Wi-Fi Router Attack Only Requires a Single PIN Guess

An anonymous reader writes: New research shows that wireless routers are still quite vulnerable to attack if they don't use a good implementation of Wi-Fi Protected Setup. Bad implementations do a poor job of randomizing the key used to authenticate hardware PINs. Because of this, the new attack only requires a single guess at the hardware PIN to collect data necessary to break it. After a few hours to process the data, an attacker can access the router's WPS functionality. Two major router manufacturers are affected: Broadcom, and a manufacturer to be named once they get around to fixing it. "Because many router manufacturers use the reference software implementation as the basis for their customized router software, the problems affected the final products, Bongard said. Broadcom's reference implementation had poor randomization, while the second vendor used a special seed, or nonce, of zero, essentially eliminating any randomness."

WPS shoudn't be used anyways... (First!)

[ComputersKai]

WiFi Protected Setup shouldn't be used anyways for security, especially since its problems have already been mentioned many times already in quite a few articles.

Re:WPS shoudn't be used anyways... (First!)

true, except every router makes uses it and only almost all routers don't have the option to turn it off. I blame this on business marketing department (ie whitey).

Re:WPS shoudn't be used anyways... (First!)

[afaiktoit]

and the ones you think you're turning it off it really isnt.

Re:WPS shoudn't be used anyways... (First!)

[The+Larch]

Thanks captain! This is real insightful! Also women should not wear dresses, and people should not buy consumer goods.

Re:WPS shoudn't be used anyways... (First!)

And how many routers have you used to be able to make up these claims? Every single router I have seen has a way to disable WPS.

Time to throw that generic piece of shit you are using in the trash and buy a real router.

Re:WPS shoudn't be used anyways... (First!)

Have you verified that it's actually off, not just shown as such in the web interface? Quite a lot of name brand Wifi routers had a dummy switch in the web interface that did nothing. IMHO WPS is a back door. The protocol specification for WPS PIN is ambiguous, and suggestively written to favor an exploitable implementation. And there's no good reason for the split response which makes the exploitable implementation possible either. It feels like somebody went out of their way to put this pitfall there.

Re:WPS shoudn't be used anyways... (First!)

Have you verified that it's actually off, not just shown as such in the web interface?

Fair argument. To be honest with you, I have not verified if it is actually off.

Wireless security

[ledow]

Is it just me that hates shit on my router?

- WPS (a.k.a. turn your massive password into a four-digit number): turned off on every router I've ever used, since day one of installation.

- UPnP (a.k.a. let anything open any port to anywhere without authentication): turned off on every router I've ever used, since day one of installation.

- WPA/WEP (a.k.a. half-arsed encryption that we never really thought through): turned off on every router I've ever used, since day one of installation.

- Guest networks (a.k.a. let random strangers use your Internet connection without you knowing): turned off on every router I've ever used, since day one of installation.

- Remote administration (a.k.a. let random strangers on the Internet sit and brute-force your passwords with no way to tell it's happening): turned off on every router I've ever used, since day one of installation.

And, in fact, on anything BUT my actual wireless router of choice (e.g. any Internet router supplied by my ISP):

- wireless (a.k.a. give people another way into my network and hinder all my other - wanted - wifi connections by flooding the airwaves): turned off on every router I've ever used, since day one of installation.

Seriously, people, just turn this shit off. And layer VPN over the top of it, if you can. Seriously. There's zero impact on always VPN'ing over your wireless connection to a machine that has a fixed line to your actual Internet connection. Then even if WPA2 is broken, you're still secure. And yes, you can game. I've done it with OpenVPN over my wireless for years - for EVERY packet - that goes over the wireless.

Wireless is the leaky, draughty hole of your network. Seal that fucker up and treat it like an Internet connection, even to your local network.

Re:Wireless security

[arbiter1]

Sadly Some routers even if you turn it off, its not really off.

Re:Wireless security

you proof read that so many times you duplicated it.

Re:Wireless security

Hah. You're stressing over every little thing.

The part that really bothers me though is your turning off guest networks. I've always turned off the automatic kind (NAME OF ROUTER -GUEST NETWORK), but then gone on to set one up as a virtual access point properly on ddwrt. At home and at work I've shared my internet connection with the apartment block across the street, the corrections institute, gay bar, fitness center and mortgage company and any random stranger that passes by. Even the homeless or just plain poor people.

You know what I have learned? People aren't the pieces of shit that people like you think that they are.

