New WiFi Setup Flaw Allows Easy Router PIN Guessing
Trailrunner7 writes "There is a newly discovered vulnerability in the WiFi Protected Setup standard that reduces the number of attempts it would take an attacker to brute-force the PIN for a wireless router's setup process. The flaw results in too much information about the PIN being returned to an attacker and makes the PIN quite weak, affecting the security of millions of WiFi routers and access points. Security researcher Stefan Viehbock discovered the vulnerability (PDF) and reported it to US-CERT. The problem affects a number of vendors' products, including D-Link, Netgear, Linksys and Buffalo. 'I noticed a few really bad design decisions which enable an efficient brute force attack, thus effectively breaking the security of pretty much all WPS-enabled Wi-Fi routers. As all of the more recent router models come with WPS enabled by default, this affects millions of devices worldwide,' Viehbock said."
WPS (Score:4, Insightful)
Don't you still have to physically push a button to (temporarily) enable WPS? If not, whose bright idea was *that*?
Re: (Score:2, Informative)
There's push button mode, and there's a shared PIN mode.
Re:WPS (Score:4, Insightful)
I believe you still have to put the router into setup mode even when using shared PIN mode. That limits the times this attack could possibly work.
Re: (Score:2)
There are ways around that. You could just keep your computer on 24/7 until the unsuspecting victim pairs something with their router, but it is more efficient to use a trick similar to that used to force WPA authentication which is required for attacking WPA keys. In the case of WPA the attacker forces a client to re-connect, e.g. by sending de-auth packets appearing to come from said client.
For WPS you can use the same technique until the victim thinks their wifi is broken and tries to re-pair their devic
Re: (Score:3)
This is incorrect. Look at the paper. It states WPS has three methods:
Push-button-connect
PIN - Internal Registrar (web interface)
PIN - External Registrar (PIN)
Default on the Buffalo WHR-HP-G300N I just reviewed is to have External Registrar (PIN) enabled.
The paper further states that if a device is WPS certified then it must have the External Registrar (PIN). To make it "user friendly" it will be enabled by default. Hopefully your devices have the ability to disable it.
Side note: trust no wireless. Bes
Re: (Score:2)
That is incorrect. With the External Registrar (PIN) method nothing has to be done on the router and it is all done remotely. Per the paper, External Registrar (PIN) is a required feature for all WPS-certified devices. (Note, it doesn't have to be enabled by default, but that wouldn't be user friendly, would it?).
Two flaws:
1. The WPS access point should not NACK the PIN before the entire PIN is transmitted. This cuts the number of guesses down from 100,000,000 (10^8) to 11,000 (10^4 + 10^3).
2. Most access poin
Re:WPS (Score:5, Funny)
HAHAHAHA I got a new Linksys. My WPS doesn't work at all. Joke's on them! HAHAHAHA... Wait a minute.
WPS - maybe not that easy (Score:3)
Thus the attacker program should be low-level enough to fake its own MAC address all the time.
Re: (Score:2)
Much fun to be had by de-authing an existing client and spamming WPS with their MAC, thus booting them off for whatever the cooldown period was.
Oops?
ok... (Score:3)
Re:ok... (Score:5, Informative)
No. If your router supports the "external" authentication mode using only a PIN, it is vulnerable no matter which encryption type you use or how good your password is. I did not realize that there was such a mode - I too thought it required the pushbutton.
The easiest mitigation is to disable the WPS PIN on your router, re-enabling it when you want to add a device. Some routers may not have such an option, but at least mine does.
Scary.
Re: (Score:3)
No. If your router supports the "external" authentication mode using only a PIN, it is vulnerable no matter which encryption type you use or how good your password is.
I didn't see Apple mentioned anywhere. Apparently the recent Airport Extremes do support WPS mode, but (when I checked my router's preferences) it appears there's no set PIN enabled by default. When I go to see how it works, it asks me to enter a PIN that's been chosen by the client. If true, that shouldn't be problematic - although I haven't ever used that "feature" since I never found WPA2 to be particularly difficult to set up in the first place.
Re: (Score:3)
Launch "Airport Utility" and select either an Extreme or an Express. Click on "Manual Setup". Then go to the "Base Station" pulldown menu. The WPS setup is the very last item in that menu - "Add Wireless Clients".
Re: (Score:2)
It can be difficult when you use a sufficiently long WPA2 passkey, but that's largely due to how well you can type a password that could be 60+ characters.
That being said, I have never had a problem typing my passkey, and have never had a need to use WPS to set up my router. Mine does support the pushbutton authentication mode, as well as the pre-generated PIN mode, but the PIN is disabled by default, which is exactly how it should be... and I think (I'd have to check the documentation) that if you enable t
Bad Security = Bad Security big surprise (Score:1, Interesting)
Re: (Score:2, Informative)
If you don't use Tomato or DD-WRT on your router you obviously don't really care about security anyway so who cares? The OOB ROMs on most consumer routers are full of more holes than a breadboard.
A) Citation needed.
B) Apparently you're not aware of the issues that historically plagued DD-WRT, what with their broken HTTPS daemon which would either spike your CPU to 100% or require you to use HTTP only. That's some mighty good security there.
C) Apparently you're also not aware that the old WRT-54Gs were the starting point for DD-WRT, and were Linux based. What makes you think there's more security in DD-WRT?
D) Security has never been a chief concern of either Tomato or DD-WRT.
Re: (Score:3)
If you don't use Tomato or DD-WRT on your router you obviously don't really care about security anyway so who cares? The OOB ROMs on most consumer routers are full of more holes than a breadboard.
BS. I can't speak to some brands, but the main reason to install Tomato or DD-WRT is *not* security, it's features. If you're not using one of those firmwares, then it's because you don't need the added features that they offer (or perhaps, you have a router which came with every single one of those features out of the box, and see no point in installing them). There is absolutely nothing that Tomato can do which can't be done with the default firmware on my TP-Link router, because the default firmware is t
Re: (Score:2)
I think they designed the protocol to use Diffie-Hellman to prevent offline attacks.
Does it matter? (Score:3, Interesting)
Re:Does it matter? (Score:5, Funny)
Rubbish. That's just half-assed security.
If you want real security, you need to personally design the chips, fab them [then microwave the resulting chips to make sure they actually fabbed your design], then fabricate the PCB, solder it all together, then write the router's OS.
Oh, and for extra credit, implement your own personal wireless protocol [using either/both of the public 2.4/5 GHz frequencies] for both the router you just fabbed as well as for your computing devices.
Re: (Score:2)
For Very Sensitive national security projects that's just what they do.
Sandia National Laboratory has a semiconductor fab. No doubt they're a few generations behind Intel in process, but that isn't the point of these.
It is because they have discovered very subtle and apparently intentional hardware flaws inserted into chips made in the East. Not mistakes.
wire does not work that well on laptops (Score:2)
If you don't have any laptops and just desktops, then don't get a wifi router if you want a secure connection.
Re:Does it matter? (Score:4, Interesting)
WPA2-PSK is, I would argue, more secure than bog-standard wired ethernet. Wired ethernet is trivial to tap with a laptop with a USB-ethernet port bridged to its internal NIC. It's also possible to tap by simply capturing the EM emissions from the line. ARP poisoning could also trivially reveal plaintext passwords, and what sites you visit.
With properly set up wifi, on the other hand, every communication is encrypted, HTTPS or not. I'm not sure as I've never tried, but I do not believe that you can arp-poison a wifi connection that has been secured with WPA2.
Of course you can throw in IPsec, but you can do that regardless of the physical layer involved.
Re: (Score:2)
* WiFi is wireless. Most hackers are more apt to hack from a coffee shop across the street with a nice 1-Watt WiFi radio/9+db antenna than try to gain physical access. You have to physically intrude into the network in order to get ethernet access -- and if you've gone this far, can't you just break into the server room and take the disks out of the servers!?!
* WPA2-PSK use
Re: (Score:3)
* WiFi is wireless. Most hackers are more apt to hack from a coffee shop across the street with a nice 1-Watt WiFi radio/9+db antenna than try to gain physical access. You have to physically intrude into the network in order to get ethernet access
The problem is, you're looking at the best case scenarios for each, and I would agree-- on a hardened network with a managed switch and security policies in place, a wired solution can be more secure. But in an average scenario, wired setups are horribly vulnerable to ARP sniffing, DHCP spoofing, inserting a tap between wall jack and workstation, etc. No authentication is needed for ANY of those-- your attacker doesn't even need authorization, just physical access, which is terribly easy in 90% of offices a
Re: (Score:3)
Wifi on my Netgear didn't even work until I assigned my own password. It wouldn't even allow open Wifi until I created a secure wifi at least once.
Nothing new (Score:4, Informative)
Re:Nothing new (Score:4, Interesting)
I just can't believe how incredibly poor this implementation was. For that matter, I can't believe no one noticed it up until now. This just seems like security 101 stuff. If nothing else it shouldn't have passed the you-don't-get-something-for-nothing common sense check.
Re: (Score:2)
Is Amazon's security bad?
Yes. Yes it is.
Re: (Score:2)
I won't go into how many certificate authority breaches there were in the last year.
Yeah, they're all just pants [wikipedia.org].
Re:Nothing new (Score:4, Informative)
Same old thing, default configuration is bad.
Not really. That would imply that changing the default configuration to something else would fix the problem, but it doesn't. The only thing that fixes it is disabling WPS. Well, I suppose setting a really long PIN -- but the default is 8 digits which most people would expect is reasonable anyway. If the protocol didn't leak information about the PIN, or the device didn't allow brute force searches, this wouldn't be a problem.
This isn't a default configuration problem, this is a security protocol defect coupled with an implementation error.
Re: (Score:2)
I can try an 8-digit PIN (0-9 only?) in mere seconds on modern hardware with just a brute force.
Only if the router is stupid. A proper implementation should at a minimum impose a second or two delay after failed attempts, and a good one should implement exponentially increasing delays.
Actually, "mere seconds" is likely impossible even without any delays. 10^8 values tested in, say, 10 seconds, means you have to be able to test 10^7 keys per second -- that's ten keys per microsecond. Given wireless protocol overheads, inter-frame delays, etc., plus the fact that the router hardware isn't tremendou
Re: (Score:2)
Actually, it is achievable. It's not about speed, it's about being extremely parallel, if I try a different key across each of 200+ processor cores.
You only have one router to test against. Every key you want to try must be transmitted to the router, as part of a multi-step protocol. I don't care how many cores you have, the router is the bottleneck.
This is different from a situation where you have, say, a hash of a password and can parallelize hashing operations, trying to find a password that hashes to a known value. Ditto for brute forcing a cryptographic key space searching for one that decrypts a known ciphertext to a known plaintext (or a pl
Re: (Score:2)
So your only defense now is that I can't capture a packet and do an offline attack?
Ah, sorry, I missed this part.
Yes, that's exactly the problem. You can't capture a packet and do an offline attack. There is no packet to capture which will enable you to test many values offline. Each attempt to guess the PIN must be an on-line attack, transmitted to the router.
Re: (Score:2)
Yes, as in this specific case one does a Diffie-Hellman key exchange before an attack. But when proving anything against brute-force style attacks one assumes that it's going to be an offline attack.
Depends on the context. Structuring the protocol to eliminate off-line attacks and then implementing countermeasures to defeat on-line attacks is a common and perfectly valid strategy. Particularly when you want to have human-usable keys, as in this case.
We assume worst case in cryptography research, not best case and hope someone doesn't work out how to make it offline.
No, we don't assume worst case. The right way to build cryptographic security systems is to define the threat model, identify the avenues of attack and implement necessary threat mitigation countermeasures -- with an appropriate level of conservatism, of
Word (Score:1)
and this is why I didn't trust WPS (Score:2)
Since my ISP uses MAC registering, I have to set up the damn router with a specific MAC address, and since I'm in there doing that, I may as well configure the rest of the damn thing with its passphrase and name. This actually saves me lots of trouble as I don't have to reconfigure the damn authorized systems again (they already have the needed connection information), so they're connected as soon as I'm done configuring the router.
Re:and this is why I didn't trust WPS (Score:5, Funny)
It sounds like all of your gear has been damned. That probably means that you have bigger things to worry about than security threats coming from this world.
Too much information? (Score:4, Funny)
"The flaw results in too much information about the PIN being returned to an attacker and makes the PIN quite weak"
Does anyone else visualize a router responding with: "Getting warmer!"
Re: (Score:2)
"I'd like to buy a vowel..."
Re: (Score:2)
My first thought was "higher", "lower", "lower", "higher", etc.
Re: (Score:2)
0 BULLS, 1 COWS.
Actually, it sounds like a lot of bulls...
On LinkSys (Score:2)
Is this the "Secure Easy Setup" option on the "Wireless" menu, which by default is enabled, and of which there's no info on the help screen of my WRT54G?
Re: (Score:2)
Answering myself: Looks like Secure Easy Setup was the prior version, before the standard was set. No notion if it has the vulnerability. But I've turned it off anyway. Wouldn't have had it on if I'd noticed it before in the menu, since I never use it anyway.
Re: (Score:2)
I wondered, as well, and was surprised at how little information is available -- both in the Linksys literature and online -- on this feature. Reprehensible.
Re: (Score:2)
After getting the "our developers are working on it" runaround for months and months when Linksys didn't issue new drivers without the Broadcom vulnerability for my WPC54G v.4 adapter [linksysbycisco.com], rendering it totally useless, I decided to never, never, buy Linksys equipment.
I actually "inherited" this card from a relative who had bought it and found out he didn't need it.
This really has to show you how bad Linksys's customer relations were with me: I didn't even pay for the adapter myself and Linksys still managed to
Immune. I use Tomato Linux on my guest WIFI router (Score:3, Interesting)
I use OpenWRT on my private router. As can be said of ALL default installed software: SCREW the firmware that comes with the routers.
It's just like my Laptop, Servers, Workstations, and Phone: If I can't install MY OS on it, it's not worth any of my time. If I haven't installed my OS on it, I DON'T USE IT.
That "easy setup" button on my router now gives me a minimal window of time during which I can SSH in to the router itself -- I have to be connected to the router already to do so over Ethernet or WPA2 w/ AES.
If you don't know how to drive GET THE HELL OUT from behind the steering wheel! The same can be said for networks, security, computers in general. If you can't configure your network, get someone who can to do so. Otherwise, expect to lose control and have a horrible accident when you brake instead of clutch, or WPS or WEP instead of WPA PSK w/ custom firmware.
Re: (Score:1)
I just bought a new router. I must confess, I have no clue what its default firmware even looks like. First thing I did was install DD-WRT on it and tweak almost everything.
Re: (Score:2)
Let me carry that vehicle analogy just one step further to the infrastructure level, and then you can answer some questions: Do you know how thick the class 5 limestone needs to be to support a four lane concrete freeway when building a road on a clay-silt base? What's the weight required for the tamping machine to ensure it's adequately packed down so the roadbed doesn't crack? How much reinforcing mesh do you have to put in the concrete, and how close to the road surface can it be? What is the proper
Safe? (Score:2)
I have a regular non-wifi router and then behind that a separate wifi access point (WPA2 protected)... Am I safe from this attack then?
Simple mistake, simple correction (Score:4, Informative)
From the PDF, the implementation mistake is to give the attacker feedback on whether the tried key is correct after the first half of authentication (phase M4), and then after the complete authentication (phase M6). Since the PIN is only 8 digits, and the last one is a checksum, the problem is reduced to guessing 1 number in 10000, and then 1 in 1000.
The document states that there are few possible mitigations for the problem. However, it skips the obvious one: do not notify authentication success/failure until the response to the M6 message. This would restore the 1 in 10,000,000 guessing complexity of the PIN code, without changing the protocol. It should even be a new issue tested by the compliance suite the vendors need to pass to get the WPS certification.
Re: (Score:1)
Unfortunately, allowing the protocol to always run to M6 is likely to be even more disastrous as it exposes an offline attack which allows the first half of the PIN to be determined with ease. Only the second half of the PIN then has to be cracked in a maximum of 1000 trials.
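The M4/M6 feedback discussed in this subthread, and the per-attempt delay mitigation raised earlier under "Nothing new", modelled as a toy registrar so the numbers can be checked. This is an added example, not code from the paper or any vendor; the PIN is treated as two halves of 4 and 3 free digits (the 8th digit being a checksum), and 1.5 s per attempt and a 60 s lockout are assumed values.

```python
"""Toy model of the WPS PIN exchange (constructed example, not vendor or paper
code). PIN = (first_half, second_half): 4 + 3 free digits, since the 8th digit
is a checksum. 1.5 s per attempt and a 60 s lockout are assumed values."""

FIRST_HALF = 10 ** 4    # digits 1-4, confirmed or rejected at M4
SECOND_HALF = 10 ** 3   # digits 5-7, confirmed or rejected at M6


class Registrar:
    """Simulated access-point side of the exchange."""

    def __init__(self, pin, early_nack, lockout_after=None,
                 lockout_s=0.0, per_attempt_s=1.5):
        self.pin = pin                    # (first_half, second_half)
        self.early_nack = early_nack      # flawed behaviour: NACK right after M4
        self.lockout_after, self.lockout_s = lockout_after, lockout_s
        self.per_attempt_s = per_attempt_s
        self.failures = self.exchanges = 0
        self.seconds = 0.0

    def _fail(self):
        self.failures += 1
        # Rate limiting: pause lockout_s after every lockout_after failures.
        if self.lockout_after and self.failures % self.lockout_after == 0:
            self.seconds += self.lockout_s

    def attempt(self, first, second):
        """One PIN attempt; returns 'M4-NACK', 'M6-NACK' or 'OK'."""
        self.exchanges += 1
        self.seconds += self.per_attempt_s
        if first != self.pin[0]:
            self._fail()
            # The leak: a flawed registrar reveals that the first half is wrong.
            return "M4-NACK" if self.early_nack else "M6-NACK"
        if second != self.pin[1]:
            self._fail()
            return "M6-NACK"
        return "OK"


def simulate(pin, early_nack, **kw):
    """Enumerate PINs guided only by the replies; returns the Registrar."""
    reg = Registrar(pin, early_nack, **kw)
    for first in range(FIRST_HALF):
        for second in range(SECOND_HALF):
            reply = reg.attempt(first, second)
            if reply == "OK":
                return reg
            if reply == "M4-NACK":
                break   # first half rejected: no point varying the second half
    return reg


def worst_case_exchanges(early_nack):
    """Upper bound on attempts: 10^4 + 10^3 with the leak, 10^7 without."""
    return FIRST_HALF + SECOND_HALF if early_nack else FIRST_HALF * SECOND_HALF


def worst_case_seconds(early_nack, per_attempt_s=1.5, lockout_after=None, lockout_s=0.0):
    """Worst-case wall-clock time, including lockout pauses."""
    n = worst_case_exchanges(early_nack)
    pauses = (n // lockout_after) * lockout_s if lockout_after else 0.0
    return n * per_attempt_s + pauses
```

With the assumed timings, `worst_case_seconds(True)` is about 4.6 hours, a 60 s lockout after every 3 failures only stretches that to about 66 hours, while a registrar that withholds the verdict until M6 faces up to 10^7 attempts (about 174 days): the leak, not the absence of a delay, is what makes the PIN weak.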
Designed by complete morons (Score:5, Insightful)
The attack in short: WPS NACKs a partially transmitted PIN if the first part is wrong. This leaves 20k trials needed for brute-force, instead of 1M.
I have no idea how people this incompetent get to design widely used protocols.
Re: (Score:1)
From the article:
"The number of attempts goes from 10^8 to 10^4 + 10^3 which is 11,000 attempts in total," the US-CERT advisory says.
It goes from 100M down to 11k, not 1M down to 20k. It's ~9091 times faster and now takes mere hours (0.5-3 secs per attempt according to the article) rather than years.
Re: (Score:2)
Ah, yes. Sorry for the inaccuracy.
Re: (Score:2)
I have no idea how people this incompetent get to design widely used protocols.
The guys who wrote WEP were willing to work for cheap.
Practical test? (Score:2)
Very interesting. But how can we test for this vulnerability in practice? I guess there isn't a readily available exploit for it. So if we don't want to check all configuration pages of all our wifi routers to see if they support WPS and whether it is enabled, what can we do? Is there an easy way to send an appropriate packet and see in the response if the router may be vulnerable or not?
Irrelevant at least for me (Score:1)
Attack code posted (Score:1)
Code for this attack has been posted: http://www.tacnetsol.com/news/2011/12/28/cracking-wifi-protected-setup-with-reaver.html