Rubbish WPS config sees WiFi router keys popped in seconds

Passwords within routers sold by chipset manufacturer Broadcom and another unnamed vendor can be accessed within seconds thanks to weak or absent key randomisation, security bod Dominique Bongard has claimed. The weakness relates to the implementation of WiFi Protected Setup (WPS) which allows attackers to calculate the …

  1. sorry, what?
    Coat

    WPS stands for...

    Wireless Pwning Service?

    1. Steven Raith

      Re: WPS stands for...

      Don't be daft.

      It stands for Worthless Piece of Shit.

      HTH.

      Steven R

    2. Lexxy

      Re: WPS stands for... (Jen Barber version)

      What doesn't it stand for...

      1. Ken Hagan Gold badge

        Re: WPS stands for... (Jen Barber version)

        "What doesn't it stand for..."

        Wireless Protected Setup, it would appear.

        (Seriously, guys? Hard-coding zero as the key? I assume that the WPS specification actually forbids this, so is there a case to be made that the vendor in question made a dishonest claim when they said they supported WPS?)
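As an added illustration of the weakness the article summary and the comment above describe (a nonce or seed that is fixed, or even zero, instead of random), the constructed Python below compares a nonce generator seeded with a constant against one drawn from the OS CSPRNG, and runs a small audit that flags what a defender can check for across several simulated reboots: repeated values and single-byte values. This is not code from the article, the commenter or any vendor; the generator names and the 16-byte size are assumptions.

```python
import random
import secrets

NONCE_LEN = 16  # assumed size for the illustration


def fixed_seed_nonce(seed: int = 0, n: int = NONCE_LEN) -> bytes:
    """Constructed example of the weakness: a PRNG seeded with a constant
    (0 here, mirroring the 'hard-coded zero' the comment mentions).
    Every simulated boot yields the same bytes, so the value is predictable."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


def zero_nonce(n: int = NONCE_LEN) -> bytes:
    """Constructed worst case: no randomisation at all, the nonce is all zeros."""
    return bytes(n)


def csprng_nonce(n: int = NONCE_LEN) -> bytes:
    """What a device should do: draw fresh bytes from the OS CSPRNG each time."""
    return secrets.token_bytes(n)


def audit_nonces(generate, boots: int = 8) -> dict:
    """Simulate several reboots, collect the nonce emitted on each, and report
    the two red flags that need no protocol knowledge to spot: a repeated
    value and a value made of a single byte."""
    seen = []
    repeated = False
    constant = False
    for _ in range(boots):
        nonce = generate()
        if nonce in seen:
            repeated = True
        if len(set(nonce)) == 1:
            constant = True
        seen.append(nonce)
    return {"boots": boots, "repeated": repeated, "constant": constant,
            "distinct": len(set(seen))}


if __name__ == "__main__":
    for name, gen in [("fixed seed", fixed_seed_nonce),
                      ("all zeros", zero_nonce),
                      ("CSPRNG", csprng_nonce)]:
        print(f"{name:>10}: {audit_nonces(gen)}")
```

The fixed-seed generator produces one distinct value across all simulated boots, which is exactly why a value that is supposed to be unpredictable must come from a CSPRNG seeded by the operating system rather than from a constant.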

  2. Anonymous Coward

    " used a non-random seed value or nonce."

    I'd be worried if there was a nonce in my router...

    1. J. R. Hartley

      He's talking nonce-sense

      1. psychonaut

        phil collins

    2. Anonymous Coward

      Does this mean routers have DNA closer to crabs?

      1. J. R. Hartley

        There's no real evidence for it, but it is scientific fact.

        1. garden-snail

          Is that why my kids smell like hammers when they've been using the WiFi?

  3. Anonymous Coward

    I bought an ADSL router off Amazon a few months back

    and returned it because of this and other security vulnerabilities, the manufacturer swore blind they had fixed it but given that it effects pretty much their entire range they must have decided BS is cheaper than coding

    1. speedbird007
      Headmaster

      Re: I bought an ADSL router off Amazon a few months back

      given that it effects pretty much = given that it affects pretty much ...why do so many get this wrong?

  4. Andy Non Silver badge
    Alert

    Dumb questions here

    OK, I'm no security expert, hence these questions. If someone gains access to the router what does that mean from a security point of view? What can the hacker do? Can they gain access to the computers that use that router or would they have to get through each computer's firewall too? Could hackers view all your internet traffic or redirect it through a man in the middle - then see or interfere with your internet traffic? If I do a hardware reset will the settings on the Wifi router go back to their pre-hacked factory settings? Presumably the same hacker could just repeat their attack again anyhow? How would I know if someone had gained access to my WiFi router?

    1. Dave Wray

      Re: Dumb question here

      When you crack the WPS passcode, you are provided with the WPA(2) encryption key. As a result, you are sitting on the WiFi network the same as any other device. From there on in you can start attacking the devices as you would a wired network, sniff traffic (depending on network config), etc etc.

      1. handle

        Re: Dumb question here

        A particular favourite is to change the DNS server to one of your own via the default router password most people don't bother to change, so you can divert every web page (etc) request wherever you want it.

        As to one of the questions you've just added: assuming they haven't gained access to your router configuration (you changed the password...), to see what else is on the network you can check your router logs, list of attached clients, etc. Take a look - all routers are different.

        1. mark 63 Silver badge

          Re: Dumb question here

          Well, to put this in perspective (maybe I'm missing something):

          1) the hacker has to be in wifi range? This makes it a hell of a lot less serious in my opinion as I'm pretty sure the old lady next door is not going to exploit this.

          2) to do any of that clever DNS stuff you need the router's admin password as well, possibly on some routers you can see logs without this

          3) if you enable the MAC address filtering, even someone who knows the wifi password won't get anywhere.

          4) don't broadcast the SSID

          5) use, wotsit called, psk2 or whatever

          1. FlatSpot

            Re: Dumb question here

            3)... not strictly true as you could change your MAC address to that of a trusted device and therefore gain access.

            In a similar vein I used to use this method to "reset" my bandwidth usage when staying at hotels by changing to a different mac address and it worked lovely :)

            1. mark 63 Silver badge

              Re: Dumb question here

              Haha, thanks for the hotel tip.

              The old lady next door would have to grab my phone when I'm not looking and check its MAC to know what to spoof though

              1. TwistUrCapBack

                Re: Dumb question here

                "The old lady next door would have to grab my phone when I'm not looking and check its MAC to know what to spoof though"

                No... A hacker can use tools to see the MAC addresses of all devices already communicating with the router...

                And then he can just spoof one of those

          2. brooxta

            Re: Dumb question here

            Most routers don't use https for admin logins, so if someone has cracked your WPS and is listening to all network traffic they can scrape your admin password. At which point all of the above warnings are true.

            The same thing applies to MAC addresses because they can be spoofed quite easily. And if you're listening to traffic then you know which MAC addresses to try spoofing.

            The WiFi range thing is a very useful limiter on your network's exposure. However there are many easy ways to boost signal strength (eg the infamous Pringle can method) and attack a network from otherwise unfeasible distances. Just because your iPhone can't see your home network halfway down the street doesn't mean it's impossible to access your network from there.

          3. TwistUrCapBack

            Re: Dumb question here

            - Yes, the hacker would have to be in wifi range, i.e. parked down the road with a Pringles tin antenna etc.

            - No, I don't need your router's admin password to poison your ARP table and then perform any number of MITM attacks

            - I type this: macchanger --mac=00:11:22:33:44:55 wlan1, and my MAC is whatever I want it to be

            - Broadcast or not, there are tools to see your BSSID
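Since ARP poisoning is the attack the comment above says needs no admin password, here is the defender's side as an added Python example (not the commenter's code): a monitor that records which MAC each IP first claimed in ARP replies and alerts when the gateway is suddenly claimed by a different MAC, plus a second heuristic that flags one MAC answering for many IPs. The replies it inspects are constructed inline (the spoofed address reuses the 00:11:22:33:44:55 value from the macchanger line above) and the gateway IP is an assumption; a real monitor would read ARP frames off the interface.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    """The two ARP reply fields that matter for poisoning detection."""
    sender_ip: str
    sender_mac: str


def detect_arp_conflicts(replies, protected_ips):
    """Build an IP -> MAC table from the first reply seen for each IP (the
    honest answer on a healthy LAN) and raise an alert each time a later
    reply claims a different MAC for an IP on the protected list.
    Returns a list of (ip, previously_seen_mac, conflicting_mac)."""
    table = {}
    alerts = []
    for reply in replies:
        mac = reply.sender_mac.lower()
        known = table.get(reply.sender_ip)
        if known is None:
            table[reply.sender_ip] = mac
        elif known != mac and reply.sender_ip in protected_ips:
            alerts.append((reply.sender_ip, known, mac))
    return alerts


def macs_claiming_many_ips(replies, threshold=3):
    """Second heuristic: one MAC answering for many IPs, which is what a
    station spoofing the whole subnet looks like on the wire."""
    ips_per_mac = {}
    for reply in replies:
        ips_per_mac.setdefault(reply.sender_mac.lower(), set()).add(reply.sender_ip)
    return {mac: sorted(ips) for mac, ips in ips_per_mac.items()
            if len(ips) >= threshold}


# Constructed sample: a healthy LAN, then spoofed replies (not a real capture).
GATEWAY_IP = "192.168.1.1"  # assumed home-network gateway
SAMPLE_REPLIES = [
    ArpReply("192.168.1.1", "aa:bb:cc:00:00:01"),   # real gateway
    ArpReply("192.168.1.20", "aa:bb:cc:00:00:20"),  # a laptop
    ArpReply("192.168.1.21", "aa:bb:cc:00:00:21"),  # a phone
    ArpReply("192.168.1.1", "aa:bb:cc:00:00:01"),   # gateway again, consistent
    ArpReply("192.168.1.1", "00:11:22:33:44:55"),   # spoofed gateway claim
    ArpReply("192.168.1.20", "00:11:22:33:44:55"),  # same MAC now claims the laptop
    ArpReply("192.168.1.21", "00:11:22:33:44:55"),  # ...and the phone
]


def run_sample():
    """Run both heuristics over the constructed sample."""
    return (detect_arp_conflicts(SAMPLE_REPLIES, {GATEWAY_IP}),
            macs_claiming_many_ips(SAMPLE_REPLIES))


if __name__ == "__main__":
    conflicts, greedy = run_sample()
    for ip, old, new in conflicts:
        print(f"ALERT {ip} was {old}, now claimed by {new}")
    for mac, ips in greedy.items():
        print(f"SUSPECT {mac} answers for {len(ips)} IPs: {ips}")
```

The first-seen-wins table is the usual trade-off for a passive monitor: it cannot tell which claim is genuine, only that the gateway's mapping changed, which is the event worth investigating. A static ARP entry for the gateway on each host is the corresponding mitigation.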

          4. tony2heads

            @mark63

            The problem might not be with the little old lady next door, but a visiting grandchild scriptkiddie 'helping' her

            but do use MAC filtering & psk2

        2. Roland6 Silver badge

          Re: Dumb question here

          >A particular favourite is to change the DNS server to one of your own

          The only problem I see with this is that many (low spec) domestic routers don't give the user the option to change DNS servers etc. - they simply pick up the DNS servers from the ISP. So this would seem to be more of a threat to those with higher spec routers, e.g. DrayTek, where the local admin can configure DNS and WPS etc.


  5. brooxta

    WPS

    If I'm not flashing with DD-WRT or OpenWRT then disabling WPS is one of the first things I do with a new router.

    I'm obviously out of touch, though, because I had thought WPS was well known to be extremely dodgy already. Did someone manage to fix it for a while?

    1. handle

      Re: WPS

      It might be known to you, but I didn't know it, and while my third-party router firmware, which has a reputation for caring about security, disables one service by default (and warns about it), it says nothing about WPS. I'm not sure it's "well known".

      1. Irongut Silver badge

        Re: WPS

        "I'm not sure it's "well known"."

        It's obvious common sense. My router password is a 30+ character combination that is very secure. WPS reduces it to a short PIN number that is obviously much less secure, especially since it is auto generated.

        Turning off WPS is the first thing you should do after changing the default password. It's a total no brainer.

        1. Anonymous Coward

          Re: WPS

          You might think you have turned WPS off on the router web page. But many routers keep the service running anyway...

          1. handle

            Re: WPS

            @AC: Consult an Android phone to see if it's still running?
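As an added example (not the commenters' code, nor any router firmware), here is one way to check from the outside whether an access point is still advertising WPS after it has supposedly been switched off, which is what the phone check above does. An access point announces WPS in a vendor-specific information element (tag 0xDD, OUI 00:50:F2, type 0x04) of its beacons, so parsing that element from a scan tells you whether WPS is really gone and whether the AP reports itself as configured or locked. The Python below parses a constructed beacon IE blob; in practice you would feed it the IE bytes from a wireless scan, and the SSID and attribute values are made-up sample data.

```python
import struct

# WSC vendor-specific IE: tag 0xDD, OUI 00:50:F2, type 0x04, then TLV attributes.
WPS_OUI_TYPE = b"\x00\x50\xf2\x04"
ATTR_VERSION = 0x104A
ATTR_WPS_STATE = 0x1044           # 0x01 = not configured, 0x02 = configured
ATTR_SELECTED_REGISTRAR = 0x1041  # 0x01 while a registrar session is open
ATTR_AP_SETUP_LOCKED = 0x1057     # 0x01 = AP refuses further external PIN attempts


def iter_ies(blob: bytes):
    """Walk 802.11 information elements: 1-byte tag, 1-byte length, body."""
    i = 0
    while i + 2 <= len(blob):
        tag, length = blob[i], blob[i + 1]
        yield tag, blob[i + 2:i + 2 + length]
        i += 2 + length


def parse_wps_attrs(body: bytes) -> dict:
    """Decode WSC attribute TLVs: 2-byte id, 2-byte length, value (big-endian)."""
    attrs = {}
    i = 0
    while i + 4 <= len(body):
        attr_id, length = struct.unpack_from(">HH", body, i)
        attrs[attr_id] = body[i + 4:i + 4 + length]
        i += 4 + length
    return attrs


def wps_status(beacon_ies: bytes) -> dict:
    """Report whether the AP advertises WPS and the flags a defender cares about."""
    for tag, body in iter_ies(beacon_ies):
        if tag == 0xDD and body.startswith(WPS_OUI_TYPE):
            attrs = parse_wps_attrs(body[len(WPS_OUI_TYPE):])
            return {
                "wps": True,
                "configured": attrs.get(ATTR_WPS_STATE) == b"\x02",
                "selected_registrar": attrs.get(ATTR_SELECTED_REGISTRAR) == b"\x01",
                "locked": attrs.get(ATTR_AP_SETUP_LOCKED) == b"\x01",
            }
    return {"wps": False}


def _attr(attr_id: int, value: bytes) -> bytes:
    """Encode one WSC attribute (used only to build the constructed sample)."""
    return struct.pack(">HH", attr_id, len(value)) + value


def _ie(tag: int, body: bytes) -> bytes:
    """Encode one information element (used only to build the constructed sample)."""
    return bytes([tag, len(body)]) + body


# Constructed sample beacons (made-up SSID and values, not a real capture).
SSID_IE = _ie(0x00, b"HomeNet")
WPS_IE = _ie(0xDD, WPS_OUI_TYPE
             + _attr(ATTR_VERSION, b"\x10")
             + _attr(ATTR_WPS_STATE, b"\x02")
             + _attr(ATTR_AP_SETUP_LOCKED, b"\x00"))
BEACON_WITH_WPS = SSID_IE + WPS_IE
BEACON_WITHOUT_WPS = SSID_IE  # what you want to see after disabling WPS


if __name__ == "__main__":
    print("before:", wps_status(BEACON_WITH_WPS))
    print("after :", wps_status(BEACON_WITHOUT_WPS))
```

If the element is still present after the web UI says WPS is off, the firmware has not actually stopped the service, which is the situation the comment above warns about.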

        2. handle

          Re: WPS

          @irongut: Having never used it, I didn't know it was a "short PIN" - assuming the PIN method is enabled at all, being optional. Time to get off your high horse.

    2. Dan 55 Silver badge
      Thumb Down

      Re: WPS

      No, it's not fixed. When you reduce your wi-fi password to a four digit PIN and someone decides to brute-force attack it, what could possibly go wrong?

      Just another thing to disable when you get your router.

  6. handle

    Just switched off WPS

    Not even sure if my router contains a Broadcom chipset, but I never use it anyway.

    I notice Android phones now helpfully tell you if the networks they find have WPS.

    1. brooxta

      Re: Just switched off WPS

      <big bad wolf>

      All the better to hack you with!

      </big bad wolf>

  7. regadpellagru

    UPnP, WPS, SNMP

    All switched off at first setup time, whatever router/firmware you use.

    UPnP and WPS are security suicide tools, and SNMP can be used as an attack means if not implemented correctly and is in 99% of cases not used at all.

    1. James 139

      Re: UPnP, WPS, SNMP

      Same here. Current router has been reconfigured to use the WPS button as a WiFi on/off button instead.

      It becomes very annoying when something requires UPnP to work. I'm sure it's useful for the average low grade consumer, but I know what I'm doing dammit!

      UPnP would be much better if you could control what was allowed to use it and/or when it was active. I really don't want random bits of software opening up my firewall without me knowing.

      1. handle

        Re: UPnP, WPS, SNMP

        My router allows you to specify allowed internal and external UPnP port ranges - better than nothing?

        1. regadpellagru

          Re: UPnP, WPS, SNMP

          "My router allows you to specify allowed internal and external UPnP port ranges - better than nothing?"

          Barely. Security through obscurity. Let's hide the port which opens the firewall ...

          And how is it hard, for someone who almost gets the notion of a port, to do any firewall config explicitly, rather than relying on UPnP?

  8. John Robson Silver badge

    We'll not tell you who

    No, it wasn't atheros.

    So I just need to start a rumour against each manufacturer, and get them all denied except one?

  9. Steve Graham

    I bought a Netgear DGN-1000 a few years ago. Disabling WPS was disabled (if you see what I mean) and the company explicitly announced that they weren't going to issue a fix. (They expected owners to buy a newer model.)

    1. regadpellagru

      " I bought a Netgear DGN-1000 a few years ago. Disabling WPS was disabled (if you see what I mean) and the company explicitly announced that they weren't going to issue a fix. (They expected owners to buy a newer model.) "

      Pretty retarded indeed.

      Solution is to buy only those routers that can install one of the popular freewares.

    2. Cpt Blue Bear

      That's Netgear all over these days. Another once great company brought low by 'tards.

      Having said that, the DGN-1000 was always a POS and I can understand why the manufacturer would rather you replaced it. Back when I dealt with domestic stuff, we took one look at the feature set compared to the 834 it replaced and started supplying Billion. I still have a pair of 1000s that we replaced in use as a point-to-point relay.

  10. Truth4u

    n00b here

    Why use WPS?

    Why is it easier than setting a long password and typing that in? Mine is longer than the alphabet but is a catchy lyric that everyone in my household can remember.

    I better go and check that this WPS junk is turned off, if you can even do that?

    1. Nerden

      Re: n00b here

      Supercalifragilisticexpialidocious?

      1. brooxta
        Joke

        Re: n00b here

        No, I'm pretty sure that's an El Reg headline.

  11. James O'Shea Silver badge

    hmmm...

    I never thought that I'd say this, but...

    BellSloth is actually good for something. The 2Wire (a.k.a. 'Pace') device they make us use for U-Verse (TV, phone, internet) service comes with WPS disabled by default. It also shipped with a _long_ random key printed on the side of the device; if you have physical access you know the key, if you don't, good luck guessing the 12-digit alphanumeric key. And they recommend changing the key, which I have, to something a little easier to remember, though a bit longer.

    BellSloth, a.k.a. AT&Useless, actually did something good. Probably for the first time ever, and by accident... Let's not let them know, they'll change it.

  12. grumpy feline
    Angel

    Wait wait wait....

    Dominique Bongard? Really really!? Why am I alone in pointing this out? Possibly the best real name in the Reg evah!

  13. Ken Hagan Gold badge

    Another dumb question

    Why don't all router manufacturers use one of the several FOSS firmwares? This would mean they have more features and security updates for free. (They'd still have to contribute drivers for any bleeding edge hardware they used, but they must develop that anyway for their own purposes.)

    None of them actually sell the software, or enhanced add-ons. I can't see the economic argument for spending extra cash to produce a shoddier product.

    1. Dan 55 Silver badge

      Re: Another dumb question

      Buffalo does routers which have an official DD-WRT install, although that said there's often a long wait between DD-WRT updates these days.

  14. Anonymous Coward

    The time between beta builds is fairly fast; stable (fully tested) builds take forever (not that beta builds are not normally unstable, just untested).

    That said, and I'm not blaming dd-wrt, they support a massive number of devices, so from time to time a new beta build can break an existing feature that worked just fine. But that's why it's a beta build: if you test it and it works for your use scenario, hey ho; if it doesn't, report the bug and use a version that's not broken until it's fixed.

    OpenWRT/Tomato/Gargoyle is always another option, but you tend to find they all support fewer devices than dd-wrt, and in my experience on smaller devices with less nvram you're better off going with dd-wrt (personally I find it easier to configure, but that's just me).

    However if you have 150Meg+ internet speeds most routers struggle to keep up (especially once you want more advanced options like traffic shaping). That's why I now use dd-wrt for wireless access points, site to site bridges and cat5 wireless clients, and then a low power x64 Atom box running pfSense for gateways wherever possible.

    1. Anonymous Coward

      "However if you have 150Meg+ internet speeds most routers struggle to keep up (especially once you want more advanced options like traffic shaping). That's why I now use dd-wrt for wireless access points, site to site bridges and cat5 wireless clients, and then a low power x64 Atom box running pfSense for gateways wherever possible."

      Personally, that's a problem I'd love to have. Unfortunately moving isn't an option, and nor is broadband faster than 20Mbps ADSL2+.
