
A new attack on wifi routers has emerged, and it's the biggest wifi threat since WEP cracking. And this time, it applies to WPA/WPA2 encrypted networks.
WPA/WPA2 itself has not been broken - it remains as cryptographically viable as before.
However, almost every modern router on the market has a feature called WPS - Wifi Protected Setup. It's supposed to be the "easy" way for technologically illiterate people to set up encrypted networks. You've probably seen the little push buttons on the front of some routers, for enabling a sort of "pairing" mode, to easily get a new device onto the network.
WPS - and this is the part I was not aware of - is not limited only to the push button pairing mode. It also is in an always on state, ready to accept a static 8-digit PIN number that is usually written on a sticker on the bottom of the router.
And here's the other part I was not aware of - WPS is required to be both present and on by default in order for a device to be given Wi-Fi Alliance certification and use the little "wifi" logo. Which, of course, every wifi maker wants, and so they comply. Virtually every big-name router manufacturer (Linksys, D-Link, Netgear, Belkin, Cisco, etc.) has WPS on by default on virtually all of their routers.
So, that's not good - Joey Nerdboy has a WPA2 router at home with a 64-character random key, yet it's got an 8-digit PIN number that would be much easier to crack instead.
And it gets much worse. Because the vulnerability I'm talking about is a weakness in that 8-digit PIN number, which reduces it from ~10 million possibilities to a search space of about 11,000 instead. And that is what turns this from a long brute-force attack into a fairly trivial one.
This is not a theoretical attack either. A tool called Reaver has been released to run this attack. It is very much like WEP cracking - it's open season on vulnerable routers now. If you want to see how easy it is, Lifehacker has made a How-To.
The solution here is, turn WPS off. There's a problem, though. If you have a Cisco or Linksys router, you can't! There's a setting in the admin panel for turning WPS off, but it doesn't actually do anything. Look for a firmware update for your router very soon.
If you are running DD-WRT or Tomato, you are not vulnerable. These firmwares do not implement WPS (by design). The only exception to this is the Buffalo routers that come with DD-WRT builds - Buffalo insisted on WPS and the DD-WRT guys provided it, but they intentionally leave it out of "true" DD-WRT.
So, in short:
* If you're running DD-WRT or Tomato, high five! Open source firmware rules again
* ... unless your DD-WRT is a Buffalo branded build, then go turn WPS off
* If you're running a router modern enough to have WPS, go check your admin panel NOW and turn WPS the hell off
* If you're on a Cisco or Linksys router, either go look for a firmware upgrade, or better yet, join the DD-WRT club
Some links:
* Ars Technica writer runs Reaver, acquires his router's WPA2 key in 6 hours
* Google Spreadsheet of tested routers by users
* The US-CERT vulnerability warning
* Blog post of a guy who modified his Linksys firmware to disable WPS (neat, but hard to recommend actually doing instead of just installing DD-WRT)
You should follow me on Mastodon: @[email protected]
"The golden shower threw me off." -- garion333
Great post, thank you sir.
Hi five! Yay Tomato!
Quick "WTF is" on DD-WRT and Tomato?
I hope life gets better. From one dumpster fire to another.
Hah! My super cheap router doesn't even offer WPS as an option. Finally being a cheap bastard pays off.
You’ve got to remember that these are just simple farmers. These are people of the land. The common clay of the new West. You know… morons.
*High five*
Better to reign in P&C than serve in Everything Else. - Tanglebones
Free-to-play games are free so that the people who pay money for them have someone to play them with. -Cloquette
Yeah, I read about the WPS thing a while ago and instantly went in and turned off WPS (Netgear router). It wasn't a router I set up, so I don't know why it was on to begin with. I was concerned because in the article I read on Ars, the guy tried turning it off and that didn't close the hole. From what Legion says and looking carefully at the article, I guess it's just a Linksys/Cisco thing.
Tuffalo buffalo Tuffalo buffalo buffalo buffalo Tuffalo buffalo.
SW-0326-3336-1619
Yes. Most users of routers from other manufacturers have been able to disable WPS and confirm that it disables. That's one thing that they are charting in that Google spreadsheet I linked to in my second post.
I really wonder how aggressive Cisco is going to be in dealing with this. Even with a firmware update, how many users actually update their router firmware after purchase? I have to think there's going to be a ton of easily-hackable Linksys routers floating around for a long time.
Open source firmware that one can install to replace the built-in firmware on many router models. Better than stock firmwares in every conceivable way.
Maybe it's time I get a new router..
I feel like I'm being asked to play chess but before I can make my next move, I have to listen to the innermost feelings of my queen-side rook.
This might get me off my ass and get Tomato installed. The process has always intimidated me, though.
I almost installed DD-WRT a few months back when I was having problems with this Linksys/Cisco router. But then a regular firmware update seemed to fix it. Guess I should reconsider now...
What Stele said ^ -mortalgroove
Switch: 6273-9936-5107
Now I'm feeling kind of bad for not posting this in the forum sooner. I checked the article I read and that was from a couple weeks ago. Well, thanks to Legion, hopefully everyone on here will get the hole closed up now.
I unfortunately can't. Can't put DD-WRT on my router. I did upgrade to the latest firmware though.
Same here *high five*
Heh, so Apple's hilariously insecure setup protocol actually turns out to be better than the secure one.
Basically, on an Apple router, on initial bootup or after pressing reset, it comes up with an unsecured network and no password -- you then configure it with the Airport utility, hopefully before anyone else notices. It's laughably insecure, totally dependent on nobody else happening to notice your shiny new router before you password-protect it. But, once it's locked down, it's actually better than the sophisticated WPS method. Go figure.
The situation is bad enough right now, but it won't be very long before there's a Windows GUI "Press Button to Hack" app for every script kiddie to run around town with. It's even easier than WEP cracking - you don't have to depend on someone else generating traffic to capture, or use tricks like packet injection to generate some yourself.
High fives all around!
Steam: Dysplastic / Battle.net Dysplastic#1920
Indeed... High five and a Drink!
I tried this out the other day as I started to teach myself something new each week. I broke into a router in 20 SECONDS. The very first PIN that Reaver used worked. It was embarrassing.
Now other networks, on the other hand, have been giving me issues. Reaver has been at it over 24 hours and is still not in, which is great! Most people would give up by now. This has been quite the learning experience. Being the nice guy I am, I told the neighbor how easy it was and showed her how to fix it so she wouldn't be vulnerable. She seemed to appreciate it.
I was really curious about doing it, but I haven't. I'm guessing you could probably do it to half the routers sitting around my apartment complex. It's pretty scary how easy it would be.
The new version of reaver has a program (wash or walsh on older versions) that will detect vulnerable routers. If you do
wash -i mon0
you should get a list showing all routers that are vulnerable.
One of the things I didn't mention in the original post (for the sake of keeping it brief for the non-network-techies) is that proper implementations of WPS will enforce a "cool-down" lockout time after X invalid authentication attempts (I believe it's 3 attempts and a 1 minute cooldown period, which will significantly slow down a brute force attack - 3 attempts per minute * 1440 minutes in 24 hours = 4320 attempts in a 24 hour period, less than half of the ~11,000 search space).
The problem is that many router manufacturers have failed to implement this at all, and others have half-assed it. But some have gotten it right. And some even increase the delay period, making it even harder to successfully brute force in a timely manner.
With the attacks on other networks, have you noticed this sort of attempt limiting?
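As an added example (not from any post in this thread), here is the arithmetic behind the two numbers discussed above: the ~11,000 PIN search space from the original post and the 4,320 attempts per day under the 3-tries-then-1-minute lockout in the later post. The checksum rule is the one the WPS specification uses for the 8th PIN digit; the lockout model and its parameters (attempts per cycle, cooldown, seconds per attempt) are my own assumptions, so a router owner can plug in what their firmware actually enforces.

```python
# Added example: WPS PIN search-space and lockout arithmetic from a defender's view.
# The checksum rule is the WPS spec's; the lockout model parameters are assumptions.
SECONDS_PER_DAY = 86400


def wps_pin_checksum(first7: int) -> int:
    """Checksum digit for a 7-digit PIN body: 3x the odd-position digits + 1x the even ones."""
    accum = 0
    while first7:
        accum += 3 * (first7 % 10)
        first7 //= 10
        accum += first7 % 10
        first7 //= 10
    return (10 - accum % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    """True if pin is 8 digits and its last digit matches the checksum (e.g. a sticker PIN)."""
    if len(pin) != 8 or not pin.isdigit():
        return False
    return wps_pin_checksum(int(pin[:7])) == int(pin[7])


def wps_search_space(halves_verified_separately: bool = True) -> int:
    """Worst-case number of PINs a guesser must cover.
    The checksum makes the 8th digit predictable, so the real secret is 7 digits
    (~10 million). The protocol flaw is that the first 4 digits are confirmed on
    their own, so the halves are guessed independently: 10^4 + 10^3 = 11,000."""
    if halves_verified_separately:
        return 10 ** 4 + 10 ** 3
    return 10 ** 7


def attempts_per_day(attempts_before_lockout: int, cooldown_seconds: float,
                     seconds_per_attempt: float = 0.0) -> float:
    """Attempts a rate-limited router allows in 24h. seconds_per_attempt=0 is the
    thread's simplification: 3 tries then a 60 s cooldown gives 4320 per day."""
    cycle = attempts_before_lockout * seconds_per_attempt + cooldown_seconds
    return SECONDS_PER_DAY / cycle * attempts_before_lockout


def worst_case_hours(space: int, per_day: float) -> float:
    """Hours needed to exhaust the whole search space at the given daily rate."""
    return space / per_day * 24


if __name__ == "__main__":
    rate = attempts_per_day(3, 60)  # assumed policy: 3 attempts, 1 minute cooldown
    print(f"search space: {wps_search_space()} PINs")
    print(f"with lockout: {rate:.0f}/day -> {worst_case_hours(11000, rate):.1f} h worst case")
    print(f"no lockout at 1 try/s: {worst_case_hours(11000, SECONDS_PER_DAY):.1f} h worst case")
```

The comparison at the bottom is the point: the same 11,000-PIN space takes over two and a half days to exhaust behind a working lockout, versus a few hours with none, which is why the firmware setting matters more than the key length.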
Absolutely. It'll show up as a 0x02 error in Reaver. I was toying around with the idea in my head to write a loop script that after 10 failures, Reaver should try another network and just jump back and forth between the whole list so it's always actively trying.
huh?
B-Net MonoCheli-1935 Switch SW-2388-5213-3906