Rubbish WPS config sees WiFi router keys popped in seconds

Passwords within routers sold by chipset manufacturer Broadcom and another unnamed vendor can be accessed within seconds thanks to weak or absent key randomisation, security bod Dominique Bongard has claimed. The weakness relates to the implementation of WiFi Protected Setup (WPS) which allows attackers to calculate the correct …


WPS stands for...

Wireless Pwning Service?


Re: WPS stands for...

Don't be daft.

It stands for Worthless Piece of Shit.

HTH.

Steven R


Re: WPS stands for... (Jen Barber version)

What doesn't it stand for...


Re: WPS stands for... (Jen Barber version)

"What doesn't it stand for..."

Wireless Protected Setup, it would appear.

(Seriously, guys? Hard-coding zero as the key? I assume that the WPS specification actually forbids this, so is there a case to be made that the vendor in question made a dishonest claim when they said they supported WPS?)

Anonymous Coward

"used a non-random seed value or nonce."

I'd be worried if there was a nonce in my router...


He's talking nonce-sense


phil collins

Anonymous Coward

Does this mean routers have DNA closer to crabs?


There's no real evidence for it, but it is scientific fact.


Is that why my kids smell like hammers when they've been using the WiFi?

Anonymous Coward

I bought a ADSL router off amazon a few months back

and returned it because of this and other security vulnerabilities, the manufacturer swore blind they had fixed it but given that it effects pretty much their entire range they must have decided BS is cheaper than coding


Re: I bought a ADSL router off amazon a few months back

given that it effects pretty much = given that it affects pretty much ...why do so many get this wrong?


Dumb questions here

OK, I'm no security expert, hence these questions. If someone gains access to the router what does that mean from a security point of view? What can the hacker do? Can they gain access to the computers that use that router or would they have to get through each computer's firewall too? Could hackers view all your internet traffic or redirect it through a man in the middle - then see or interfere with your internet traffic? If I do a hardware reset will the settings on the Wifi router go back to their pre-hacked factory settings? Presumably the same hacker could just repeat their attack again anyhow? How would I know if someone had gained access to my WiFi router?


Re: Dumb question here

When you crack the WPS passcode, you are provided with the WPA(2) encryption key. As a result, you are sitting on the WiFi network the same as any other device. From there on in you can start attacking the devices as you would a wired network, sniff traffic (depending on network config), etc etc.


Re: Dumb question here

A particular favourite is to change the DNS server to one of your own via the default router password most people don't bother to change, so you can divert every web page (etc) request wherever you want it.

As to one of the questions you've just added: assuming they haven't gained access to your router configuration (you changed the password...), to see what else is on the network you can check your router logs, list of attached clients, etc. Take a look - all routers are different.

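To put something concrete behind "check your router logs, list of attached clients": here is an added example (mine, not from the article or any poster) that audits a router's DHCP lease table against an inventory of the devices you own. It assumes dnsmasq's dhcp.leases format (used by OpenWRT among others); the sample leases and the inventory are constructed, and a cloned MAC that keeps the original hostname would not be caught, so the output is a hint rather than proof.

```python
from typing import Dict, List, Tuple

# Constructed sample in dnsmasq dhcp.leases format:
# <expiry> <MAC> <IP> <hostname> <client-id>. Made-up values, not a real capture.
SAMPLE_LEASES = """\
1700000000 aa:bb:cc:dd:ee:01 192.168.1.10 alices-laptop 01:aa:bb:cc:dd:ee:01
1700000000 aa:bb:cc:dd:ee:02 192.168.1.11 living-room-tv 01:aa:bb:cc:dd:ee:02
1700000000 aa:bb:cc:dd:ee:99 192.168.1.42 newdevice *
1700000000 aa:bb:cc:dd:ee:02 192.168.1.77 android-7f3a 01:aa:bb:cc:dd:ee:02
"""

# Hypothetical inventory of the devices you actually own: MAC -> expected hostname.
KNOWN_DEVICES = {
    "aa:bb:cc:dd:ee:01": "alices-laptop",
    "aa:bb:cc:dd:ee:02": "living-room-tv",
}

Finding = Tuple[str, str, str, str]  # (kind, mac, ip-or-ips, hostname)

def parse_leases(text: str) -> List[Dict[str, str]]:
    """Parse dnsmasq-style lease lines; blank or malformed lines are skipped."""
    leases = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        leases.append({"expiry": fields[0], "mac": fields[1].lower(),
                       "ip": fields[2], "hostname": fields[3]})
    return leases

def audit_leases(leases: List[Dict[str, str]], known: Dict[str, str]) -> List[Finding]:
    """Flag clients missing from the inventory, known MACs with an unexpected
    hostname, and one MAC holding several leases (a hint of cloning, not proof)."""
    findings: List[Finding] = []
    ips_per_mac: Dict[str, set] = {}
    for lease in leases:
        mac, ip, host = lease["mac"], lease["ip"], lease["hostname"]
        ips_per_mac.setdefault(mac, set()).add(ip)
        if mac not in known:
            findings.append(("unknown-device", mac, ip, host))
        elif host != known[mac]:
            findings.append(("hostname-mismatch", mac, ip, host))
    for mac, ips in ips_per_mac.items():
        if len(ips) > 1:
            findings.append(("duplicate-mac", mac, ",".join(sorted(ips)), ""))
    return findings

if __name__ == "__main__":
    for kind, mac, ip, host in audit_leases(parse_leases(SAMPLE_LEASES), KNOWN_DEVICES):
        print(f"{kind:18} {mac:18} {ip:28} {host}")
```

On a real router, replace SAMPLE_LEASES with the contents of its lease file (the path varies by firmware, /tmp/dhcp.leases on OpenWRT).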

Re: Dumb question here

Well, to put this in perspective, maybe I'm missing something,

1) the hacker has to be in wifi range? This makes it a hell of a lot less serious in my opinion as I'm pretty sure the old lady next door is not going to exploit this.

2) to do any of that clever DNS stuff you need the router's admin password as well, possibly on some routers you can see logs without this

3) if you enable the MAC address filtering, even someone who knows the wifi password won't get anywhere.

4) don't broadcast the SSID

5) use, wotsit called, psk2 or whatever


Re: Dumb question here

3)... not strictly true as you could change your mac address to that of a trusted device and therefore gain access.

In a similar vein I used to use this method to "reset" my bandwidth usage when staying at hotels by changing to a different mac address and it worked lovely :)


Re: Dumb question here

Haha, thanks for the hotel tip.

The old lady next door would have to grab my phone when I'm not looking and check its MAC to know what to spoof though


Re: Dumb question here

Most routers don't use https for admin logins, so if someone has cracked your WPS and is listening to all network traffic they can scrape your admin password. At which point all of the above warnings are true.

The same thing applies to mac addresses because they can be spoofed quite easily. And if you're listening to traffic then you know which MAC addresses to try spoofing.

The WiFi range thing is a very useful limiter on your network's exposure. However there are many easy ways to boost signal strength (eg the infamous Pringle can method) and attack a network from otherwise unfeasible distances. Just because your iPhone can't see your home network halfway down the street doesn't mean it's impossible to access your network from there.


Re: Dumb question here

- Yes, the hacker would have to be in wifi range, i.e. parked down the road with a Pringle tin antenna etc.

- No, I don't need your router's admin password to poison your ARP table and then perform any number of MITM attacks

- I type this: macchanger --mac=00:11:22:33:44:55 wlan1, and my MAC is whatever I want it to be

- Broadcast or not, there are tools to see your BSSID


@mark63

The problem might not be with the little old lady next door, but a visiting grandchild scriptkiddie 'helping' her

but do use MAC filtering & psk2


Re: Dumb question here

>A particular favourite is to change the DNS server to one of your own

The only problem I see with this is that many (low spec) domestic routers don't give the user the option to change DNS servers etc. - they simply pick up the DNS servers from the ISP. So this would seem to be more of a threat to those with higher spec routers, e.g. DrayTek, where the local admin can configure DNS and WPS etc.


Re: Dumb question here

"The old lady next door would have to grab my phone when I'm not looking and check its MAC to know what to spoof though"

No .. A hacker can use tools to see the mac addresses of all devices already communicating with the router ..

And then he can just spoof one of those


WPS

If I'm not flashing with DD-WRT or OpenWRT then disabling WPS is one of the first things I do with a new router.

I'm obviously out of touch, though, because I had thought WPS was well known to be extremely dodgy already. Did someone manage to fix it for a while?


Re: WPS

It might be known to you, but I didn't know it, and while my third-party router firmware, which has a reputation for caring about security, disables one service by default (and warns about it), it says nothing about WPS. I'm not sure it's "well known".


Re: WPS

No, it's not fixed. When you reduce your wi-fi password to a four digit PIN and someone decides to brute-force attack it, what could possibly go wrong?

Just another thing to disable when you get your router.


Re: WPS

"I'm not sure it's "well known"."

It's obvious common sense. My router password is a 30+ combination of characters that is very secure. WPS reduces it to a short PIN number that is obviously much less secure, especially since it is auto generated.

Turning off WPS is the first thing you should do after changing the default password. It's a total no brainer.

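The "short PIN" in the two posts above is eight decimal digits rather than four, the last of which is a check digit, and the WPS registrar protocol confirms the first four digits (after message M4) before the last four (after M6); that split, not just the digit count, is what collapses the search space. The code below is an added example, not from the article or any poster, that implements the check-digit rule from the WPS specification (the same loop wpa_supplicant uses) and puts numbers on the exposure, with the 30+ character password mentioned above as the comparison point.

```python
import math

def wps_pin_checksum(first_seven: int) -> int:
    """Check digit for the 7-digit PIN prefix, weighting the digits 3,1,3,1,3,1,3
    as in the WPS specification (same loop as wpa_supplicant's wps_pin_checksum)."""
    accum = 0
    while first_seven:
        accum += 3 * (first_seven % 10)
        first_seven //= 10
        accum += first_seven % 10
        first_seven //= 10
    return (10 - accum % 10) % 10

def wps_pin_valid(pin: int) -> bool:
    """An 8-digit PIN is well-formed when its last digit is the checksum of the first seven."""
    return 0 <= pin <= 99_999_999 and wps_pin_checksum(pin // 10) == pin % 10

def valid_check_digits(prefix: int) -> list:
    """Exactly one check digit fits any 7-digit prefix, so the 8th digit adds no entropy."""
    return [d for d in range(10) if wps_pin_valid(prefix * 10 + d)]

def second_half_candidates(first_half: int) -> list:
    """Second halves 0000-9999 that form a well-formed PIN with a given first half:
    only 1000 of the 10000, because the last digit is determined by the other seven."""
    return [s for s in range(10_000) if wps_pin_valid(first_half * 10_000 + s)]

def worst_case_guesses(split_verification: bool) -> int:
    """Guesses needed to be certain of hitting the PIN. The WPS registrar exchange
    answers the first half (M4) before the second (M6), so each half is searched on
    its own and the counts add; had the PIN only been accepted or rejected as a
    whole, the two halves would multiply instead."""
    first_halves = 10 ** 4
    second_halves = len(second_half_candidates(0))   # 1000, the same for any first half
    if split_verification:
        return first_halves + second_halves
    return first_halves * second_halves

def security_bits(search_space: int) -> float:
    return math.log2(search_space)

def passphrase_bits(length: int, alphabet_size: int) -> float:
    """Search space of a random passphrase, e.g. 30 printable-ASCII characters."""
    return security_bits(alphabet_size ** length)

if __name__ == "__main__":
    print("WPS PIN, halves verified separately:", worst_case_guesses(True),
          "guesses ~", round(security_bits(worst_case_guesses(True)), 1), "bits")
    print("WPS PIN, verified whole:", worst_case_guesses(False), "guesses")
    print("30-char random passphrase:", round(passphrase_bits(30, 95)), "bits")
```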
Anonymous Coward

Re: WPS

You might think you have turned WPS off on the router web page. But, many routers keep the service running anyway ..


Re: WPS

@irongut: Having never used it, I didn't know it was a "short PIN" - assuming the PIN method is enabled at all, being optional. Time to get off your high horse.


Re: WPS

@AC: Consult an Android phone to see if it's still running?


Just switched off WPS

Not even sure if my router contains a Broadcom chipset, but I never use it anyway.

I notice Android phones now helpfully tell you if the networks they find have WPS.


Re: Just switched off WPS

<big bad wolf>

All the better to hack you with!

</big bad wolf>

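The check the posts above describe doing from an Android phone (is my router still advertising WPS after I "turned it off"?) can also be done from a Linux laptop: `iw dev wlan0 scan` prints a WPS block for every access point that advertises the WPS information element. The parser below is an added example, not from the article or any poster; the scan text is constructed in iw's style (the exact field layout is an assumption, so adjust the prefixes if your iw version prints them differently) and the set of your own BSSIDs is supplied by you.

```python
import re

# Constructed sample in the style of `iw dev wlan0 scan` output (made-up BSSIDs/SSIDs, not a real capture).
SAMPLE_SCAN = """\
BSS aa:bb:cc:00:00:01(on wlan0)
    SSID: HomeNet
    WPS:     * Version: 1.0
         * Wi-Fi Protected Setup State: 2 (Configured)
         * Config methods: Label, PBC
BSS aa:bb:cc:00:00:02(on wlan0)
    SSID: GuestNet
BSS aa:bb:cc:00:00:03(on wlan0)
    SSID: OldRouter
    WPS:     * Version: 1.0
         * AP setup locked: 0x01
         * Config methods: Label
"""

def parse_scan(text: str) -> list:
    """One record per BSS; a WPS information element means the AP advertises WPS."""
    networks, cur = [], {}
    for raw in text.splitlines():
        bss = re.match(r"BSS ([0-9a-f]{2}(?::[0-9a-f]{2}){5})", raw)
        if bss:
            cur = {"bssid": bss.group(1), "ssid": "", "wps": False, "locked": False, "methods": []}
            networks.append(cur)
            continue
        line = raw.strip()
        if line.startswith("SSID: "):
            cur["ssid"] = line[6:]
        elif line.startswith("WPS:"):
            cur["wps"] = True
        elif line.startswith("* AP setup locked:"):
            cur["locked"] = line.rsplit(":", 1)[1].strip() != "0x00"
        elif line.startswith("* Config methods:"):
            cur["methods"] = [m.strip() for m in line.split(":", 1)[1].split(",")]
    return networks

def wps_findings(networks: list, own_bssids: set) -> list:
    """(bssid, ssid, note) for every AP still advertising WPS; your own APs are called out."""
    findings = []
    for n in networks:
        if not n["wps"]:
            continue
        who = "OWN AP" if n["bssid"] in own_bssids else "other AP"
        note = f"{who}: WPS advertised, methods={','.join(n['methods']) or '?'}"
        if n["locked"]:
            note += "; setup locked (PIN attempts throttled, WPS still enabled)"
        findings.append((n["bssid"], n["ssid"], note))
    return findings
```

Feed the real output of `sudo iw dev wlan0 scan` to parse_scan() and pass your router's BSSID(s) to wps_findings(); if your own AP shows up, the web UI toggle did not stop the WPS service.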

UPnP, WPS, SNMP

All switched off at first setup time, whatever router/firmware you use.

UPnP and WPS are security suicide tools, and SNMP can be used as an attack means if not implemented correctly and in 99% of cases is not used at all.


Re: UPnP, WPS, SNMP

Same here. Current router has been reconfigured to use the WPS button as a WiFi on/off button instead.

It becomes very annoying when something requires UPnP to work. I'm sure it's useful for the average low grade consumer, but I know what I'm doing dammit!

UPnP would be much better if you could control what was allowed to use it and/or when it was active; I really don't want random bits of software opening up my firewall without me knowing.


Re: UPnP, WPS, SNMP

My router allows you to specify allowed internal and external UPnP port ranges - better than nothing?


Re: UPnP, WPS, SNMP

"My router allows you to specify allowed internal and external UPnP port ranges - better than nothing?"

Barely. Security through obscurity. Let's hide the port which opens the firewall ...

And how is it hard, for someone who almost gets the notion of a port, to do any firewall config explicitly, rather than relying on UPnP?


We'll not tell you who

No, it wasn't Atheros.

So I just need to start a rumour against each manufacturer, and get them all denied except one?


I bought a Netgear DGN-1000 a few years ago. Disabling WPS was disabled (if you see what I mean) and the company explicitly announced that they weren't going to issue a fix. (They expected owners to buy a newer model.)


" I bought a Netgear DGN-1000 a few years ago. Disabling WPS was disabled (if you see what I mean) and the company explicitly announced that they weren't going to issue a fix. (They expected owners to buy a newer model.) "

Pretty retarded indeed.

Solution is to buy only those routers that can install one of the popular freewares.


That's Netgear all over these days. Another once great company brought low by 'tards.

Having said that, the DGN-1000 was always a POS and I can understand why the manufacturer would rather you replaced it. Back when I dealt with domestic stuff, we took one look at the feature set compared to the 834 it replaced and started supplying Billion. I still have a pair of 1000s that we replaced in use as a point-to-point relay.


n00b here

Why use WPS?

Why is it easier than setting a long password and typing that in? Mine is longer than the alphabet but is a catchy lyric that everyone in my household can remember.

I better go and check that this WPS junk is turned off, if you can even do that?


Re: n00b here

Supercalifragilisticexpialidocious?


Re: n00b here

No, I'm pretty sure that's an El Reg headline.


hmmm...

I never thought that I'd say this, but...

BellSloth is actually good for something. The 2Wire (a.k.a. 'Pace') device they make us use for U-Verse (TV, phone, internet) service comes with WPS disabled by default. It also shipped with a _long_ random key printed on the side of the device; if you have physical access you know the key, if you don't, good luck guessing the 12-digit alphanumeric key. And they recommend changing the key, which I have, to something a little easier to remember, though a bit longer.

BellSloth, a.k.a. AT&Useless, actually did something good. Probably for the first time ever, and by accident... Let's not let them know, they'll change it.


Wait wait wait....

Dominique Bongard? Really really!? Why am I alone in pointing this out? Possibly the best real name in the Reg evah!


Another dumb question

Why don't all router manufacturers use one of the several FOSS firmwares? This would mean they have more features and security updates for free. (They'd still have to contribute drivers for any bleeding edge hardware they used, but they must develop that anyway for their own purposes.)

None of them actually sell the software, or enhanced add-ons. I can't see the economic argument for spending extra cash to produce a shoddier product.


Re: Another dumb question

Buffalo does routers which have an official DD-WRT install, although that said there's often a long wait between DD-WRT updates these days.

Anonymous Coward

The time between beta builds is fairly fast; stable (fully tested) builds take forever (not that beta builds are normally unstable, just untested).

That said, and I'm not blaming dd-wrt as they support a massive number of devices, from time to time a new beta build can break an existing feature that worked just fine, but that's why it's a beta build: if you test it and it works for your use scenario, hey ho; if it doesn't, report the bug and use a version that's not broken until it's fixed.

OpenWRT/Tomato/Gargoyle are always another option, but you tend to find they all support fewer devices than dd-wrt, and in my experience on smaller devices with less nvram you're better off going with dd-wrt (personally I find it easier to configure, but that's just me).

However, if you have 150Meg+ internet speeds most routers struggle to keep up (especially once you want more advanced options like traffic shaping); that's why I now use dd-wrt for wireless access points, site to site bridges and cat5 wireless clients, and then a low power x64 Atom box running pfSense for gateways wherever possible.


"However, if you have 150Meg+ internet speeds most routers struggle to keep up (especially once you want more advanced options like traffic shaping); that's why I now use dd-wrt for wireless access points, site to site bridges and cat5 wireless clients, and then a low power x64 Atom box running pfSense for gateways wherever possible."

Personally, that's a problem I'd love to have. Unfortunately moving isn't an option, and nor is broadband faster than 20Mbps ADSL2+.
