Rubbish WPS config sees WiFi router keys popped in seconds Passwords within routers sold by chipset manufacturer Broadcom and another unnamed vendor can be accessed within seconds thanks to weak or absent key randomisation, security bod Dominique Bongard has claimed. The weakness relates to the implementation of WiFi Protected Setup (WPS) which allows attackers to calculate the …
"What doesn't it stand for..."
Wireless Protected Setup, it would appear.
(Seriously, guys? Hard-coding zero as the key? I assume that the WPS specification actually forbids this, so is there a case to be made that the vendor in question made a dishonest claim when they said they supported WPS?)
OK, I'm no security expert, hence these questions. If someone gains access to the router what does that mean from a security point of view? What can the hacker do? Can they gain access to the computers that use that router or would they have to get through each computer's firewall too? Could hackers view all your internet traffic or redirect it through a man in the middle - then see or interfere with your internet traffic? If I do a hardware reset will the settings on the Wifi router go back to their pre-hacked factory settings? Presumably the same hacker could just repeat their attack again anyhow? How would I know if someone had gained access to my WiFi router?
When you crack the WPS passcode, you are provided with the WPA(2) encryption key. As a result, you are sitting on the WiFi network the same as any other device. From there on in you can start attacking the devices as you would a wired network, sniff traffic (depending on network config), etc etc.
A particular favourite is to change the DNS server to one of your own via the default router password most people don't bother to change, so you can divert every web page (etc) request wherever you want it.
As to one of the questions you've just added: assuming they haven't gained access to your router configuration (you changed the password...), to see what else is on the network you can check your router logs, list of attached clients, etc. Take a look - all routers are different.
well to put this in perspective, maybe I'm missing something,
1) the hacker has to be in wifi range? This makes it a hell of a lot less serious in my opinion as I'm pretty sure the old lady next door is not going to exploit this.
2) to do any of that clever DNS stuff you need the routers admin password as well, posibly on some routers you can see logs without this
3) if you enable the mac address filtering , even somone who knows the wifi password wont get anywhere.
4) dont broadcast the SSID
5) use , wotsit called , psk2 or whatever
3)... not strictly true as you could change your mac address to that of a trusted device and therefore gain access.
In a similar vein I used to use this method to "reset" my bandwidth usage when staying at hotels by changing to a different mac address and it worked lovely :)
"The old lady next door would have to grab my phone when i'm not looking and check its mac to know what to spoof though"
No .. A hacker can use tools to see the mac addresses of all devices already communicating with the router ..
And then he can just spoof one of those
Most routers don't use https for admin logins, so if someone has cracked your WPS and is listening to all network traffic they can scrape your admin password. At which point all of the above warnings are true.
The same thing applies to mac addresses because they can be spoofed quite easily. And if you're listening to traffic then you know which MAC addresses to try spoofing.
The WiFi range thing is a very useful limiter on your network's exposure. However there are many easy ways to boost signal strength (eg the infamous Pringle can method) and attack a network from otherwise unfeasible distances. Just because your iPhone can't see your home network halfway down the street doesn't mean it's impossible to access your network from there.
-yes the hacker would have to be in wifi range .. ie parked down the road with a pringle tin antenna ect.
-No, I don't need your routers admin password to poison your ARP table and then perform any number of MITM attacks
-I type this :- macchanger --mac=00:11:22:33:44:55 wlan1, and my mac is whatever I want it to be
- broadcast or not, there are tools to see your BSSID
>A particular favourite is to change the DNS server to one of your own
The only problem I see with this is that many (low spec) domestic routers don't give user the option to change DNS servers etc. - they simply pick up the DNS severs from the ISP. So this would seem to be more of a threat to those with higher spec routers eg. draytek where the local admin can configure DNS and WPS etc..
This post has been deleted by its author
"I'm not sure it's "well known"."
It's obvious common sense. My router password is a 30+ combination of characters that is very secure. WPS reduces it to a short PIN number that is obviously much less secure, especially since it is auto generated.
Turning off WPS is the first thing you should do after changing the default password. It's a total no brainer.
Same here. Current router has been reconfigured to use the WPS button as a WiFi on/off button instead.
It becomes very annoying when something requires UPnP to work, I'm sure its useful for the average low grade consumer, but I know what im doing dammit!
UPnP would be much better if you could control what was allowed to use it and/or when it was active, I really dont want random bits of software opening up my firewall without me knowing.
"My router allows you to specify allowed internal and external UPnP port ranges - better than nothing?"
Barely. Security through obscurity. Let's hide the port which opens the firewall ...
And how is it hard, for someone who almost get the notion of port, to do any firewall config explicitly, rather than relying on UPnP ?
" I bought a Netgear DGN-1000 a few years ago. Disabling WPS was disabled (if you see what I mean) and the company explicitly announced that they weren't going to issue a fix. (They expected owners to buy a newer model.) "
Pretty retarded indeed.
Solution is to buy only those routers that can install one of the popular freewares.
That's Netgear all over these days. Another once great company brought low by 'tards.
Having said that, the DGN-1000 was always a POS and I can understand why the manufacturer would rather you replaced it. Back when I dealt with domestic stuff, we took one look at the feature set compared to the 834 it replaced and started supplying Billion. I still have a pair of 1000s that we replaced in use as a point-to-point relay.
I never thought that I'd say this, but...
BellSloth is actually good for something. The 2Wire (a.k.a. 'Pace') device they make us use for U-Verse (TV, phone, internet) service comes with WPS disabled by default. It also shipped with a _long_ random key printed on the side of the device; if you have physical access you know the key, if you don't, good luck guessing the 12-digit alphanumeric key. And they recommend changing the key, Which I have, to something a little easier to remember, though a bit longer.
BellSloth, a.k.a. AT&Useless, actually did something good. Probably for the first time ever, and by accident... Let's not let them know, they'll change it.
Why don't all router manufacturers use one of the several FOSS firmwares? This would mean they have more features and security updates for free. (They'd still have to contribute drivers for any bleeding edge hardware they used, but they must develop that anyway for their own purposes.
None of them actually sell the software, or enhanced add-ons. I can't see the economic argument for spending extra cash to produce a shoddier product.
The time between beta builds its fairly fast, stable (fully tested) builds take for ever (not that beta builds are not normally unstable, just untested).
That said and im not blaming dd-wrt they support a massive number of devices, that from time to time a new beta build can break an existing feature that worked just fine, but that's why its a beta build, if you test it and it works for your use scenario hey ho, if it doesn't report the bug and use a version that's not broken until its fixed.
OpenWRT/Tomato/Gargoyle is always another option, but you tend to find they all support less devices than dd-wrt and in my experience on smaller devices with less nvram your better off going with dd-wrt (personally i find it easier to configure, but that's just me).
However if you have 150Meg + internet speeds most routers struggle to keep up (especially once you want more advanced options like traffic shaping), thats why I now use dd-wrt for wireless access points, site to site bridges and cat5 wireless clients and then a low power x64 atom box running pf sense for gateways where ever possible.
However if you have 150Meg + internet speeds most routers struggle to keep up (especially once you want more advanced options like traffic shaping), thats why I now use dd-wrt for wireless access points, site to site bridges and cat5 wireless clients and then a low power x64 atom box running pf sense for gateways where ever possible.
Personally, that's a problem I'd love to have. Unfortunately moving isn't an option, and nor is broadband faster than 20Mbps ADSL2+.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
