Reply
Highlighted
Novice

Re: How do I disable WPS?

Hello Devor, thanks for the reply.
I would like to say that my router does not have WPS. My friend who has been scared to go wireless intends buying a WNR2200, and asked me to set it up. This is why i started looking into WPS.
Also I am not making any claims, I am just concerned about vulnerabilities.

Having found some of the links, it seems most of them are directed at other brands. There seems to be a lot of confusion about, whether WPS is actually disabled or not, when it says it is in the interface.
Here is a link from Backtrack http://www.backtrack-linux.org/forums/showthread.php?t=47038&page=2&p=212552&viewfull=1#post212552 Netgear is not mentioned , so apologies for that
The only link i can find directed at netgear is here http://www.house4hack.co.za/brute-force-attack-against-wifi-protected-setup
I realise there is absolutely no proof of what this person is claiming, however it is worrying.
Looking at this document https://docs.google.com/spreadsheet/ccc?key=0Ags-JmeLMFP2dFp2dkhJZGIxTTFkdFpEUDNSSHZEN3c#gid=0
It appears a lot of tested Netgears have WPS enabled by default and are hackable. How many people are unaware of this ? However it also suggests disabling the pin, blocks the attacks.
I just feel there is a bit of uncertainty about all this, and feel I should recommend my friend buys a router without WPS.
Many thanks for any advice answers
Message 26 of 36
Highlighted
Tutor

Re: How do I disable WPS?

KevTech wrote:
If you have a v1 install firmware 1.0.7.98

Disable PIN then push the WPS button.

LED will blink and get faster then turn off completely.

LED will remain off unless you disable/enable wireless with the pushbutton, reboot router or make changes to wireless setting.

All you have to do in that case is push button again, blinks, goes off.

This does not work with newer firmwares including 1.0.16.98


According to the link posted by Micheal77 above, the WNDR3700V1 with firmware 1.0.16.98 is one of the few devices that is not vulnerable.

Look at item #112 in this link:
https://docs.google.com/spreadsheet/...SSHZEN3c#gid=0
Message 27 of 36
Highlighted
Guide

Re: How do I disable WPS?

You can disable the PIN... The push button you can not.

At the end of the day, if someone is close enough to push the button, then they are close enough to plug in an ethernet port.

Disable the PIN and your okay.

The PIN is a part of WPS, but so is the push button, NFC, web type push button.

This router doesnt support NFC, WPS Pin can be disabled, and the "push button" one is only hackable if someone is close enough to push the button, so why worry about it?
Message 28 of 36
Highlighted
Tutor

Re: How do I disable WPS?

jlewter wrote:
[...]the "push button" one is only hackable if someone is close enough to push the button...
However, the WNDR3700 interface also provides a "soft" (clickable) WPS button as an option in the "Add WPS Client" dialog.

Actually, I like that soft button. I've used that on my smart phone to "press" the WPS button while downstairs trying to pair the TV with the router. It saves me a trip up and down the stairs, or trying to enter my lengthy WPA2 password using a TV remote.
Message 29 of 36
Highlighted
Guide

Re: How do I disable WPS?

Yea, I had that in at first and edited it out ;P..
I couldnt remember for sure if the option was in there, and also I figgured if it was then anyone who can get into the admin console can just set the wifi password anyhow, totally bypasisng wps.

I like the push button setup, if you use a large ( say 20+ key ) passphrase then life can be simple (Unless you have an iProduct as they dont seem to support WPS!)...
Message 30 of 36
Highlighted
Luminary

Re: How do I disable WPS?

If an individual has concerns about WPS, shouldn't the individual also have concerns about using WPS?

That is to say, since WPS has a major security flaw, is the convenience worth any potential breaches of security?
_____
WNDR3700v1 (v1.0.7.98NA) - Router uptime (d:h:m:s): 1155:02:31:46 - How To Check and Change Your Router's Firmware: http://forum1.netgear.com/showthread.php?t=63234
Message 31 of 36
Highlighted
Novice

Re: How do I disable WPS?

Devor wrote:
If an individual has concerns about WPS, shouldn't the individual also have concerns about using WPS?

That is to say, since WPS has a major security flaw, is the convenience worth any potential breaches of security?

Hi Devor, I don't know if your reply was directed at me specifically, I suppose you are stating the obvious. My concern was not about using WPS, it was about whether the security flaw still existed, when WPS was disabled. Also there seems some confusion from some people whether unticking the WPS pin option actually disables WPS completely.
Anyway it would seem sensible to seek a router without WPS completely, however all new routers, whatever brand seem to have it built in.
I am a little surprised that no one from netgear has actually tried PWS penetration tests, and commented, or maybe they have, and didn't like the results. Thanks anyway
Message 32 of 36
Highlighted
Guide

Re: How do I disable WPS?

The netgear routers dont suffer that bad... I think I made a post on it when the exploit was first posted.

