Re: New flaw in WPS, Everyone should disable WPS when not needed!!

Simon0
Novice

New flaw in WPS, Everyone should disable WPS when not needed!!

Just read that a new flaw in WPS allows someone to hijack your network in two hours. Under advanced, there is an 8 digit PIN and it is the weakness. Apparently Netgear enables it by default.

Simon
Message 1 of 20
sabretooth
Apprentice

Re: New flaw in WPS, Everyone should disable WPS when not needed!!

And.... Netgear allows you to disable the PIN also.
Message 2 of 20
jerry66
Tutor

Re: New flaw in WPS, Everyone should disable WPS when not needed!!

That's why I never use WPS
Message 3 of 20
Simon0
Novice

Re: New flaw in WPS, Everyone should disable WPS when not needed!!

The issue is that it is enabled by default. Even if you don't use it, it is most likely still making your router vulnerable. A new firmware update is called for which disables this feature by default for the masses. A feature such as depressing the button turns it on for half an hour at a time would probably be fine.
Message 4 of 20
jlewter
Guide

Re: New flaw in WPS, Everyone should disable WPS when not needed!!

It's a brute force attack mixed with poor design.
I would imagine that Netgear will re-roll the current firmware with a FIX for WPS (not changing it from on to off by default).

Netgear has received official notice of the flaw.

The same thing can be said for users who have passwords that are words found in the dictionary, common phrases, words used in l33tsp33k or the kinda crud ppl use in text msging.

2-3 hours to break WPS could be similar to what it would take for someone to break a dictionary. 20,000 "WORDS" to test with WPS, Common English words are less than half of that. Still...

It's a major flaw and if you didn't have WPS disabled you should disable it :P....
Message 5 of 20
jlewter
Guide

Re: New flaw in WPS, Everyone should disable WPS when not needed!!

Details Here

Looks like Netgear trumps the competition :P...


The Netgear device has lock down functionality implemented, but the lock down phases are not long enough to make an attack impractical. In this case an attack will on average succeed in less than a day


What surprises me is that I thought this "Lock Down" time would have been set up well before anyhow, so I think the industry needed a wakeup call to not have it in place.
The Upshot of Netgear having it in place (There's nothing to say it's in place on ALL NG products) is that they could change the cycle delay from what it is now to a higher number without ANY real change to the firmware at all... So NG could put out a 0day fix for this without any major issue (If, that delay does exist on ALL products)..
Message 6 of 20
jmizoguchi
Virtuoso

Re: New flaw in WPS, Everyone should disable WPS when not needed!!

Love those people who use family name as part of their encryption.. ! Lol
VPN Case Study

VPNCASESTUDY.COM

"Our Second To None VPN Related Setup Case Study"

"One Stop Solution To Your Netgear VPN Connectivity"

*Visit the site for Non-VPN related Doc & Links* [Windows & Mac user/support]





June Mizoguchi-
Message 7 of 20
mdmc
Aspirant

Re: New flaw in WPS, Everyone should disable WPS when not needed!!

So I think I disabled WPS as suggested by doing the following:

Advanced Wireless Settings
WPS Settings
Disable Router's PIN (checked this box, clicked apply)

Unfortunately doing so caused the following settings to become unchecked and now none of my wireless devices can connect.

Advanced Wireless Settings (2.4GHz b/g/n)
Enable Wireless Router Radio (This was checked, but became unchecked after disabling my router's PIN)

Advanced Wireless Settings (5GHz a/n)
Enable Wireless Router Radio (This was checked, but became unchecked after disabling my router's PIN)

I can check the boxes, and click apply, but after the router recycles, they remain unchecked...

Furthermore, since WPS is disabled, "Add WPS Client" function is greyed out (as expected) and the following settings are also greyed out with no way to re-enable them as far as I can see...

WPS Settings
Router's PIN: XXXXXXXX
Disable Router's PIN (box checked)
Keep Existing Wireless Settings (2.4GHz b/g/n) (box checked)
Keep Existing Wireless Settings (5GHz a/n) (box checked)

Anyone have any suggestions? I figure I'm missing the obvious, but can't see it. Ideally I would like to have my wireless back, but have WPS disabled, failing that I would prefer to reset everything back to the way they were.
Message 8 of 20
mdmc
Aspirant

Re: New flaw in WPS, Everyone should disable WPS when not needed!!

Fixed: Had to power cycle the router, everything is working fine. Radios are enabled, WPS is disabled.
Message 9 of 20
jmizoguchi
Virtuoso

Re: New flaw in WPS, Everyone should disable WPS when not needed!!

Most new models do a soft reboot when a setting is applied, but a physical on/off ensures the settings are in effect! :)
Message 10 of 20
BigHoss
Aspirant

Re: New flaw in WPS, Everyone should disable WPS when not needed!!

This article on Ars says that on some routers even when you turn off WPS through the GUI it does not actually disable the WPS functionality. They specifically mentioned Linksys routers were doing this. I wonder if other brands like Netgear behave the same way? Anyone have any insight on this?

http://arstechnica.com/business/news/2012/01/hands-on-hacking-wifi-protected-setup-with-reaver.ars
Message 11 of 20
jlewter
Guide

Re: New flaw in WPS, Everyone should disable WPS when not needed!!

You would need to test it to tell.

That Linksys router (I read the story when it was first posted) is an older one if I recall correctly. You can disable the pin on the 3700, so that SHOULD fully disable WPS. The unit he had allowed you to disable the WPS by using the button and that might or might not turn off the pin code.

This is a serious problem but we will need to give it another 2-3 weeks to see if action comes out. There's currently 3 tools that all run the "test" but you need a basic wardriving setup to bolt that tool on.

I am not a Linux user, but I might install a copy to usb tonight and try to hack my 3700 and 4000.
Message 12 of 20
Kilgry
Aspirant

Re: New flaw in WPS, Everyone should disable WPS when not needed!!

I have a WNDR3700v3 with latest (original release) firmware. I ran Reaver against the router with the WPS PIN enabled. Reaver connected to the router. Reaver correctly began running the brute force cracking and I was able to see each PIN number attempt it was using. I did not let Reaver finish its cracking but believe it would have been successful (it was only a matter of time).

Next, I disabled the WPS PIN in the firmware. Re-ran Reaver against the router. Reaver made its connection to the router but was unable to begin the cracking process. Reaver believed the router to be in its 5 minute WPS PIN locked mode and re-attempted every 5 minutes 15 seconds, however the router never came out of this mode. I let Reaver run for 15-20 minutes and it never showed an attempted PIN number against the router.

It appears to me that disabling WPS PIN for your WNDR3700v3 works as intended.

However, this might not be the case for all Netgear routers. This post shows another Netgear product owner (Netgear DGN2200) having a different outcome:
http://www.house4hack.co.za/?p=714
Message 13 of 20
jlewter
Guide

Re: New flaw in WPS, Everyone should disable WPS when not needed!!

deffo not for all NG owners, It'll depend on the firmwares...
Since the v3 is so different from v1/v2 then I doubt the firmware builds are the same ;(....

Not had time to check yet, Perhaps we should all file my.netgear.com reports regarding it?..
Message 14 of 20
Kilgry
Aspirant

Re: New flaw in WPS, Everyone should disable WPS when not needed!!

I would also like to set some of the record straight. I am seeing a lot of talk on the Internet with the mistaken understanding that a user MUST push the WPS button on the router to allow the WPS attack to take place. This is NOT the case.

WPS works under two separate methods: 1) WPS PIN 2) WPS button.

The current WPS hack that Reaver attempts is only against #1 WPS PIN.

Another misunderstanding is that Reaver does not crack your WPA/WPA2 passphrase. It only cracks your WPS PIN and uses that PIN correctly to obtain your WPA/WPA2 passphrase, which is just how the WPS PIN method works.

Finally, many router companies, Netgear included, made statements that 5 minute PIN lock outs would make you safe. They don't. Since your PIN can never change, Reaver just needs more time to guess your PIN than it would have without lockouts, but it will get it eventually since your router will come out of locked mode at some point (unless you have the WPS PIN disabled, as I mentioned earlier for the WNDR3700v3).
Message 15 of 20
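
The lockout argument in the post above, worked through as an added example that is not part of the original thread: an upper bound on how long a static WPS PIN holds out under a given lockout policy, and the lock length a vendor would need to reach a target. The 5 minute lock comes from the thread; the 3 failures per lock, the 1 second per guess and all names in the code are assumptions.

```python
import math
from dataclasses import dataclass

# Public WPS PIN design: 8 digits, the last one a checksum, and the router
# confirms the first 4 digits separately from the remaining 3.
SPLIT_SPACE = 10 ** 4 + 10 ** 3   # 11,000 candidates at most
UNSPLIT_SPACE = 10 ** 7           # comparison: PIN only ever checked as a whole


@dataclass(frozen=True)
class LockoutPolicy:
    """Hypothetical lockout settings; the values used below are assumptions."""
    failures_before_lock: int   # failed PINs tolerated before a lock (0 = PIN disabled)
    lock_seconds: float         # length of each lock
    seconds_per_guess: float    # duration of one PIN exchange


def worst_case_seconds(policy, space=SPLIT_SPACE):
    """Upper bound on the time to try every candidate PIN under a policy."""
    if policy.failures_before_lock <= 0:
        return math.inf         # PIN method off: no candidate is ever tested
    locks = (space - 1) // policy.failures_before_lock
    return space * policy.seconds_per_guess + locks * policy.lock_seconds


def lock_seconds_needed(target_seconds, failures_before_lock, seconds_per_guess,
                        space=SPLIT_SPACE):
    """Lock length that pushes the upper bound out to target_seconds."""
    locks = (space - 1) // failures_before_lock
    if locks == 0:
        return math.inf         # the policy never locks, so no length helps
    return max(0.0, (target_seconds - space * seconds_per_guess) / locks)


if __name__ == "__main__":
    day = 86400
    policies = {
        "no lockout": LockoutPolicy(SPLIT_SPACE, 0, 1.0),
        "5 min lock per 3 failures": LockoutPolicy(3, 300, 1.0),
        "PIN disabled": LockoutPolicy(0, 0, 1.0),
    }
    for name, p in policies.items():
        print(f"{name:28s} {worst_case_seconds(p) / day:10.2f} days")
    whole = worst_case_seconds(LockoutPolicy(UNSPLIT_SPACE, 0, 1.0), UNSPLIT_SPACE)
    print(f"{'unsplit PIN, no lockout':28s} {whole / day:10.2f} days")
```

Under these assumed values the 5 minute lock stretches the bound from about three hours to under two weeks, which is still finite for a PIN that never changes; only the disabled-PIN row is unbounded.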
Silent_Patriot
Aspirant

Re: New flaw in WPS, Everyone should disable WPS when not needed!!

Sure hope there's a firmware fix coming for this soon. This is a huge security hole that effectually nullifies WPA2 and needs to be patched ASAP!
Message 16 of 20
Renegade_Dragon
Aspirant

Re: New flaw in WPS, Everyone should disable WPS when not needed!!

Here is some updated information that was posted today on another site which I frequent.

The links are what makes the information most interesting.

+++++++++++++++++++++++++++++++++++++++++++++

WPS vulnerable to Brute-Force Attack
- https://www.us-cert..../TA12-006A.html
January 06, 2012 - "... Solution: Update Firmware: Check your access point vendor's support website for updated firmware that addresses this vulnerability. Further information -may- be available in the Vendor Information section of VU#723755* and in a Google spreadsheet called WPS Vulnerability Testing**.
Disable WPS: Depending on the access point, it may be possible to disable WPS. Note that some access points may -not- actually disable WPS when the web management interface indicates that WPS is disabled..."

* http://www.kb.cert.o.../723755#vendors

** https://docs.google....NSSHZEN3c#gid=0
Message 17 of 20
SEMIJim
Novice

Re: New flaw in WPS, Everyone should disable WPS when not needed!!

I'm wondering if Netgear is going to release patches for devices it no longer makes or considers EOL'd? I just a few months ago solved a networking problem I had by adding a WHNDE111 as a wireless bridge to my network. But it has no setting for turning off WPS. (Why the WHNDE111? Because Netgear currently makes nothing quite like it, and it was exactly what I needed.)

Last time I tried to update that device, it nearly bricked itself. (See: http://forum1.netgear.com/showthread.php?p=367373#post367373 ).

I don't know... I'm beginning to think that going forward I'll stick to only hardware upon which I can run OpenWRT. At least I'll be able to get support and updates for the firmware.

Jim
Message 18 of 20
jmizoguchi
Virtuoso

Re: New flaw in WPS, Everyone should disable WPS when not needed!!

EOL (discontinued) products will not get any more updates on firmware.
Message 19 of 20
jlewter
Guide

Re: New flaw in WPS, Everyone should disable WPS when not needed!!

European Law would dictate otherwise.

I am sure all 11n products will get updated.
Message 20 of 20