Looks like your WiFi might not be quite as secure as you thought it was. A paper recently published by [Stefan Viehböck] details a security flaw in the supposedly robust WPA/WPA2 WiFi security protocol. It’s not actually that protocol which is the culprit, but a built-in feature called Wi-Fi Protected Setup (WPS). This is an additional protocol that lets you easily set up network devices like printers without having to give them the WPA passphrase. [Stefan’s] proof-of-concept lets him recover the WPS PIN in 4-10 hours by brute force. Once an attacker has that PIN, they can immediately get the WPA passphrase with it. This works even if the passphrase is frequently changed.
Apparently, most WiFi access points not only offer WPS, but have it enabled by default. To further muck up the situation, some hardware settings dashboards offer a disable switch that doesn’t actually do anything!
It looks like [Stefan] wasn’t the only one working on this exploit. [Craig] wrote in to let us know he’s already released software to exploit the hole.
Oh good you had me worried for a second there. I don’t use that junk anyway. :-) I’ll bet most of us readers actually enjoy setting up our new networking hardware and never bothered with WPS. It is a little scary, however, to read that in some routers turning it off doesn’t actually do anything.
“I don’t use that junk anyway.”
Unless you mean Wi-Fi, as in “I don’t use Wi-Fi”, you may still be vulnerable. You may want to confirm that your router/firmware isn’t one of the ones that has the feature “always on”.
He likely means most of us don’t use junk(original firmware).
I assumed by “that junk” he meant WPS.
Umm… I have set up DSL wifi routers for myself and 4 of my neighbors (I am the neighborhood geek). On all 4 Actiontec routers the WPS PIN is printed on the bottom label.
For every Actiontec wifi router I have looked at (multiple models) the PIN was *always* 12345678
Perhaps the reaver program should test that PIN first ???
I just fed the reaver wps_pin_checksum() function the pin 1234567 and it returned a checksum of 0, not the 8 that I was expecting. I then looked at my Actiontec router label in a brighter light, and indeed, it is a zero with a slash, which looks a lot like an 8.
So, the Actiontec PIN is 12345670.
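As an added illustration (not code from the article, the paper or reaver), here is the checksum arithmetic the commenter above ran through reaver’s wps_pin_checksum(), in Python: the WPS spec makes the last PIN digit a weighted checksum of the first seven, so a label reading “12345678” cannot be a valid WPS PIN while “12345670” is.

```python
# Added example, not from the article or from reaver. Per the Wi-Fi
# Protected Setup spec, the 8th digit of an 8-digit PIN is a checksum over
# the first seven: the 1st, 3rd, 5th and 7th digits are weighted 3, the
# 2nd, 4th and 6th are weighted 1, and the checksum digit is whatever makes
# the weighted total a multiple of 10.

def wps_checksum(first_seven: str) -> int:
    """Return the checksum digit for a 7-digit WPS PIN prefix."""
    if len(first_seven) != 7 or not first_seven.isdigit():
        raise ValueError("expected exactly 7 decimal digits")
    total = 0
    for i, ch in enumerate(first_seven):
        weight = 3 if i % 2 == 0 else 1   # odd positions weigh 3, even weigh 1
        total += weight * int(ch)
    return (10 - total % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    """True if an 8-digit PIN carries the correct checksum digit."""
    if len(pin) != 8 or not pin.isdigit():
        return False
    return wps_checksum(pin[:7]) == int(pin[7])


if __name__ == "__main__":
    # The commenter's case: "1234567" checksums to 0, so the label digit that
    # looked like an 8 had to be a slashed zero.
    print("checksum of 1234567:", wps_checksum("1234567"))   # 0
    for label in ("12345678", "12345670"):
        print(label, "valid" if is_valid_wps_pin(label) else "invalid")
```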
That’s truly pathetic. For interest, I tried that on a few networks in my area, and what do you know. Worked for almost all of them.
I did mean WPS by “junk.” I guess I prematurely assumed disabling it in my router actually meant it was disabled. I then tested it and disabling WPS actually works for Motorola “Surfboard.”
As far as which firmwares are junk, stock or custom, I’ve noticed a fair amount of bugs in both.
Agreed. Just using custom firmware doesn’t make you safe. You gotta test this shit.
And some routers, like mine (WNDR3700), don’t even have an option to disable WPS without flashing custom firmware.
I flashed DD-WRT onto my WNDR3700 months ago, and have its WPS support turned off.
Drat. I’ve got that router, but I’ve been looking at it sideways for months now. It only serves as a wireless access point and a switch… but I’ll be damned if I didn’t lose the thing on my network. It doesn’t show up in a ping sweep anywhere. It doesn’t show up as a hop. It’s just…missing.
I just checked mine, and yup, it’s enabled by default (now disabled). I never used WPS, so I didn’t even think about its vulnerability, and I didn’t know it was always on. That really shouldn’t be enabled by default.
I have my E3000 set to manual configuration but does anyone know if it’s actually disabled?
If it’s like my E2500, then no, it’s not.
https://lh4.googleusercontent.com/-8uHHAWDkCiI/Tv2wgd0B3fI/AAAAAAAACqk/wb4xu2S2l60/s640/reaver.jpeg
Wow, this is such an obvious attack vector, and I had never thought of it before. Thanks for the eye opening article.
I just always turn it off because I never needed it, turns out it is better to be lucky than smart :)
My MikroTik router does not seem to have any WPS functionality in it. I’m guessing that’s a good thing.
Saw this hit the news in the last couple of days. I always figured WPS was silly anyway.
WPS aside, it’s still possible to crack WPA with a pair of computers and the know-how. ;)
Does the method you speak of require me to have the target network’s password in a wordlist, require a short password, or require the two computers to have a couple of nVidia Teslas apiece? Link?
I can’t figure out if you’re trying to act cool, or if you’re just bullshitting and trying to act cool.
I’m just ignorant of the method he’s talking about. Not familiar with one that needs two computers. Just making sure it’s not the same old guess the password method. If I acted cool I wasn’t trying, it’s just something that happens when you’re cool I guess.
Oh wait, you weren’t talking to me. Not cool…
rainbow tables
I’m already testing out this software. It works pretty well so far. It has a few minor bugs but the author is on top of them and has already released some updates to the code.
I’m using it on a VM of BT4R2 with an Alfa AWUS036H. It’s slow, but fast as shit compared to trying to crack WPA using a wordlist with the huge possibility of it not succeeding.
So far, every network around me is vulnerable to this attack. There isn’t a single one where WPS is disabled. And some of the people around me are supposedly tech experts working for Comcast and Verizon.
Something about WPS never seemed all that safe to me. I’ve always had it disabled. I’m surprised it took this long for someone to find an easily exploitable flaw.
Should the router makers care about the 1% of users who care about security?
Or the 99% who just want to plug in a printer and see it work? (and they don’t give a fuck about security)
HMM. That’s a tough choice, huh… lol
Defaults are for the 99%… They don’t even need to know the printer has an “Aye-pee”. (IP)
The paper just travels like magic from the computer to the tray.
*mimics caveman bashing on broken printer* << average printer user.
That, or you simply wait it out and sniff the pass.
I haven’t been able to get this to work yet
Such a racist title :(
Oh please. Yes, let’s stop using valid English words because some people have over-sensitive “hate crime” sensors.
Will somebody think of the children!!!!!
I think we should forbid Hamlet too because Polonius is killed because Hamlet thinks it is someone else behind the curtain. Curtains don’t kill people, people kill people. And we should stop with The Merchant of Venice too because of its antisemitism. We should call black tie dressing afro-american tie, we should call women people of female gender, and especially call people like you mentally challenged and not retarded.
What color are car tires? Now don’t give the color a racist name…. Friggin’ moron.
chink [chingk]
noun
1. a crack, cleft, or fissure: a chink in a wall.
2. a narrow opening: a chink between two buildings.
I’m fairly certain he was joking. Goddamnit you people are touchy.
Good ol’ OpenWrt, it has the lovely ‘feature’ of not supporting WPS at all in the LuCI interface. Sure hostapd supports it but there’s no frontend unless you feel like coding up your own, how thoughtful of them.
hostapd fixed this vulnerability in 2009, even if you had found a way to use WPS. :-)
http://hostap.epitest.fi/gitweb/gitweb.cgi?p=hostap-07.git;a=commitdiff_plain;h=3b2cf800afaaf4eec53a237541ec08bebc4c1a0c
I was just checking. Open source beats vendors again.
What nonsense. That’s like saying the deadbolt on your front door is flawed because if you leave the side door open, people can still enter your house.
Nothing – NOTHING – is ever secure as people think it is. That has been proven against every new ‘secure’ technology that comes out.
Whether it’s tricking people into revealing their passwords, or stupid SQL administration that leads to internal document exposure that contains decryption keys, nothing will ever be completely secure.
Now broadcast encryption information over some wireless bands and let’s see how security ratings drop precipitously.
>>is ever secure as people think it is.
There is a difference between things being insecure and things being badly implemented. As far as I can tell WPA/WPA2 are still fairly secure.. i.e. capturing cipher text and turning it into plain text is not trivial. Router vendors being retarded and shipping units with predictable keys etc doesn’t mean that “WPA is insecure”, just that the vendors’ implementation is bad.
>>That has been proven against every new
>>‘secure’ technology that comes out.
Has it? SSL is pretty old.. it’s still secure for the most part.
>>Whether it’s tricking people into
>>revealing their passwords,
Stupid passwords don’t mean a cipher or protocol is insecure.
>>or stupid SQL administration that
>>leads to internal document exposure
>>that contains decryption keys,
Again, that is bad implementation. Encrypting something with and then attaching a post-it note with the key to the media doesn’t mean is insecure.
>> nothing will ever be completely secure.
s/completely secure/completely secure against bad implementation and side channel attacks/
>>Now broadcast encryption information over
>>some wireless bands and let’s see how
>>security ratings drop precipitously.
People “broadcast” sensitive information by the terabyte over this massive public network called “the interwebs” and it’s still possible to have a secure channel.
wordpress stripped what it thought were tags..
Again, that is bad implementation. Encrypting something with CIPHER and then attaching a post-it note with the key to the media doesn’t mean CIPHER is insecure.
Physical access is a massive issue.
An undisclosed company was booted from the datacenter I work in, as they were dumping CC information from their customers’ servers and virtual servers.
Though all communication out of the servers would have been secure, the encryption keys were still on the server, so physical access by a corrupt admin was still an inherent issue.
You sure “chink” is the best phrase to use?
http://en.wikipedia.org/wiki/Chink
I know what you meant, but…
a-chink-in-the-armor-of-wpawpa2
wap wap wap
Yes, I do believe chink is the correct term:
http://en.wiktionary.org/wiki/chink
Does the phrase “A {Chinese person} in the armor of WPA/WPA2 WiFi security” make sense?
Yea, I didn’t think so.
lol
http://en.wiktionary.org/wiki/Chink
http://en.wiktionary.org/wiki/chink
Don’t believe the net.
Chink doesn’t mean anything but the meaning you give it. If you’re a racist, it’s going to have a racist meaning. For others it’s just a chink in the cable.
Actually, it’s WAAAY worse than you think. ALL common consumer/prosumer/commercial network connected hardware bleeds information by design. From your printers to your network interface hardware, from your cell phone to your TV, data leaks out your network like heat from an incandescent bulb. Yawn.
How many people know that cameras double as the IR remote interfaces on many big screen TVs?
Yeah, this isn’t such a big deal in the grand scheme of things.
“How many people know that cameras double as the IR remote interfaces on many big screen TVs?”
Not many, considering the fact that a CMOS/CCD sensor isn’t nearly fast enough to see anything other than the fact that the remote IR is on.
The signal is on a kilohertz frequency range carrier, so you’d need a camera that can do tens to hundreds of thousands of frames per second to receive it.
nice post
when did brute forcing over a protocol handshake become an “exploit”?
He’s exploiting the protocol, namely the timing attack style first sending M4 then M6.
Also he’s exploiting the WPS system to easily gain the WPA passkey.
Luckily I’d turned this off already, not cause I thought it was vulnerable but because I had no idea what it was.
“not cause I thought it was vulnerable but because I had no idea what it was”
Ha, glad I was not the only one. :-)
It might not really be off.
I use a lot of vuln hotspots, most units don’t have this it seems, they just have some other set of WPS functions for 0-config. This is interesting though, I may do a tool.
I have WPS disabled. However, now I’m wondering, how do I tell if it is really disabled, especially when I read the below line:
“To further muck up the situation, some hardware settings dashboards offer a disable switch that doesn’t actually do anything!”
After using reaver on a brand new Asus router with WPS turned off, we were shocked to see it print out our multi-word and symbol WPA2 passphrase in less than two hours.
Other routers were getting timeout errors, but after adjusting the timeout to 20 seconds 3 of them fell prey to reaver in less than a day. We may try a timeout of 25 seconds for the ones that are resisting.
Perhaps WPA isn’t cracked, but WPA *ROUTERS* are dropping like flies around here.
And by the way, most of them (multiple different brands) have a PIN code of 12345670, and most of them have WPS off. We could have gotten this done a LOT quicker if reaver checked that “standard default” PIN first.
Interesting, that new router that spilled its secrets so fast was from Asus, whose products are not even listed in the CERT advisory list of vulnerable routers.
I tried using reaver with the -P 12345670 -vv options and it seems to try that pin over and over (seemingly without success). Can you try it against a known vulnerable router with that pin?
Can you name the ASUS models. I tried the WPS attack, the ASUS N13U disables WPS automatically after 2 mins
When I first started setting up wireless nets, there was no such thing as WPS. I just got used to setting everything up by hand. When I bought my first router that did have WPS, I couldn’t get the thing to work using the WPS, so I just set it up manually and disabled the WPS. So, even now I still set up my nets manually, and disable WPS every time. I guess sometimes it’s good to be set in your ways.
WIFI PENTEST TOOLS WEP WPA WPS
http://www.youtube.com/watch?v=fRwqrp_ISbw
Some 6 months before this article was published I was trying to connect to some network in Windows and when I got prompted to enter a PIN an idea crossed my mind: this shit might be easy to bruteforce :D