Attack Tool Released For WPS Setup Flaw

Trailrunner7 writes "Just a day after security researcher Stefan Viehbock released details of a vulnerability in the WiFi Protected Setup (WPS) standard that enables attackers to recover the router PIN, a security firm has published an open-source tool capable of exploiting the vulnerability. The tool, known as Reaver, has the ability to find the WPS PIN on a given router and then recover the WPA passphrase for the router, as well. Tactical Network Solutions has released the tool as an open-source project on Google Code, but also is selling a more advanced commercial version."

WTF is WPS?

Oh, I see. It's a tool for retards.

Seriously, if you can't admin your router and at least setup a WPA2 protected network without resorting to some sort of giant "easy button", then you have absolutely no right to complain when someone breaks into your network and does whatever it is script kiddies do these days.

This dumbing down of consumer electronics needs to stop. Dilbert said something to the effect of "If you idiot proof something, someone invents a better idiot" (Scott Adams may not have come up with that quote, but that's where I first read it). Therefore, by trying to produce equipment that targets the stupidest of the stupid, we're only dooming everyone to greater depths of stupidity.

It will not end until we literally take a stand against stupidity- draw a line in the sand, and say "If you can't comprehend this stuff, you don't deserve to use it". This "black box" user thing has gone too far. Especially when I read about retarded things like WPS that serve no useful purpose then to let idiots use gear that they would not normally be able to- either because the manufacture fucked up the design and turned it into some obfuscated piece of crap, or because the user simply has no desire to understand things that must surely seem magical to them.

-AC

Re:WTF is WPS?

[errandum]

The problem is not the need for the giant button, it's that it is on by default in some routers.

I own a D-Link and I did set up everything by hand, but since I didn't want to use this, I simply didn't touch the option - assuming that, by default, this would be off.

I was wrong, and corrected that, but I wonder how many of those people that use the setup wizard know enough to even get to the advanced features, much less turning this off because it is a security risk.

Re:WTF is WPS?

[gnasher719]

Oh, I see. It's a tool for retards.

A quote from Billy Joel, after being ripped off by his manager (and I think he is one of few people who successfully sued their lawyer): "I know many excellent businessmen who can't sing."

Just because you find it entertaining to know who to admin a router and set up a protected network, most people have a lot better things to do in their lives. Someone who wants a giant "easy button" isn't a retard, but someone who has better things to do in their life.

And guess what, it isn't the people you call "retards" who messed it up. It's the real retards who designed a system where an eight digit PIN number can be cracked in at most 11,000 tries.

Re:WTF is WPS?

[Ihmhi]

I've been seeing stuff like this happen more often to me. I use Windows XP at home but I've been using 7 at a friend's house for the last week or so. There's a lot of stuff that's sorta helpful to newbie uses (UAC, for instance) but a waste of time for experienced people.

Hell, even XP has it. I've had to memorize things like sc stop wuauserv just so it will shut the hell up about restarting every 15 minutes.

Re:WTF is WPS?

[Penguinshit]

That is the crux of the problem: The solution was (pathetically) poorly implemented.

Re:WTF is WPS?

[jamesh]

It will not end until we literally take a stand against stupidity- draw a line in the sand, and say "If you can't comprehend this stuff, you don't deserve to use it"

I see this attitude more and more. I wonder if people had to put up with the same elitist bullshit after the car become affordable to masses... or even the printed book. You might know how to use a computer but I wonder if you'd know how a transistor works and how to build one, or what an IRQL is, or a DPC. And even if you do, there will be someone else that knows more than you who will look down their nose at you and tell you you have no right to use a computer without understanding how it works.

WPS isn't that bad an idea really... it just turns out it has a bug, and unfortunately that bug is going to be unfixable in a lot of cases (end-of-life model AP with no firmware update available)... hopefully those AP's at least have a way to turn it off. If you are pointing the finger of blame at anyone, point it at the people who implemented it - they're the ones who screwed up.

If i'm feeding the trolls... i might as well give them a good meal.

Re:WTF is WPS?

[neokushan]

The reason such a thing exists is because the good ol' secure password was too complicated for average-joe users to deal with. The precursor to this is Wireless routers that don't actually have a password set. To this day, you can still find unsecured wireless routers nearby and we all know what that leads to. The "easy" solution was put there so that routers could have security set by default, yet not confuse average-joe to the point where he just disabled it because it was the easiest thing to do.

And believe me, I worked for an ISP up until a few months ago - our Router/Modems (or Hubs, as they called them) now come with wireless security enabled. The default password (unique per hub) is written on the side of the device - and people still get confused and don't know what to do to connect their wireless.

Unfortunately, the implementation of the "easy" solution is the issue, not the solution itself. I mean, what's the point in having a secure PIN if you tell the user when they got the first half of it right? Especially if you don't prevent people from attempting thousands of connections.

Re:WTF is WPS?

[h00manist]

much less turning this off because it is a security risk.

...but it's a security *feature*! See it's called "wifi protected setup". No way I'm disabling that, and then what, my wifi setup won't be protected? Are you kidding me? These hacker guys are trying to fool you into turning it off!

Re:WTF is WPS?

[neokushan]

It's on by default because it's there for the average user to easily connect their equipment. If it was off by default, it would require connecting (either via password or cable) and enabling it manually via the setup page - and by that point, you'd just connect the usual way.
In a similar vein, it'd be like UAC being disabled by default - average user won't turn it on, even if it does help them.

Re:WTF is WPS?

[Lumpy]

And there are off brand routers and AP's that dont have a function to turn it off.

Unless that is what the "more happy fun" setting is. the Engrish in some of these products is getting silly.

Re:WTF is WPS?

I wonder if people had to put up with the same elitist bullshit after the car become affordable to masses

Not that I agree with GP point-of-view, but you usually (in most country) need a driving licence in order to be allowed to drive a car. Your car analogy would be correct if there was an equivalent "computer licence".

Agreed, even with the driving licence system, there are too many dangerous drivers ...

Re:WTF is WPS?

[MrNthDegree]

Erm, 8 digit PIN is fine. Routers can limit PIN guesses y'know...

Re:WTF is WPS?

[Nertskull]

I don't totally buy that. I do to a small degree. But its kind of like saying we should give people cars without making them learn how to drive.

We live in a day and age where everyone wants the quick fix, and the easy solution. But to use a tool properly, you need to understand some things about that tool. And when you try to make it overly simple, bad things (as we are seeing here) can happen.

I'm not by any means saying people need a perfect understanding of wifi or networks or security. But I don't think its unfair to require people to do a little bit of reading of a manual to set something up. Having "better things to do in life" is not an excuse for getting out of everything we find complicated. Its narcissistic to think that the ONLY things that are worthwile are the things ONLY oneself is interested in.

Sometimes we have better things to do, absolutely. But sometimes life requires we dig into projects we find boring to get things done correctly.

Simply setup for networks? Absolutely. But at the cost of security for the benefit of ease? Not what I would call ideal.

Re:WTF is WPS?

[ACE209]

Luckily the European Union likes car analogies too ;)
http://en.wikipedia.org/wiki/European_Computer_Driving_Licence

Re:WTF is WPS?

[kbolino]

I've been using and administering Windows since the 3.0 days, and not only do I leave UAC on, but I turn it up to the highest level (7 has variable levels, where the highest level corresponds to the only one available on Vista). I agree it can be a nuisance, and 95% of the time I just click through it (knowing what I did beforehand to trigger it). But every once in a while, it pops up when I know it shouldn't, and that tells me right away that something is doing something it's not supposed to be doing. Not only that, but I can decline to allow it to continue, which to me is UAC's most useful property: the ability to say no. Then it's much easier to locate the problem and remove it. I practice safe browsing and safe e-mail reading as much as possible, and I have a router with a drop-all-unknown-packets (ghost? stealth?) firewall, but I know that I'm not perfect--and neither are the other people who use the computers. YMMV but I've found it to be one of the best improvements over Windows XP.

Re:WTF is WPS?

[gnasher719]

Erm, 8 digit PIN is fine. Routers can limit PIN guesses y'know...

You didn't read the article, did you? The routers tell you that the pin is wrong after four digits. So you need 10,000 tries at most to get the first four digits. The last digit is a checksum, so you need at most another 1000 tries to get the complete number.

Of all the routers tested, only _one_ model limited PIN guesses (you can't turn PIN guesses off obviously because that would just enable a DOS attack) to about one guess every 20 seconds, which means it is cracked within a few days.

Re:WTF is WPS?

[kbolino]

Dammit, meant to reply to post above.