  I've never seen a pedophile, or a hacker.I've always monitored network traffic and I do keep logs. I've seen one or two people who look at porn and two fucking rokus. (you can afford netflix and you're using my connection across the street? wtf? sorry about the stutters....durrr) out of hundreds of people I have found most people are pretty endearing and normal. most people look at their facebook, or they ask google personal questions. Like where to find a job, or get a date or how to solve/fix something. or they research stuff.. That's all.

I'm probably giving internet access to some of the people that block my parking spot now that I think about it. *laughs*.

in short, sharing has made things better for those around me and I haven't been harmed by it at all.

captcha: bragged

Re:Wireless security

[Ingenium13]

Many devices don't support VPNs (Chromecast for example), and the ones that do don't usually have openvpn as a built in option. Not to mention the increase in battery usage on mobile devices due to keepalives. This mostly restricts your wireless devices to laptops and select tablets or smartphones. If you really don't trust WPA then just make some LAN resources accessible by VPN only (over WPA), but allow internet access without it. Any sites with sensitive data should be using TLS anyway.

Also, WPA2-Enterprise is pretty secure if you only use TLS auth, not TTLS where you use a username/password combo (too easy for a MITM), but regular TLS auth that uses client certificates. It's less effort to setup than a VPN, and you get VPN level authentication, plus support on a much wider range of devices out of the box. This is what I use, and I have a second SSID that uses WPA2-PSK for the few devices that don't support WPA2-Enterprise.

Re:Wireless security

[LiENUS]

not TTLS where you use a username/password combo (too easy for a MITM)

TTLS properly configured is no easier to MITM than properly configured TLS, you should be using server cert validation with either.

Re: Wireless security

[David+Jao]

The idea is defense in depth. If server cert validation fails for any reason and you're using passwords, the enemy learns all your secrets. With client certs your master secret remains safe even if a single session is compromised.

Re:Wireless security

> - UPnP (a.k.a. let anything open any port to anywhere without authentication)

miniupnpd (the UPnP daemon of choice for every router software I've been able to look at) has a configuration setting that only permits a machine to forwards ports to itself. This configuration setting defaults to "on". This means that a LAN with a running miniupnpd is no less secure than a LAN with a globally-routable IPv6 address allocation.

Additionally, on any non-shit router software (why would you advocate securing your LAN while using shit router software?), admin-specified firewall rules will be processed before UPnP-inserted forwards. This means that if -for example- you decide to disallow port-forwarding for an IP or port range, you can do that, and still keep UPnP on for the rest of your network.

> - WPA/WEP (a.k.a. half-arsed encryption that we never really thought through)

It *was* thought through. There was a subtle bug in the crypto that made it far weaker than expected.

Re:Wireless security

Ignore the hate man, keep doing what you're doing :) I'm the same, XXXX_ST_FREE_WIFI has been up most of the last 3 years, and similar at units before this. I set up an old wireless router and RaspberryPi to provide an isolated network with an internet connection for anyone who wants to stop within range (the bus stop across the road is the main source of traffic).

I have around 6 unique connections a day, and several regulars from the surrounding units or daily commute. I redirect "google.com*" to a local splash page (with the google search page in a frame below) that has a couple lines saying this is my personal connection, feel free to use but I'll shut down any time if I need the bandwidth, or think people are being suss. I highlight that it is essentially a public network, so advise against anything personal / private, so I think people assume they're being watched and stay on their best behaviour anyway :P

I originally started with some strict firewall rules (port 80 / 443 outbound only), but found people just never tried anything else really. I think I've seen a couple dozen POP / IMAP requests which were probably from auto sync, and a couple bittorrent users, but noone's ever tried to even probe at the guest network, let alone look for my (isolated) home network.

I also have a file share that I let people dump to / from which I clear daily, and one that serves a bunch of free software and my local distro mirror. I've _never_ had anyone put anything I disapproved of on there. I've had a couple people dump a movie or music on there, but I've removed and replaced with a note saying that's not what its for (in case they check back). Some others have started chats back and forth with simple text files, most people just posted pics with a thumbs up to say thank you :) (my suggestion in the landing page)

All in all, its been a great experience. I liken it to running a small social media site that's location based, rather than internet facing. I'm thinking of adding a persistent page with a guest book / wall, just to reach out a little more personally.

