Slashdot Mirror


Wi-Fi Router Attack Only Requires a Single PIN Guess

An anonymous reader writes: New research shows that wireless routers are still quite vulnerable to attack if they don't use a good implementation of Wi-Fi Protected Setup. Bad implementations do a poor job of randomizing the key used to authenticate hardware PINs. Because of this, the new attack only requires a single guess at the hardware PIN to collect data necessary to break it. After a few hours to process the data, an attacker can access the router's WPS functionality. Two major router manufacturers are affected: Broadcom, and a manufacturer to be named once they get around to fixing it. "Because many router manufacturers use the reference software implementation as the basis for their customized router software, the problems affected the final products, Bongard said. Broadcom's reference implementation had poor randomization, while the second vendor used a special seed, or nonce, of zero, essentially eliminating any randomness."


  1. WPS shouldn't be used anyways... (First!) by ComputersKai · · Score: 2

    WiFi Protected Setup shouldn't be used anyways for security, especially since its problems have already been mentioned many times already in quite a few articles.

    1. Re:WPS shouldn't be used anyways... (First!) by afaiktoit · · Score: 2

      And the ones you think you're turning it off, it really isn't.

  2. Wireless security by ledow · · Score: 5, Informative

    Is it just me that hates shit on my router?

    - WPS (a.k.a. turn your massive password into a four-digit number): turned off on every router I've ever used, since day one of installation.

    - UPnP (a.k.a. let anything open any port to anywhere without authentication): turned off on every router I've ever used, since day one of installation.

    - WPA/WEP (a.k.a. half-arsed encryption that we never really thought through): turned off on every router I've ever used, since day one of installation.

    - Guest networks (a.k.a. let random strangers use your Internet connection without you knowing): turned off on every router I've ever used, since day one of installation.

    - Remote administration (a.k.a. let random strangers on the Internet sit and brute-force your passwords with no way to tell it's happening): turned off on every router I've ever used, since day one of installation.

    And, in fact, on anything BUT my actual wireless router of choice (e.g. any Internet router supplied by my ISP):

    - wireless (a.k.a. give people another way into my network and hinder all my other - wanted - wifi connections by flooding the airwaves): turned off on every router I've ever used, since day one of installation.

    Seriously, people, just turn this shit off. And layer VPN over the top of it, if you can. Seriously. There's zero impact on always VPN'ing over your wireless connection to a machine that has a fixed line to your actual Internet connection. Then even if WPA2 is broken, you're still secure. And yes, you can game. I've done it with OpenVPN over my wireless for years - for EVERY packet - that goes over the wireless.

    Wireless is the leaky, draughty hole of your network. Seal that fucker up and treat it like an Internet connection, even to your local network.

    1. Re:Wireless security by arbiter1 · · Score: 5, Informative

      Sadly, some routers, even if you turn it off, it's not really off.

    2. Re:Wireless security by Anonymous Coward · · Score: 5, Interesting

      Hah. You're stressing over every little thing.

      The part that really bothers me though is your turning off guest networks. I've always turned off the automatic kind (NAME OF ROUTER -GUEST NETWORK), but then gone on to set one up as a virtual access point properly on ddwrt. At home and at work I've shared my internet connection with the apartment block across the street, the corrections institute, gay bar, fitness center and mortgage company and any random stranger that passes by. Even the homeless or just plain poor people.

      You know what I have learned? People aren't the pieces of shit that people like you think that they are.

      I've never seen a pedophile, or a hacker. I've always monitored network traffic and I do keep logs. I've seen one or two people who look at porn and two fucking Rokus. (you can afford netflix and you're using my connection across the street? wtf? sorry about the stutters....durrr) Out of hundreds of people I have found most people are pretty endearing and normal. Most people look at their Facebook, or they ask Google personal questions. Like where to find a job, or get a date or how to solve/fix something. Or they research stuff. That's all.

      I'm probably giving internet access to some of the people that block my parking spot now that I think about it. *laughs*.

      In short, sharing has made things better for those around me and I haven't been harmed by it at all.

      captcha: bragged

    3. Re:Wireless security by Anonymous Coward · · Score: 5, Interesting

      Ignore the hate man, keep doing what you're doing :) I'm the same, XXXX_ST_FREE_WIFI has been up most of the last 3 years, and similar at units before this. I set up an old wireless router and RaspberryPi to provide an isolated network with an internet connection for anyone who wants to stop within range (the bus stop across the road is the main source of traffic).

