
Wi-Fi Protected Setup[WPS] security hole discovered


beer


Wi-Fi Protected Setup (WPS) has become popular among router manufacturers as a way to make adding new devices to your wireless network simpler, meaning you don't have to remember your wireless key every time. However, security researcher Stefan Viehbock has uncovered a major security hole which allows him to use brute force to access a WPS PIN-protected network in an average of two hours.

An inherent design flaw means that the 8-digit PIN's security falls dramatically as more attempts are made — a message sent by the router when the PIN fails informs the hacker if the first four digits are correct, while the last digit of the key is used as a checksum and is given out by the router in negotiation. This means that instead of the 10^8 (100,000,000) possibilities that WPS should represent, the actual level of security is closer to 10^4 + 10^3 (or 11,000 — over 9,000 times less).

Advice from the US Computer Emergency Readiness Team (US-CERT) suggests that the safest option for users is to disable WPS on your router, though as Viehbock says, "good luck telling users to turn off functionality that has 'protect' in its name." He also claims to have attempted to discuss the issue with hardware vendors — with routers from Buffalo, D-Link, Linksys, and Netgear all vulnerable to the attacks — but has been ignored. None of the manufacturers have yet released statements or updated firmware, though with Viehbock promising to release the brute force tool soon, it seems likely that they'll be forced to respond.

"good luck telling users to turn off functionality that has 'protect' in its name."

Let the confusion start in 3..2.....


From a little googling, it seems there are two common ways to turn off WPS:

  1. Pressing a physical button on the outside of your router to turn WPS on/off (sometimes WPS is printed next to the button)
  2. Log into your router > wireless settings > disable/uncheck WPS (you can try googling your specific router or brand for instructions).

I just checked my DSL router (2Wire 2701HG-B) and it seems like it does not support WPS. No physical buttons, and no WPS options in wireless settings and advanced settings. Also, the only way to connect to the router is using the SSID and encryption key, so I guess WPS is either off or not supported.

edit:

fixed router model #.



  • Administrator

WiFi WPS exploit found; no solution yet

If you have a WiFi router at home and are using the WiFi Protected Setup (WPS) to secure your network, you might want to think about switching to another protocol. The US Computer Emergency Readiness Team sent out an alert this week that describes an exploit in WPS that could lead to cyber attackers figuring out your WiFi password.

The WPS protocol is supposed to make setting up a wireless network easier for people who are not as tech savvy as others. However, US-CERT now says:

A design flaw that exists in the WPS specification for the PIN authentication significantly reduces the time required to brute force the entire PIN because it allows an attacker to know when the first half of the 8 digit PIN is correct. The lack of a proper lock out policy after a certain number of failed attempts to guess the PIN on some wireless routers makes this brute force attack that much more feasible.

At the moment there is no solution to fixing this issue. US-CERT recommends that people who are using WPS for their WiFi routers disable it and use another method to secure the router, including "using WPA2 encryption with a strong password." Several WiFi router makers such as Netgear, D-Link, Belkin and others sell products with WPS but so far none of them have commented on this newly discovered exploit.



With the new WPA2 exploit + this, Wireless networks are really unsecured.



To be honest I think that those companies are dicks for ignoring a HUGE security threat. I should hope that if there is a sudden rise in wifi hackers that the companies are blamed for already knowing about the flaw. :angry:



A lot of routers (over here at least) employ WPS only for x seconds (10, 30, 60, 300) after you pressed a button. The security implications for setups like these are minor.



  • Administrator

Two New Tools Exploit Router Security Setup Problem

Researchers have released two tools that can take advantage of a weakness in a system designed to let people easily secure their wireless routers.

One of the tools comes from security researcher Stefan Viehbock, who publicly released information this week on the vulnerability in the Wi-Fi Protected Setup (WPS) wireless standard.

The standard is intended to make it easier for non-technical people to password protect their routers to prevent unauthorized use and encrypt wireless traffic.

Most major router manufacturers use WPS, including products from Belkin, D-Link Systems, Cisco's Linksys, Netgear and others. It allows a user to enter an eight-digit random number often printed on the router by a device manufacturer to enable security. Another method supported by WPS involves pushing a physical button in the router.

The vulnerability, which was also uncovered by Craig Heffner of Tactical Network Solutions, involves how the router responds to incorrect PINs. When a PIN is entered, the router using WPS will indicate whether the first or second halves of the PIN are correct or not.

The problem means it is easier for attackers to try lots of combinations of PINs in order to find the right one, known as a brute-force attack. While determining an eight-digit PIN would normally take some 100 million tries, the vulnerability reduces the needed attempts to 11,000, according to Viehbock's research paper.

If an attacker has the PIN, it can then be used to figure out the router's password. Viehbock wrote on Thursday that his proof-of-concept tool is a bit faster than Reaver, a tool released by Heffner and Tactical Network Solutions. Both of the tools enable brute-force attacks.

Reaver is hosted on Google Code. Its authors say that it can recover a router's plain-text WPA or WPA2 password in four to 10 hours, depending on the access point. "In practice, it will generally take half this time to guess the correct WPS pin and recover the passphrase," according to a release note.

Many routers also do not limit the number of guesses for a PIN, which makes brute-force attack feasible, according to an advisory from the U.S. Computer Emergency Readiness Team (CERT). The organization wrote that it was unaware of a practical solution to the issue.

Heffner wrote that his company has been perfecting Reaver for nearly a year. Tactical Network Solutions decided to release the tool after the vulnerability was made public. It is also selling a commercial version with more features.

Users can disable WPS to prevent an attack, but Heffner wrote that most people do not turn it off.

"In our experience even security experts with otherwise secure configurations neglect to disable WPS," he wrote. "Further, some access points don't provide an option to disable WPS or don't actually disable WPS when the owner tells it to."

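An added example, not part of the thread or of any tool it mentions: a small model of the two points in the US-CERT text quoted above (the per-half confirmation that yields the 11,000 figure, and the missing lockout policy), showing how much a lockout stretches the worst case. The 2-second attempt time and the three lockout policies are constructed assumptions, not measurements of any router.

```python
from collections import namedtuple

# Guess counts as stated in the thread.
FIRST_HALF = 10 ** 4    # four digits, confirmed on their own
SECOND_HALF = 10 ** 3   # three free digits; the eighth is a checksum
SPLIT_GUESSES = FIRST_HALF + SECOND_HALF   # 11,000
WHOLE_GUESSES = 10 ** 8                    # 100,000,000

# fails_before_lock == 0 models an access point that never locks out.
Lockout = namedtuple("Lockout", "name fails_before_lock lock_seconds")

POLICIES = [  # constructed policies for comparison
    Lockout("no lockout", 0, 0),
    Lockout("60 s after 3 failures", 3, 60),
    Lockout("1 h after 10 failures", 10, 3600),
]

def worst_case_seconds(guesses, secs_per_guess, policy):
    """Time to make `guesses` attempts, including enforced lockout pauses."""
    busy = guesses * secs_per_guess
    if policy.fails_before_lock <= 0:
        return busy
    # A pause follows each full batch of failed attempts; no pause is
    # counted after the final attempt.
    pauses = (guesses - 1) // policy.fails_before_lock
    return busy + pauses * policy.lock_seconds

def compare(secs_per_guess, policies):
    """Return (policy name, days with split check, days with whole-PIN check)."""
    rows = []
    for p in policies:
        split = worst_case_seconds(SPLIT_GUESSES, secs_per_guess, p) / 86400
        whole = worst_case_seconds(WHOLE_GUESSES, secs_per_guess, p) / 86400
        rows.append((p.name, round(split, 2), round(whole, 1)))
    return rows

if __name__ == "__main__":
    # 2.0 s per attempt is an assumed figure for illustration.
    for name, split_days, whole_days in compare(2.0, POLICIES):
        print(f"{name:24} split check: {split_days:>7} days   "
              f"whole PIN: {whole_days:>10} days")
```

Even the stricter constructed policy only stretches the 11,000-guess worst case to weeks, which is why the advisory's recommendation is to disable WPS rather than rely on lockout alone.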


A lot of routers (over here at least) employ WPS only for x seconds (10, 30, 60, 300) after you pressed a button. The security implications for setups like these are minor.

Thanks for pointing that out. +1