Like you said, people aren't the pieces of shit people think. Those that are generally have shittier things to do than mess with a random wifi network.

captcha: intercom

Re:Wireless security

lol, I upped my data cap (yes, providing a public connection on a _metered_ plan!) to make sure I wouldn't hit my quota. Cost an extra $15 / month (though I use most of the increase personally), that's the cost of a movie ticket and I'm sure I get 2 hours of entertainment a month checking logs or messing with the setup.

Re:Wireless security

[thegarbz]

Errr right. Your security theory boils down to wireless has no physical barriers so we need to avoid it at all costs regardless of it's benefits?

No thanks. While I agree with some of your sentiment like WPS being a colossal piece of shit and remote admin just being a bad idea:

- UPnP - I am not going to manually configure every internet facing service every time I want to use a piece of software.
- WPA - While WEP is proven weak and breakable, WPA hasn't been broken without some serious conditions (knowing what most of the packet looks like, MITM attacks etc).
- Guest Network - Quite useful, most routers are able to provide QoS and limits, also it's usually a separate logical network so much better than giving someone your WPA key, and why the hell not share it, internet is effectively a commodity!
- Wireless - erm yeah the 90s were definitely not as fun technology wise.

You are right about one thing, I do treat wireless like my internet connection. Feel free to come over and use it. I won't mind.

Re: Wireless security

[LiENUS]

If server cert validation has failed chances are your CA was compromised, in which case the attacker could just generate client certs at will anyway....

Re: Wireless security

[LiENUS]

Actually for that matter wouldnt a compromised server certificate leave you vulnerable to a proxy attack anyway where you would use the compromised server cert to pretend to be the access point communicating with the proper radius server thus giving MITM on TLS or TTLS the same? You might not get the actual client cert on TLS but you would have their traffic all the same.

Re:Wireless security

Do what this guy says. He knows how to internet properly.

Re:Wireless security

[mlts]

The ironic thing is that WPA2-PSK is decently secure. I've not read of any significant breaks, assuming the key is of a decent length.

The problem is that there are shortcuts given (WPS) which make having a solid shared key pointless.

UPnP? Just asking for trouble. If a game has to have ports open, I'll manually open them myself. Otherwise, they should remain closed.

WEP? This shouldn't even be present in any router made in recent years. My HTC Wizard, circa 2006, had an application (before the word "app" was in common use on smartphones) to break WEP-protected Wi-Fi access points.

Open guest networks? No thanks. Guest networks with a WPA2 password that is turned off after a gathering? Possibly.

Remote admin? Nope. If I want this functionality, I'll have some sort of port knocking, a DMZ machine, and SSH with 2FA or via RSA keys to an inside machine to access the router.

MAC locking? Too much trouble than it is worth, especially when you get a new device. It adds little to security, but is a hassle. With a decent, 63 character, passphrase for the WEP key, assuming no device gets compromised, that will provide decent security, as far as I know.

DHCP is probably the only service I bother enabling because so many devices don't have the option for a static IP, or if configured, they can't be used on another SSID unless one manually flips the config back to dynamic IP addresses.

What would be nice would be a cross between WPA2-Enterprise and WPA2-PSK. This way, each device can have its own preshared key, without needing the complexity of RADIUS. Done right, the key can be shared to the device by typing it in, snapping a QR code, or many other ways, and if one device is sold, no need to change the key and have to reconfigure all the wireless devices on the segment.

Re: Wireless security

[David+Jao]

Having all their traffic to and from one server is not as devastating an attack as having their password. For one thing, users tend to re-use passwords across multiple sites. I'm sure you can think of plenty of other reasons why client certs are at least *slightly* safer than username/passwords.

Re:Wireless security

[tlhIngan]

Well, it's to make life simpler for users.

WPS - the alternative to this for "regular users" is no security. Great for those who need a hotspot in a hurry, not so great in general. Instead, all users need to is hit a button and enter a code.and they have encrypted WiFi working. It's just like TouchID on the iPhone - Apple realized people should use passcodes for security, but many don't because it's )@*#&%*(@ annoying to enter it (especially if you have "complex passcodes" on) 1,000 times a day.

WPA is still good, as long as you're using AES. TKIP is worthless, but that was designed for a time when WiFi chips had WEP accelerators and TKIP took advantage of that. These days everyone has AES accelerators and guess what? There have been no attacks on those running WPA-AES. And there is VERY little difference between WPA and WPA2 running in AES mode.

Guest networks - they're not open hotspots. You can lock them down as much as you want. But they allow you to have guests over and give them WiFi without letting them all over your network. You know, perhaps you have friends over and they want WiFi. You can be the crappy friend who doesn't let anyone on WiFi (use your data plan!) or just give them access to your guest network and know traffic is isolated.

