Slashdot Mirror


Attack Tool Released For WPS Setup Flaw

Trailrunner7 writes "Just a day after security researcher Stefan Viehbock released details of a vulnerability in the WiFi Protected Setup (WPS) standard that enables attackers to recover the router PIN, a security firm has published an open-source tool capable of exploiting the vulnerability. The tool, known as Reaver, has the ability to find the WPS PIN on a given router and then recover the WPA passphrase for the router, as well. Tactical Network Solutions has released the tool as an open-source project on Google Code, but also is selling a more advanced commercial version."

30 of 164 comments

  1. WTF is WPS? by Anonymous Coward · · Score: 5, Insightful

    Oh, I see. It's a tool for retards.

    Seriously, if you can't admin your router and at least set up a WPA2 protected network without resorting to some sort of giant "easy button", then you have absolutely no right to complain when someone breaks into your network and does whatever it is script kiddies do these days.

    This dumbing down of consumer electronics needs to stop. Dilbert said something to the effect of "If you idiot proof something, someone invents a better idiot" (Scott Adams may not have come up with that quote, but that's where I first read it). Therefore, by trying to produce equipment that targets the stupidest of the stupid, we're only dooming everyone to greater depths of stupidity.

    It will not end until we literally take a stand against stupidity - draw a line in the sand, and say "If you can't comprehend this stuff, you don't deserve to use it". This "black box" user thing has gone too far. Especially when I read about retarded things like WPS that serve no useful purpose other than to let idiots use gear that they would not normally be able to - either because the manufacturer fucked up the design and turned it into some obfuscated piece of crap, or because the user simply has no desire to understand things that must surely seem magical to them.

    -AC

    1. Re:WTF is WPS? by errandum · · Score: 5, Informative

      The problem is not the need for the giant button, it's that it is on by default in some routers.

      I own a D-Link and I did set up everything by hand, but since I didn't want to use this, I simply didn't touch the option - assuming that, by default, this would be off.

      I was wrong, and corrected that, but I wonder how many of those people that use the setup wizard know enough to even get to the advanced features, much less turning this off because it is a security risk.

    2. Re:WTF is WPS? by gnasher719 · · Score: 5, Insightful

      Oh, I see. It's a tool for retards.

      A quote from Billy Joel, after being ripped off by his manager (and I think he is one of few people who successfully sued their lawyer): "I know many excellent businessmen who can't sing."

      Just because you find it entertaining to know how to admin a router and set up a protected network, most people have a lot better things to do in their lives. Someone who wants a giant "easy button" isn't a retard, but someone who has better things to do in their life.

      And guess what, it isn't the people you call "retards" who messed it up. It's the real retards who designed a system where an eight digit PIN number can be cracked in at most 11,000 tries.

    3. Re:WTF is WPS? by Penguinshit · · Score: 4, Interesting

      That is the crux of the problem: The solution was (pathetically) poorly implemented.

    4. Re:WTF is WPS? by jamesh · · Score: 5, Insightful

      It will not end until we literally take a stand against stupidity - draw a line in the sand, and say "If you can't comprehend this stuff, you don't deserve to use it"

      I see this attitude more and more. I wonder if people had to put up with the same elitist bullshit after the car became affordable to the masses... or even the printed book. You might know how to use a computer but I wonder if you'd know how a transistor works and how to build one, or what an IRQL is, or a DPC. And even if you do, there will be someone else that knows more than you who will look down their nose at you and tell you that you have no right to use a computer without understanding how it works.

      WPS isn't that bad an idea really... it just turns out it has a bug, and unfortunately that bug is going to be unfixable in a lot of cases (end-of-life model AP with no firmware update available)... hopefully those APs at least have a way to turn it off. If you are pointing the finger of blame at anyone, point it at the people who implemented it - they're the ones who screwed up.

      If I'm feeding the trolls... I might as well give them a good meal.

    5. Re:WTF is WPS? by neokushan · · Score: 3, Informative

      The reason such a thing exists is because the good ol' secure password was too complicated for average-joe users to deal with. The precursor to this is Wireless routers that don't actually have a password set. To this day, you can still find unsecured wireless routers nearby and we all know what that leads to. The "easy" solution was put there so that routers could have security set by default, yet not confuse average-joe to the point where he just disabled it because it was the easiest thing to do.

      And believe me, I worked for an ISP up until a few months ago - our Router/Modems (or Hubs, as they called them) now come with wireless security enabled. The default password (unique per hub) is written on the side of the device - and people still get confused and don't know what to do to connect their wireless.

      Unfortunately, the implementation of the "easy" solution is the issue, not the solution itself. I mean, what's the point in having a secure PIN if you tell the user when they got the first half of it right? Especially if you don't prevent people from attempting thousands of connections.

      --
      +1 IDisagreeSoHeMustBeATrollOrAnAstroturferOrAShill
    6. Re:WTF is WPS? by h00manist · · Score: 5, Insightful

      much less turning this off because it is a security risk.

      ...but it's a security *feature*! See it's called "wifi protected setup". No way I'm disabling that, and then what, my wifi setup won't be protected? Are you kidding me? These hacker guys are trying to fool you into turning it off!

      --
      Build your own energy sources from scratch. http://otherpower.com/
    7. Re:WTF is WPS? by neokushan · · Score: 4, Informative

      It's on by default because it's there for the average user to easily connect their equipment. If it was off by default, it would require connecting (either via password or cable) and enabling it manually via the setup page - and by that point, you'd just connect the usual way.
      In a similar vein, it'd be like UAC being disabled by default - average user won't turn it on, even if it does help them.

      --
      +1 IDisagreeSoHeMustBeATrollOrAnAstroturferOrAShill
    8. Re:WTF is WPS? by Nertskull · · Score: 2

      I don't totally buy that. I do to a small degree. But it's kind of like saying we should give people cars without making them learn how to drive.

      We live in a day and age where everyone wants the quick fix, and the easy solution. But to use a tool properly, you need to understand some things about that tool. And when you try to make it overly simple, bad things (as we are seeing here) can happen.

      I'm not by any means saying people need a perfect understanding of wifi or networks or security. But I don't think it's unfair to require people to do a little bit of reading of a manual to set something up. Having "better things to do in life" is not an excuse for getting out of everything we find complicated. It's narcissistic to think that the ONLY things that are worthwhile are the things ONLY oneself is interested in.

      Sometimes we have better things to do, absolutely. But sometimes life requires we dig into projects we find boring to get things done correctly.

      Simple setup for networks? Absolutely. But at the cost of security for the benefit of ease? Not what I would call ideal.

    9. Re:WTF is WPS? by ACE209 · · Score: 2, Insightful

      Luckily the European Union likes car analogies too ;)
      http://en.wikipedia.org/wiki/European_Computer_Driving_Licence

      --
      "we are all atheists about most of the gods that societies have ever believed in. Some of us just go one god further."
    10. Re:WTF is WPS? by kbolino · · Score: 4, Informative

      I've been using and administering Windows since the 3.0 days, and not only do I leave UAC on, but I turn it up to the highest level (7 has variable levels, where the highest level corresponds to the only one available on Vista). I agree it can be a nuisance, and 95% of the time I just click through it (knowing what I did beforehand to trigger it). But every once in a while, it pops up when I know it shouldn't, and that tells me right away that something is doing something it's not supposed to be doing. Not only that, but I can decline to allow it to continue, which to me is UAC's most useful property: the ability to say no. Then it's much easier to locate the problem and remove it. I practice safe browsing and safe e-mail reading as much as possible, and I have a router with a drop-all-unknown-packets (ghost? stealth?) firewall, but I know that I'm not perfect--and neither are the other people who use the computers. YMMV but I've found it to be one of the best improvements over Windows XP.

    11. Re:WTF is WPS? by gnasher719 · · Score: 4, Informative

      Erm, 8 digit PIN is fine. Routers can limit PIN guesses y'know...

      You didn't read the article, did you? The routers tell you that the PIN is wrong after four digits. So you need 10,000 tries at most to get the first four digits. The last digit is a checksum, so you need at most another 1000 tries to get the complete number.

      Of all the routers tested, only _one_ model limited PIN guesses (you can't turn PIN guesses off obviously because that would just enable a DoS attack) to about one guess every 20 seconds, which means it is cracked within a few days.

    12. Re:WTF is WPS? by Anonymous Coward · · Score: 2, Insightful

      UAC isn't useless. It's like having to sudo before doing something. A regular user will just always hit yes. An experienced user will know that this should be happening or not.

    13. Re:WTF is WPS? by thegarbz · · Score: 4, Funny

      HA you should have bought a Linksys. I turned on WPS, I typed in my router PIN and I even pushed the button and my devices are still unable to connect.

      Secure by design?

    14. Re:WTF is WPS? by flimflammer · · Score: 2, Insightful

      Er, what? UAC a "waste of time for experienced people"? It's about useless for anyone but experienced people.

      Or are you of the belief that applications should just automatically have admin privileges without user consent?

    15. Re:WTF is WPS? by lucidlyTwisted · · Score: 2

      Not that I agree with GP point-of-view, but you usually (in most countries) need a driving licence in order to be allowed to drive a car.

      And guess what is not covered in getting a license? Checking the oil, changing a tyre, finding and replacing a blown fuse, changing a bulb, correctly inflating tyres or any number of other actions which could be considered "administration" of the car.
      If there were an equivalent driving test to routers/Internet it would be thus:
      Can you
      1) plug the router in?
      2) press the shiny button?
      3) connect your PC to the router (cable or wireless)?
      4) find the router's administration page (no actual use of page is required)?
      5) get teh download codez?
      Depressing.

      I just checked my re-badged Netgear router and WPS was on by default (it's now off). Why is it so hard to have these things off by default and a clear explanation of what they are? The "help" on the Netgear is useless. For WPS it tells me "An external registrar can only configure the Super Hub's wireless settings through WPS when the Super Hub's PIN is enabled. When it's disabled, users still can add a wireless client through WPS with either Push Button or PIN Number method." Eh? So if I disable the PIN I can still use the PIN? That makes no fucking sense. WTF is WPS? Oh, not going to tell me.
      And the push button...what push button? There's no button on the router. Oh, wait, do they mean one of the buttons on the web page? Which one? Is it beyond their wit to tell me? Seems it is.
      Then there is this gem "Keep Existing Wireless Settings - This option shows whether the Super Hub is in the WPS configured state." How does the explanation relate to the topic? The two seem totally unrelated. Which wireless setting? My own wireless? If I uncheck that will my wireless access be disabled?
      The same repeats for WPA vs WEP - there is nothing about what these actually are and it contains stuff like this as an explanation: "Primary Radius Server IP Address - This field is required. Enter the IP address of the Radius Server on either WAN side or LAN side. "
      Really? Wow. The "help" for the techno-babble contains yet more techno-babble with no further explanation. I have an understanding of what all the above means, but only because I have a passing interest in tech and not being cyber-raped by the script kiddies. Joe Average won't and the use of techno-babble will just freak them out on making changes, thus they are likely to leave everything at the insecure defaults.

      I'm not asking for the above to be explained (my router is configured and works correctly), I am just pointing out that what precious little documentation is provided is utterly pathetic and totally useless. The little 12 page leaflet I got with the new washing machine contained lots of pertinent information on how it works, how to install it (which I did, the clear instructions made it really easy) and basic troubleshooting. If they can do it for a washing machine, they can do it for a router. There is no excuse.

    16. Re:WTF is WPS? by AJH16 · · Score: 2

      There is one thing I don't understand why they don't do. Why not store a hash of an executable and allow storage of the approval? If the same program, in an unaltered state wants to run again later, it should be allowed to without prompting. (If the user chose to approve it for future use.) Personally, I'm willing to use it even if I have to click every time, but this would be more convenient without noticeably impacting security. (Technically there are executable stuffing approaches that could match the hash, but that would seem to be tricky, particularly if rewriting the file became a protected operation itself.)

      --
      AJ Henderson
    17. Re:WTF is WPS? by BrokenHalo · · Score: 2

      WPS is the sort of thing that we need more of - simple to set up, and until now, quite secure.

      Hmmm. I heard of WPS for the first time not quite a week ago: I was given a Sony PRS-T1 ebook reader for Christmas, and the little leaflet that came with it said something about WPS, so I looked it up.

      Having found out what it was (and ascertained that my WAP doesn't support it), I discarded the guide and just followed my nose in the usual way for a WiFi setup. I see no reason why we need WPS at all: if we are incapable of typing a password when our device already recognises the network and protocol, then we have no business being attached to the internet at all.

    18. Re:WTF is WPS? by LordLimecat · · Score: 3, Insightful

      You have to give some credit to the cleverness of Cisco / Linksys. After the debacle of the WRT54G being the most wildly popular router ever and the basis for DD-WRT (which got tons of people buying those routers), they realized their mistakes of making a great router OS based on proven work. They vowed that NEVER AGAIN would a router be so popular that people would give two craps about the OS on it.

      Hence the lowering of the RAM and flash on subsequent WRT54G generations. But it didn't work! People kept buying them, and using DD-WRT! This was unacceptable, and so they moved to a new OS written in India that NO ONE could possibly love (as its interface didn't even work right in IE), and changed to the WRT54G2.

      Since then, phenomenal progress has been made in curbing enthusiasm for Linksys products. There are still those who care about their products, but Cisco's Indian engineers are working feverishly to tidy up even those loose ends.

    19. Re:WTF is WPS? by Anonymous Coward · · Score: 2, Insightful

      A novice user in the presence of experienced users will ask what they should do about a UAC question they don't understand, especially if it's not their computer and they know they're novices.

      An experienced user who gets a UAC question when they weren't trying to do what UAC asked for permission for, will conclude that something funny is going on and act appropriately. In the "bad old days", it wouldn't have even asked, it would've just done whatever malicious administration the web page called for.

  2. What purpose? by gnasher719 · · Score: 2

    Seriously, what non-malicious purpose would this tool have? Anybody who read about the vulnerability knows how it works; there is no need to have a sample attack because it is obvious how this works; having an exploit tool cannot have any legitimate uses.

    1. Re:What purpose? by 93 Escort Wagon · · Score: 4, Interesting

      Maybe it's handy for verifying you are vulnerable?

      Although I'd have to admit anyone actually using WPS probably isn't interested enough to even know such a tool exists...

      Well, since the claim is most routers are vulnerable by default, I can see value in using this as a test tool - both against your router's current configuration and after you've supposedly disabled WPS.

      And, speaking as an owner of an Apple router, I'd like to verify whether my belief that the Airport Extreme doesn't enable a PIN by default is correct.

      --
      #DeleteChrome
    2. Re:What purpose? by jamesh · · Score: 4, Insightful

      Seriously, what non-malicious purpose would this tool have? Anybody who read about the vulnerability knows how it works; there is no need to have a sample attack because it is obvious how this works; having an exploit tool cannot have any legitimate uses.

      Sure it does. If a customer questions why this should be audited and fixed on their network immediately I can tell them that there is exploit code publicly available that anyone can download and use and have access to the network in 4-10 hours instead of talking about theoretical bad guys who might have obtained a theoretical exploit from somewhere. It makes it a "fix this now" problem with a known risk instead of being put off and treated as a low risk security issue and never fixed. In my case hopefully it's just a quick audit to make sure nobody else has put a WPS enabled AP onto the network, but it still needs to be done.

      Maybe you don't remember Slammer/Nimda/Code Red, and a few others of that era. The exploits used were well known and patches were available for a while beforehand but a lot of people never bothered patching because of the perceived low risk and "doesn't apply to me". Ditto for a few Linux ssh and ftp exploits.

  3. A year huh? by Anonymous Coward · · Score: 2, Insightful

    from: http://www.tacnetsol.com/news/2011/12/28/cracking-wifi-protected-setup-with-reaver.htm

    This is a capability that we at TNS have been testing, perfecting and using for nearly a year. But now that this vulnerability has been discussed publicly we have decided to announce and release Reaver

    Very nice way to make a profit there guys and ignore responsible disclosure.

  4. Re:Doesn't compile on OS X by buchanmilne · · Score: 4, Informative

    yum install libpcap-devel

    No, it's not on the RHEL6 installation media, you have to have registered the box for RHN.

    (RH is really pathetic this way, lots of useful packages are left off the installation media, seems they are forcing you towards satellite, but if you don't have the bandwidth for satellite, or need to set up a box without internet access, sorry for you if you want to do something like use oscap - they give you openscap, but not openscap-utils). Oracle is better in this regard, with a public yum repo for release packages (not updates). Of course, CentOS gives you everything, as do all other community-oriented distros.

  5. incredible by Njovich · · Score: 2

    From the product page:

    "WPS allows users to enter an 8 digit PIN to connect to a secured network without having to enter a passphrase. When a user supplies the correct PIN the access point essentially gives the user the WPA/WPA2 PSK that is needed to connect to the network."

    And they thought that was a good idea to implement without even substantial rate limiting or such? What the hell were they thinking?

    1. Re:incredible by Njovich · · Score: 4, Informative

      Err, sorry, guess I was wrong, there is some rate limiting, just they have this other insanity (from el reg):

      Eight digits should produce 100,000,000 possible combinations, and testing various routers Viehböck found it took an average of around two seconds to test each combination. So brute forcing should take several years unless the router was particularly responsive.

      But the protocol used by Wi-Fi Protected Setup reports back after the first four digits have been entered, and indicates if they are right, which means they can be attacked separately. The last of the eight digits is just a checksum, so having got the first four the attacker only then has to try another 1,000 combinations (identifying the other three digits) and the entire PIN is known.

      That combination means that our attacker only has to try 11,000 different combinations to find the right PIN, reducing the attack time to a couple of hours.
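The arithmetic behind the "11,000 tries" figure, from this quote and from gnasher719's comment further up, as an added example for readers who want to check it themselves (this is not code from the thread, from Reaver or from Tactical Network Solutions). It computes the guess counts for the four combinations of "halves verified separately or not" and "checksum digit known or not", and turns them into exhaustion times using the figures quoted in the thread (about 2 seconds per attempt, and the one router model that allowed one attempt per 20 seconds). The check-digit rule is the one the WPS specification defines for the eighth digit (a weighted digit sum, the same rule hostapd implements); the target of "push exhaustion past a year" in `delay_needed_seconds` is an assumption chosen to show why a per-attempt delay is not a useful mitigation.

```python
# Added example (not from the Slashdot thread or from Reaver): the PIN-space
# arithmetic behind the "11,000 tries" figure, written from the defender's side.
# Timing constants are the ones quoted in the thread; the one-year target below
# is an assumption used only to size a hypothetical per-attempt delay.

SECONDS_PER_GUESS_TYPICAL = 2.0    # "around two seconds" per attempt (el reg quote)
SECONDS_PER_GUESS_LIMITED = 20.0   # the single model that throttled to ~1 per 20 s


def wps_pin_checksum(first_seven: int) -> int:
    """Return the 8th (check) digit for a 7-digit WPS PIN body.

    WPS spec rule: digits in positions 1,3,5,7 are weighted 3, digits in
    positions 2,4,6 are weighted 1; the check digit makes the sum a multiple
    of 10. The loop walks from the rightmost digit, so position 7 comes first.
    """
    accum = 0
    while first_seven:
        accum += 3 * (first_seven % 10)
        first_seven //= 10
        accum += first_seven % 10
        first_seven //= 10
    return (10 - accum % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    """True if `pin` is exactly 8 digits and its last digit is the correct checksum."""
    if len(pin) != 8 or not pin.isdigit():
        return False
    return int(pin[7]) == wps_pin_checksum(int(pin[:7]))


def valid_second_halves(first_half: str) -> int:
    """Count the 4-digit second halves that pass the checksum for one first half.

    Exactly one check digit fits each of the 1,000 three-digit bodies, so the
    answer is 1,000 regardless of the first half; this verifies it by enumeration.
    """
    return sum(is_valid_wps_pin(first_half + f"{tail:04d}") for tail in range(10_000))


def worst_case_guesses(halves_verified_separately: bool, checksum_known: bool) -> int:
    """Worst-case number of PIN attempts to exhaust the space under each model."""
    if halves_verified_separately:
        first = 10_000                              # 4 free digits, confirmed on their own
        second = 1_000 if checksum_known else 10_000  # 3 free digits + derived check digit
        return first + second
    return 10_000_000 if checksum_known else 100_000_000


def exhaust_time_hours(guesses: int, seconds_per_guess: float) -> float:
    """Hours needed to try `guesses` attempts at a fixed per-attempt cost."""
    return guesses * seconds_per_guess / 3600.0


def delay_needed_seconds(guesses: int, target_days: float) -> float:
    """Per-attempt delay that would stretch exhaustion of `guesses` past `target_days`."""
    return target_days * 86_400 / guesses


if __name__ == "__main__":
    # "12345670" is the worked example PIN from the WPS specification.
    print("12345670 valid:", is_valid_wps_pin("12345670"))
    print("second halves passing checksum for 1234:", valid_second_halves("1234"))
    for split in (False, True):
        for known in (False, True):
            g = worst_case_guesses(split, known)
            print(f"split={split!s:5} checksum_known={known!s:5} guesses={g:>11,} "
                  f"@2s={exhaust_time_hours(g, SECONDS_PER_GUESS_TYPICAL)/24/365:8.2f} years")
    worst = worst_case_guesses(True, True)
    print(f"11,000 guesses at 20 s each: {exhaust_time_hours(worst, SECONDS_PER_GUESS_LIMITED)/24:.1f} days")
    print(f"per-attempt delay needed to take a year: {delay_needed_seconds(worst, 365):.0f} s")
```

Running it reproduces the numbers in the quote: 100,000,000 attempts at 2 s each is over six years, but the split-verification protocol plus the check digit brings the worst case down to 11,000 attempts, about six hours at 2 s and about two and a half days at the 20 s throttle. The last line is the defender's takeaway: stretching 11,000 attempts across a year would need a delay of roughly 48 minutes per attempt, which no usable device can impose, so a fixed per-attempt delay cannot repair the design and turning PIN mode off, as several commenters did, is the practical fix.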

  6. Deniability by Bengie · · Score: 2

    I wonder if people will use this as an excuse in court cases and claim they didn't do something and blame it on someone "Hacking" their network.

  7. Re:US gov't only? by geekmux · · Score: 2

    Tactical Network Solutions' site mentions that they only sell to "U.S. federal, state, and local government agencies". What on earth would gov't institutions do with something that's essentially the digital equivalent of a crowbar? Isn't it much easier and more ethical for governments to get a court order to get the information they want, instead of breaking into WiFi networks? What on earth is going on here?

    I sincerely hope you're joking with this. If you, I or anyone else only knew of the millions many three-letter agencies have spent on shit like this over the years...and in this day and age of warrantless wiretapping and eavesdropping, do you really have to wonder what any "U.S. federal, state, and local government agencies" would do with a "digital crowbar"? Please.

    And remember, only Black Hats write "cracking software". White Hats offer "security affirmation solutions". There's a difference, although it's usually isolated around the price tag.

  8. Re:It's All Stupid by am 2k · · Score: 2

    Coming from embedded device development, I can tell you that adding an LCD display is waaaay too expensive for these kinds of devices to be considered. It's not only the LCD display itself, you also need the controller and the software to control it.

    As a contrast, at the company I worked for there was a bounty on reducing the BOM price. One employee won it with a 10 cents/piece reduction by using cheaper rubber material for the printer unit's paper transport system. The result was that the device was completely unusable (I had one of them at my workplace there), you had to supply the sheets manually one by one so it didn't mess up. But hey, it was 10 cents cheaper, so they went right ahead.