
New WiFi Setup Flaw Allows Easy Router PIN Guessing

Soulskill posted more than 2 years ago | from the orders-of-magnitude dept.


Trailrunner7 writes "There is a newly discovered vulnerability in the WiFi Protected Setup standard that reduces the number of attempts it would take an attacker to brute-force the PIN for a wireless router's setup process. The flaw results in too much information about the PIN being returned to an attacker and makes the PIN quite weak, affecting the security of millions of WiFi routers and access points. Security researcher Stefan Viehbock discovered the vulnerability (PDF) and reported it to US-CERT. The problem affects a number of vendors' products, including D-Link, Netgear, Linksys and Buffalo. 'I noticed a few really bad design decisions which enable an efficient brute force attack, thus effectively breaking the security of pretty much all WPS-enabled Wi-Fi routers. As all of the more recent router models come with WPS enabled by default, this affects millions of devices worldwide,' Viehbock said."


Frosty pist (-1)

Anonymous Coward | more than 2 years ago | (#38509150)

Haruhi Suzumiya is mai waifu!

WPS (3, Insightful)

Shadyman (939863) | more than 2 years ago | (#38509172)

As all of the more recent router models come with WPS enabled by default...

Don't you still have to physically push a button to (temporarily) enable WPS? If not, whose bright idea was *that*?

Re:WPS (2, Informative)

Anonymous Coward | more than 2 years ago | (#38509208)

There's push button mode, and there's a shared PIN mode.

Re:WPS (3, Insightful)

mkraft (200694) | more than 2 years ago | (#38509526)

I believe you still have to put the router into setup mode even when using shared PIN mode. That limits the times this attack could possibly work.

Re:WPS (1)

AmiMoJo (196126) | more than 2 years ago | (#38513602)

There are ways around that. You could just keep your computer on 24/7 until the unsuspecting victim pairs something with their router, but it is more efficient to use a trick similar to that used to force WPA authentication which is required for attacking WPA keys. In the case of WPA the attacker forces a client to re-connect, e.g. by sending de-auth packets appearing to come from said client.

For WPS you can use the same technique until the victim thinks their wifi is broken and tries to re-pair their device by pushing the WPS button. The button usually starts a timer so you get say 1 minute to hammer it.

Re:WPS (2)

jroysdon (201893) | more than 2 years ago | (#38518380)

This is incorrect. Look at the paper. It states WPS has three methods:
Push-button-connect
PIN - Internal Registrar (web interface)
PIN - External Registrar (PIN)

Default on the Buffalo WHR-HP-G300N I just reviewed is to have External Registrar (PIN) enabled.

The paper further states that if a device is WPS certified then it must have the External Registrar (PIN). To make it "user friendly" it will be enabled by default. Hopefully your devices have the ability to disable it.

Side note: trust no wireless. Best method is to put the wireless in a DMZ and VPN/encrypt all traffic, so even if the wireless is compromised you're still safe. If you restrict all traffic to just DNS and VPN to your device, then would-be freeloaders will just move on even if they found your PIN as they cannot get anywhere.

Re:WPS (1)

jroysdon (201893) | more than 2 years ago | (#38518484)

That is incorrect. With External Registrar (PIN) method nothing has to be done on the router and it is all done remote. Per the paper, External Registrar (PIN) is a required feature for all WPS-certified devices. (Note, it doesn't have to be enabled by default, but that wouldn't be user friendly, would it?).

Two flaws:
1. The WPS access point should not NACK the PIN before the entire PIN is transmitted. This cuts the number of guesses down from 100,000,000 (10^8) to 11,000 (10^4 + 10^3).
2. Most access points don't block further authentication after failures. Because of this you can test all 11,000 PINs in less than 4 hours on most models.

User fix:
Disable WPS External Registrar PIN. If that is not an option, demand your vendor release new firmware (see vendor fix below). If that is not an option, replace your wireless device.

Vendor fix:
Block further authentication for Z minutes after X attempts. The paper has a nice table showing the maximum attack time given different variables for Z and X.

Re:WPS (4, Funny)

b4dc0d3r (1268512) | more than 2 years ago | (#38510208)

HAHAHAHA I got a new Linksys. My WPS doesn't work at all. Joke's on them! HAHAHAHAWAit a minute.

Re:WPS (-1, Offtopic)

dvdwholesale3 (2432850) | more than 2 years ago | (#38510514)

Hong Kong Reeho Mannequin Co., Ltd company was founded in 1990, the head office in Shenzhen, Guangdong Province, China. At the same time, Reeho Mannequin factory was located in Shenzhen, Guangdong Province. Reeho Mannequin company have been engaging in mannequin, clothes hanger and store display products’ Research and Development, Production and Sales. We have more than 10 years work experience mannequin’s designers for corporate image building, and we also have recruited a top mannequin sculptor for the chief engineer,. http://mannequinmanufacturer.com/5-children-s-clothes-hangers [mannequinm...cturer.com]

WPS - maybe not that easy (2)

hcs_$reboot (1536101) | more than 2 years ago | (#38510934)

Most router implementations allow a few attempts and then blacklist the MAC address of the attacker for a while (according to TFA the program would have to try at most 11,000 times).
Thus the attacker program should be low-level enough to fake its own MAC address all the time.

Re:WPS - maybe not that easy (1)

X0563511 (793323) | more than 2 years ago | (#38513150)

Much fun to be had by de-authing an existing client and spamming WPS with their MAC, thus booting them off for whatever the cooldown period was.

Oops?

That's why WPS is disabled on all my routers... (0)

Anonymous Coward | more than 2 years ago | (#38509188)

Who didn't see this one coming?

ok... (2)

viperidaenz (2515578) | more than 2 years ago | (#38509194)

So I'm still safe-ish using plain old WPA2/PSK?

Re:ok... (5, Informative)

stevel (64802) | more than 2 years ago | (#38509356)

No. If your router supports the "external" authentication mode using only a PIN, it is vulnerable no matter which encryption type you use or how good your password is. I did not realize that there was such a mode - I too thought it required the pushbutton.

The easiest mitigation is to disable the WPS PIN on your router, re-enabling it when you want to add a device. Some routers may not have such an option, but at least mine does.

Scary.

Re:ok... (2)

93 Escort Wagon (326346) | more than 2 years ago | (#38509810)

No. If your router supports the "external" authentication mode using only a PIN, it is vulnerable no matter which encryption type you use or how good your password is.

I didn't see Apple mentioned anywhere. Apparently the recent Airport Extremes do support WPS mode, but (when I checked my router's preferences) it appears there's no set PIN enabled by default. When I go to see how it works, it asks me to enter a PIN that's been chosen by the client. If true, that shouldn't be problematic - although I haven't ever used that "feature" since I never found WPA2 to be particularly difficult to set up in the first place.

Re:ok... (0)

Anonymous Coward | more than 2 years ago | (#38510682)

> "Apparently the recent Airport Extremes DO support WPS mode"

I have a 4th gen AE at home.. and recently set up a 5th Gen at work... but I'm not seeing these options on either one. (both are running firmware 7.6.0)

Re:ok... (2)

93 Escort Wagon (326346) | more than 2 years ago | (#38511570)

Launch "Airport Utility" and select either an Extreme or an Express. Click on "Manual Setup". Then go to the "Base Station" pulldown menu. The WPS setup is the very last item in that menu - "Add Wireless Clients".

Re:ok... (1)

realityimpaired (1668397) | more than 2 years ago | (#38513576)

It can be difficult when you use a sufficiently long WPA2 passkey, but that's largely due to how well you can type a password that could be 60+ characters.

That being said, I have never had a problem typing my passkey, and have never had a need to use WPS to set up my router. Mine does support the pushbutton authentication mode, as well as the pre-generated PIN mode, but the PIN is disabled by default, which is exactly how it should be... and I think (I'd have to check the documentation) that if you enable the pre-generated PIN mode, it only works for 5 minutes before it disables itself.

Re:ok... (1)

viperidaenz (2515578) | more than 2 years ago | (#38512372)

I have no WPS since I bought a $20 TP link router when a power surge fried my asus wl-500

Bad Security = Bad Security big surprise (1, Interesting)

Anonymous Coward | more than 2 years ago | (#38509206)

I've never trusted the WiFi protected setup scheme because if it seems too easy to be secure, well then it probably is. If you don't use Tomato or DD-WRT on your router you obviously don't really care about security anyway so who cares? The OOB ROMs on most consumer routers are full of more holes than a breadboard.

Re:Bad Security = Bad Security big surprise (1, Informative)

LordLimecat (1103839) | more than 2 years ago | (#38511984)

If you don't use Tomato or DD-WRT on your router you obviously don't really care about security anyway so who cares? The OOB ROMs on most consumer routers are full of more holes than a breadboard.

A) Citation needed.
B) Apparently you're not aware of the issues that historically plagued DD-WRT, what with their broken HTTPS daemon which would either spike your cpu to 100% or require you to use HTTP only. That's some mighty good security there.
C) Apparently you're also not aware that the old WRT-54Gs were the starting point for DD-WRT, and were linux based. What makes you think there's more security in DD-WRT?
D) Security has never been a chief concern of either Tomato or DD-WRT.

Re:Bad Security = Bad Security big surprise (2)

realityimpaired (1668397) | more than 2 years ago | (#38513626)

If you don't use Tomato or DD-WRT on your router you obviously don't really care about security anyway so who cares? The OOB ROMs on most consumer routers are full of more holes than a breadboard.

BS. I can't speak to some brands, but the main reason to install Tomato or DD-WRT is *not* security, it's features. If you're not using one of those firmwares, then it's because you don't need the added features that they offer (or perhaps, you have a router which came with every single one of those features out of the box, and see no point in installing them). There is absolutely nothing that Tomato can do which can't be done with the default firmware on my TP-Link router, because the default firmware is that good. It literally does everything that Tomato does, and even provides a well-documented way to replace the firmware with Tomato if you still think it's better. (Tomato is mentioned specifically in the manual, as an example of why you'd use that feature in the firmware).

Tomato/DD-WRT are great for adding features like advanced QoS rules to an older router, or a router from a company that doesn't think that consumers need stuff like that, but they really don't improve the *security* at all. And that's largely because the *security* is all relying on the same protocols, and need to comply with standards like WPA2/PSK in order to play friendly with the computers you're trying to connect to it. If you're seriously worried about exploits to gain admin access to the firmware (assuming they even exist...), then you've already lost the battle, because it means that somebody you don't trust has already gotten access to your internal network.

Re:Bad Security = Bad Security big surprise (1)

yuhong (1378501) | more than 2 years ago | (#38522230)

I think they designed the protocol to use Diffie-Hellman to prevent offline attacks.

Does it matter? (3, Interesting)

wbr1 (2538558) | more than 2 years ago | (#38509218)

Since most people (home consumers) can't be bothered to change a default name/password/ssid on damn things anyway, about 80% or more are insecure as it is. If you want a secure connection, don't use the air, use a wire, and better yet, make sure you own and monitor its entire length.

Re:Does it matter? (5, Funny)

davester666 (731373) | more than 2 years ago | (#38509418)

Rubbish. That's just half-assed security.

If you want real security, you need to personally design the chips, fab them [then microwave the resulting chips to make sure they actually fabbed your design], then fabricate the PCB, solder it all together, then write the router's OS.

Oh, and for extra credit, implement your own personal wireless protocol [using either/both of the public 2.4/5 GHz frequencies] for both the router you just fabbed as well as for your computing devices.

Re:Does it matter? (1)

mbkennel (97636) | more than 2 years ago | (#38511664)

For Very Sensitive national security projects that's just what they do.

Sandia National Laboratory has a semiconductor fab. No doubt they're few generations behind Intel in process, but that isn't the point of these.

It is because they have discovered very subtle and apparently intentional hardware flaws inserted into chips made in the East. Not mistakes.

Re:Does it matter? (0)

Anonymous Coward | more than 2 years ago | (#38513760)

implement your own personal wireless protocol [using either/both of the public 2.4/5 GHz frequencies] for both the router you just fabbed as well as for your computing devices.

Actually, that's just half-assed security.

"Anyone can invent an encryption algorithm they themselves can't break; it's much harder to invent one that no one else can break".

Re:Does it matter? (1)

operagost (62405) | more than 2 years ago | (#38517534)

You forgot to write your own encryption algorithm. FAIL

wire does not work that well on laptops (1)

Joe_Dragon (2206452) | more than 2 years ago | (#38509432)

if you don't have any laptops and just desktops then don't get a wifi router if you want a secure connection.

Re:Does it matter? (3, Interesting)

LordLimecat (1103839) | more than 2 years ago | (#38512006)

WPA2-PSK is, I would argue, more secure than bog-standard wired ethernet. Wired ethernet is trivial to tap with a laptop with a USB-ethernet port bridged to its internal NIC. It's also possible to tap by simply capturing the EM emissions from the line. ARP poisoning could also trivially reveal plaintext passwords, and what sites you visit.

With properly set up wifi, on the other hand, every communication is encrypted, HTTPS or not. I'm not sure as I've never tried, but I do not believe that you can arp-poison a wifi connection that has been secured with WPA2.

Of course you can throw in IPsec, but you can do that regardless of the physical layer involved.

Re:Does it matter? (1)

wertarbyte (811674) | more than 2 years ago | (#38512776)

Of course you can use arp poisoning on a WPA2 connection, as long as you have access to the broadcast domain. This means either a valid WPA2 passphrase to connect to the network via air or access to the wired part of the network (which is usually bridged). Remember: WPA2 encryption is only a way of preventing anyone from connecting to your network, it is not a sufficient way to protect your data: What use is an encrypted wifi link if the data is travelling the next 1000 miles beyond that purely unencrypted? Use HTTPS/TLS/SSL/SSH/... wherever you can!

Re:Does it matter? (0)

Anonymous Coward | more than 2 years ago | (#38516012)

I think the story is specific to home routers... If you've got someone with nefarious purposes in your house tapping into your wired network then you, my friend, have much bigger problems than network security. At that point I think it becomes more of a home security issue. inb4 businesses that use "for home" wireless routers

Re:Does it matter? (0)

Anonymous Coward | more than 2 years ago | (#38516804)

What a load of bullshit. We are talking about when you DON'T have physical access here.

My WALL and LOCKED DOOR beat your encryption.
It makes it impossible to ever TRY to connect.
And my personal authentication is ME, only letting people in that I trust, and watch what they do.

Some people really need to get out of their basement into the real world again...

Oh, and when they can break into the house and room without me noticing it or being able to prevent it, that your WPA2-PSK will do nothing to stop them from just opening the router or server anyway.

Re:Does it matter? (2)

Midnight_Falcon (2432802) | more than 2 years ago | (#38516896)

I would argue that WPA2-PSK is not nearly as secure as ethernet, especially 802.1x protected ethernet (which is rare). Here's why:

* WiFi is wireless. Most hackers are more apt to hack from a coffee shop across the street with a nice 1-Watt WiFi radio/9+db antenna than try to gain physical access. You have to physically intrude into the network in order to get ethernet access -- and if you've gone this far, can't you just break into the server room and take the disks out of the servers!?!
* WPA2-PSK uses a shared key. It is not 802.1x, there's no external auth gateway like LDAP or even an internal database. This key is subject to being inadvertently shared if any computer or device with wifi access is compromised. Then, all your WiFi communications are in the clear!
* WPA2-PSK has absolutely no effect on ARP spoofing, poisoning, or other methods of running man-in-the-middle attacks. It's merely a perimeter security service -- once you're in the network, you can still run any attacks that the given routing equipment/firewalls allow you to, wireless or not.

Also, I'd like to point out that using WPA2-PSK does NOT secure your HTTP connections like HTTPS -- they are still subject to eavesdropping if someone is within your internal network, or, if they are at your ISP, or any intermediary network in between. WPA2 is highly distinct from, with little overlap and no substitute for using SSL/TLS for HTTP transmissions!!
My opinion is that WPA2-PSK is adequate security for a home of the average person, but not for any mid sized or above business (or small business processing credit cards or other financial data). The choice of WiFi security algorithm is only like a gatekeeper at the city walls, once someone has entered your city, you still need to police your city.

Re:Does it matter? (2)

LordLimecat (1103839) | more than 2 years ago | (#38520874)

* WiFi is wireless. Most hackers are more apt to hack from a coffee shop across the street with a nice 1-Watt WiFi radio/9+db antenna than try to gain physical access. You have to physically intrude into the network in order to get ethernet access

The problem is, you're looking at the best case scenarios for each, and I would agree-- on a hardened network with a managed switch and security policies in place, a wired solution can be more secure. But in an average scenario, wired setups are horribly vulnerable to ARP sniffing, DHCP spoofing, inserting a tap between wall jack and workstation, etc. No authentication is needed for ANY of those-- your attacker doesn't even need authorization, just physical access, which is terribly easy in 90% of offices and homes.

On the other hand, WPA2 exposes itself to a much wider audience, but demands authorization, and has proven security. Good luck cracking WPA2-AES 16 character passwords with aircrack-ng, it's gonna be a while.

WPA2-PSK has absolutely no effect on ARP spoofing, poisoning, or other methods of running man-in-the-middle attacks.

It does in the sense that anyone and any device that wants to perform those attacks must have the key.

WPA2-PSK uses a shared key. It is not 802.1x....all communications in the clear...

I was under the mistaken impression that WPA2 PSK performed a secure session key exchange, which is apparently not the case; I should have not specified PSK in particular. The fact remains, WPA2 has more built-in security than a bog-standard Cat5 connection, which is incredibly trivial to tap.

Also, I'd like to point out that using WPA2-PSK does NOT secure your HTTP connections like HTTPS -- they are still subject to eavesdropping if someone is within your internal network, or, if they are at your ISP, or any intermediary network in between

It protects it from node to AP, whereas ethernet provides no such security. Imagine if you will, two networks-- one, all hops are cat5 (and no ipsec), and the other, all hops are WPA2 AES w/ strong password (mixed alphanumeric 30 characters).

Which would you say is more susceptible to an MITM attack? The one with no authentication or encryption built into the physical layer, or the one with?

Re:Does it matter? (2)

Bengie (1121981) | more than 2 years ago | (#38514096)

Wifi on my Netgear didn't even work until I assigned my own password. It wouldn't even allow open Wifi until I created a secure wifi at least once.

Nothing new (3, Informative)

ewanm89 (1052822) | more than 2 years ago | (#38509320)

Same old thing, default configuration is bad.

Re:Nothing new (3, Interesting)

gadzook33 (740455) | more than 2 years ago | (#38510002)

I guess. Except that shouldn't be (isn't?) true. Is the default mode I use SSL in bad? Is Amazon's security bad?

I just can't believe how incredibly poor this implementation was. For that matter, I can't believe no one noticed it up until now. This just seems like security 101 stuff. If nothing else it shouldn't have passed the you-don't-get-something-for-nothing common sense check.

Re:Nothing new (1)

MacGyver2210 (1053110) | more than 2 years ago | (#38510878)

Is Amazon's security bad?

Yes. Yes it is.

Re:Nothing new (1)

ewanm89 (1052822) | more than 2 years ago | (#38513242)

I won't go into how many certificate authority breeches in the last year. One CA actually managed to get itself revoked off every browser's list, but the bigger ones are not much better.

Re:Nothing new (1)

dkf (304284) | more than 2 years ago | (#38516942)

I won't go into how many certificate authority breeches in the last year.

Yeah, they're all just pants [wikipedia.org] .

Re:Nothing new (3, Informative)

swillden (191260) | more than 2 years ago | (#38510512)

Same old thing, default configuration is bad.

Not really. That would imply that changing the default configuration to something else would fix the problem, but it doesn't. The only thing that fixes it is disabling WPS. Well, I suppose setting a really long PIN -- but the default is 8 digits which most people would expect is reasonable anyway. If the protocol didn't leak information about the PIN, or the device didn't allow brute force searches, this wouldn't be a problem.

This isn't a default configuration problem, this is a security protocol defect coupled with an implementation error.

Re:Nothing new (0)

Anonymous Coward | more than 2 years ago | (#38512954)

I've worked on Carrier grade networks for a long time. I consider any form of in-band administration to be a bad idea.
Unfortunately consumer grade routers don't come with a dedicated console port, so it's kind of a necessity. But most implementations are crappy enough that I wouldn't enable anything remote or wifi, and stick with only using LAN-facing wired connections.

Re:Nothing new (1)

ewanm89 (1052822) | more than 2 years ago | (#38524510)

I can try 8 digit pin (0-9 only?) in mere seconds on modern hardware just a bruteforce. The problem is bad security options set as default, do we remember when they turned WPA on and then used a hashed router serial number + ESSID for the key so the autoconfig software could figure it out remotely?... Same badness there. Now if you are using default security on your routers, this is to be expected.

Re:Nothing new (1)

swillden (191260) | more than 2 years ago | (#38530462)

I can try 8 digit pin (0-9 only?) in mere seconds on modern hardware just a bruteforce.

Only if the router is stupid. A proper implementation should at a minimum impose a second or two delay after failed attempts, and a good one should implement exponentially increasing delays.

Actually, "mere seconds" is likely impossible even without any delays. 10^8 values tested in, say, 10 seconds, means you have to be able to test 10^7 keys per second -- that's ten keys per microsecond. Given wireless protocol overheads, inter-frame delays, etc., plus the fact that the router hardware isn't tremendously fast, I seriously doubt that's achievable. Hours, definitely, minutes, maybe, seconds, no way. With exponential backoff, and without additional weakness in the protocol, an attacker is basically out of luck.

The 8-digit PIN is fine, assuming the rest is done right.

Re:Nothing new (1)

ewanm89 (1052822) | more than 2 years ago | (#38532620)

Actually, it is achievable, it's not about speed it's about being extremely parallel, if I try a different key across each 200+ processor cores. A S2050 1U GPU Computing System from Nvidia has 4 GPUs each with 448 Thread processors in them giving a total of 1792 parallel processing cores. Even if each one can only try 1 key a millisecond (this is slow but algorithm dependent!) we are talking about ~55,804 milliseconds, which is just under a minute. So your only defense now is that I can't capture a packet and do an offline attack?

Re:Nothing new (1)

swillden (191260) | more than 2 years ago | (#38533942)

Actually, it is achievable, it's not about speed it's about being extremely parallel, if I try a different key across each 200+ processor cores.

You only have one router to test against. Every key you want to try must be transmitted to the router, as part of a multi-step protocol. I don't care how many cores you have, the router is the bottleneck.

This is different from a situation where you have, say, a hash of a password and can parallelize hashing operations, trying to find a password that hashes to a known value. Ditto for brute forcing a cryptographic key space searching for one that decrypts a known ciphertext to a known plaintext (or a plausible plaintext). That sort of attack is eminently parallelizable. This case isn't.

Re:Nothing new (1)

swillden (191260) | more than 2 years ago | (#38533958)

So your only defense now is that I can't capture a packet and do an offline attack?

Ah, sorry, I missed this part.

Yes, that's exactly the problem. You can't capture a packet and do an offline attack. There is no packet to capture which will enable you to test many values offline. Each attempt to guess the PIN must be an on-line attack, transmitted to the router.

Re:Nothing new (1)

ewanm89 (1052822) | more than 2 years ago | (#38536890)

Yes, as in this specific case one does a Diffie-Hellman key exchange before an attack. But when proving anything against bruteforce style attacks one assumes that it's going to be an offline attack. We assume worst case in cryptography research, not best case and hope someone doesn't work out how to make it offline. But I'm just pointing out, generally speaking *any brute-force* 10^8 keys is not a lot, in fact an 8 digit full alphanumeric + symbol password/passphrase is no longer considered secure. And enforcing certain symbols, or not all lowercase etc actually makes things worse, as I can cut out that area of the key space.

Re:Nothing new (1)

swillden (191260) | more than 2 years ago | (#38540382)

Yes, as in this specific case one does a Diffie-Hellman key exchange before an attack. But when proving anything against bruteforce style attacks one assumes that it's going to be an offline attack.

Depends on the context. Structuring the protocol to eliminate off-line attacks and then implementing countermeasures to defeat on-line attacks is a common and perfectly valid strategy. Particularly when you want to have human-usable keys, as in this case.

We assume worse case in cryptography research, not best case and hope someone doesn't work out how to make it offline.

No, we don't assume worst case. The right way to build cryptographic security systems is to define the threat model, identify the avenues of attack and implement necessary threat mitigation countermeasures -- with an appropriate level of conservatism, of course. Always assuming the worst case tends to produce systems which are unusable in practice, and often still insecure if the due diligence wasn't performed on the threat modeling side.

The fundamental structure of WPS is fine, and within that structure there's nothing wrong with an 8-digit PIN. The problem here is that protocol defects effectively reduce that 8-digit PIN to a 4-digit PIN. Even that might be okay, given appropriate countermeasures to slow a brute force search, but those countermeasures weren't implemented.

goat buttfart (1)

For a Free Internet (1594621) | more than 2 years ago | (#38509430)

is the borccolo thebroggoolo thethe? it!

Word (0)

edsousa (1201831) | more than 2 years ago | (#38509504)

While the content seems sound... Arrgh! Papers made on Word with default template. Yuck.

Re:Word (0)

Anonymous Coward | more than 2 years ago | (#38509620)

Also: It's not a scientific paper in any way or form. About as good as you'd expect from someone in the IT security field, and even nicely readable, but not a solid scientific paper, not even halfway there.

Default Flash (0)

Anonymous Coward | more than 2 years ago | (#38509536)

People still run routers with the default flash?

Alternate firmware (0)

Anonymous Coward | more than 2 years ago | (#38509540)

What about using alternate router firmware such as DD-WRT?

and this is why I didn't trust WPS (1)

fast turtle (1118037) | more than 2 years ago | (#38509760)

Since my ISP uses MAC registering, I have to setup the damn router with a specific MAC address and since I'm in there doing that, I may as well configure the rest of the damn thing with its passphrase and name. This actually saves me lots of trouble as I don't have to reconfigure the damn authorized systems again (they already have the needed connection information) so they're connected as soon as I'm done configuring the router.

Re:and this is why I didn't trust WPS (4, Funny)

Waffle Iron (339739) | more than 2 years ago | (#38510272)

It sounds like all of your gear has been damned. That probably means that you have bigger things to worry about than security threats coming from this world.

So what's this mean to my DDWRT (0)

Anonymous Coward | more than 2 years ago | (#38510060)

Because I've replaced my router's original firmware with it, since it works a bit better with the features I need, which don't include WPS anyway.

Re:So what's this mean to my DDWRT (0)

Anonymous Coward | more than 2 years ago | (#38510094)

I have done the same thing. I just bought a new router and immediately installed DD-WRT on it. I am wondering if it is affected by this security flaw as well.

Too much information? (4, Funny)

jsm18 (1317959) | more than 2 years ago | (#38510164)

"The flaw results in too much information about the PIN being returned to an attacker and makes the PIN quite weak"

Does anyone else visualize a router responding with: "Getting warmer!"

Re:Too much information? (1)

MacGyver2210 (1053110) | more than 2 years ago | (#38510892)

"I'd like to buy a vowel..."

Re:Too much information? (1)

fotbr (855184) | more than 2 years ago | (#38511354)

My first thought was "higher", "lower", "lower", "higher", etc.

Re:Too much information? (0)

Anonymous Coward | more than 2 years ago | (#38511432)

What's happening is the PIN is verified by a two part challenge algorithm. If the first 4 digits of the PIN aren't right, the first challenge fails immediately. So you don't need to bother checking the remaining four digits, you already know the PIN is wrong. And it's even worse, because the last digit of the PIN is just a checksum, so you really only need to verify three of the remaining digits. I'm astonished how stupid this attack is actually. Who the hell designed this protocol?

Re:Too much information? (0)

Anonymous Coward | more than 2 years ago | (#38511448)

More like a high tech game of MasterMind.

Re:Too much information? (1)

plover (150551) | more than 2 years ago | (#38526042)

0 BULLS, 1 COWS.

Actually, it sounds like a lot of bulls...

Re:Too much information? (0)

Anonymous Coward | more than 2 years ago | (#38511784)

or a router that plays mastermind [wikipedia.org] with you?

On LinkSys (1)

wytcld (179112) | more than 2 years ago | (#38511390)

Is this the "Secure Easy Setup" option on the "Wireless" menu, which by default is enabled, and of which there's no info on the help screen of my WRT54G?

Re:On LinkSys (1)

wytcld (179112) | more than 2 years ago | (#38511482)

Answering myself: Looks like Secure Easy Setup was the prior version, before the standard was set. No notion if it has the vulnerability. But I've turned it off anyway. Wouldn't have had it on if I'd noticed it before in the menu, since I never use it anyway.

Re:On LinkSys (1)

behindthewall (231520) | more than 2 years ago | (#38511754)

I wondered, as well, and was surprised at how little information is available -- both in the Linksys literature and online -- on this feature. Reprehensible.

Re:On LinkSys (2)

Mathinker (909784) | more than 2 years ago | (#38511912)

After getting the "our developers are working on it" runaround for months and months when Linksys didn't issue new drivers without the Broadcom vulnerability for my WPC54G v.4 adapter [linksysbycisco.com], rendering it totally useless, I decided to never, never, buy Linksys equipment.

I actually "inherited" this card from a relative who had bought it and found out he didn't need it.

This really has to show you how bad Linksys's customer relations were with me: I didn't even pay for the adapter myself and Linksys still managed to totally piss me off with their lying stories about their developers working on new drivers.

(Disclaimer: I've posted this before here, when it was on-topic. I'll probably stop bothering to post it sometime in the next 10 years or so.)

Error Response: "2 white pins, one black pin" (0)

Anonymous Coward | more than 2 years ago | (#38511414)

mm lets try red red blue white this time

what kind of MasterMind(tm) came up with that?

Immune. I use Tomato Linux on my guest WIFI router (2, Interesting)

VortexCortex (1117377) | more than 2 years ago | (#38511582)

I use OpenWRT on my private router. As can be said of ALL default installed software: SCREW the firmware that comes with the routers.

It's just like my Laptop, Servers, Workstations, and Phone: If I can't install MY OS on it, it's not worth any of my time. If I haven't installed my OS on it, I DON'T USE IT.

That "easy setup" button on my router now gives me a minimal window of time during which I can SSH in to the router itself -- I have to be connected to the router already to do so over Ethernet or WPA2 w/ AES.

If you don't know how to drive GET THE HELL OUT from behind the steering wheel! The same can be said for networks, security, computers in general. If you can't configure your network, get someone who can to do so. Otherwise, expect to lose control and have a horrible accident when you brake instead of clutch, or WPS or WEP instead of WPA PSK w/ custom firmware.

Re:Immune. I use Tomato Linux on my guest WIFI rou (1)

Anonymous Coward | more than 2 years ago | (#38512402)

I just bought a new router. I must confess, I have no clue what its default firmware even looks like. First thing I did was install DD-WRT on it and tweak almost everything.

Re:Immune. I use Tomato Linux on my guest WIFI rou (1)

plover (150551) | more than 2 years ago | (#38526378)

Let me carry that vehicle analogy just one step further to the infrastructure level, and then you can answer some questions: Do you know how thick the class 5 limestone needs to be to support a four lane concrete freeway when building a road on a clay-silt base? What's the weight required for the tamping machine to ensure it's adequately packed down so the roadbed doesn't crack? How much reinforcing mesh do you have to put in the concrete, and how close to the road surface can it be? What is the proper spacing for expansion joints? What joint material works best if the road is subjected to salting in the winter for traction? If you don't know how to build your own road, you certainly don't know how to drive on one, so "GET THE HELL OUT from behind the steering wheel!"

The argument may have had some merit in the past, before roads were regularly paved, and when driving through a puddle risked sinking the vehicle to the axles. But we've moved into the era where most people need to get on line just to function in society. They don't understand the infrastructure, they will never understand the infrastructure, but they still need the infrastructure, so they have to buy and install a router anyway. It's now the job of the infrastructure component providers to make the hardware and software work for these people who don't know what they're buying, or even why they have to buy one. If default router security is bad, it's now the fault of the router makers. If default switch security is bad, it's the fault of the switch makers.

Like it or not, people who don't even know how they get on line are here to stay. We either have to deal with it, or create our own little anti-social darknet and hide out there, posting a "NO NEWBS ALLOWED" sign on the door, like it's the clubhouse for some very confused techno-Luddites.

Safe? (1)

xenobyte (446878) | more than 2 years ago | (#38512570)

I have a regular non-wifi router and then behind that a separate wifi access point (WPA2 protected)... Am I safe from this attack then?

Re:Safe? (0)

Anonymous Coward | more than 2 years ago | (#38513042)

If the access point has WPS disabled, you should be safe.

Simple mistake, simple correction (3, Informative)

romiz (757548) | more than 2 years ago | (#38512724)

From the PDF, the implementation mistake is to give the attacker feedback on whether the tried key is correct after the first half of authentication (phase M4), and then after the complete authentication (phase M6). Since the PIN is only 8 digits, and the last one is a checksum, the problem is reduced to guessing 1 number in 10000, and then 1 in 1000.

The document states that there are few possible mitigations for the problem. However, it skips the obvious one: do not notify authentication success/failure until the response to the M6 message. This would restore the 1 in 10,000,000 guessing complexity of the PIN code, without changing the protocol. It should even be a new issue tested by the compliance suite the vendors need to pass to get the WPS certification.

Re:Simple mistake, simple correction (1)

Anonymous Coward | more than 2 years ago | (#38517556)

Unfortunately, allowing the protocol to always run to M6 is likely to be even more disastrous as it exposes an offline attack which allows the first half of the PIN to be determined with ease. Only the second half of the PIN then has to be cracked in a maximum of 1000 trials.

Designed by complete morons (5, Insightful)

gweihir (88907) | more than 2 years ago | (#38512880)

The attack in short: WPS NACKs a partially transmitted PIN if the first part is wrong. This leaves 20k trials needed for brute-force, instead of 1M.

I have no idea how people this incompetent get to design widely used protocols.

Re:Designed by complete morons (1)

phizi0n (1237812) | more than 2 years ago | (#38521030)

From the article:

"The number of attempts goes from 10^8 to 10^4 + 10^3 which is 11,000 attempts in total," the US-CERT advisory says.

It goes from 100M down to 11k, not 1M down to 20k. It's ~9091 times faster and now takes mere hours (0.5-3 secs per attempt according to the article) rather than years.
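One way to see the two-half check that romiz and phizi0n describe above, as an added example that is not part of this thread, the paper or any vendor firmware: a toy Python registrar that can answer at M4 (the vulnerable behaviour) or only at M6, with an optional failure lockout. The `Registrar` class, its PIN values and the `recover_via_m4_leak` loop are constructed assumptions for illustration; `wps_checksum` follows the WPS specification's checksum rule for the eighth digit.

```python
# Added example, not code from the page, the paper or any vendor firmware.
# The checksum is the WPS spec rule; registrar, PINs and loop are constructed.

def wps_checksum(first7: str) -> int:
    """Eighth digit of a WPS PIN: weighted sum of the first seven, mod 10."""
    d = [int(c) for c in first7]
    acc = 3 * (d[0] + d[2] + d[4] + d[6]) + (d[1] + d[3] + d[5])
    return (10 - acc % 10) % 10

def is_valid_pin(pin: str) -> bool:
    return len(pin) == 8 and pin.isdigit() and int(pin[7]) == wps_checksum(pin[:7])

class Registrar:
    """Checks a PIN in two halves, like the M4/M6 steps of the WPS exchange."""
    def __init__(self, pin: str, respond_after_m6: bool, lockout_after: int = 0):
        assert is_valid_pin(pin)
        self.pin, self.respond_after_m6 = pin, respond_after_m6
        self.lockout_after, self.attempts, self.failures = lockout_after, 0, 0

    def verify(self, guess: str) -> str:
        if self.lockout_after and self.failures >= self.lockout_after:
            return "LOCKED"  # mitigation: stop answering after repeated failures
        self.attempts += 1
        if guess[:4] != self.pin[:4]:
            self.failures += 1
            # Vulnerable behaviour: a NACK straight after M4 tells the peer the
            # first half is wrong, so the two halves can be searched separately.
            return "NACK_M6" if self.respond_after_m6 else "NACK_M4"
        if guess[4:] != self.pin[4:]:
            self.failures += 1
            return "NACK_M6"
        return "OK"

def recover_via_m4_leak(reg: Registrar):
    """Split search that only works if the registrar answers at M4.
    Returns (pin, exchanges used), or (None, exchanges used) when the leak is absent."""
    first = None
    for i in range(10_000):  # at most 10^4 exchanges for the first half
        half = f"{i:04d}"
        if reg.verify(half + "000" + str(wps_checksum(half + "000"))) != "NACK_M4":
            first = half
            break
    if first is None:
        return None, reg.attempts
    for j in range(1_000):  # at most 10^3 more for the second half
        pin = first + f"{j:03d}" + str(wps_checksum(first + f"{j:03d}"))
        if reg.verify(pin) == "OK":
            return pin, reg.attempts
    return None, reg.attempts
```

With the constructed PIN 12345670 the M4-answering registrar gives the PIN up after 1235 + 568 = 1803 exchanges, while the M6-only registrar makes the split search fail after 1001 and a ten-failure lockout cuts it off after 10.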

Re:Designed by complete morons (1)

gweihir (88907) | more than 2 years ago | (#38526398)

Ah, yes. Sorry for the inaccuracy.

Re:Designed by complete morons (1)

plover (150551) | more than 2 years ago | (#38526426)

I have no idea how people this incompetent get to design widely used protocols.

The guys who wrote WEP were willing to work for cheap.

Practical test? (1)

rduke15 (721841) | more than 2 years ago | (#38513392)

Very interesting. But how can we test for this vulnerability in practice? I guess there isn't a readily available exploit for it. So if we don't want to check all configuration pages of all our wifi routers to see if they support WPS and whether it is enabled, what can we do? Is there an easy way to send an appropriate packet and see in the response if the router may be vulnerable or not?

Irrelevant at least for me (1)

AverageWindowsUser (2537474) | more than 2 years ago | (#38515486)

Please hack my unsecured wifi network with default router login credentials. I don't live in an apartment building full of teenagers, so I can get away with it. Using passwords is really a pain for guests. Plus, my next door neighbors secretly think I'm the man for giving them free wifi. It's kind of the Google mindset applied to running my wifi network although it is just a mere byproduct of my carefree nature towards it. I think everyone should have their own broadband plus an open wifi network, that would really help out with the mesh-networks of the future.

Attack code posted (1)

Anonymous Coward | more than 2 years ago | (#38518850)

Code for this attack has been posted: http://www.tacnetsol.com/news/2011/12/28/cracking-wifi-protected-setup-with-reaver.html

What is the point (0)

Anonymous Coward | more than 2 years ago | (#38525082)

I just got a new router and the old one was as old as the hills. I had never even heard of WPS and as far as I know I don't have any devices that can use it. I have it disabled on my router thanks to this article. Since I am a home user my network is pretty static, I only occasionally change devices. I use WPA2 and MAC filtering so only specific devices can connect even if the neighbor manages to crack the WPA2 pin. What the hell use is WPS if you have to enter a pin anyway, why not just use the WPA2 pin? I truly don't understand the point for a home user.
