NETGEAR is aware of a growing number of phone and online scams. To learn how to stay safe click here.
Forum Discussion
WiFi Protected Security (WPS), not sure if it is secure !
A few days ago I got NETGEAR DGN1000 from Orange to connect to my internet. I'm also IT myself and went through all the settings to make sure everything is secure. Then I came across WPS. I read the manuals and all the forums and NETGEAR website and other web info regarding this. And I just got off the phone to NEGEAR support and after half an hour non-the-wiser !?!
First of all I don't use or want WPS (never had or used it before), but there's no way to disable it on DGN1000 - see details below. Apparently it's designed for dummies to connect their WiFi devices (if you ask me, if someone can't type a WiFi pass key it should not be using it anyway!?). As far as I can see it seems it is a bit of a security risk, the way that I understand it - so correct me if I'm wrong.
Contrary to some people on this forum and others, WPS works in two ways as follows:
1- You push the WPS button (or virtual button from admin tool) on your NEGEAR router (AP), then within the 2 minutes press a (similar or virtual) button on your (WPS compliant) client device. That's it, hey presto, the devices are connected and paired for good. Nothing else needs doing.
People reckon the chances of someone else also press their button on their WPS client within that 2 minutes is minimal !!?? But wait, can a hacker write a little program to try and connect every 10 seconds to any router that has it's WPS button pressed and made itself available - it's like fishing, I bet in a large neighbourhood he'll get a few connections in a week or a month ! Is this secure !? (I'm not pressing my WP non-S button for the time being! :eek:)
But it doesn't end here, wait for this:
2- Without you having to press ANY button on your NETGEAR router, as long as it is ON and the WiFi active, ANYONE can just type a 8 digit pin (not alphanumeric, just numeric) and connect to your WiFi !!!??? Boy o boy, we have come a long way from WEP haven't we !?
This PIN can not be changed by the user, so all NETGEAR employees and anyone in between from manufacturing to packaging to delivery knows this pin for every serial number of NETGEAR device - before you say, if they want to of course ! (If you are one, note them down, I bet it worth a few bob for the ones that end up in banks !!? :p)
This PIN connection mechanism (means you don't even have to press any buttons) can NOT be disabled on DGN1000. Despite having a checkbox for it in Advanced Web Settings, it's greyed out and can not be altered (I have the latest firmware by the way).
So, I guess our hacker friend can just add another piece of code to his program and try various 8 digit number combinations (these hackers must think is xmas every day !), I bet he will get lucky more than the "Push 'N' Connect" mechanism with this PIN system.
I just don't understand this. How could this be, the support person didn't know much about it and kept saying the PIN is encrypted, but I guess he means in communication, but that is not the point here. (I bet the encryption mechanism is already out there as all WPS devices needed to communicate with routers.
I asked if there was a way to completely disable the WPS - of course not, why would they provide this feature, who needs it !!?? We are all dummies, right ?! :confused:
I think there must be more to it than this. This WPS is being introduced by WiFi Alliance company or something like that, and somehow approved by someone somewhere, they didn't think of these issues ! There are only a few mentions of this on the web and a few posts on this forum.
My only hope is this, in the instructions on right-side of the Advanced Web Setting, for the checkbox to "Disable router PIN" (which is normally greyed-out), it says:
"for security reasons the router might disable the PIN mechanism, you can then enable it again using this checkbox." (I think that is why it's greyed out, it only work the other way I guess.)
So I'm thinking maybe NETGEAR has built a mechanism to prevent brute-force attack by temporary disabling this PIN - something they don't even know about themselves.... !LOL :rolleyes:
My other half solution is to set it to change the SSID and passkey on every connection (there is an option for this). This is not recommended, but if someone did manage to connect using WPS, the settings change and I will know because I won't be able to connect myself. Then I have to connect via wire and re-set it, pain but at least I'll know.
