
Home routers under attack...


67 replies to this topic

#31 AplusWebMaster


Posted 30 December 2011 - 12:17 PM

How about just do the WPA2/AES thing and be done with it?

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.



#32 Doug


Posted 30 December 2011 - 02:21 PM

I posted the question to Brian Krebs, to which he replies:

BrianKrebs
December 30, 2011 at 2:29 pm

@doug:
The important thing to keep in mind with this flaw is that devices with WPS built-in are vulnerable whether or not users take advantage of the WPS capability in setting up their router. Also, routers that include WPS functionality are likely to have this feature turned on by default.


Additionally, it appears that Belkin has issued a firmware update to address this vulnerability.
No word from other popular Router manufacturers.
______________________

For my own Network, I use Linksys WRT 400N by Cisco

In the name and password protected browser accessed Router Setup
Go to - Wireless - Basic Wireless Settings - Configuration View

The top item on that panel is "Manual" vs. "Wi-Fi Protected Setup"
Select - Manual - then press Save Settings

Continue with WPA2 Security Mode to set your Passphrase.

The above will have done all that can be done by the owner/user at this time to prevent the described vulnerability.

I'm hopeful that firmware updates will be published.
The help you receive here is free.
If you wish, you may Donate to help keep us online.

#33 AplusWebMaster


Posted 31 December 2011 - 04:10 PM

Just adding another, which is for the Linksys WRT54G (only a -million- or so in the field)... it doesn't seem to be named "WPS", but instead "Secure Easy Setup" and the -Default- is -Enable- that needs to be set to -Disable-

Can be found at http://192.168.1.1/WAdv.htm
> Wireless > Advanced Wireless Settings

... apparently called "Secure Easy Setup" on many routers instead of "WPS".
___

- https://isc.sans.edu...l?storyid=12292
Last Updated: 2011-12-30 03:19:11 UTC - "... Disable WPS..."



#34 appleoddity


Posted 01 January 2012 - 01:08 AM

This is cute and all, but aren't there two critical components that we kind of overlooked here:

1) "Using WPS, the user can enable strong encryption for the wireless network simply by pushing a button on the router and then entering the PIN..."
2) "He said his tool took about four hours to test all possible combinations on TP-Link and D-Link routers he examined, and less than 24 hours against a Netgear router."


Frankly, if a "hacker" breaks into my house to push a button on my router and then sits there for up to 24 hours to connect to my wireless network (no doubt pushing the button again and again and again every time it times out), it must be one of my friends or I'm just plain on vacation. It's an interesting article but nothing more than a proof of concept requiring impossible circumstances.

Correct me if I'm wrong.

-----

I do stand corrected. I kept on searching and finally found this: http://sviehb.files....ehboeck_wps.pdf

An article that finally explains the attack, as the article linked to in this thread is misleading, as well as several other pieces of literature including a Wikipedia article on Wi-Fi Protected Setup. Now I understand that push button connect is only one of three supported authentication methods, and this attack does not require pushing the button. Guess it's a good thing I have always disabled WPS. Of course, if I had ever used it I might've known how it works. :)

Edited by appleoddity, 01 January 2012 - 01:22 AM.

The help you have been given is free. If you have been happy with our help please consider donating to support this forum.

If you would like to say thanks for the help I have given you please View My Profile and Leave a Comment.
Your encouragement is welcome.


#35 AplusWebMaster


Posted 01 January 2012 - 03:11 AM

"...his tool took about four hours to test... Correct me if I'm wrong..."

How long do you think it will take the billion dollar cybercrime industry to further that "research" and come up with an exploit that works remotely? Nothing "cute" about that - and when they do, you won't find it on the Web in a search - until it's after the fact.

- http://blog.eset.com...wireless-router
December 30, 2011 - "... it’s a game of cat-and-mouse. Exploits will always be a nuisance..."


Edited by AplusWebMaster, 01 January 2012 - 10:17 AM.



#36 appleoddity


Posted 01 January 2012 - 11:39 AM

Well, my point was the article made it sound like the button had to be pushed and then a PIN entered on the remote device. His article is wrong, and it was even discussed in the comments, which I later read. If a button had to be pushed on the router, it made this attack impossible. Because that would never happen. But, turns out it does not need to be pushed. As the exploit is localized, time consuming, and little chance of any payoff I doubt the cybercrime industry will be spending too much effort on it in the near future. Especially considering the huge success of rootkits, fake anti-viruses, and password/CC# stealers. However, the kid in your neighborhood might enjoy disrupting your internet traffic or downloading illegal music and movies.



#37 Doug


Posted 01 January 2012 - 02:08 PM

WPS appears to be a (local) vulnerability in millions of commonly used routers. That it is known to exist, calls for a remedy.

Theoretically there are thousands of currently unidentified vulnerabilities in operating systems, website and browser protocols, and peripheral device software just waiting to be exploited. There are also plenty of known vulnerabilities which have not yet fallen to popular use by bad-guys due to a variety of reasons including complexity of attack use, low probability of gain, and the existence of other more convenient methods of large volume attack with higher gain potential. "Risk Managers" in the anti-malware industry allocate prevention and repair resources based on relative numbers of exploits in the wild plus estimate of cost of damage. Some vulnerabilities have been known and written about for over 10 years, but not addressed for repair.

Citing "the kid down the street" who may enjoy commandeering a neighbor's home network for purposes of music and movies download trivializes the risk but should not lead us to dismissing its potential damaging effect. I can think of plenty of motivational instances that make WPS a vulnerability that should cause great concern. For instance in the private sector of social service providers. Psychologists, counselors, safe houses, and rehabilitation program providers are given extraordinary access to Court, Parole, and Probation and personally identifying documentation, and supposedly secured correspondence to add to and modify those documents. It is not at all uncommon to see a full parking lot outside of a program provider's office suite, with a half-dozen of the cars occupied by individuals and even entire families waiting for their family member to complete their 2-hour weekly session. Those cars and individuals can easily stay in place all day long, providing plenty of time for idle minds and hands to play with the locally available Wi-Fi networks.

Social service providers are not well known for being well educated or even very much interested in internet security. The potential for exploit is high. Other private sector consultants and contractors have similar access to otherwise secure and high profile industry and government sites. Business area parking lots and street parking allow for a scenario similar to the above cited for social service providers.

WPS may have been a silly idea to increase ease-of-use, and maybe should never have been implemented, but since it was it ought to be fixed.

#38 appleoddity


Posted 01 January 2012 - 03:06 PM

Hi Doug. I always appreciate your level headed contribution to a discussion. Believe it or not, I am a security expert. I've taken part in cyber defense competitions, have formal in-class network and server security training, and have trained in West Point Academy's cyber defense facility. Suffice it to say, I know a little bit about network security. I'm certainly not dismissing that there is a level of risk posed by the WPS vulnerability.

Rather than go into all the various boring details why this vulnerability is fairly limited and low risk, let's just say that the only direct risk posed by cracking a WPS code is that someone might use your internet connection. There are many other mitigating factors, and without exploiting or executing other successful attacks there would be no "pay-off." And, that would be assuming those attacks or exploits actually resulted in useful information that could be used. This isn't much different than leaving your wireless network completely insecure, or connecting to the Starbucks network and browsing the internet while you sip on coffee. The most likely thing to happen is that someone will connect to your internet and use it.

But, a security risk it is, as are the thousands of other risks you mentioned, some known, some not, some ignored. It should not be ignored, because fines from the RIAA and lawsuits from software companies for the neighbor kid's internet usage suck.

Edited by appleoddity, 01 January 2012 - 03:54 PM.



#39 Doug


Posted 01 January 2012 - 04:46 PM

Appleoddity, You'll get no argument from me related to your experience, skill, and credentialing. I readily admit that one of my best contributions to WTT has been to help populate Tech Team with people who are smarter and have better technical skill, experience and knowledge than myself.

It is the social service user-group with whom I have concern in my example. Retired from social services myself, I've been in and out of many service provider agencies and offices and am familiar with hundreds of those "licensed" professional providers. Unhappily, my experience and knowledge does not inspire confidence when it comes to that industry's use of gadgets. Heck, there are licensed people who believe that HIPAA is a service by which their internet communication is magically "protected" once they become licensed, instead of a set of standards and implementation guides to which they must adhere. Many of those folks happily correspond with clients via unencrypted email and via their counseling website, even charging fees for their internet enabled service delivery.

As to the likelihood of social service patients being capable and motivated enough to pursue such system intrusion... no obstacles there. Capable and even brilliant people have social service and rehabilitation needs too. And while they are entitled to receive information about their diagnosis, treatment plan and objectives, many also wonder what their therapist "really" thinks and what has been communicated to courts and other third-parties. Add to that, the legal and financial incentives held by spouse, dependents, employers, and other interested parties, and you have strong motivation to hack.

OK. So the problem I allude to above might be better addressed to the licensing authority in the separate states. But such minutia as WPS only makes it easier for those ill-informed users to merrily pursue their professional activities.

#40 terry1966


Posted 02 January 2012 - 05:13 AM

This seems to be the same topic so thought you might find it interesting. There's already open source proof of concept programs out that can brute force the vulnerability. http://www.h-online....te-1401822.html

:popcorn:



#41 Doug


Posted 05 January 2012 - 01:01 PM

Members at arstechnica test drive Reaver.
Results demonstrate router vulnerability, whether or not WPS is disabled.

http://arstechnica.c...with-reaver.ars

#42 appleoddity


Posted 05 January 2012 - 01:49 PM

Just reinforces that while I used to highly praise and recommend Linksys products, since Cisco took them over both names are carp**. Cisco managed not only to turn Linksys into junk, they turned their own products into junk. Netgear is my new up and coming star - producing highly functional and reliable pieces of equipment now.



#43 AplusWebMaster


Posted 07 January 2012 - 07:01 PM

FYI...

WPS vulnerable to Brute-Force Attack
- https://www.us-cert..../TA12-006A.html
January 06, 2012 - "... Solution: Update Firmware: Check your access point vendor's support website for updated firmware that addresses this vulnerability. Further information -may- be available in the Vendor Information section of VU#723755* and in a Google spreadsheet called WPS Vulnerability Testing**.
Disable WPS: Depending on the access point, it may be possible to disable WPS. Note that some access points may -not- actually disable WPS when the web management interface indicates that WPS is disabled..."

* http://www.kb.cert.o.../723755#vendors

** https://docs.google....NSSHZEN3c#gid=0
___

Cisco WPS vuln Response
- http://tools.cisco.c...onalInformation
2012-January-18 - Rev 2.0 - Updated information for the WRP400.

:blink: :ph34r:

Edited by AplusWebMaster, 19 January 2012 - 04:50 AM.



#44 AplusWebMaster


Posted 28 January 2012 - 06:04 AM

FYI...

- http://tools.cisco.c...ecurityResponse

Cisco WPS vuln - status updated ...
- http://tools.cisco.c...sr-20120111-wps
2012-January-27 - Revision 3.0... Updated the Cisco UC320W WPS Disable status to Yes due to release of DisableWPS.pmf**. Added Cable and DSL access products currently under investigation. Added a link to Linksys product documentation*...

WPS vulnerability status update for Linksys devices
* http://www6.nohold.n...articleid=25154
"... Cisco will be releasing firmware that allows customers to disable Wi-Fi Protected Setup to eliminate exposure to this issue... table lists affected products and will be updated with dates and firmware version numbers that include the ability to disable WPS..."

** https://supportforum.../docs/DOC-16301
Last Modified: Jan 26, 2012 - Rev. 10
___

- http://www.kb.cert.o.../723755#vendors
Last Updated: 2012-01-28

:ph34r:

Edited by AplusWebMaster, 29 January 2012 - 06:59 AM.



#45 AplusWebMaster


Posted 16 May 2012 - 12:44 PM

FYI...

WPS PIN brute force vulnerability
- http://www.kb.cert.o.../723755#vendors
Last revised: 10 May 2012
Overview: The WiFi Protected Setup (WPS) PIN is susceptible to a brute force attack. A design flaw that exists in the WPS specification for the PIN authentication significantly reduces the time required to brute force the entire PIN because it allows an attacker to know when the first half of the 8 digit PIN is correct. The lack of a proper lock out policy after a certain number of failed attempts to guess the PIN on many wireless routers makes this brute force attack that much more feasible...
Impact: An attacker within range of the wireless access point may be able to brute force the WPS PIN and retrieve the password for the wireless network, change the configuration of the access point, or cause a denial of service...
Please consider the following workarounds:
> Disable WPS
Within the wireless router's configuration menu, disable the external registrar feature of WiFi Protected Setup (WPS). Depending on the vendor, this may be labeled as external registrar, router PIN, or WiFi Protected Setup...
References:
- http://sviehb.wordpr...-vulnerability/
- http://en.wikipedia....Protected_Setup
- http://download.micr...WCN-Netspec.doc
- http://www.wi-fi.org...rotected-setup/
- https://docs.google....dFpEUDNSSHZEN3c
- http://en-us-support...s-on-the-router

:ph34r: :ph34r:
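
The search-space reduction and the missing lockout policy described in the CERT overview quoted above, worked through as an added example (not part of any post in this thread or of the CERT note). Assumptions: the eighth PIN digit being a checksum comes from the WPS specification rather than this page, and the 1.3 s per attempt and the lockout policies are constructed values, with 1.3 s chosen so the no-lockout case lands near the "about four hours" quoted earlier in the thread.

```python
# Added example: WPS PIN search space and the effect of an AP lockout policy.
# Assumption not stated on this page: the 8th PIN digit is a checksum of the
# first seven (WPS specification). Timing and lockout values are constructed.

def worst_case_guesses(digits=8, split=True, checksum=True):
    """Worst-case count of PIN guesses before the right one is reached.

    split=True models the design flaw: the access point confirms the first
    half of the PIN on its own, so the halves are searched one after the other.
    """
    first_half = digits // 2
    second_half = digits - first_half - (1 if checksum else 0)  # free digits only
    if split:
        return 10 ** first_half + 10 ** second_half
    return 10 ** (first_half + second_half)


def worst_case_seconds(guesses, secs_per_attempt, lock_after=None, lock_secs=0):
    """Time to exhaust `guesses` if the AP refuses WPS for `lock_secs`
    after every `lock_after` failed attempts (None means no lockout)."""
    total = guesses * secs_per_attempt
    if lock_after:
        failures = guesses - 1  # worst case: only the final guess is accepted
        total += (failures // lock_after) * lock_secs
    return total


DESIGNS = {
    "single 8-digit check, no checksum": dict(split=False, checksum=False),
    "single check, checksum digit": dict(split=False, checksum=True),
    "halves confirmed separately (WPS)": dict(split=True, checksum=True),
}
POLICIES = {  # constructed lockout policies: (failures before lock, lock seconds)
    "no lockout": (None, 0),
    "3 failures -> 60 s": (3, 60),
    "3 failures -> 1 hour": (3, 3600),
}


def report(secs_per_attempt=1.3):
    """Return (design, policy, guesses, hours) rows for every combination."""
    rows = []
    for design, kwargs in DESIGNS.items():
        guesses = worst_case_guesses(**kwargs)
        for policy, (lock_after, lock_secs) in POLICIES.items():
            secs = worst_case_seconds(guesses, secs_per_attempt, lock_after, lock_secs)
            rows.append((design, policy, guesses, round(secs / 3600, 1)))
    return rows


if __name__ == "__main__":
    for design, policy, guesses, hours in report():
        print(f"{design:36} {policy:22} {guesses:>11,} guesses {hours:>12,.1f} h")
```

The split check cuts the worst case from 100,000,000 guesses to 11,000, and a one-hour lock after three failures pushes exhausting those 11,000 from hours to months, which is why the advisory lists both the design flaw and the lockout policy.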