
WPS is ON all the time, and can't be disabled

GWild
Guide


Orbi RBS20/CBR40 System

 

WiFi Monitor is showing the network as WPS enabled: so it seems it is susceptible to the WPS hacks out there. There is also no visible way to disable WPS within the Orbi Login controls.

 

Has anyone figured this out?

 

ps: the article people refer to in other threads says all three methods are used, so please don't contradict Netgear by saying PIN mode isn't used. Sure, we can't enter or change the PIN, but the router seems to have the code to support it running 24/7 (the router will respond to a PIN request my WiFi tool is probing). And it's the WPS protocol that is hackable, not by the brute force method which Netgear says they defend against.

 

Ideas?

Model: CBR40|Orbi AC2200 Tri-band WiFi Cable Modem Router
Message 1 of 13
John_Ba
Luminary

Re: WPS is ON all the time, and can't be disabled

I think this is the way the units link and there doesn't appear to be a WPS code to use/hack
Message 2 of 13
FURRYe38
Guru

Re: WPS is ON all the time, and can't be disabled

Please visit and post about this over in the Orbi with Cable modem forum:

https://community.netgear.com/t5/Orbi-with-Built-in-Cable-Modem/bd-p/en-home-orbi-cable

 

Thank you. 


@GWild wrote:

Orbi RBS20/CBR40 System

 

WiFi Monitor is showing the network as WPS enabled: so it seems it is susceptible to the WPS hacks out there. There is also no visible way to disable WPS within the Orbi Login controls.

 

Has anyone figured this out?

 

ps: the article people refer to in other threads says all three methods are used, so please don't contradict Netgear by saying PIN mode isn't used. Sure, we can't enter or change the PIN, but the router seems to have the code to support it running 24/7 (the router will respond to a PIN request my WiFi tool is probing). And it's the WPS protocol that is hackable, not by the brute force method which Netgear says they defend against.

 

Ideas?


 

Message 3 of 13
CrimpOn
Guru

Re: WPS is ON all the time, and can't be disabled


@GWild wrote:

WiFi Monitor is showing the network as WPS enabled: so it seems it is susceptible to the WPS hacks out there. There is also no visible way to disable WPS within the Orbi Login controls.


The Wikipedia article on WPS gives the impression that WPS is a mandatory WiFi feature.

https://en.wikipedia.org/wiki/Wi-Fi_Protected_Setup 

The WPS "button" method has proved useful for connecting a number of devices.

 

When I look at Orbi parameters, there are several that have "wps", including:

wps_lock_down=0

WPS_type=0

wps_pin_attack_check=1

 

I guess a person could telnet into the Orbi and set wps_lock_down to some other value ("1"?)

 

I would also guess that turning on Access Control and checking "Do not allow new devices to connect" might block WPS connections.

If it will block devices that present the correct WiFi SSID/password, it would seem reasonable to block new devices which use WPS.

That should be easy to verify.

 

Message 4 of 13
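Added example, not part of any post in this thread: a way to read what an access point actually advertises about WPS over the air (the same information a tool such as WiFi Monitor displays), by parsing the WPS information element in a beacon or probe response. It assumes the tagged parameters have already been extracted from the frame; the sample bytes are constructed, and whether the Orbi's `wps_lock_down` parameter drives the AP Setup Locked attribute is not established by the thread.

```python
import struct

WPS_OUI_TYPE = bytes.fromhex("0050f204")  # vendor IE: Microsoft OUI, type 4 = WPS
STATE, AP_SETUP_LOCKED, CONFIG_METHODS = 0x1044, 0x1057, 0x1008
METHOD_BITS = {0x0004: "label", 0x0008: "display",
               0x0080: "push_button", 0x0100: "keypad"}

def find_wps_ie(tagged):
    """Walk 802.11 tagged parameters (id, len, body); return WPS IE payload or None."""
    i = 0
    while i + 2 <= len(tagged):
        tag, length = tagged[i], tagged[i + 1]
        body = tagged[i + 2:i + 2 + length]
        if len(body) < length:
            return None  # truncated frame: stop rather than misparse
        if tag == 221 and body[:4] == WPS_OUI_TYPE:
            return body[4:]
        i += 2 + length
    return None

def parse_attrs(ie):
    """WPS attributes are TLVs with 2-byte big-endian type and length fields."""
    attrs, i = {}, 0
    while i + 4 <= len(ie):
        atype, alen = struct.unpack_from(">HH", ie, i)
        value = ie[i + 4:i + 4 + alen]
        if len(value) < alen:
            break  # truncated attribute
        attrs[atype] = value
        i += 4 + alen
    return attrs

def summarize(tagged):
    """Report the WPS state an AP advertises; absent attributes read as off/empty."""
    ie = find_wps_ie(tagged)
    if ie is None:
        return {"wps_advertised": False}
    a = parse_attrs(ie)
    methods = int.from_bytes(a.get(CONFIG_METHODS, b""), "big")
    return {
        "wps_advertised": True,
        "configured": a.get(STATE, b"\x00")[:1] == b"\x02",
        "ap_setup_locked": a.get(AP_SETUP_LOCKED, b"\x00")[:1] == b"\x01",
        "config_methods": sorted(n for bit, n in METHOD_BITS.items() if methods & bit),
    }

# Constructed sample (not from a real device): SSID "home" plus a WPS IE with
# version 0x10, state configured, AP setup locked, config methods 0x0084.
SAMPLE = bytes.fromhex("0004686f6d65" "dd19" "0050f204" "104a000110"
                       "1044000102" "1057000101" "100800020084")
```

An AP that advertises the WPS element with AP Setup Locked set is signalling that it currently refuses external-registrar PIN exchanges, which is the state to look for when auditing your own network.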
CrimpOn
Guru

Re: WPS is ON all the time, and can't be disabled

I am exploring how much effort it will be to hack the Orbi WPS PIN. While looking for hacking tools, I ran across this comment on the Cyber Weapons Lab web site: (emphasis mine)

https://null-byte.wonderhowto.com/how-to/hack-wi-fi-breaking-wps-pin-get-password-with-bully-0158819... 

 

"It's important to note, though, that new APs no longer have this vulnerability. This attack will only work on APs sold during that window of 2006 and early 2012. Since many families keep their APs for many years, there are still many of these vulnerable ones around."

 

Orbi came on the market in 2016. The WPS PIN method is not mentioned in the Orbi User Manual, and a WPS PIN is not printed on the product label or (as far as I can tell) shown on the Orbi web interface or through telnet.

 

 

Message 5 of 13
FURRYe38
Guru

Re: WPS is ON all the time, and can't be disabled

I might presume that NG may employ some form of their own WPS handling and syncing that is proprietary on Orbi or NG's MESH systems which only is behind the scenes and is a part of their core non GPL code. Something that can't be accessed or changed by access from telnet.

Message 6 of 13
GWild
Guide

Re: WPS is ON all the time, and can't be disabled

By looking at all of the channels in use by the Orbi, there are several back channels without SSID open, I'm going to guess that the WPS is used to create and open those back channels.  The only option to create a new PIN is to use the Backhaul "Generate New Password" ... This new PIN is then stored for when the router/slave reboot or power cycle.

 

Bottom line, there is a PIN to hack, and it looks like it is an inherent system capability/vulnerability that can't be disabled.

 

Backhaul Password
Orbi can generate a new hidden password to improve security for its backhaul connection.
WARNING: Generating a new password might cause the Orbi satellite to lose connection from the Orbi router. To reconnect, use the SYNC button
Model: CBR40|Orbi AC2200 Tri-band WiFi Cable Modem Router
Message 7 of 13
FURRYe38
Guru

Re: WPS is ON all the time, and can't be disabled

Again, I might presume that NG may employ some form of their own WPS handling and syncing that is proprietary on Orbi or NG's MESH systems which only is behind the scenes and is a part of their core non GPL code.

 

If you feel that this is an issue, please contact NG support and advise them of your concerns. There would be nothing we can do here in the forums to effect a change.

 

 

Message 8 of 13
GWild
Guide

Re: WPS is ON all the time, and can't be disabled

Netgear won't discuss this with me because I am outside their 90 day customer service window. 

 

But folks - customers - should understand that this vulnerability still exists in Orbi routers... and it isn't anything proprietary: because my tools report it as standard WPS (conforming to standards) ... lol. 

Message 9 of 13
FURRYe38
Guru

Re: WPS is ON all the time, and can't be disabled

Well you can surely post about this here then:

https://community.netgear.com/t5/Idea-Exchange-For-Home/idb-p/idea-exchange-for-home

 

Also make contact with a forum moderator as well.

Again, nothing we can do here in the forums.

 

Good Luck. 

Message 10 of 13
CrimpOn
Guru

Re: WPS is ON all the time, and can't be disabled

I installed the "reaver" WPS hack tool for Linux. After several attempts, all it manages to say is, "detected AP rate limiting. Waiting 60 seconds before re-checking." One attempt said that it was trying PIN 12345670, but nothing after that. Not encouraging that the tool designed to discover WPS PIN in a minimum of 11,000 attempts has failed miserably.

 

Of course, I will keep plugging away trying to hack the Orbi WPS PIN, but I have this feeling that the comment from 2014 is correct that "Modern WiFi access points are not vulnerable to PIN attack."

 

That leaves the physical WPS button, which I do not see as that much of a vulnerability.  If someone can physically touch my Orbi to press the WPS button, they can do so much more.

Message 11 of 13
GWild
Guide

Re: WPS is ON all the time, and can't be disabled

@CrimpOn Interesting results, but not surprising. The fact you can attack the PIN is evidence Netgear's post is not fully representative of the facts. The Orbis do have WPS Pin-mode enabled and it is pretty much the standard implementation. Since they've applied the "try too many times we will stop responding" fix - your tests confirm that it works - it's probably not worth bothering with. The "listen for handshake attack" that detects the PIN being used is probably the worst case: but since that is only used the first time the slave connects after reboots, the chance of someone listening long enough is probably quite small.

 

After more playing, I found that the "no new connections" security feature also seems broken. When I set Access Control ON, devices that come and go (e.g., TV and phones) fail to gain access if they were off when I changed the setting -- yet they appear in the prior devices list and are in my device reservation list. But this is a subject for another post ... lol.

 
Message 12 of 13
CrimpOn
Guru

Re: WPS is ON all the time, and can't be disabled

After several more attempts, I am getting nowhere with hacking WPS on the Orbi.

I have yet to get a single attempt to get past "Trying PIN 12345670". All the examples of Reaver on the web describe various messages, getting NACK responses, and then trying another PIN.  Mine never get a response at all, much less make another attempt.

 

A couple of the hacker web sites make the same comment that WPS PIN hacks work only on WiFi routers built between 2006 and 2014.

("But a lot of people keep electronics for 10 years or more, so...")

 

While "push button" WPS is definitely an Orbi feature, I am beginning to doubt that PIN WPS is.

Message 13 of 13