Very useful if you have siblings who are less than technically skilled and come from from college with laptops loaded with spyware, worms, trojans and other nasties designed to infect other PCs. Well, give Sis guest access and keep your network safe. OR use that network while you're cleaning the crap off it.

Re:Wireless security

[Opportunist]

I take it a step further, I buy appliances with exactly the feature set that I need. I admit it gets harder and harder. The usual dialogue in the store:

"I want to buy a $device without $feature"
"Sir, we'd have $device here, you can disable $feature in it"
"Where? I don't see the switch to turn it off."
"You can disable it in the configuration"
"So... I can turn it off in the config and anyone who can get into the configuration page of the device can turn it back on?"
"Umm... yeah, but you'd be the only one who can"
"Says who?"
"You need a password to access it"
"Want to bet that I do?"

Chances are that I have an exploit for the device in question ready. It's kinda scary what amount of information you can get as part of a CERT. There is virtually no router/ap in existence that is actually bulletproof (and no, price is BY NO STRETCH any way to measure security here), with no exploits and no leaks that allow an attacker access to some, or maybe even all, of its functions.

At the same time, featuritis creeps into our appliances. Everything needs to have all sort of "features", whether they make any sense or whether they don't. I can see where that comes from, on one hand it doesn't really cost anything extra to give the router UPnP capability, on the other hand it's something you can write on the feature card. And that card is what the clueless home user takes to pick his router. "This one has 5 features, that other one has 7, they cost the same, I take the one with 7 features". Does he need them? Heck, he doesn't even know what those features are!

It's ok if the device has a hardware switch that turns such features off. Of course only if that "turn off" really means that the switch enables and disables the power flow to the key component for the feature, not that this switch sends a signal to the CPU that the user wants to disable something. That's easy to ignore.

But of course, that would cost a few cents. So you won't find it on too many devices...

Re:Wireless security

Let me get this straight: you refuse to buy a wireless router with WPS that can be disabled in the administration console for the router because if someone pwns your router administration console they might be able to turn WPS back on?

Really? I bet you also refuse to use ATM cards because if someone stole your identity, got issued a fake driver's license, stole all your passwords, etc, they might be able to contact the bank and change your PIN!

Re:Wireless security

[Ingenium13]

I've actually found that a lot of devices just ignore an invalid (ie not from a trusted CA) certificate for this. Android in particular will happily continue with no prompt to the user that the cert is not trusted. I even had it somehow forget the CA that I specified with the network credentials. I'm not 100% certain on this, but I vaguely remember having an issue with Network Manager also not validating the server certificate with TTLS.

It's just too risky where a device could decide either for "convenience" or incompetence not to notify about an invalid server certificate and go on to divulge that device's login credentials to the MITM. Or a user not configuring a device properly. I don't have to worry about that with regular TLS, it's enforced on the server and if it's invalid it won't connect, period.

Re:Wireless security

It probably depends on the location. I wouldn't recommend doing that in the vicinity of a railway station or some other place with a lot of out-of-area people passing through (places that would also attract "real world" crime.) Anyways, kudos for sticking your head out.

Re:Wireless security

[sjames]

How many hours of your time do you waste in a week trying to hunt down people you figure owe you $0.01 for the time you spent exchanging nods in the elevator?

Re:Wireless security

Buy enterprise quality (for example Cisco) hardware if you are that worried.

Re:Wireless security

[tepples]

If I want [remote administration] functionality, I'll have some sort of port knocking, a DMZ machine, and SSH with 2FA or via RSA keys to an inside machine to access the router.

That's a lot of electric power to waste on leaving two computers on 24/7 just so that you can troubleshoot problems with a router belonging to a not-so-technically-inclined relative who lives far from you.

Re:Wireless security

- networking (a.k.a. allow another computer to snoop into my hardware and software): turned off on every computer I ever used, since day one of installation.

Re:Wireless security

[mjwalshe]

if I want remote admin ill use a proper cisco router with an out of band modem with call back thank you very much

Re:Wireless security

Would you share the technical details of what you do? For example, how do you handle file sharing. I want to do the same.

Re:Wireless security

- WPA/WEP (a.k.a. half-arsed encryption that we never really thought through): turned off on every router I've ever used, since day one of installation.

You mean there wasn't a time before wpa2/aes? Le gasp! How could I have been so foolish to use only what was available at the time. As soon as I saw the error of my ways, and when technology had advanced to allow it, I did upgrade!