Re:WTF is WPS?

UAC isn't useless. It's like having to sudo before doing something. A regular user will just always hit yes. An experienced user will know that this should be happening or not.

Re:WTF is WPS?

Pretty sure most manuals would only list "WPS is a secure way and simple way to securely add new wireless devices to your wireless network".... and maybe "this can be disabled"...

But I highly doubt they mention any sort of possible security risks etc etc, so how is reading the manual really going to help?

Going with the car example above, did you read your whole owners manual? Do you know the service schedule?
If you say yes, you're either flat out lying or one of the extremely rare people who really does.know what services/inspections should be done when (and not just oil change, filter change, tire rotation, etc but checking brake fluid, condition of trans fluid and when to change/flush, etc).

And chances are you're the type who take the easy way and hit up a garage or the dealership to get those services done instead of doing it yourself.

Point is, just because you know about IT stuff and read up on articles like these doesn't mean everyone else does, and using a helpful feature/option that saves time isn't inherently bad, just like having a shop change the fluid in your car or repair a mechanical issue rather than purchasing a factory service manual or another repair manual and doing the work yourself so you make sure every bolt is torque exactly to spec or that the oil drain plug wasn't put back in or loose, etc.

Re:WTF is WPS?

[geekmux]

It will not end until we literally take a stand against stupidity- draw a line in the sand, and say "If you can't comprehend this stuff, you don't deserve to use it".

-AC

No, actually it won't stop until people are running around with small computers comprised of nothing but a touch-screen, no keyboard, no mouse, and one large button that starts....er, oh wait...nevermind.

Re:WTF is WPS?

[thegarbz]

HA you should have bought a Linksys. I turned on WPS, I typed in my router PIN and I even pushed the button and my devices are still unable to connect.

Secure by design?

Re:WTF is WPS?

[rrossman2]

Bad comparison... think about it.

The test for a drivers license just shows you can use the basics... no different than using the WPS button.

If you wanted something comparable that would apply with this article, it would be like requiring knowing how to change the spark plugs, change the oil, when to flush and fill the transmission fluid and how to do it (and change the transmission filter etc), *none* of which is required for a drivers license (at least not in any area I know of)

Using the turn signals, how to go, turn, read street signs etc would be the equivalent of the very basics of a router setup (including using the WPS button)

Re:WTF is WPS?

[indre1]

Well I checked the manual for Thomson TG784 and it seems that if I use WPA/WPA2, then WPS is enabled by default and can't be disabled.
Maybe from CLI, but that's absurd...

Re:WTF is WPS?

[Knuckles]

I wonder if people had to put up with the same elitist bullshit after the car become affordable to masses... or even the printed book.

But a line *was* drawn in the sand for the car - the driver's license. And in developed countries we try to give *everyone* the knowledge required to used a printed book.

Re:WTF is WPS?

[flimflammer]

Er, what? UAC a "waste of time for experienced people"? It's about useless for anyone but experienced people.

Or are you of the belief that applications should just automatically have admin privileges without user consent?

Re:WTF is WPS?

[thegarbz]

So I take it your drivers licence test explains exactly how to find and fix a problem in your car when the check engine light comes on? They explain the engine management systems too I guess?

My guess is you take your car to a mechanic to do anything more than change a tyre. But while we're on that topic, explain to me how a transistor works because you shouldn't be allowed to use any electronics until you can explain the pie model properly.

Re:WTF is WPS?

Oh, I see. It's a tool for retards.

I tell you what: you are either a retard or the usual social-impaired troll living in the dark of your parents' basement.

My router is setup with 2 different wireless VLANs, one for home and one for friends that come over and want to hook to the router with the phone to play around on the interwebs (or for any other reason for what matters). So, when I need it, instead of being there like a retard dictating a 256 random characters password I keep things very simple: WPS has to be activated through a frontal button on the router and allows connecting for 2 minutes. If someone else is outside my house waiting for days for me to push the button and connects instead of my friend I will notice immediately. Not a big deal, lot of convenience.

You see? Once you get of the basement, there are plenty of things that may suddently to start to make sense. I agree these are just small things yet very convenient.

Re:WTF is WPS?

[dbIII]

WPS isn't that bad an idea really... it just turns out it has a bug

It's not a bug. It's a bad design that somebody thought was a feature and it was purely intentional.

Re:WTF is WPS?

Yes, because clearly setting a WPA passphrase manually requires one to know how a transistor works.

Or maybe you're an idiot; that is also possible.

Re:WTF is WPS?

[dbIII]

To this day, you can still find unsecured wireless routers nearby

Not near me, but there are plenty of secured access points with names similar to "fOffUbastard".
As for passwords, something along the lines of the XKCD "correct horse battery staple" goes a long way - they laugh but they remember.

Re:WTF is WPS?

My old linksys wrt54gs required the running of a cd (while connected to the router over ethernet) to setup the router/wireless password, otherwise it just didn't function.

Re:WTF is WPS?

[lucidlyTwisted]

Not that I agree with GP point-of-view, but you usually (in most country) need a driving licence in order to be allowed to drive a car.

And guess what is not covered in getting a license? Checking the oil, changing a tyre, finding and replacing a blown fuse, changing a bulb, correctly inflating tyres or any number of other actions which could be considered "administration" of the car.
If there were an equivalent driving test to routers/Internet it would be thus:
Can you
1) plug the router in?
2) press the shiny button?
3) connect your PC to the router (cable or wireless)?
4) find the router's administration page (no actual use of page is required)?
5) get teh download codez?
Depressing.

I just checked my re-bradged Netgear router and WPS was on by default (it's now off). Why is it so hard to have these things off by default and a clear explanation of what they are? The "help" on the Netgear is useless. For WPS it tells me "An external registrar can only configure the Super Hub's wireless settings through WPS when the Super Hub's PIN is enabled. When it's disabled, users still can add a wireless client through WPS with either Push Button or PIN Number method." Eh? So if I disable the PIN I can still use the PIN? That makes no fucking sense. WTF is WPS? Oh, not going to tell me.
And the push button...what push button? There's no button on the router. Oh, wait, do they mean one of the buttons on the web page? Which one? Is it beyond their wit to tell me? Seems it is.
Then there is this gem "Keep Existing Wireless Settings - This option shows whether the Super Hub is in the WPS configured state." How does the explanation relate to the topic? The two seem totally unrelated. Which wireless setting? My own wireless? if I uncheck that will my wireless access be disabled?
The same repeats for WPA vs WEP - there is nothing about what these actually are and it contains stuff like this as an explanation: "Primary Radius Server IP Address - This field is required. Enter the IP address of the Radius Server on either WAN side or LAN side. "
Really? Wow. The "help" for the techno-babble contains yet more techno-babble with no further explanation. I have an understanding of what all the above means, but only because I have a passing interest in tech and not being cyber-raped by the script kiddies. Joe Average won't and the use of techno-babble will just freak them out on making changes, thus they are likely to leave everything at the insecure defaults.

I'm not asking for the above to be explained (my router is configured and works correctly), I am just pointing out that what precious little documentation is provided is utterly pathetic and totally useless. The little 12 page leaflet I got with the new washing machine contained lots of pertinent information on how it works, how to install it (which I did, the clear instructions made it really easy) and basic trouble shooting. If they can do it for a washing machine, they can do it for a router. There is no excuse.

Re:WTF is WPS?

[AJH16]

There is one thing I don't understand why they don't do. Why not store a hash of an executable and allow storage of the approval? If the same program, in an unaltered state wants to run again later, it should be allowed to without prompting. (If the user chose to approve it for future use.) Personally, I'm willing to use it even if I have to click every time, but this would be more convenient without noticeably impacting security. (Technically there are executable stuffing approaches that could match the hash, but that would seem to be tricky, particularly if rewriting the file became a protected operation itself.)

Re:WTF is WPS?

Given his comment about stopping the Windows Update service so it won't pester him to restart, and since the updater NEEDS to restart in order to fix things like security vulnerabilities that it can't while said code is still running hot...

Well, "All Signs Point To Yes".

Re:WTF is WPS?

[AJH16]

On the flip side, if the car could drive itself, would people need to know how to drive? Initially, yeah, they probably would in case things don't work right, but eventually it wouldn't really be necessary. I'm not saying that your point doesn't have validity either, but trying to point out that that line is constantly moving. The average consumer doesn't know how to hook up their TV either and buys $40 3 ft monster cable HDMI cables and thinks they got a good deal cause it was 20% off. At the end of the day, once a network is setup, it really shouldn't have to be touched. I'd say they should probably have an idea how to join a wireless network, but not necessarily the knowledge to understand the configuration options and setup a base station. I'd argue the ability to remember I was using that WPA thing with this password is probably sufficient. The rest can be magic that they have someone setup or some fancy wizard from the vendor helps configure.

