
Re: Trying to disable WPS (bringing the topic to the top of lists again)

Sarevian
Aspirant

Trying to disable WPS (bringing the topic to the top of lists again)

So - I've had my R6300v2 for a day. I've fiddled with most settings and I'm happy that for most things it'll do what I need.

 

ALL EXCEPT WPS!

 

A week ago I ordered a D-Link which shocked me when I found the WPS couldn't be turned off AND the unalterable PIN was printed on the base. Sent it back. Very odd as I have a little DIR-615 which CAN turn WPS on/off and alter the PIN all from the web interface.

 

I looked at NetGear models, read through User Guides and went for the R6300. I definitely got the impression that you could turn WPS on or off.

 

I've tried a whole bunch of variations but WPS stays on regardless ... ON THE TWO MAIN SSIDs.

 

Quite interesting to note that WPS does not appear on the Guest SSIDs when activated. 

 

For a moment I thought I had the answer to my problem - use the Guests and disable the main ones.

 

Alas - as you are probably already thinking - turning the main SSID off disables that WiFi frequency entirely.

 

So, I'm left wondering WHY has this feature been omitted? And why is there no official response to at least one of the previous WPS threads on here? In fact, if you search, you'll find one respondent even says they were treated poorly by telephone support when they contacted them.

 

I refuse to believe that a feature available in older hardware is now impossible to implement. The underlying silicon almost certainly has been developed from older designs and they are unlikely to have removed any features.

 

So, come on NetGear - one (or more) of your bright developers needs to say, "You know, there are a lot of articles discussing the problems and insecurities of WPS, as a Google search of the last month shows. Perhaps we should give our customers the ability to turn it off if they want. No-one will moan if we give them more features."

 

Message 1 of 16

Accepted Solutions
doraemon
Prodigy

Re: Trying to disable WPS (bringing the topic to the top of lists again)

You don't have a checkbox to disable WPS in Advanced Wireless Settings? 

 

 

wps.png


Message 2 of 16

All Replies
Sarevian
Aspirant

Re: Trying to disable WPS (bringing the topic to the top of lists again)

Thanks for the reply.

 

I can see exactly the settings you have screenshotted.

 

Turning the first checkbox on or off does not disable WPS.

 

The others just adjust settings of the already enabled feature.

Message 3 of 16
Sarevian
Aspirant

Re: Trying to disable WPS (bringing the topic to the top of lists again)

[Replying to myself to "show" my imperfect solution.]

 

I think I saw this on another post so I don't claim originality.

 

Turning off SSID broadcast disables WPS. ..... (as far as I can tell)

 

I still have both 2.4GHz and 5GHz wireless active but (I guess) WPS doesn't work when there's no name (SSID) to start things off.

 

The two guest accounts/wireless still show up but WPS doesn't apply to them.

 

Pressing the WPS button causes the LED to flash very fast for a second or two.

 

Not ideal at all but it works after a fashion. 

 

I'd still like the NetGear developers to add a simple WPS enable/disable checkbox in a future firmware update.

 

Message 4 of 16
Kaluoma
Aspirant

Re: Trying to disable WPS (bringing the topic to the top of lists again)

I unchecked the "Enable SSID Broadcast" on 2.4GHz and 5GHz. Then clicked apply. I got a message that says...... "WPS requires SSID broadcasting in order to work. If you make this change, WPS will become inaccessible. Do you want to continue?" I think this is the answer. The only issue is now you will have to know what your network name is in order to connect. But it keeps the somewhat tech savvy kids that are grounded from the Internet from using the WPS button while you are at work. 😉
Message 5 of 16
Sarevian
Aspirant

Re: Trying to disable WPS (bringing the topic to the top of lists again)

Hi, thanks for your reply as it confirms what I wrote in message #4.

 

The problem I have with disabling the SSID broadcast to "enable" a security feature is that, from what I've read, it is not a very good way of doing things. Not all clients handle hidden SSIDs very well; for example, I have an old Nexus phone that can't seem to manage to re-connect when it needs to, while other devices are okay. Plus, if I've understood the technical stuff, a hidden SSID requires the client to broadcast more often to remain connected - and for a mobile device that's not ideal for battery life.

 

But, whether I'm right or wrong about the downside of hiding SSID broadcast, I'd still like to see a feature that was available on an older piece of equipment still be available. There are lots of places where WPS is not wanted - let's just be able to turn it off from the settings.

 

Message 6 of 16
netwrks
Master

Re: Trying to disable WPS (bringing the topic to the top of lists again)

You can't disable WPS in stock firmware, and you are right, hiding an SSID only creates issues for some devices.


@Sarevian wrote:

Hi, thanks for your reply as it confirms what I wrote in message #4.

 

The problem I have with disabling the SSID broadcast to "enable" a security feature is that, from what I've read, it is not a very good way of doing things. Not all clients handle hidden SSIDs very well; for example, I have an old Nexus phone that can't seem to manage to re-connect when it needs to, while other devices are okay. Plus, if I've understood the technical stuff, a hidden SSID requires the client to broadcast more often to remain connected - and for a mobile device that's not ideal for battery life.

 

But, whether I'm right or wrong about the downside of hiding SSID broadcast, I'd still like to see a feature that was available on an older piece of equipment still be available. There are lots of places where WPS is not wanted - let's just be able to turn it off from the settings.

 




Message 7 of 16
TheEther
Guru

Re: Trying to disable WPS (bringing the topic to the top of lists again)

Are you saying that WPS is still active even when Enable Router's PIN is unchecked?  This is what I have on my R7000.

WPS Settings

Message 8 of 16
Sarevian
Aspirant

Re: Trying to disable WPS (bringing the topic to the top of lists again)


@netwrks wrote:

You can't disable WPS in stock firmware, and you are right, hiding an SSID only creates issues for some devices.





Thanks for confirming that, was beginning to wonder if it was just me!

Message 9 of 16
Sarevian
Aspirant

Re: Trying to disable WPS (bringing the topic to the top of lists again)


@TheEther wrote:

Are you saying that WPS is still active even when Enable Router's PIN is unchecked?  This is what I have on my R7000.

WPS Settings


Thanks for your reply.

 

Indeed that's what happens for me.

 

Whether the tick box is checked or not seems to have no effect, WPS remains active and works very well ... if that's what is wanted!

 

In fact, it doesn't matter which setting is chosen in the R6300v2 (at least the one I've got) as it doesn't require a PIN number to set up the connection. Press WPS button, hit WPS setup and the mobile device (latest one I tried was a Galaxy Tab S) simply makes the connection.

 

If that's not happening for you then there's possibly some difference between the R6300 and R7000. But it is odd (unhelpful perhaps) that the setting screen seems to be identical when they may not actually be behaving the same.

 

Message 10 of 16
TheEther
Guru

Re: Trying to disable WPS (bringing the topic to the top of lists again)

TL;DR Disable the Router's WPS PIN.  Then all you have to worry about is physically securing the router.  WPS will only be enabled for 2 minutes after the WPS button is physically pushed. 

 

Ok, I did some research.  

 

There are two methods WPS can be used on many routers, including Nighthawks.

  1. By entering the router's WPS PIN from a client.
  2. By pushing either the physical button or the soft push button in ADVANCED > WPS Wizard

The WPS PIN in method #1 has been proven to be easy to hack.  Netgear provides additional protection against PIN hacking by automatically disabling #1 if it detects 3 failed connections by the PIN method.  It is also possible to disable #1 altogether as I have shown in my previous post by unchecking Enable Router's PIN.  

 

The method you demonstrated is #2.  You and @netwrks are correct that it cannot be disabled, except by disabling SSID broadcast. The soft push button can only be accessed by logging into the router, so that's relatively secure.  That leaves just the physical button on the router itself.  If you can physically secure the router against prying hands, then you should be safe.  WPS is not active when the PIN is disabled and is only active for 2 minutes after the push button is pressed.

 

If you are inclined, I suppose you could physically modify the router and remove/disable the push button.  Personally, I think that would be overkill. If someone can physically access the router, then it would be easier to connect to one of the Ethernet ports.

Message 11 of 16
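
Added example, not part of any post in this thread: one way to check, from a capture of your own router's beacon frames, what the replies above describe, namely whether an SSID advertises WPS at all, whether the PIN method reports itself locked, and whether a push-button session is currently open. It parses the WPS vendor-specific information element using attribute IDs from the Wi-Fi Simple Configuration specification; the sample frames are constructed, and how any particular Netgear firmware sets these attributes is not assumed.

```python
import struct

WPS_VENDOR_PREFIX = bytes.fromhex("0050f204")  # Microsoft OUI + type 4 marks a WPS element
AP_SETUP_LOCKED, SELECTED_REGISTRAR, DEVICE_PASSWORD_ID = 0x1057, 0x1041, 0x1012
PUSHBUTTON_ID = 0x0004  # Device Password ID value used for push-button sessions

def parse_wps_attrs(data: bytes) -> dict:
    """Decode WPS attributes: 2-byte type, 2-byte length, value (big-endian)."""
    attrs, i = {}, 0
    while i + 4 <= len(data):
        atype, alen = struct.unpack_from(">HH", data, i)
        if i + 4 + alen > len(data):
            raise ValueError("truncated WPS attribute")
        attrs[atype] = data[i + 4:i + 4 + alen]
        i += 4 + alen
    return attrs

def wps_status(tagged_params: bytes) -> dict:
    """Walk 802.11 tag/length/value elements and summarise the WPS element, if any."""
    i = 0
    while i + 2 <= len(tagged_params):
        tag, length = tagged_params[i], tagged_params[i + 1]
        body = tagged_params[i + 2:i + 2 + length]
        if len(body) < length:
            raise ValueError("truncated information element")
        if tag == 221 and body[:4] == WPS_VENDOR_PREFIX:  # 221 = vendor specific
            a = parse_wps_attrs(body[4:])
            pw_id = int.from_bytes(a.get(DEVICE_PASSWORD_ID, b"\xff\xff"), "big")
            return {
                "advertised": True,
                "pin_locked": a.get(AP_SETUP_LOCKED) == b"\x01",
                "pbc_active": a.get(SELECTED_REGISTRAR) == b"\x01" and pw_id == PUSHBUTTON_ID,
            }
        i += 2 + length
    return {"advertised": False, "pin_locked": False, "pbc_active": False}

# Constructed sample data (not captured from any real router).
def _ie(tag: int, body: bytes) -> bytes:
    return bytes([tag, len(body)]) + body
def _attr(atype: int, value: bytes) -> bytes:
    return struct.pack(">HH", atype, len(value)) + value
SSID = _ie(0, b"home")
BASE = WPS_VENDOR_PREFIX + _attr(0x104A, b"\x10") + _attr(0x1044, b"\x02")  # version, state
IDLE = SSID + _ie(221, BASE)
LOCKED = SSID + _ie(221, BASE + _attr(AP_SETUP_LOCKED, b"\x01"))
PBC = SSID + _ie(221, BASE + _attr(SELECTED_REGISTRAR, b"\x01") + _attr(DEVICE_PASSWORD_ID, b"\x00\x04"))
GUEST = _ie(0, b"home-guest")  # no WPS element, as reported for the guest SSIDs
if __name__ == "__main__":
    for name, frame in [("idle", IDLE), ("locked", LOCKED), ("pbc", PBC), ("guest", GUEST)]: print(name, wps_status(frame))
```

The input is the tagged-parameters portion of a beacon or probe response, which a packet capture tool can export as raw bytes.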
Sarevian
Aspirant

Re: Trying to disable WPS (bringing the topic to the top of lists again)

Thanks again for your reply.


@TheEther wrote:

TL;DR Disable the Router's WPS PIN.  Then all you have to worry about is physically securing the router.  WPS will only be enabled for 2 minutes after the WPS button is physically pushed. 

 

Ok, I did some research.  

 

There are two methods WPS can be used on many routers, including Nighthawks.

  1. By entering the router's WPS PIN from a client.
  2. By pushing either the physical button or the soft push button in ADVANCED > WPS Wizard

The WPS PIN in method #1 has been proven to be easy to hack.  Netgear provides additional protection against PIN hacking by automatically disabling #1 if it detects 3 failed connections by the PIN method.  It is also possible to disable #1 altogether as I have shown in my previous post by unchecking Enable Router's PIN.  

 

The method you demonstrated is #2.  You and @netwrks are correct that it cannot be disabled, except by disabling SSID broadcast. The soft push button can only be accessed by logging into the router, so that's relatively secure.  That leaves just the physical button on the router itself.  If you can physically secure the router against prying hands, then you should be safe.  WPS is not active when the PIN is disabled and is only active for 2 minutes after the push button is pressed.

 

If you are inclined, I suppose you could physically modify the router and remove/disable the push button.  Personally, I think that would be overkill. If someone can physically access the router, then it would be easier to connect to one of the Ethernet ports.


 

"Then all you have to worry about is physically securing the router."

 

And that's my problem. This was for my daughter at uni. The guest feature looked great for enabling her to share the connection when and with whom she chose, and to share access to files on USB as she decided. But WPS makes setting up a connection very quick and - note my previous message - disabling the PIN actually makes no difference (at least on my R6300).

 

So, I guess it'll have to be the hidden SSID after all.

 

The lesser of two evils really.

 

One last thought - WPS really shouldn't be active permanently anyway. In most (domestic) setups, once you've used WPS to make the connections you need you don't need it again. Scans of my neighbourhood and other places I go show the majority of routers have WPS enabled. A simple Google search shows lots of articles about using an active WPS to gain access although it's also clear that some routers are more vulnerable than others. But it shouldn't be too surprising as you're removing the need for (an up-to) 63 character WPA password with a simple numerical PIN.

 

Enough from me, thanks for the replies. I'm going to mark this as solved and move on.

 

Next I need to find a place to moan about using biometrics for security. (In case it isn't obvious I'd better say I'm joking.)

 

Message 12 of 16
TheEther
Guru

Re: Trying to disable WPS (bringing the topic to the top of lists again)

Are you saying that the PIN still worked even though it was disabled in configuration?  I would consider that a bug.

 

If your daughter is in a dorm, she should be careful about setting up her own wireless network.  Many colleges have policies that prohibit that.  It's not too hard for them to zero in on the location of a router.

Message 13 of 16
Sarevian
Aspirant

Re: Trying to disable WPS (bringing the topic to the top of lists again)

Thanks again for the reply.

@TheEther wrote:

Are you saying that the PIN still worked even though it was disabled in configuration?  I would consider that a bug.

 

If your daughter is in a dorm, she should be careful about setting up her own wireless network.  Many colleges have policies that prohibit that.  It's not too hard for them to zero in on the location of a router.

 

Indeed. PIN/No PIN works wonderfully well (!). A bug - I think you're right.

 

Thanks too for the warning about uni policies. Did check.

 

 EXTRA EDIT :

With visiting this thread so often I'm now getting shown quite a few other forum discussions on a similar theme in the sidebar.

 

Some I saw before I started my post but I managed to miss this one before -

 

  https://community.netgear.com/t5/R6000-Series-AC-WiFi-Routers/Can-t-Disable-WPS-Settings/m-p/395058#...

 

Haven't had time to try these ideas out but worth a go some time.

 

Over and out.

 

Message 14 of 16
HitPoint
Aspirant

Re: Trying to disable WPS (bringing the topic to the top of lists again)

Why do you need WPS off completely when you have to physically hit the button anyway to allow access? The only way a bruteforce can get through your router is through the PIN, which when disabled removes any security threats through WPS... I think the only thing that might be an issue is if you have a guest/family member in your household that you're trying to prevent access and they're somehow getting to the WPS button, then I would understand your dilemma to a point, but still there are ways of preventing such acts with a few simple steps ---

 

1. Move the router to your room and hide it from plain sight

2. Ask your guest politely to leave the router alone

3. Stop being paranoid, no one is trying to hack your router (circumstantial).

 

WPS itself is a security feature to allow other means of supplying network access without SSID broadcast (most secure feature on the router). Netgear giving the option to disable WPS completely would only make security worse for you and your network. Not to mention WPS itself is built into the router without a circuit switch so that option is not possible in the first place unless it was added with newer models.

 

Again, if you want total physical control over security from within your network then you need to take the necessary steps I listed above. It's not Netgear's problem to fix your networking dilemma within your household, that's between you and your family/guests. Anyways, I hope you get through your issue and hopefully find eventual peace. I'm a network security nut myself and take pride in securing every hole and every vulnerability.

 

-Mike

Message 15 of 16
TheEther
Guru

Re: Trying to disable WPS (bringing the topic to the top of lists again)

@HitPoint

 

I am in agreement with you about physically securing your router, but you lost me with your assertion that WPS is the "most secure feature on the router". It has been well known since 2011 that the WPS PIN is fundamentally insecure. There are only 11,000 combinations for the PIN. (Source: Wikipedia). Moreover, devices that provide WPS must support PIN as a baseline requirement! I suppose we should be thankful that Netgear provided options to protect the PIN against bruteforce attacks as well as disable the PIN, but why not offer the option to disable it altogether?

 

The best way to secure Wi-Fi is to use WPA2 with a strong password. It should be long and it should include upper and lower case letters, numbers and special characters.  WPS was conceived to simplify the task of joining a Wi-Fi network. That's a noble idea, but unfortunately the design is broken.

Message 16 of 16