixer:

Netgear implies that disabling the WPS PIN on their routers will protect you, but I have not had a chance to compile the POC code yet to test that claim on my own Netgear router (but it has had the WPS PIN mode disabled on it since I first applied power to it).

Thanks for this. My router is a Netgear as well... I'm running fairly old firmware because it's very stable (a rare thing for SoHo-class routers) and I hope it has the described WPS implementation which throttles these brute-force attempts (assuming PIN = off doesn't really turn it off).


NetFixer
Bah Humbug
Premium
join:2004-06-24
The Boro
Reviews:
·Cingular Wireless
·Comcast Business..
·Vonage
said by ElJay:

Thanks for this. My router is a Netgear as well... I'm running fairly old firmware because it's very stable (a rare thing for SoHo-class routers) and I hope it has the described WPS implementation which throttles these brute-force attempts (assuming PIN = off doesn't really turn it off).

That is probably because most (if not all) of the Netgear firmware for their resi/soho routers is OpenWrt with a custom Netgear html interface.
--
History does not long entrust the care of freedom to the weak or the timid.
-- Dwight D. Eisenhower


Bill_MI
Bill In Michigan
Premium,MVM
join:2001-01-03
Royal Oak, MI
kudos:2
Reviews:
·WOW Internet and..
reply to FF4me

Don't miss this important fact...

sbconslt mentions it above to the FF4me link.

THIS is NASTY...

said by »arstechnica.com/business/news/20 ··· aver.ars :
Having demonstrated the insecurity of WPS, I went into the Linksys' administrative interface and turned WPS off. Then, I relaunched Reaver, figuring that surely setting the router to manual configuration would block the attacks at the door. But apparently Reaver didn't get the memo, and the Linksys' WPS interface still responded to its queries—once again coughing up the password and SSID.
Can't turn it off on some routers!!!


planet

join:2001-11-05
Oz
kudos:1
Reviews:
·Cox HSI

1 edit
On my Linksys E1500, I am now running fully wired, disabled wireless, since WPS can't be successfully turned off. Linksys needs to respond to this within a responsible amount of time or likely lose some of their market share.

edit: Here's a link to a spreadsheet that has data of routers that Reaver brute forced PIN/PSK, interesting data:
»docs.google.com/spreadsheet/ccc? ··· 3c#gid=0

urbanracer34

join:2010-01-06
Saskatoon, SK
reply to FF4me

Re: WiFi Protected Setup PIN brute force vulnerability

delete please - posted above already


heelyeah
Premium
join:2004-02-11
Raleigh, NC

1 recommendation

reply to DevilFrank
I don't understand why this company released this hacking tool to the public. There should be a law against that. Now someone has released step by step instructions for even novice users.

»lifehacker.com/5873407/how-to-cr ··· h-reaver

I flashed both of my routers to DD-WRT


Reno7
Premium
join:2008-10-26
Keller, TX

I have a Linksys E4200 and after doing a lot of reading on Tomato and DD-WRT today, I don't see it being worth it. Going either way you're going to lose functionality (the USB port, SSH, one of the antennas).

What really pisses me off now is Linksys was notified of the issue by the US-CERT over a month ago now and they have yet to do one damn thing about no one being able to disable WPS on their routers. We're talking about every router they make (last what 5+ years?) being hackable in 4-6 hours with a single easy to use tool and they cannot fix an existing disable feature that's broken.

franch

join:1999-11-03
Canada
reply to DevilFrank
MAC address filtering will protect against Reaver for now. Though it's trivial to change the MAC address in Linux, doing so will prevent Reaver from properly functioning. This is apparently being worked on so it isn't a permanent solution. Also, it's possible that other tools might not be affected by this "bug".


planet

join:2001-11-05
Oz
kudos:1
Reviews:
·Cox HSI
said by franch:

MAC address filtering will protect against Reaver for now. Though it's trivial to change the MAC address in Linux, doing so will prevent Reaver from properly functioning. This is apparently being worked on so it isn't a permanent solution. Also, it's possible that other tools might not be affected by this "bug".

Not so sure:
»code.google.com/p/reaver-wps/iss ··· il?id=99