Please forgive me for being so far beneath you.

Re:Wireless security

[ledow]

No.

I didn't personally use Wifi until it had been in place, with an encryption system that had proven itself, for a number of years before I trusted my networks and data to it.

WEP was broken, so I reset the clock. WPA was compromised so I reset the clock. It was only WPA2 that has proved difficult to "simplify" the problem by using real, proven encryption schemes rather than making-one-up-as-we-go-along.

Common bloody sense.

Re: Wireless security

[LiENUS]

Aha, so you missed the original quote, i'll try bolding the relevant parts this time.

Also, WPA2-Enterprise is pretty secure if you only use TLS auth, not TTLS where you use a username/password combo (too easy for a MITM)

I was specifically replying to that part, as TLS and TTLS both have the same degree of mitm vulnerability with properly configured clients.
If the server cert fails in TLS or TTLS then MITM is a possibility, you dont need the username/password or client cert to mitm a TLS connection, just the server cert.

Re: Wireless security

[David+Jao]

If you're using client certificates for authentication, and an attacker obtains the server cert, then the attacker can successfully fool you into thinking that you have connected to the real server, but the attacker cannot successfully fool the real server into thinking that you have connected to it. This kind of "half-MITM" attack is not usually thought of as a full MITM. The authentication protocol uses a challenge/response protocol which incorporates ephemeral keys and hence is not portable even between two entities both holding the same server cert. That is, if A and B both have the server cert, and A challenges C, and B obtains C's response to A's challenge, B cannot then impersonate C to A, since B does not know either C or A's ephemeral DH keys. Even if the attacker just blindly proxies between the real server and the real client, it won't work; in this case the communication would just be a real connection that the attacker can't decrypt or alter in any way thanks to forward secrecy.

Re:Wireless security

[deroby]

Although I think you severely overestimate the value of your pr0n-collection, I'd simply would like to point out that while you were spending all your time securing your networks and data it seems your homepage was reduced to 404's... which in a way is more secure too off course.

Re:Wireless security

[Jack+Griffin]

But you don't get it, you're supposed to be afraid so that you feel better about buying whatever product the fear-mongers are selling. I have open Wi-Fi too. For fun I monitored it to see who was connecting and what type of traffic I'd get, but after a month or so I gave up because no-one connected to it. Even years later I've never gone over my quota so what do I care if someone gets some free internet?

Re:Wireless security

[antdude]

Or better, don't use wireless at all!

Re:Wireless security

Your a bit over-paranoid I must say, and I have been actively studying security for 10+ years...

WPA: Put a 63-character random password and not even a super computer would be getting into that.

Guest Network: If you have company over, why not let them connect with a password that will not compromise your main networked computers and can be changed easily after they are finished using it.

One thing that truly is over-looked about sharing is the fact that airwaves are limited. Too much wifi use will cause connection trouble no matter how fast your connection to your ISP actually is, there is the RF bottleneck that can be what limits your connection speeds. But then again, you can always set a guest network to operate on a different channel and with some routers you can set Quality Of Service or limitations on maximum transfer speeds.

As far as VPN's; there is impact without a doubt, it is an increased ping time by having to make additional hops on it's way out over the internet. For gaming, this can be a killer. For HD movies, this may appear to have no difference, maybe a half a second longer before it starts to load up.

Re:Wireless security

[ledow]

Sorry, but maybe it would pay to Google things and keep on security news sites occasionally. Sure, I'm a home user for the most part, my home connections aren't liable to be attacked.

But WPA-TKIP is fatally flawed and allows - while not password revelation - replay-attacks that allow packet injection and all kinds of other nasties. Some of this has been known about since 2008. Some of this is because WPA still uses the RC4 stream cipher (which is dead nowadays) in some situations too, whereas WPA2 uses AES.

Services such as CloudCracker also mean that anything not already a seriously complex passphrase is only a couple of hundred dollars away from complete compromise - and NOBODY at home has a passphrase that complex, as you normally have to give it to people (yourself included!).

WPA / TKIP are thus dead. WPA2 / AES have measures against such things. And WPA2 hardware is old-hat now and it's been available for years. There's no excuse to still be lingering on WPA, and WEP is just asking for it - it's actually quicker to crack WEP even casually than it is to piss about asking people for their passphrase (have done it to several friends who told me they were "secure"). WPA's life is, to put it bluntly, limited at best.

