NETGEAR is aware of a growing number of phone and online scams. To learn how to stay safe click here.

Forum Discussion

GWild's avatar
GWild
Guide
Jan 28, 2021

WPS is ON all the time, and can't be disabled

Orbi RBS20/CBR40 System   WiFi Monitor is showing the network as WPS enabled: so it seems it is susceptible to the WPS hacks out there. There is also no visible way to disable WPS within the Orbi L...
CrimpOn's avatar
CrimpOn
Guru
Jan 28, 2021
GWild wrote:

WiFi Monitor is showing the network as WPS enabled: so it seems it is susceptible to the WPS hacks out there. There is also no visible way to disable WPS within the Orbi Login controls.

The Wikipedia article on WPS gives the impession that WPS is a mandatory WiFi feature.

https://en.wikipedia.org/wiki/Wi-Fi_Protected_Setup 

The WPS "button" method has proved useful for connecting a number of devices.

 

When I look at Orbi parameters, there are several that have "wps", including:

wps_lock_down=0

WPS_type=0

wps_pin_attack_check=1

 

I guess a person could telnet into the Orbi and set wps_lock_down to some other value ("1"?)

 

I would also guess that turning on Access Control and checking "Do not allow new devices to connect" might block WPS connections.

If it will block devices that present the correct WiFi SSID/password, it would seem reasonable to block new devices which use WPS.

That should be easy to verify.

 

  • CrimpOn's avatar
    CrimpOn
    Guru
    Jan 28, 2021

    I am exploring how much effort it will be to hack the Orbi WPS PIN. While looking for hacking tools, I ran across this comment on the Cyber Weapons Lab web site: (emphasis mine)

    https://null-byte.wonderhowto.com/how-to/hack-wi-fi-breaking-wps-pin-get-password-with-bully-0158819/ 

     

    "It's important to note, though, that new APs no longer have this vulnerability. This attack will only work on APs sold during that window of 2006 and early 2012. Since many families keep their APs for many years, there are still many of these vulnerable ones around."

     

    Orbi came on the market in 2016. The WPS PIN method is not mentioned in the Orbi User Manual, and a WPS PIN is not printed on the product label or (as far as I can tell) shown on the Orbi web interface or through telnet.

     

     

    • FURRYe38's avatar
      FURRYe38
      Guru
      Jan 28, 2021

      I might presume that NG may employ some form of there own WPS handling and syncing that is proprietary on Orbi or NGs MESH systems which only is behind the scenes and is apart of there core non GPL code. Something that can't be access or changed by access from telnet. 

      • GWild's avatar
        GWild
        Guide
        Jan 28, 2021

        By looking at all of the channels in use by the Orbi, there are several back channels without SSID open, I'm going to guess that the WPS is used to create and open those back channels.  The only option to create a new PIN is to use the Backhaul "Generate New Password" ... This new PIN is then stored for when the router/slave reboot or power cycle.

         

        Bottom line, there is a PIN to hack, and it looks like it is an inherent system capability/vulnerability that can't be disabled.

         

        Backhaul Password
        Orbi can generate a new hidden password to improve security for its backhaul connection.
        WARNING: Generating a new password might cause the Orbi satellite to lose connection from the Orbi router. To reconnect, use the SYNC button