      I have around 6 unique connections a day, and several regulars from the surrounding units or daily commute. I redirect "google.com*" to a local splash page (with the google search page in a frame below) that has a couple lines saying this is my personal connection, feel free to use but I'll shut down any time if I need the bandwidth, or think people are being suss. I highlight that it is essentially a public network, so advise against anything personal / private, so I think people assume they're being watched and stay on their best behaviour anyway :P

      I originally started with some strict firewall rules (port 80 / 443 outbound only), but found people just never tried anything else really. I think I've seen a couple dozen POP / IMAP requests which were probably from auto sync, and a couple bittorrent users, but no one's ever tried to even probe at the guest network, let alone look for my (isolated) home network.

      I also have a file share that I let people dump to / from which I clear daily, and one that serves a bunch of free software and my local distro mirror. I've _never_ had anyone put anything I disapproved of on there. I've had a couple people dump a movie or music on there, but I've removed and replaced with a note saying that's not what it's for (in case they check back). Some others have started chats back and forth with simple text files, most people just posted pics with a thumbs up to say thank you :) (my suggestion in the landing page)

      All in all, it's been a great experience. I liken it to running a small social media site that's location based, rather than internet facing. I'm thinking of adding a persistent page with a guest book / wall, just to reach out a little more personally.

      Like you said, people aren't the pieces of shit people think. Those that are generally have shittier things to do than mess with a random wifi network.

      captcha: intercom

    4. Re:Wireless security by tlhIngan · · Score: 2

      Well, it's to make life simpler for users.

      WPS - the alternative to this for "regular users" is no security. Great for those who need a hotspot in a hurry, not so great in general. Instead, all users need to do is hit a button and enter a code and they have encrypted WiFi working. It's just like TouchID on the iPhone - Apple realized people should use passcodes for security, but many don't because it's )@*#&%*(@ annoying to enter it (especially if you have "complex passcodes" on) 1,000 times a day.

      WPA is still good, as long as you're using AES. TKIP is worthless, but that was designed for a time when WiFi chips had WEP accelerators and TKIP took advantage of that. These days everyone has AES accelerators and guess what? There have been no attacks on those running WPA-AES. And there is VERY little difference between WPA and WPA2 running in AES mode.

      Guest networks - they're not open hotspots. You can lock them down as much as you want. But they allow you to have guests over and give them WiFi without letting them all over your network. You know, perhaps you have friends over and they want WiFi. You can be the crappy friend who doesn't let anyone on WiFi (use your data plan!) or just give them access to your guest network and know traffic is isolated.

      Very useful if you have siblings who are less than technically skilled and come from college with laptops loaded with spyware, worms, trojans and other nasties designed to infect other PCs. Well, give Sis guest access and keep your network safe. OR use that network while you're cleaning the crap off it.

    5. Re:Wireless security by Anonymous Coward · · Score: 5, Funny

      Let me get this straight: you refuse to buy a wireless router with WPS that can be disabled in the administration console for the router because if someone pwns your router administration console they might be able to turn WPS back on?

      Really? I bet you also refuse to use ATM cards because if someone stole your identity, got issued a fake driver's license, stole all your passwords, etc, they might be able to contact the bank and change your PIN!

    6. Re:Wireless security by sjames · · Score: 2

      How many hours of your time do you waste in a week trying to hunt down people you figure owe you $0.01 for the time you spent exchanging nods in the elevator?

  3. Re:Someone got paid off by roady · · Score: 2

    Nobody got paid. We call this responsible disclosure. Only thing is the Broadcom flaw was found before the second flaw and so they had a heads up.

      http://en.wikipedia.org/wiki/R...

  4. Re:Someone got paid off by Antique Geekmeister · · Score: 2

    It can also protect profits to make sure that the announcement of the vulnerability smears all vendors and thus includes your competitors' tools, not merely your own company's flawed products. This is called "sponsoring more research before publication". I'm afraid that it's a noticeable source of funding for security researchers, and can also buy valuable time to sell off as much of the flawed inventory as possible while or until the fix is provided for newer products.

    I'm afraid that there are people who think this way, putting their short term corporate sales well before customer safety or product quality. And their ability to preserve profits, and to _hide their failures_, can often lead them to positions of great corporate power.

  5. The price of Netflix vs. unbundled broadband by tepples · · Score: 3, Insightful

    you can afford netflix and you're using my connection across the street? wtf?

    Being able to afford Netflix ($120 per year) doesn't always imply being able to afford the inflated prices that cable providers charge for high-speed Internet access without a subscription to multichannel pay TV at the same address (often $700 or more per year).