Guest network - I have no need of one. I certainly have no need of one I have to turn on and off all the time. So it stays off. With modern 3G, the chances of anyone wanting to join your wireless are entirely minimal, but a lot of home routers that offer guest Wifi have associated vulnerabilities or are commercial services I have no desire to offer (BT-FON etc.).

And there are three channels on 802.11g. Three. Ignore the 13 that you might claim to be given on the router config, they overlap. And, thus, chances are that in any suburban environment, you are already picking up a ton of other networks that overlap yours. Kill off the guest networks, whatever the channel, or move to 5GHz (which is still pretty dead, but liable to get a lot busier over time).

And I VPN all my wireless. The extraneous ping is 1ms on normal hardware (and, no, I don't have particularly high-end equipment on the VPN side - usually some old crappy desktop running Linux). You can test this quite simply with even the simplest ping to Google using the Linux tools that will show sub-ms pings as proper floats. VPN costs are extremely minimal. Gaming is NOT affected any more than anything else. In fact, bulk download/uploads are liable to have more of a delay than tiny regular packets.

need a job.

rubbish.
we want cheap devices ..like printers. if we can talk to them via tcp/ip or even wifi this is agood thing(tm).
in my case the printer was tcp/ip AND wifi but no display/menu to speak of.
the one with a display would have printed the same quality but would have cost more.
so how the swiss cheese was i to setup the printer via wifi if i could not access it to setup the passphrase and ip address etc.etc?
wifi protected setup to the rescue.
once it was paired to the router automagically i could access the printer via its built-in website to set all the details and then DISABLE the protected wifi again ...

Re:need a job.

Why should the rest give up basic security in our networks just so you can avoid reading the manual? the passphrase ands/or ip information required to connect is printed is there, hell its probably even on a label on the AP itself. But yeah, the lowest common denominators like you always drag us down. Also want a second handle on the door to override the locked one? sure sounds convenient.

Re: need a job.

Instead of blaming the non savy end user perhaps smart ass(es) people like yourself could design these things so they are secure and able to be operated by any person who knows how to turn on a computer. All they require it to do is give them easy access to the internet.

A smart person (ass?) Like yourself should be able to handle writing the code for such a device right? Right??

Re: need a job.

Compared to the functionality that modern computers have, they are incredibly easy to use. However, the gap between the know-how which an average user has and the know-how which is required to properly use a computer is not shrinking, no matter how simple we make user interfaces. That only results in users learning less about their computers. I know people who would gladly pay me to press WPS buttons for them. I get called to "fix" audio systems where someone connected inputs to inputs (the plug fits, so...). Until we have Do-What-I-Mean buttons that are always-on, computer users' aptitude will remain insufficient.

Re: need a job.

sure i know the aps name and passphrase but how do i teach/tell it to a wifi printer? it has no menu and display where i can navigate around to emter the values.
the only was is to use a more expensive printer with a display menu or with wps.

Re:need a job.

WTF? How can you configure it without a display? Easy, out of the box it has a certain IP address. You configure a laptop for the same subnet and connect to its configuration page. I've done it dozens of times and just did it yesterday with a ethernet to wifi bridge.

Consumers harder than technical design

I still marvel that Broadcom designs everything about the router, and could, with a little bit extra work, have Foxconn manufacture millions of working routers.

I guess that knowing which features consumers will pay for, the cosmetic design of the router, the web UI, and customer warranties is a very big deal. I still marvel that it is more difficult to do that, than design the actual product.

Re:A "nonce"? WTF?

[plover]

In cryptography, it means a number that is only used once -- n-once. However, it is actually the wrong word to use here, as a cryptographic seed's most important attribute is unpredictability.

This is old news.

Reaver has been around for a long time. It makes exploiting this trivial.

Re:This is old news.

Wrong.
Reaver is simply a on-line bruteforce, and is in fact mentioned explicitly in TFA.
This is a new attack exploiting the fact that in certain implementations, the "random" ephemeral key used to encrypt the pin halves comes from a weak PRNG with guessable state.

protection?

well, you can always use Huawei routers, they are too cheap to follow standards (a.k.a. be vulnerable to wps)

WiFi intrusion

What is the big deal, if I lose anything on my computer all I need to do is contact the NSA for a copy of my hard drive.

Someone got paid off

[Nyder]

...a manufacturer to be named once they get around to fixing it...

Someone got paid off not to name the manufacture. Doing a great injustice to their customers by not letting them know their routers can easily be compromised.