Re:WTF is WPS?

[adonoman]

I use Windows XP at home

There's your first problem. The OS is nearly unsupported. If your computer isn't up for installing 7, then install some flavor of Linux.

...a waste of time for experienced people

UAC is more helpful for experienced users than otherwise. We're the ones who are going to look at the UAC prompt after opening a file, and think, "This shouldn't be running priviledged code!" and abort the operation.

WPS is the sort of thing that we need more of - simple to set up, and until now, quite secure. The path of least resistance needs to be secure. Like in Windows, where having a blank password prevents being able to access your computer remotely at all. Or systems where if you haven't explicitly configured a daemon to start, it doesn't (or at least doesn't allow remote access).

Re:WTF is WPS?

If you aren't a mechanic, it is your own fault when I cut your brake lines.

Re:WTF is WPS?

[null+etc.]

(you can't turn PIN guesses off obviously because that would just enable a DOS attack)

I'm not so sure that's true. The PIN is only used during the setup process. If someone DOS'd you out of pin guesses, you could always PUSH THE BIG SETUP BUTTON AGAIN ON YOUR ROUTER.

Re:WTF is WPS?

[BrokenHalo]

WPS is the sort of thing that we need more of - simple to set up, and until now, quite secure.

Hmmm. I heard of WPS for the first time not quite a week ago: I was given a Sony PRS-T1 ebook reader for Christmas, and the little leaflet that came with it said something about WPS, so I looked it up.

Having found out what it was (and ascertained that my WAP doesn't support it), I discarded the guide and just followed my nose in the usual way for a WiFi setup. I see no reason why we need WPS at all: if we are incapable of typing a password when our device already recognises the network and protocol, then we have no business being attached to the internet at all.

Re:WTF is WPS?

Thats like saying you deserve you car broken into because you didnt research which cars are the hardest to break into before buying. Being an internet elitist and spouting your alleged knowledge for e-peen doesnt change the law, or if not applicable where you live, what should be law. Nobody "deserves" it.

Re:WTF is WPS?

[digitalaudiorock]

I'll tell you one thing WPS is, apparently...an excuse for other hardware manufacturers to NOT supply an on-board means of entering a passphrase. The last all in one printer I bought (an HP-B209A) came with wireless, but no wired networking, and NO means to setup the wireless without WPS (which my router, thank God, doesn't have). The only way to set it up otherwise was to first install it as a USB printer solely to have a means of entering the wireless passphrase....can you imagine??

Re:WTF is WPS?

[SQLGuru]

The main reason you don't want auto-re-auth is that you don't want those pre-authorized programs to become attack vectors of any sort......annoying, but for your own safety.

And I take it one more level.....I have an Admin account and a Limited account (not the actual account names). I use the Limited account, so when UAC pops up, I can't just click "yes"....I have to actually type my Admin password. I've done the same with every other computer I've set up for friends and family.

Re:WTF is WPS?

[Grishnakh]

That's like my Cisco/Linksys E4200 that has a buggy Reserved DHCP implementation.

After buying an older E1000 router on Ebay and installing DD-WRT on it so I could set up a wireless bridge to one of my printers, I think the best course of action is to buy a DD-WRT-supported router and use that firmware instead (or openWRT or Tomato). The tricky part is finding a router that supports one of these alternative firmwares; even with the same model number, one of the revisions may not be supported as they'll completely change the hardware and wifi chip between revisions.

Re:WTF is WPS?

[Grishnakh]

Just because you find it entertaining to know who to admin a router and set up a protected network, most people have a lot better things to do in their lives. Someone who wants a giant "easy button" isn't a retard, but someone who has better things to do in their life.

I have better things to do with my life than to sit around in bumper-to-bumper traffic and deal with the annoyances of driving. However, since Personal Rapid Transit doesn't exist yet, and I can't afford a limo and chauffeur to relieve myself of the annoyance of having to do the driving myself, I put in the time to learn how to operate a piece of heavy machinery by myself.

If you want to do complex things, sometimes you have to learn some somewhat complex things to get to that point. There's nothing particularly hard about using a router's setup menu, typing in an SSID and a WPA2 passphrase, and then typing those same two pieces of information in on whatever device you're trying to connect to that router. If you can't handle that, you probably can't handle just starting up your PC.

Re:WTF is WPS?

I believe that the Wi-Fi Alliance requires that the option be enabled by default, in order to obtain the Wi-Fi certification logo. The desire when this program was instituted was to minimize the number of consumer APs that were installed without any security, at all. The security decision were made mostly by non-security folks, consistently rejecting stronger security procedures recommended by the participants that knew better.

Re:WTF is WPS?

[AmiMoJo]

You should check the descriptions next to those levels on the options window. It explains quite clearly that by default settings changes you initiate usually don't create a UAC prompt - there is no need as you clicking on it is authentication enough. When a program tries to make a change then you get the prompt, which seems to be what you and most other people want.

Note that it doesn't affect things like prompts when opening unapproved software and the like, just the really annoying and security wise pointless ones inside cryptographically signed system setting apps.

Re:WTF is WPS?

[Grishnakh]

Why is it so hard to have these things off by default and a clear explanation of what they are?

I'm no fan of WPS, but if it were off by default, then it'd be unusable. It only exists for morons who can't figure out how (or are too lazy) to log into their router's admin webpage and type in a passphrase. If someone figures out how to log into their router's admin webpage to turn WPS on, then there's little point bothering with the WPS any more because the passphrase part is right there.

Maybe they should put a physical switch on the backside of the router to turn it on. Of course, that'd add $0.30 in parts which would be an unacceptable hit on their bottom line.

And the push button...what push button? There's no button on the router.

Ok, that's weird. I thought all WPS implementations had a physical button on the router; the idea is that it's like modern garage door openers, where you press a button on main unit, then press the button on your remote control, to "sync them up". You sure there isn't a hidden button somewhere? The Linksys E1000 I just bought off Ebay has one that's molded flush with the case so it's a little hard to see (note: I upgraded this to DD-WRT and highly recommend this).

Re:WTF is WPS?

[AmiMoJo]

It is a security feature. If the app is not in a protected storage area (such as the Program Files directory) it is vulnerable to being modified by other apps. Hashing the executable won't help because chances are the first thing it does is open some DLLs and trusted data files, any of which could be modified too.

Re:WTF is WPS?

[AmiMoJo]

They could just have a hardware switch on the box and a flashing red light next to a sticker explaining that once your laptop is set up you should flip it. They could even have a warning sound like when you leave your car's lights on after removing the key. The fact that they don't make any real effort to even tell people about this important option (e.g. the way printers always come with huge warning stickers telling you to install the software before attaching the USB cable) is simply down to reducing support costs.

I don't know how many people are too dumb to understand simple instructions or ignore a bright flashing red light and siren by they must think they are significant enough in number to warrant having WPS on all the time by default. I happen to be in Japan at the moment and took a quick look at some routers today and most of them seemed to have a WPS button that enables it for 1 minute, but most of the ones sold in the UK/US don't bother. Japanese people are known for reading the manual I suppose.

Actually the ISPs are as much or even more to blame since most people's routers were free with their broadband connection. Many ISPs don't even off modems any more, only modem/routers with wifi.

Re:WTF is WPS?

[ColdWetDog]

Christ. This.

Can't somebody at Netgear find a native English speaker who can write clear, non technical documentation and maybe do it at least once? Or make it simple enough that you don't need documentation (the Apple Approach).

Happy fun ball, indeed!

Re:WTF is WPS?

[LordLimecat]

I agree!

Im also of the opinion that the 1040 EZ Tax form needs to be gotten rid of, and that companies like HR Block need to disappear. If youre too stupid to understand the intracacies of the tax system, why, you have no business making money in the US.

And I think going to a doctor is practically cheating. If you cant suture your own injuries, you really have no room to complain when you get an injury at all.

Life sure is good for those of us who are experts in every field.

Re:WTF is WPS?

[LordLimecat]

UAC is not useless at all. Without UAC, there are many types of installer that simply would not work on Windows 7 due to missing permissions; UAC allows those programs, instead of silently failing, to request permissions to do so.

And turning off UAC basically says "yes, please abandon the principle of least privilege!"