Newer netgear firmware seems to now have a hard limit of something like 5 failures and then it turns off until the user goes back into the menu to enable it.

The WPS Pin flaw the last time I tested it would take a massive time to crack on the 3700 due to "time delays" or "lock" that it adds when there is a failure.

http://sviehb.files.wordpress.com/2011/12/viehboeck_wps.pdf
Netgear suggest disabling routers pin.
http://kb.netgear.com/app/answers/detail/a_id/19824
The 3700's (both v1 and v2 I think) suffered from a "broken" disable option. So even when you would disable the pin would still work. Write down your pin and then disable it, reboot the router and see if it still shows disabled, if it does use your pc (or reaver) and try to connect using the pin. If it allows it then NG hasnt fixed that issue.

Just keep in mind that WPS PIN is not the same as WPS PUSH BUTTON.
A lot of people need to be aware that an 8 digit pin is fairly ample, the problem is not that the pin is only 8 digits, the problem is that it was split ito two blocks, and each block could be verified. two blocks of 4 is only double the security of 4, one block of 8 is 10,000 times more secure than one block of 4.... The flaw was with the standard, and the standard (that you need to pay to read) has still not changed.

Disable WPS Pin, the other methods are secure, jobs a good one.
ALL routers that have a WPS button will have the WPS Pin, As it is a standard with the WiFi Alliance then I would imagne virtually every certified router is also going to have this feature. But again, modern Netgear hardware does well in comparision to other mfgr's, older netgear hardware doesnt bode well at all. 3rd party rebrands (like ISP Routers) should also be looked at on their own, as they may not use the same firmware base as the retail counterpart.
Message 33 of 36
Highlighted
Novice

Re: How do I disable WPS?

jlewter, many thanks for your reply. I appreciate your advice, time and knowledge. Cheers
Message 34 of 36
Highlighted
Luminary

Re: How do I disable WPS?

michael777 wrote:
Also there seems some confusion from some people whether unticking the WPS pin option actually disables WPS completely.


Whether the pin can be disabled or it only appears to be disabled, evidently depends on the brand and model of router you own. Unfortunately, the only way to be 100 percent sure is to test your router.

michael777 wrote:
Anyway it would seem sensible to seek a router without WPS completely, however all new routers, whatever brand seem to have it built in.


The WPS standard was launched in January of 2007, was slow to adopt by manufactures and found to be flawed in early 2011. In early 2012, Netgear solution was to add restrictions. In contrast, Linksys solution was for you to turn off wireless. After almost two years, there is no revised 2.0 standard release that addresses the flaw. And, even if there was, it probably won't be adopted quickly.

If you must have a router that doesn't have WPS, you might consider looking at business class routers. WPS is for intimidated home users who know little of wireless security and those that wanted an easy way to add devices. In short, consumers.

michael777 wrote:
I am a little surprised that no one from netgear has actually tried PWS penetration tests, and commented, or maybe they have, and didn't like the results.


This forum, and the other Netgear forums, are a user-to-user support forum. However, Netgear did release a public response about WPS on 2012-01-07. This is what Netgear had to say:

[quote=Netgear]Wi-Fi Protected Setup (WPS) is a method developed by the WiFi Alliance for setting up a new wireless router for a home network which includes a way for users to easily connect to a secure network by pushing a button or entering a PIN code. Recently a security researcher posted an article highlighting security vulnerabilities with the WiFi Alliances WPS-PIN (WiFi Protected Setup-PIN) security protocol. Wireless routers that support WiFi Alliance WPS are vulnerable to a brute force attack. This vulnerability is likely to be addressed in the upcoming WPS 2.0 standard.

Today, NETGEAR routers go beyond the requirements of the WiFi Alliance WPS standard to deter such attacks. NETGEAR routers are the only ones mentioned in this article to have implemented a 'lock-down' feature, which locks down WPS PIN on the router after a number of failed attempts to connect using the PIN method. This hampers the brute force attack, but it doesn't completely eliminate the possibility of a brute force attack. Therefore NETGEAR recommends that customers manually turn off the WPS-PIN feature on their routers by following the simple steps posted below and on NETGEAR's support site. NETGEAR is one of the few networking vendors to have the capability to manually turn off WPS-PIN (WPS Push Button will still work), thus eliminating the possibility of the brute force attack mentioned in the article.

http://support.netgear.com/app/answers/detail/a_id/19824
To disable the Router PIN method:

    .
_____
WNDR3700v1 (v1.0.7.98NA) - Router uptime (d:h:m:s): 1155:02:31:46 - How To Check and Change Your Router's Firmware: http://forum1.netgear.com/showthread.php?t=63234
Message 35 of 36
Highlighted
Novice

Re: How do I disable WPS?

Thank you very much Devor Smiley Happy
Message 36 of 36
Discussion stats
  • 35 replies
  • 106518 views
  • 0 kudos
  • 15 in conversation
Announcements