These might help, but what I really want is the way to completely get rid of this piece of **** WPS, what we have to endure for a few dummies amongst us !!! - I might be looking at another router without this, but I'm guessing this damn thing will be rolled out on every thing that plugs in the main soon. What a mess, what do you think ? Please tell me I'm not right !:(
First of all I don't use or want WPS (never had or used it before), but there's no way to disable it on DGN1000 - see details below. Apparently it's designed for dummies to connect their WiFi devices (if you ask me, if someone can't type a WiFi pass key it should not be using it anyway!?). As far as I can see it seems it is a bit of a security risk, the way that I understand it - so correct me if I'm wrong.
Contrary to some people on this forum and others, WPS works in two ways as follows:
1- You push the WPS button (or virtual button from admin tool) on your NEGEAR router (AP), then within the 2 minutes press a (similar or virtual) button on your (WPS compliant) client device. That's it, hey presto, the devices are connected and paired for good. Nothing else needs doing.
People reckon the chances of someone else also press their button on their WPS client within that 2 minutes is minimal !!?? But wait, can a hacker write a little program to try and connect every 10 seconds to any router that has it's WPS button pressed and made itself available - it's like fishing, I bet in a large neighbourhood he'll get a few connections in a week or a month ! Is this secure !? (I'm not pressing my WP non-S button for the time being! :eek:)
But it doesn't end here, wait for this:
2- Without you having to press ANY button on your NETGEAR router, as long as it is ON and the WiFi active, ANYONE can just type a 8 digit pin (not alphanumeric, just numeric) and connect to your WiFi !!!??? Boy o boy, we have come a long way from WEP haven't we !?
This PIN can not be changed by the user, so all NETGEAR employees and anyone in between from manufacturing to packaging to delivery knows this pin for every serial number of NETGEAR device - before you say, if they want to of course ! (If you are one, note them down, I bet it worth a few bob for the ones that end up in banks !!? :p)
This PIN connection mechanism (means you don't even have to press any buttons) can NOT be disabled on DGN1000. Despite having a checkbox for it in Advanced Web Settings, it's greyed out and can not be altered (I have the latest firmware by the way).
So, I guess our hacker friend can just add another piece of code to his program and try various 8 digit number combinations (these hackers must think is xmas every day !), I bet he will get lucky more than the "Push 'N' Connect" mechanism with this PIN system.
I just don't understand this. How could this be, the support person didn't know much about it and kept saying the PIN is encrypted, but I guess he means in communication, but that is not the point here. (I bet the encryption mechanism is already out there as all WPS devices needed to communicate with routers.
I asked if there was a way to completely disable the WPS - of course not, why would they provide this feature, who needs it !!?? We are all dummies, right ?! :confused:
I think there must be more to it than this. This WPS is being introduced by WiFi Alliance company or something like that, and somehow approved by someone somewhere, they didn't think of these issues ! There are only a few mentions of this on the web and a few posts on this forum.
My only hope is this, in the instructions on right-side of the Advanced Web Setting, for the checkbox to "Disable router PIN" (which is normally greyed-out), it says:
"for security reasons the router might disable the PIN mechanism, you can then enable it again using this checkbox." (I think that is why it's greyed out, it only work the other way I guess.)
So I'm thinking maybe NETGEAR has built a mechanism to prevent brute-force attack by temporary disabling this PIN - something they don't even know about themselves.... !LOL :rolleyes:
My other half solution is to set it to change the SSID and passkey on every connection (there is an option for this). This is not recommended, but if someone did manage to connect using WPS, the settings change and I will know because I won't be able to connect myself. Then I have to connect via wire and re-set it, pain but at least I'll know.
These might help, but what I really want is the way to completely get rid of this piece of **** WPS, what we have to endure for a few dummies amongst us !!! - I might be looking at another router without this, but I'm guessing this damn thing will be rolled out on every thing that plugs in the main soon. What a mess, what do you think ? Please tell me I'm not right !:(