I have seen a number of computers running 7 that Ive seen get viruses, but the user did not have the admin password for the UAC prompt that appeared. This meant that the virus couldnt do jack, and was removed in about 3 minutes with a autorun cleanup tool like Autoruns. UAC is like the old runas, but far far more capable, compatible, and useful.

Re:WTF is WPS?

[AmiMoJo]

Of all the routers tested, only _one_ model limited PIN guesses (you can't turn PIN guesses off obviously because that would just enable a DOS attack) to about one guess every 20 seconds

Rate limiting won't prevent a DOS attack. The attacker can just set there sending a continuous stream of wrong PIN numbers and the millisecond the rate limiting timer expires it will be reset. Generally speaking there is little you can do to prevent DOS attacks on WiFi, e.g. by sending de-auth packets or just flooding a channel with noise, so it isn't worth worrying about unless the attack doesn't require the attacker to stick around (e.g. causing the router to lock up until power cycled).

Re:WTF is WPS?

[LordLimecat]

They do this with GPOs. You can set paths where prorgam execution is permitted / denied (denied on desktop and downloads, allowed in %programfiles%), and can even use hash-thumbprints to identify whitelisted apps.

Ive never used the thumbprint feature, but I have seen a sneaky virus use it.

Re:WTF is WPS?

[AmiMoJo]

It would be okay if there actually was an "easy button" that turned on WPS for say 1 minute. The problem is that many routers have it on all the time so you are free to sit around brute forcing it at your leisure, rather than having to wait for the victim to activate it and trying to guess it in under a minute.

Re:WTF is WPS?

[LordLimecat]

Sorry for double reply: to answer your question, imagine the situation where you are installing an Explorer extension which loads a DLL or some such. Explorer UAC prompt goes off, you authorize it. Later, you get a nasty virus that tries to alter the Explorer process, and then from that process initiate some file changes. The wrong thing to do would be for UAC to see explorer.exe, technically unmodified on disk, requesting changes and being pre-authorized. The right thing to do, as with sudo / su, is to require authorization for each change that requires administrative privileges.

Re:WTF is WPS?

[LordLimecat]

You have to give some credit to the cleverness of Cisco / Linksys. After the debacle of the WRT54G being the most wildly popular router ever and the basis for DD-WRT (which got tons of people buying those routers), they realized their mistakes of making a great router OS based on proven work. They vowed that NEVER AGAIN would a router be so popular that people would give two craps about the OS on it.

Hence the lowering of the RAM and flash on subsequent WRT54G generations. But it didnt work! People kept buying them, and using DD-WRT! This was unacceptable, and so they moved to a new OS written in India that NOONE could possibly love (as its interface didnt even work right in IE), and changed to the WRT54G2.

Since then, phenomenal progress has been made in curbing enthusiasm for Linksys products. There are still those who care about their products, but Cisco Indian engineers are working feverishly to tidy up even those loose ends.

Re:WTF is WPS?

[AJH16]

Not that that is a bad approach, but if something manages to compromise the integrity of the UAC screen to be able to click the approve button, couldn't it also then compromise the integrity of the password entry and log your password off of a legitimate authentication? It is still another hurdle to overcome, but I'm not sure that it is significantly more or a hurdle than managing to somehow interface with the accept button to bypass UAC.

Re:WTF is WPS?

[AJH16]

Sorry for two posts, but also, how would they become an attack vector. That's the point of having a hash. If you could compromise the system, then sure it would be a viable vector, but if you can do that, why not simply have your malware sit waiting for you to launch the app and when the app launches, exploit your legitimate authorization? It might delay the exploit, but wouldn't prevent it from eventually occurring. It just slows it down a little. Granted in a small number of cases, that might make a difference if virus defs were updated before you ran the affected program or had a chance to update the program. That said, you presumably wouldn't save authorization on apps you didn't use frequently.

Re:WTF is WPS?

[g0bshiTe]

This is why my router is an older computer with two nics using IPTABLES.

I have no WPS.

Re:WTF is WPS?

[g0bshiTe]

So you agree it's pointless then. If a regular user is trained to hit "YES" it doesn't matter what is executing, but a trained user will know if it should be happening or not. So then why have it, is it just a piece of tape marking off the edge of a roof, as in the minimum they should do to make them not liable.

Re:WTF is WPS?

[Khyber]

"most people have a lot better things to do in their lives."

Such as taking the 5 minutes it would require to learn how to set up WPA2 and get your computers connected and ensuring nobody else could (theoretically) get on your network and fuck with your property, identity, or worse?

Re:WTF is WPS?

[AJH16]

That's a fair point, though wouldn't that really still be a problem with UAC? If the application is a known good executable that can be compromised, by altering a library, then when someone legitimately uses it, it would still be compromised. If you are worried about automatic exploits that would compromise and then self launch, I suppose those would be a concern, though you could also probably check hash values from anything getting loaded in to a privileged state (program and dll atleast). It would still leave corrupt documents as an issue, but even those could theoretically have hashes stored and then updated on save. It does add some complexity to the system though.

Re:WTF is WPS?

[AJH16]

Hmm, I'll have to look in to that, I don't mind the risks of certain apps having attack vectors utilize them if I use them frequently anyway (since it could compromise and simply wait for me to launch anyway).

Re:WTF is WPS?

[AJH16]

It would have to check hashes on everything being loaded in to execution and maybe even memory, not just the original EXE. Sorry if I was overly simplistic in my original explanation. I can see how it might reduce security slightly, but I think the majority of what UAC is designed to do would still be preserved.

Re:WTF is WPS?

[Artea]

Try looking at it from the other side, this security "feature" is a massive time and money saver for wireless device manufacturers. I've worked in retail, and wireless/adsl devices have the highest return rate out of any product sold. Not becuase of faults with the products, but because they "don't work" when the users plugs it in and expects it to go. People don't want to follow instructions, or learn how to use it. Some use the toll-free help hotline provided by the manufacturer. Most retailers will refund to product rather than bother trying to set it up for the end user. By adding WPS users suddenly have a one button setup feature, manufacturers now have reduced the number returns AND the number of support calls they need to deal with. Regardless of the security of WPS, if it improves the bottom line; what do they care?

Re:WTF is WPS?

It's okay for some people to be stupid in an area that other aren't. What are ya? Stupid or something? Quit raging.

Re:WTF is WPS?

[adonoman]

So what would you do if you got your eReader, but didn't have a computer to establish a wired connection to your router?

WPS in theory gives a built-in password that you can use to boot-strap the process with only wireless devices.

This exploit in WPS isn't due to a conceptual defect, it's an implementation defect that made the built-in PINs pretty much useless. So assuming that router vendors add in some rate-limiting, a proper-length PIN, or lock-outs for incorrect guesses (with a physical button to clear the lockout), the concept can be more secure than the average WPA password. It's ridiculous to suggest that only computer-savvy people should be able to use WIFI, and it's no longer an option to have the routers default to open access points.

Re:WTF is WPS?

[AmiMoJo]

If the application is a known good executable that can be compromised, by altering a library, then when someone legitimately uses it, it would still be compromised.

Only if the library can be modified. The point is that programs installed in Program Files normally only use DLLs that are either in their own Program Files subfolder or the Windows directory, both of which are protected. Some stupid apps will load DLLs from other locations (usually plug-ins) but really they shouldn't do that.

Re:WTF is WPS?

It's probably country-dependent, but in order to get my driving licence I had to know a bit more than just start the engine, turn left, turn right and brake (or whatever you call "basic").

You first have to show that you know how to (sorry for the probably loosy translations I don't know the exact terms in English):

• check the oil level
• check the tyres (pressure and weariness, at some point they planned to add the "change it" step but it wouldtake too much time :-p )
• check and change the anti-icing liquid
• check the level of the cooling liquid
• check the level of brake liquid
• lights usage (driving lights, direction lights, stop lights, ...)
• How to maneuver (parallel parking, half-turn in a narrow street, ...)

Then you can go pass your "outdoor" driving exam.

YMMV but I call this more advanced than "basics", so my comparison holds AFAIC.

http://www.mobilit.fgov.be/data/route/pdcrbw/exBf.pdf

NB: I'm the GP AC, not the GGGP AC nor that AC , though I kinda agree with his first sentence.

Re:WTF is WPS?

[sglewis100]

So what would you do if you got your eReader, but didn't have a computer to establish a wired connection to your router?

WPS in theory gives a built-in password that you can use to boot-strap the process with only wireless devices.