Sure, maybe not letting the criminals know which manufacture might seem like a smart idea, but in the same process, they don't need to know, they can just start checking them all. Your customers aren't safe that way. At least if you tell them there is a problem, they can use secondary measures, like turning off their router when they aren't using it. Maybe change their password every hour or so, or maybe pay attention to anything connecting to it. At least that way you can do something about it.

Going to boycott which ever manufacture that is because they don't have my security in mind when they do stuff like this.

Re:Someone got paid off

[roady]

Nobody got paid. We call this responsible disclosure. Only thing is the Broadcom flaw was found before the second flaw and so they has a heads up.

  http://en.wikipedia.org/wiki/R...

Re:Someone got paid off

[Antique+Geekmeister]

It can also protect profits to make sure that the announcement of the vulnerability smears all vendors and thus includes your competitors tools, not merely your own company's flawed products. This is called "sponsoring more research before publication". I'm afraid that it's a noticeable source of funding for security researchers, and can also buy valuable time to sell off as much of the flawed inventory as possible while or until the fix is provided for newer products.

I'm afraid that there are people who think this way, putting their short term corporate sales well before customer safety or product quality. And their ability to preserve profits, and to _hide their failures_, can often lead them to positions of great corporate power.

Re:Someone got paid off

[roady]

So to be crystal clear, are you accusing me of being a liar and having accepted money from a vendor?

Re:Someone got paid off

[Antique+Geekmeister]

>> We call this responsible disclosure.

> are you accusing me of being a liar

I'd not done so. I don't discount responsible disclosure as existing: I'd certainly want to see a zero-day exploit reported to the authors, first, so that they can get a chance to publish a patch before the flaw spreads in the wild, and I _report_ flaws directly to vendors and authors when I encounter them.

I've explained other, more selfish reasons that a vendor or a security researcher might decline to publish full details, reasons that could be and often are hidden behind the explanation of "responsible disclosure". Ignoring such motives would be naive. Vendors can, and do, hide behind rubrics of "responsible disclosure" to avoid the effort, especially significant redesign efforts, to actually fix the problem. Microsoft and CERT are the classic example of this. Microsoft product flaws are reported to CERT and remain undisclosed, for years, under "responsible disclosure" policies that provide little incentive to actually fix the dangerous, longstanding flaws..

I've certainly seen the problem personally when reporting or trying to fix security flaws. Given the length of my career, I've even seen architectural security flaws that have never been fixed because they would force a change in workflow, and that was unacceptable to the vendor or to the users. And I've had numerous business partners I've worked with get upset when I disclosed their security vulnerabilities to their own engineering staff, who'd not reviewed the consequences of their choices or had been deliberately kept out of the loop by their own supervisors.

Your immediate response of "are you accusing me of being a liar" is.... well, it seems based on my thinking that you actually work in security. I'm afraid that based on your apparent naivete, I can't conclude that. The idea that claimed "responsible disclosure" is always just that would be frankly naive.

Re:Someone got paid off

[roady]

I am the guy who did the research in this article actually.

Re:Someone got paid off

[Antique+Geekmeister]

Good for you, then, that you are doing real work in the field. I'll applaud your technical work in discovering and publishing this vulnerability, and I hope you'll feel able to publish more details ASAP{.

As you are actually doing security work I'll urge that you be aware of why and how people might use your practice of genuinely responsible disclosure against their own customers or clients. There often comes a time when you have to make choices about whistle-blowing: exposing the flaws more widely to force change, or to protect potential victims. It can cost you business to do so, as well, which is a real financial incentive not to publish even if no one actually pays you for your silence. I'm afraid that I'm often bound by contracts and NDA's from disclosing security problems even to other departments of the same company: they're not part of the group I'm contractually working with, so I can't notify them directly of the problem.

There are often legal, ethical, business and technical issues that I face regularly that can distort 'responsible disclosure', so I do hope you're more aware of them in the future for your own work.

keep it as your get you jail free card

keep it as your get you jail free card as when you get sued for download and or barking the law just say my router got hacked and I did not do that.

Which routers are affected?

[rsborg]

I know for example that Apple uses broadcom chipsets and supports WPS (through Airport Utility) - are they vulnerable?

A known list of vulnerable routers would be very interesting.

Re:Which routers are affected?

[roady]

Yes, of course, but it's unfortunately very complicated.

1. Showing a router is vulnerable is easy. Proving one is not is hard.

2. Buying and reversing each and every router is mighty expensive.

This sounds like genius-Free Wifi days again?

