New WiFi Setup Flaw Allows Easy Router PIN Guessing

Trailrunner7 writes "There is a newly discovered vulnerability in the WiFi Protected Setup standard that reduces the number of attempts it would take an attacker to brute-force the PIN for a wireless router's setup process. The flaw results in too much information about the PIN being returned to an attacker and makes the PIN quite weak, affecting the security of millions of WiFi routers and access points. Security researcher Stefan Viehbock discovered the vulnerability (PDF) and reported it to US-CERT. The problem affects a number of vendors' products, including D-Link, Netgear, Linksys and Buffalo. 'I noticed a few really bad design decisions which enable an efficient brute force attack, thus effectively breaking the security of pretty much all WPS-enabled Wi-Fi routers. As all of the more recent router models come with WPS enabled by default, this affects millions of devices worldwide,' Viehbock said."
  • by Anonymous Coward on Tuesday December 27, 2011 @08:03PM (#38509206)
    I've never trusted the WiFi protected setup scheme because if it seems too easy to be secure, well then it probably is. If you don't use Tomato or DD-WRT on your router you obviously don't really care about security anyway so who cares? The OOB ROMs on most consumer routers are full of more holes than a breadboard.
  • Does it matter? (Score:3, Interesting)

    by wbr1 ( 2538558 ) on Tuesday December 27, 2011 @08:05PM (#38509218)
    Since most people (home consumers) can't be bothered to change a default name/password/ssid on the damn things anyway, about 80% or more are unsecure as it is. If you want a secure connection, don't use the air, use a wire, and better yet, make sure you own and monitor its entire length.
  • Re:Nothing new (Score:4, Interesting)

    by gadzook33 ( 740455 ) on Tuesday December 27, 2011 @09:22PM (#38510002)
    I guess. Except that shouldn't be (isn't?) true. Is the default mode I use SSL in bad? Is Amazon's security bad?

    I just can't believe how incredibly poor this implementation was. For that matter, I can't believe no one noticed it up until now. This just seems like security 101 stuff. If nothing else it shouldn't have passed the you-don't-get-something-for-nothing common sense check.
  • I use OpenWRT on my private router. As can be said of ALL default installed software: SCREW the firmware that comes with the routers.

    It's just like my Laptop, Servers, Workstations, and Phone: If I can't install MY OS on it, it's not worth any of my time. If I haven't installed my OS on it, I DON'T USE IT.

    That "easy setup" button on my router now gives me a minimal window of time during which I can SSH in to the router itself -- I have to be connected to the router already to do so over Ethernet or WPA2 w/ AES.

    If you don't know how to drive GET THE HELL OUT from behind the steering wheel! The same can be said for networks, security, computers in general. If you can't configure your network, get someone who can to do so. Otherwise, expect to lose control and have a horrible accident when you brake instead of clutch, or WPS or WEP instead of WPA PSK w/ custom firmware.

  • Re:Does it matter? (Score:4, Interesting)

    by LordLimecat ( 1103839 ) on Wednesday December 28, 2011 @01:52AM (#38512006)

    WPA2-PSK is, I would argue, more secure than bog-standard wired ethernet. Wired ethernet is trivial to tap with a laptop with a USB-ethernet port bridged to its internal NIC. It's also possible to tap by simply capturing the EM emissions from the line. ARP poisoning could also trivially reveal plaintext passwords, and what sites you visit.

    With properly set up wifi, on the other hand, every communication is encrypted, HTTPS or not. I'm not sure as I've never tried, but I do not believe that you can arp-poison a wifi connection that has been secured with WPA2.

    Of course you can throw in IPsec, but you can do that regardless of the physical layer involved.