This exploit in WPS isn't due to a conceptual defect, it's an implementation defect that made the built-in PINs pretty much useless. So assuming that router vendors add in some rate-limiting, a proper-length PIN, or lock-outs for incorrect guesses (with a physical button to clear the lockout), the concept can be more secure than the average WPA password. It's ridiculous to suggest that only computer-savvy people should be able to use WIFI, and it's no longer an option to have the routers default to open access points.

There are that many people with eReaders and WiFi routers but not computers? Not only that, every wireless router I ever had came with a default SSID and admin password, and could be configured wirelessly.

Re:WTF is WPS?

[AJH16]

Perhaps I misunderstood your original post then. You mentioned that a hash of the executable wouldn't help because it opens some dlls or trusted data files, but for those files to be an issue, they must be able to be modified without elevated privileges which would mean that you are compromised as soon as you legitimatly launch the app the next time. In fact, if you were to store hashes of the files, it would offer additional protection as such tampering would be detected and a prompt would be given. If you know an app is pre-authorized and it prompts for authorization without having been modified, then you know something else modified it and the executable may not be safe.

Re:WTF is WPS?

Well, all sorts of programs that shouldn't need access do need access, legitimate programs.

The options on the shortcuts/programs DO NOT WORK, so it continually pops up, training people to just click yes over months.

Then one day, some random thing asks for access and you click ok, and it's all over.

Re:WTF is WPS?

A novice user in the presence of experienced users will ask what they should do about a UAC question they don't understand, especially if it's not their computer and they know they're novices.

An experienced user who gets a UAC question when they weren't trying to do what UAC asked for permission for, will conclude that something funny is going on and act appropriately. In the "bad old days", it wouldn't have even asked, it would've just done whatever malicious administration the web page called for.

Re:WTF is WPS?

[BosstonesOwn]

And a larger electrical bill comes with that.

Be green man !

Re:WTF is WPS?

[LordLimecat]

what about command options passed to a cmd.exe shell?

What you consider to be a "minor reduction in security" would be the one and only hole exploiters would care about to bypass it.

Re:WTF is WPS?

[dave562]

This attitude is also very short sighted. An "idiot" to one person is a potential customer / client to someone else. We live in an age where there so much specialized knowledge out there, it is impossible for anyone to know it all. Therefore we can make money from helping each other.

A molecular biologist might not know anything about how an OS works, but they probably understand more about the body than the average computer geek. Does that mean that the geeks are not worthy of living because they do not understand their bodies? Of course not, but the premise is just as absurd.

I work on my mechanic's computer all the time. He works on my car. I could work on my car, and when I was growing up and couldn't afford a mechanic, I did. He could figure out the computer, but in reality he'd rather do other things with his free time. To extend the analogy, I could still work on my car but I do not have a shop full of tools, lifts, etc. He could work on his computer, but he does not have the library of software and knowledge that I have. We each focus on what we are good at, and pay each other to do what we are not as good at.. either out of convenience, or due to lack of expertise.

Re:WTF is WPS?

[AJH16]

Make the command line parameters used for calling part of the hash then, perhaps part of the salt of it. My argument is simply that if you can be reasonably certain that the activity being performed is the same (exactly) as an action done in the past that was permitted, then it is likely still permitted (if the user choose to say they wanted that action to be permitted in the future.) If any part of the process is different or has not been previously authorized for future privileged access then the prompt should go again. The only vulnerability I can think of would be if the hash itself was compromised with the same length file as the previous (which is theoretically doable for some hashes, but not easy).

Re:WTF is WPS?

[Beeftopia]

"From its very beginnings, the software industry has suffered from having too many engineers," says David Gelertner, a professor of computer science at Yale University. "There are too many people who love computers and too few who are impatient with them." -- The Economist, December 3rd 2011, Technology Quarter, p. 27.

The average person doesn't want to futz with details of hardware and software. They just want to use it. They seem like mouth breathers and morons to hobbyists and professionals, reminiscent of the person who gets a car and when asked when they last changed the oil, they respond with a blank stare and "Change the oil?"

BUT - they are the market. They help keep us in the manner to which we are accustomed. Jobs understood it. That's why Apple devices are so locked down. The average person wants the functionality of the device so he can relay details of his proctosigmoidoscopy to his closest 137 friends. He doesn't care about the details of how the device operates. He just wants to hold it behind him, take a picture ("Smile, doc"), and get that shot on the social media.

Even programmers are the same way. You want to minimize the details you don't care about so you can focus on the details you do care about. C++: I just want to know the methods of an object I need without having to learn the implementation details. So, it seems to me that the average person needs to be given devices which support his use patterns and desires without. That means secure devices out of the box, devices which can be plugged in and are ready to use. Devices that even the "uninterested" can turn on and use. Because there's a lot of them out there. And their money's legal tender. They're going to get involved one way or another. Best to do it in a way that doesn't allow them to become walking malware portals.

Re:WTF is WPS?

[Bengie]

You don't need to know exact implementations to understand the basics. If you're good at analytical thinking, you can understand about anything. The fun thing about computer is you can learn about almost anything for home use in a short amount of time or even asking in forums.

Re:WTF is WPS?

[AmiMoJo]

There are three problems with what you suggest.

1) How do you know which files you need to hash? Many apps have hundreds of even thousands of files in their program directories. Do you want to check the hash of every single one every time the app opens? That wouldn't protect you against an attacker simply waiting for the hash check to complete and the main executable to load and then modifying some of the DLL/data files, which again you would have to waste resources trying to detect and then potentially have to terminate the app with the loss of user data.

2) Even apps that are pre-authorised to load sometimes need to generate UAC prompts if they want to make certain changes, such as altering system settings or copying files into protected directories (for updates etc). You really don't want to pre-authorise an app to do what the hell it likes.

3) Even if you think you know what you are doing and it is safe you can't expect the average user to understand that kind of complex security issue. In fact you don't understand it yourself which is a pretty good indication of just why it is needed.

Re:WTF is WPS?

[epine]

They seem like mouth breathers and morons and daemon spawn from frisky young adults who couldn't master the intricacies of condom use

FFS, I don't agree with David Gelertner's infantilization wish.

Convenience: Would you do it for me? I'm busy getting my rocks off.

Re:WTF is WPS?

[AJH16]

I think maybe you aren't fully understanding what I am suggesting. I will attempt to clarify on a point by point basis.

1) You don't try to hash the files directly, you hash on entry in to memory. It would probably look something like this. When an app first launches and needs elevation, the UAC prompt is given. When the user approves and specified to authorize for future use, it would load in to protected memory space and hash on what is loaded in to the elevated execution. After that, it would hash anything that was loaded in to memory or that was written out from memory in the elevated state, effectively tracking the authorized activities. On future runs, if anything tried to be loaded that didn't have a hash on file, the UAC prompt would be given. This might be difficult or even impossible to do for a native app, but should be reasonably easy to do with .Net apps at least.

2) This could be addressed with a maximum level of security that the persisted authorization would give. I know my main reason for wanting to be able to do pre-authorizations is that I have several monitoring and power user tools that I use which require administrative access to do their job fully. I have these set to run on start up since I use them all the time and it is frustrating to have to repeatedly click the UAC approval every time. Situations like this are what a feature like this would be perfect for.

3) There is possibly some truth to not wanting to give an average user access to this kind of functionality, but you also have to consider that the average user typically just clicks yes anyway, particularly if it shows up a lot. If you can reduce how often it shows up and also highlight if an elevated process has changed since last run, then it could make much more effective warning when something appears to be amok. As for your claim that I don't understand it, I don't know why you feel that way. Perhaps you simply didn't understand the full concept I was presenting and how it could work. I'm not saying it would work in every situation, but even if it could work in some, it would be helpful.

Re:WTF is WPS?

Actually, even better: they got a button you can press to flip the router into magic-setup-mode temporarily (I assume it flips back after a while, or after a device is connected). And I mean it's already there in WPS. I can't imagine how that's harder than having to find a PIN to type in...

Re:WTF is WPS?

[AmiMoJo]

1) You don't try to hash the files directly, you hash on entry in to memory. It would probably look something like this. When an app first launches and needs elevation, the UAC prompt is given. When the user approves and specified to authorize for future use, it would load in to protected memory space and hash on what is loaded in to the elevated execution. After that, it would hash anything that was loaded in to memory or that was written out from memory in the elevated state, effectively tracking the authorized activities. On future runs, if anything tried to be loaded that didn't have a hash on file, the UAC prompt would be given. This might be difficult or even impossible to do for a native app, but should be reasonably easy to do with .Net apps at least.