Develop a router that can be hacked easily, present public with an encryption protocol for plausible deniability. This way no one can get sued by the RIAA if someone uses P2P and downloads music.

You forgot one thing

[dutchwhizzman]

You are trusting your ISP to deliver you a router that has all these things properly configurable and not leave back doors for their own remote admin and whatnot still open. ISPs don't do that, they always leave themselves a backdoor and often are lax in upgrading firmware. If at all possible, let your ISPs router do only the minimal required to let your network connect to the internet and do the rest (firewalling, NAT, WiFi) on your own trusted devices.

Re:You forgot one thing

[ruir]

Trust what? I disabled all the routing and wifi functions of my cable modem, only use the bridging mode and placed there my own.

Re:A "nonce"? WTF?

[roady]

Yeah, the resulting articles are always pretty far away from what you told the reporters. Better look at the slides.

The price of Netflix vs. unbundled broadband

[tepples]

you can afford netflix and you're using my connection across the street? wtf?

Being able to afford Netflix ($120 per year) doesn't always imply being able to afford the inflated prices that cable providers charge for high-speed Internet access without a subscription to multichannel pay TV at the same address (often $700 or more per year).

Choose CGNAT-compatible apps instead of UPnP

[tepples]

UPnP - I am not going to manually configure every internet facing service every time I want to use a piece of software.

In the era of IPv4 address exhaustion and IPv6 foot-dragging, more and more users end up behind carrier-grade NAT. To serve these users, more and more applications are being written to bounce traffic off a server so that the client can get away with making only outbound connections.

Re:Choose CGNAT-compatible apps instead of UPnP

[thegarbz]

That's great from an end user perspective, but then you're advocating applications tied to a specific internet service? I'm surprised you haven't been nodded into oblivion by the trust no corporation crowd on slashdot.

But they definitely have a point. Connectivity between two clients should not depend on a third party server, especially since many of us not only have real IPs but static ones too.

Re:Choose CGNAT-compatible apps instead of UPnP

[tepples]

I guess the reasoning is that people behind a static IP probably don't need UPnP. If you pay extra for a static IP, you're probably doing so because you have more computer networking knowledge than the average user of the WWW, and you can just use your Internet gateway's configuration panel to forward incoming port ranges to particular machines.

Re:Choose CGNAT-compatible apps instead of UPnP

[thegarbz]

The presence of a static IP address (which I get by signing up to the cheapest ISP in the country, not by paying extra) has nothing to do with not wanting to dedicate effort to manage a home network. It is not at all hard to open ports. You don't need to be some technical whiz, and while I am that whiz I have no interest in managing applications in my home network when a perfectly good system allows me to do it.

As far as I am concerned my network is designed to be leaky. Internal applications should have connectivity. UPnP isn't important to me in a world where I would happily grant some computer access to the internet via a dedicated port. The protection comes from the computer's own firewall, the design of the software, and by keeping them malware free which is actually quite an easy task for most people with basic computer knowledge (ok grandma doesn't use my internet).

So if I have a philosophy of granting any application access to the internet when it comes up on my firewall, why should I additionally then go through the pains of having to manually configure a port, and also setup applications to use static ports when there's a perfectly good system that does it automatically. What next, manually build a hosts file of servers I want to access because DNS is susceptible to MITM?

During the days of Nintendo DS online play

[tepples]

WPA/WEP (a.k.a. half-arsed encryption that we never really thought through): turned off on every router I've ever used, since day one of installation.

Was this true even during the days of Nintendo Wi-Fi Connection, when the Nintendo DS couldn't use anything but WEP? Or did you just skip the DS?

Remote administration (a.k.a. let random strangers on the Internet sit and brute-force your passwords with no way to tell it's happening): turned off on every router I've ever used, since day one of installation.

So when you're setting up a home network for a relative who lives far away and is not technically inclined, and you have to troubleshoot it, do you make plans to get on an airplane whenever something goes wrong?

Seriously. There's zero impact on always VPN'ing over your wireless connection to a machine that has a fixed line to your actual Internet connection.

Except on machines that do not support OpenVPN, such as a video game console.

Wi-Fi Protected Setup

Doesn't somebody need to press a button on the front of the router to begin the Wi-Fi Protected setup process? So the attack cannot happen until the setup is in session? What is the issue? Or am I missing something?

Re:Wi-Fi Protected Setup

[roady]

Pin Code and Push Button are two separate WPS modes.

co-worker had an MP3 file allegedly attack the net

[nuctm]

Is this even possible??