I see what you mean but there are two major problems with that. Firstly it would allow apps to be exploited by sending them malicious data. Say the user approved changing a system setting in their browser and it was then compromised by a web page, well now that web page can silently change that setting too without a UAC prompt. The browser executable in memory is not changed in any way. There have been browser exploits that write files to arbitrary locations on disk in the past, for example. It is unlikely, I know, but far from impossible.

It also doesn't address the main problem that UAC was invented to deal with - software doing undesirable things. UAC was not primarily about security, it was about stopping programmers making their apps do bad things by annoying the user and thus reducing the usability of the app. Microsoft could have simply cut off the ability to change certain settings or write files to certain locations but that would have broken a lot of software. Instead they decided to support backwards compatibility but strongly encourage apps to do things the right way in future.

There are actually APIs for doing something similar to what you suggest, and some apps use them. Enabling it for older apps that just call registry modifying APIs directly wouldn't be a good idea though.

Re:WTF is WPS?

[MrNthDegree]

Not hard to fix this:

Make it so PIN entries only work when the WPS button is pushed, limited to a 120 second timeout.

In addition, rate limiting would prevent a DoS attack if it's based on multiplication. For example, multiplying by 10:

1 failure = 10 second delay
2 failures = 100 second delay
3 failures = 1000 second delay
etc..

The WPS button could reset the counter...

Problem fixed, this "security flaw" is no worse than a bad SSH passphrase or the like...

Re:WTF is WPS?

[MrNthDegree]

That is a problem with the router implementations of WPS, not WPS itself. My Linksys WAG120N appears to block multiple bad PIN attempts, which can be reset by pushing the button, which leaves a security hole while the thing flashes, big whoop.

This is similar to the whole "OMG uPnP great hole!" issue of about 6 years ago, which was down to router implementations and not the spec itself...

Re:WTF is WPS?

[Ihmhi]

A novice user in the presence of experienced users will ask what they should do about a UAC question they don't understand,

No, no they won't. It depends. If the person strives to be technically literate and wants to learn the hows and whys, then they will ask themselves "Why am I clicking yes on UAC?"

Most average users will see a UAC popup and say, "Oh, this is the annoying thing I have to click Yes on all the time."

Re:WTF is WPS?

[Ihmhi]

When you have your system appropriately hardened, yes. I spend the vast majority of my time approving UAC than it saving my ass from malware trying to do something nasty.

It's just a wee bit overzealous and could be finer tuned in my opinion.

Re:WTF is WPS?

[Ihmhi]

I get that it needs to restart. I'm not ignorant of that. But it needs to restart now and pesters me every 5-15 minutes while I'm trying to play a multiplayer game with some friends. Bonus, every time that window comes up it tabs me out of whatever I'm doing! Oh look, I was typing and just happened to hit enter when the Restart window popped up.

Since there isn't a way to permanently defer it until I elect to restart, I instead entirely stop the service so it stops bugging me when I'd really rather not tab out or accidentally restart my computer in the middle of typing an essay. When I'm done with the things I"m doing at the moment, then I'll restart. An option to defer to a convenient time for me flat out does not exist in any other way than shutting the service off.

Re:WTF is WPS?

[AJH16]

A data file can't do anything without being loaded in to memory to be executed on. As long as you are hashing everything loaded in (including files) then you should be ok against data files. This would limit the practicality in terms of things that have to work with data files, but would work great for certain tools and anything being used with common files. There is also the fact that if the app is known to behave well, then in many cases, any data file that is user requested is going to be irrelevant and automatically opened files should have existing hashes after the first few runs. If the data file is user loaded, then pre-authorized or not, it would still be a problem (the one exploit scenario would be if someone could programatically call the authorized executable passing in a file to open, so that could be a flaw).

I disagree with what the purpose of UAC was. As I recall, the stated purpose for UAC was to prevent malware from being able to get elevated privileges without the user having to authorize it. It was supposed to be a means of protecting the user from unauthorized software doing bad things. It ended up having the side effect of making developers try to avoid doing things they didn't need to, but I never got the impression that that was MS' intent in the implementation, at least not from any of the material they were distributing to partners when they were implementing it with Vista. If you have some documentation that suggests otherwise though, I think it would be an interesting read. I don't disagree that it was an effect, I just wasn't under the impression it was even an intended one, at least not the primary intention.

Re:WTF is WPS?

[AmiMoJo]

A data file can't do anything without being loaded in to memory to be executed on. As long as you are hashing everything loaded in (including files) then you should be ok against data files.

Right, but many apps load data from the internet. And even if you were sure that the data file hadn't been altered in memory who is to say that the entire file was processed already? You just can't do it securely. That is why UAC is actually superior to just asking for the root password - even once given the authority granted can't be abused in future to do other stuff.

Have a read up on the blog posts MS developers did post Vista release on UAC. Making developers write less shitty software was a primary goal.

Re:WTF is WPS?

[AmiMoJo]

What you suggest would not prevent a DoS attack at all. The attacker just waits for each time period to expire and sends another wrong PIN, forcing the user to wait 10x longer each time before being thwarted again. You are actually making it worse.

Re:WTF is WPS?

[AJH16]

The entire data file doesn't have to have been run, just authorized. If it is unaltered, it could have run the last time when the file was run and the damage would be done. That said, one thing I realize you would give up is that once compromised by a legit app, there would need to be a mechanism checking entry points to make sure a new hashed exe isn't written and loaded directly in the future.

I'll take a look for the posts you mentioned. Most of my reading was pre Vista.

Re:WTF is WPS?

[MrNthDegree]

Oh really? I believe the attacker has to wait for the button to be pushed in my example of fixing this.

Which would be an impractably long time for households which rely on it for initial setup only...

Re:WTF is WPS?

[AmiMoJo]

The entire data file doesn't have to have been run, just authorized. If it is unaltered, it could have run the last time when the file was run and the damage would be done.

Okay, one last time... You click something in the app and it generates a UAC prompt. You can be fairly sure it is doing what you want because you clicked it. On the other hand if you are browsing a web page and a UAC prompt randomly appears you would be suspicious.

Re:WTF is WPS?

[AJH16]

Right, but if I hadn't been to that version of that page before and something I hadn't loaded before tried to run I would STILL get a UAC prompt because that data file isnt hashed.

Re:WTF is WPS?

[BrokenHalo]

So what would you do if you got your eReader, but didn't have a computer to establish a wired connection to your router?

Same as for any other WiFi device: enter (or scan for) my network SSID, then enter my WPA2 password. If typing in a reasonably strong WPA2 password is beyond the user's capabilities, then he doesn't really have any business being on the internet at all. Acting responsibly has nothing to do with being computer-savvy.

Re:WTF is WPS?

The real WTF is that this post was modded "Insightful" instead of "Funny". Even slashdotters don't understand this stuff?

Doesn't compile on OS X

If you were thinking of downloading it to give it a go on a mac, it doesn't seem to compile. (It may say more in the docs, I wasn't interested enough to read them.)

Re:Doesn't compile on OS X

[93+Escort+Wagon]

Docs state reaver only compiles on Linux - but on my 64-bit RHEL6 box it fails to find libpcap (even though it's installed, and even when I explicitly pointed ./configure to it).

I'm going to see if I can get it installed on a Mac with some fink voodoo...

Re:Doesn't compile on OS X

It is common nowadays, that developer forget to have placeholders in the makefiles to actually make use of the configure output.

Re:Doesn't compile on OS X

[93+Escort+Wagon]

It is common nowadays, that developer forget to have placeholders in the makefiles to actually make use of the configure output.

In the linked blog post it is claimed that "This is a capability that we at TNS have been testing, perfecting and using for nearly a year." You'd think they'd have written better code if they've been working on it that long...

Re:Doesn't compile on OS X

[buchanmilne]

yum install libpcap-devel

No, it's not on the RHEL6 installation media, you have to have registered the box for RHN.

(RH is really pathetic this way, lots of useful packages are left off the installation media, seems they are forcing you towards satellite, but if you don't have the bandwidth for satellite, or need to setup a box without internet access, sorry for you if you want to something like use oscap - they give you openscap, but not openscap-utils). Oracle is better in this regard, with a public yum repo for release packages (not updates). Of course, CentOS gives you everything, as do all other community-oriented distros.

Re:Doesn't compile on OS X

[hcs_$reboot]

On Linux you have to install the libpcap-dev (look into the synapsis packages tool).

On the Mac, you'll miss the <linux/types.h> include - not sure that's all, but if it is, you should be able to find a patch easily.

Re:Doesn't compile on OS X

[Mojo66]

This project uses the Wireless Extensions Library to interact with the Wifi hardware, i.e. iwconfig and stuff, which is completely incompatible with OS X.

Re:Doesn't compile on OS X

Responsible security researchers modify the code they release so that it needs an intelligent human to compile it. This decreases the amount of script kiddies using their code but still allows for full disclosure to fellow researchers.

Re:Doesn't compile on OS X

[93+Escort+Wagon]

yum install libpcap-devel

Yeah, that's what I would've thought too - but it appears that package isn't in either RHEL or EPEL (for 64-bit EL6 anyway).

And yeah, the box has an honest-to-goodness subscription... as part of a campus license.

Re:Doesn't compile on OS X

[Grishnakh]

On Linux, the Wireless Extensions library is deprecated. They really should be using cfg80211/nl82011 for that stuff.

Re:Doesn't compile on OS X

[Freultwah]

A few ioctls have been hardcoded for Linux, and there are some other includes and typedefs missing, too. Well, they're just starting out. Maybe they'll make it usable across the board eventually.

Re:Doesn't compile on OS X

[buchanmilne]

It (libpcap-devel-1.0.0-6.20091201git117cb5.el6.x86_64.rpm) is there, in the RHEL Server Optional channel.

Thanks

[hcs_$reboot]

I really didn't want to be doing any programming during new year's holiday.

What purpose?

[gnasher719]

Seriously, what non-malicious purpose would this tool have? Anybody who read about the vulnerability knows how it works; there is no need to have a sample attack because it is obvious how this works; having an exploit tool cannot have any legitimate uses.

Re:What purpose?

Maybe it's handy for verifying you are vulnerable?

Although I'd have to admit anyone actually using WPS probably isn't interested enough to even know such a tool exists...

Re:What purpose?

[93+Escort+Wagon]

Maybe it's handy for verifying you are vulnerable?

Although I'd have to admit anyone actually using WPS probably isn't interested enough to even know such a tool exists...

Well, since the claim is most routers are vulnerable by default, I can see value in using this as a test tool - both against your router's current configuration and after you've supposedly disabled WPS.

And, speaking as an owner of an Apple router, I'd like to verify whether my belief that the Airport Extreme doesn't enable a PIN by default is correct.

Re:What purpose?

[subreality]

End users and vendors alike will dismiss any threat as merely theoretical until it's actively being exploited. The real question is when to release, not if.

Re:What purpose?

[jamesh]

Seriously, what non-malicious purpose would this tool have? Anybody who read about the vulnerability knows how it works; there is no need to have a sample attack because it is obvious how this works; having an exploit tool cannot have any legitimate uses.

Sure it does. If a customer questions why this should be audited and fixed on their network immediately I can tell them that there is exploit code publicly available that anyone can download and use and have access to the network in 4-10 hours instead of talking about theoretical bad guys who might have obtained a theoretical exploit from somewhere. It makes it a "fix this now" problem with a known risk instead of being put off and treated as a low risk security issue and never fixed. In my case hopefully it's just a quick audit to make sure nobody else has put a WPS enabled AP onto the network, but it still needs to be done.

Maybe you don't remember Slammer/Nimda/Code Red, and a few others of that era. The exploits used were well known and patches were available for a while beforehand but a lot of people never bothered patching because of the perceived low risk and "doesn't apply to me". Ditto for a few Linux ssh and ftp exploits.

Re:What purpose?

How about keeping your neighbors from having someone malicious use this exploit against them. I can see someone using and expanding this tool to automatically disable WPS.

Mac version

We need a Mac OS X/Freebsd version of this tool.

Re:Mac version

It is open source! Go on and compile it yourself. If it does not work on Mac OS X then feel free to fiddle around and fix the code and submit a patch.

A year huh?

from: http://www.tacnetsol.com/news/2011/12/28/cracking-wifi-protected-setup-with-reaver.htm

This is a capability that we at TNS have been testing, perfecting and using for nearly a year. But now that this vulnerability has been discussed publicly we have decided to announce and release Reaver

Very nice way to make a profit there guys and ignore responsible disclosure.

Turn off WPS

[shione]

Looks like it might be a good idea to turn off the WPS service if you can.

In my Billion 7800n I did this: http://screenshots.portforward.com/Billion/BiPAC_7800N/WPS.htm

If your router doesnt allow you to do that then in the LAN settings, block all ips not being used by your devices.

incredible

[Njovich]

From the product page:

WPS allows users to enter an 8 digit PIN to connect to a secured network without having to enter a passphrase. When a user supplies the correct PIN the access point essentially gives the user the WPA/WPA2 PSK that is needed to connect to the network."

And they thought that was a good idea to implement without even substantial rate limiting or such? What the hell were they thinking?

Re:incredible

What the hell were they thinking?

They wanted to make easy targets for law enforcement wiretapping? They wanted to let people use each other's routers for better anonymity?

Re:incredible

[Njovich]

Err, sorry, guess I was wrong, there is some rate limiting, just they have this other insanity (from el reg):
 

Eight digits should produce 100,000,000 possible combinations, and testing various routers Viehböck found it took an average of around two seconds to test each combination. So brute forcing should take several years unless the router was particularly responsive.

But the protocol used by Wi-Fi Protected Setup reports back after the first four digits have been entered, and indicates if they are right, which means they can be attacked separately. The last of the eight digits is just a checksum, so having got the first four the attacker only then has to try another 1,000 combinations (identifying the other three digits) and the entire PIN is known.

That combination means that our attacker only has to try 11,000 different combinations to find the right PIN, reducing the attack time to a couple of hours.

Re:incredible

[AHuxley]

The same thinking that went into the 56 bit Data Encryption Standard as been "free of any statistical or mathematical weaknesses"?
http://cryptome.org/nsa-v-all.htm
If its crypto and many people use it - expect it to be weak, carrieriqed ect.
The real trick is getting so many very very smart people to buy into wifi and use it around the world as usable.... safe....

Re:incredible

[TheSpoom]

But the protocol used by Wi-Fi Protected Setup reports back after the first four digits have been entered, and indicates if they are right, which means they can be attacked separately. The last of the eight digits is just a checksum, so having got the first four the attacker only then has to try another 1,000 combinations (identifying the other three digits) and the entire PIN is known.

Wow, that's dumb. I hope this wasn't put together by someone who considers themselves a cryptography professional.

Re:incredible

[Carnildo]

The calculations involved in a WPS conversation are non-trivial, so the cheap CPU in the typical router inherently rate-limits you to about 30 guesses a minute. If WPS had been correctly implemented, that works out to an average brute-forcing time of three years, and a worst-case time of around six years.

US gov't only?

[wandernauta]

Tactical Network Solutions' site mentions that they only sell to "U.S. federal, state, and local government agencies". What on earth would gov't institutions do with something that's essentially the digital equivalent of a crowbar? Isn't it much easier and more ethical for governments to get a court order to get the information they want, instead of breaking into WiFi networks? What on earth is going on here?

Re:US gov't only?

[zefrer]

What's going on is that supposedly white hat 'security' firms are actually writing cracking software for assorted goverments. Meanwhile cracking software is illegal in many countries unless you happen to be the goverment or aforementioned 'security' firms.

Nothing to see here, move along now and so on..

Re:US gov't only?

They also want to protect themselves from crowbars, so they hire people to make crowbars so that they know what kind of anti-Gordon technology to acquire.

Re:US gov't only?

[geekmux]

Tactical Network Solutions' site mentions that they only sell to "U.S. federal, state, and local government agencies". What on earth would gov't institutions do with something that's essentially the digital equivalent of a crowbar? Isn't it much easier and more ethical for governments to get a court order to get the information they want, instead of breaking into WiFi networks? What on earth is going on here?

I sincerely hope you're joking with this. If you, I or anyone else only knew of the millions many three-letter agencies have spent on shit like this over the years...and in this day and age of warrantless wiretapping and eavesdropping, do you really have to wonder what any "U.S. federal, state, and local government agencies" would do with a "digital crowbar"? Please.

And remember, only Black Hats write "cracking software". White Hats offer "security affirmation solutions". There's a difference, although it's usually isolated around the price tag.

Re:US gov't only?

[Artifex]

And remember, only Black Hats write "cracking software". White Hats offer "security affirmation solutions". There's a difference, although it's usually isolated around the price tag.

Costs a lot to keep a hat purty white. You can't just throw it in the laundry.

Deniability

[Bengie]

I wonder if people will use this as an excuse for in court cases and claim they didn't do something and blame it on someone "Hacking" their network.

Re:Deniability

You say Deniability. I say Reasonable Doubt.

Wi-Fi–Hacking Neighbor From Hell Sentenced to 18 Years

A Minnesota hacker prosecutors described as a “depraved criminal” was handed an 18-year prison term Tuesday for unleashing a vendetta of cyberterror that turned his neighbors’ lives into a living nightmare.

Barry Ardolf, 46, repeatedly hacked into his next-door neighbors’ Wi-Fi network in 2009, and used it to try and frame them for child pornography, sexual harassment, various kinds of professional misconduct and to send threatening e-mail to politicians, including Vice President Joe Biden.

shooting crackers...

Where's my DAMN ice cream???

Nerd points and internets if you follow.

Also... first thought was that shooting crackers won't matter since all the tech jobs are going to Asia.

Anyone know how this should be running?

[atari2600a]

I have it going in verbose mode it waits on a beacon when there's no current connection then when I have it connected to my router already it just cycles through all the channels (even the ones I legally shouldn't be able to connect to, so it's nice to know I don't have a hardware cap on that)

Re:Anyone know how this should be running?

[rduke15]

http://code.google.com/p/reaver-wps/wiki/HintsAndTips

So it takes 4 to 10 hours....

[rrossman2]

As they state (or 1-5), but correct me if I'm wrong (I've done it with WEP so I *know* I'm right on that one).... it takes less time to just crack WEP and WPA.

At least I believe so on the WPA, never did it before but I recall there being a vulnerability that made it fairly trivial to crack. Sad thing is if you drive around scanning, you'll still find a ton of people using WEP.

Basically this is no real worry if you're using WPA (or WEP even though it does apply here) because WPA is just as flawed as WPS, or maybe even more so since higher traffic = less time to crack when it comes to WPA (and WEP). So the only real concern is for those using WPA2

Re:So it takes 4 to 10 hours....

You are *NOT* right for WPA (at least if the password is strong enough).
http://www.smallnetbuilder.com/wireless/wireless-howto/30278-how-to-crack-wpa--wpa2

Can you guess 2 4 digit numbers?

[sgt+scrub]

At first glance I thought the error was something along the line of letting the attacker know the user names so they only have to guess the password. I was mistaken. It literally helps the attacker figure out the PIN so instead of guessing 8 digits you guess two 4's.

Re:Can you guess 2 4 digit numbers?

[spydir31]

Worse than than, you guess 4 digits, then guess 3 (as the last digit is a checksum)

just leave the wlan unencrypted

but only accept connections to a openvpn-server. So everyone who wants to can use your AP to connect devices to each other, but only people with the right openvpn-certificates can go online.

It's All Stupid

Yes, WiFi security setup is too complicated for retail routers. No, we don't need another vulnerable or otherwise method of facilitating the security setup.

WiFi routers should have two things. A button, not easily pressed almost like the reset button, and a LCD screen. The router should, by default, generate a random WPA2 pass phrase. The button should cause a new one to be generated. The WPA pass phrase should be displayed on the LCD screen.

This way, security is on by default and the user simply has to look at the router to see the pass phrase in use. Those that are willing to do the work can perform manual configurations and even complete neophytes can fairly easily change the pass phrase by pressing a single button. But the button is sufficiently hard to press that they will not accidentally press it and "break" an existing setup. Cisco!

This way it is secure by default without the need for different protocols, setup discs, manual configuration, it just works. For those that take issue with the pass phrase being displayed on the router, there are few cases where this is a legitimate concern. And in those few cases, the risk can be mitigated by covering the LCD with tape or manually turning off the display in the configuration.

Re:It's All Stupid

[am+2k]

Coming from embedded device development, I can tell you that adding an LCD display is waaaay too expensive for these kind of devices to be considered. It's not only the LCD display itself, you also need the controller and the software to control it.

As a contrast, in the company I worked there was a bounty on reducing the BOM price. One employee won it with a 10 cents/piece reduction by using cheaper rubber material for the printer unit's paper transport system. The result was that the device was completely unusable (I had one of them on my workplace there), you had to supply the sheets manually one by one so it didn't mess up. But hey, it was 10 cents cheaper, so they went right ahead.

Re:It's All Stupid

I disagree. LCD screens are cheap, though more than ten cents. Some manufacturers already have LCDs on the devices, but they use the screens to display useless stats("but it looks cool"). The software is trivial and widely available. Most of these devices already use Linux anyway.

What's the cost of implementing a totally new protocol and then having to reissue firmware because the protocol has been compromised?

Re:It's All Stupid

[gl4ss]

I disagree. LCD screens are cheap, though more than ten cents. Some manufacturers already have LCDs on the devices, but they use the screens to display useless stats("but it looks cool"). The software is trivial and widely available. Most of these devices already use Linux anyway.

What's the cost of implementing a totally new protocol and then having to reissue firmware because the protocol has been compromised?

cost? you mean profit. the cost is on the consumer, not on the company.

Re:It's All Stupid

[Grishnakh]

Citation needed. I'm sorry, I've never seen a wireless router with an LCD screen. I'm surprised they even spring for the LED status and activity lights, these things are made so cheaply.

Re:It's All Stupid

How about 'expense'? Companies certainly don't always turn a profit. Profit on a single transaction, yeah, usually. But expense is there even if you take a loss on a single transaction.

Re:It's All Stupid

[FrankSchwab]

On our products, our latest ASIC spin involved bringing three external resistors on board to reduce BOM costs. Three resistors, at generously $0.01 apiece (once procurement, PC board space, and assembly costs are tallied up). And someone wants an LCD?

Re:It's All Stupid

[micsaund]

They aren't that hard to find:

http://www.belkin.com/IWCatProductPage.process?Product_Id=377018

http://www.dlink.com/products/?pid=643

http://www.trendnet.com/products/proddetail.asp?prod=160_TEW-673GRU&cat=137

They just aren't the el cheapo models...

My AP is too old..

[Junta]

My AP predates WPS, but after reading about it, I can't believe they designed it as an ongoing capability. Once used, it should have defaulted to disabling it until some factory reset button was pressed to resurrect it. When I first heard of it, I thought it would simply be an improvement over the old days of unprotected wifi to start, but clearly they messed up..

Admin/Limited Accounts

[fast+turtle]

Same here. I've configured an Admin PW with a standard/limited user account for day2day ops. Works fine as the only time I really need admin access is installing/removing software or changing a critical system setting.

Another thing I've done is enabled DEP for all apps except those I've been forced to exclude such as the only game I've had to exclude (Call To Power 2). I haven't seen any issues from any program written for XP-SP2 or later as DEP was an introduced then. It's just one more layer of security.

The tool...

[g0bshiTe]

known as Reaver

Am I the only one that thinks this is shiny?

WPS = SES ?

[brenddie]

is WPS the same a cisco's/linksys SES (secured easy setup)?

SES seems to be disabled by default on a WRT54g I have

Re:WPS = SES ?

[Fnord666]

is WPS the same a cisco's/linksys SES (secured easy setup)?

No, SES predates WPS. It addresses the same issue, but it is a different implementation. See the note section of this page for more detail

Re:ALL YOUR BASES ARE BELONG TO US !!

That's

All your bases are belong to WE

you ignorant slut!

Instant gratification no longer fast enough....

[rts008]

Someone who wants a giant "easy button" isn't a retard, but someone who has better things to do in their life.

Well then, I would suggest you should get on with your 'better tings to do in life', and quit wasting your time with WPS and the like.

"If something is worth doing, then it is worth doing right."
Take a few minutes to learn a little about the tools you are using; if you don't have time to learn about them, then you don't have the time to be messing with them in the first place.

There is no free lunch....

Goram Reaver.

[flux4]

They say the Reaver exploit is a campfire tale, a bedtime story. Well I'm here to tell you it ain't. Code out there on the edge of memory space, just staring into /dev/null until it goes insane. Look, if it takes the printer, Reaver will hack it to death, burn its paper, and sew the entire network into spaghetti. And if you're very, very lucky, it'll do it in that order.

Re:Goram Reaver.

[flux4]

Hmm, I think I'm mixing threats here... Goram multitasking.
http://boingboing.net/2011/12/30/printer-malware-print-a-malic.html

Escort Bayan

Escort Bayan First, let's alpha dating Escort Bayan astrometry personality. Virgo dating the woman's arch moves and the added cheerful, well-intentioned,. This affectionate of able personality of the woman dating a man happy. If they did, abject a man Virgo dating Escort Bayan her admiration can accomplish specific requests. http://www.marjinalescort.com/