
Attack Tool Released For WPS Setup Flaw

Posted by samzenpus
from the choose-your-weapon dept.
Trailrunner7 writes "Just a day after security researcher Stefan Viehbock released details of a vulnerability in the WiFi Protected Setup (WPS) standard that enables attackers to recover the router PIN, a security firm has published an open-source tool capable of exploiting the vulnerability. The tool, known as Reaver, has the ability to find the WPS PIN on a given router and then recover the WPA passphrase for the router, as well. Tactical Network Solutions has released the tool as an open-source project on Google Code, but also is selling a more advanced commercial version."
  • WTF is WPS? (Score:5, Insightful)

    by Anonymous Coward on Friday December 30, 2011 @06:15AM (#38536750)

    Oh, I see. It's a tool for retards.

    Seriously, if you can't admin your router and at least set up a WPA2 protected network without resorting to some sort of giant "easy button", then you have absolutely no right to complain when someone breaks into your network and does whatever it is script kiddies do these days.

    This dumbing down of consumer electronics needs to stop. Dilbert said something to the effect of "If you idiot proof something, someone invents a better idiot" (Scott Adams may not have come up with that quote, but that's where I first read it). Therefore, by trying to produce equipment that targets the stupidest of the stupid, we're only dooming everyone to greater depths of stupidity.

    It will not end until we literally take a stand against stupidity- draw a line in the sand, and say "If you can't comprehend this stuff, you don't deserve to use it". This "black box" user thing has gone too far. Especially when I read about retarded things like WPS that serve no useful purpose other than to let idiots use gear that they would not normally be able to- either because the manufacturer fucked up the design and turned it into some obfuscated piece of crap, or because the user simply has no desire to understand things that must surely seem magical to them.

    -AC

    • Re:WTF is WPS? (Score:5, Informative)

      by errandum (2014454) on Friday December 30, 2011 @06:29AM (#38536798)

      The problem is not the need for the giant button, it's that it is on by default in some routers.

      I own a D-Link and I did set up everything by hand, but since I didn't want to use this, I simply didn't touch the option - assuming that, by default, this would be off.

      I was wrong, and corrected that, but I wonder how many of those people that use the setup wizard know enough to even get to the advanced features, much less turning this off because it is a security risk.

      • Re:WTF is WPS? (Score:5, Insightful)

        by h00manist (800926) on Friday December 30, 2011 @07:11AM (#38536926) Journal

        much less turning this off because it is a security risk.

        ...but it's a security *feature*! See it's called "wifi protected setup". No way I'm disabling that, and then what, my wifi setup won't be protected? Are you kidding me? These hacker guys are trying to fool you into turning it off!

        • Re:WTF is WPS? (Score:5, Informative)

          by kbolino (920292) on Friday December 30, 2011 @08:53AM (#38537222)

          I've been using and administering Windows since the 3.0 days, and not only do I leave UAC on, but I turn it up to the highest level (7 has variable levels, where the highest level corresponds to the only one available on Vista). I agree it can be a nuisance, and 95% of the time I just click through it (knowing what I did beforehand to trigger it). But every once in a while, it pops up when I know it shouldn't, and that tells me right away that something is doing something it's not supposed to be doing. Not only that, but I can decline to allow it to continue, which to me is UAC's most useful property: the ability to say no. Then it's much easier to locate the problem and remove it. I practice safe browsing and safe e-mail reading as much as possible, and I have a router with a drop-all-unknown-packets (ghost? stealth?) firewall, but I know that I'm not perfect--and neither are the other people who use the computers. YMMV but I've found it to be one of the best improvements over Windows XP.

          • by kbolino (920292)

            Dammit, meant to reply to post above.

          • by AJH16 (940784)

            There is one thing I don't understand why they don't do. Why not store a hash of an executable and allow storage of the approval? If the same program, in an unaltered state wants to run again later, it should be allowed to without prompting. (If the user chose to approve it for future use.) Personally, I'm willing to use it even if I have to click every time, but this would be more convenient without noticeably impacting security. (Technically there are executable stuffing approaches that could match t

            • by SQLGuru (980662)

              The main reason you don't want auto-re-auth is that you don't want those pre-authorized programs to become attack vectors of any sort......annoying, but for your own safety.

              And I take it one more level.....I have an Admin account and a Limited account (not the actual account names). I use the Limited account, so when UAC pops up, I can't just click "yes"....I have to actually type my Admin password. I've done the same with every other computer I've set up for friends and family.

              • Same here. I've configured an Admin PW with a standard/limited user account for day2day ops. Works fine as the only time I really need admin access is installing/removing software or changing a critical system setting.

                Another thing I've done is enabled DEP for all apps except those I've been forced to exclude such as the only game I've had to exclude (Call To Power 2). I haven't seen any issues from any program written for XP-SP2 or later as DEP was introduced then. It's just one more layer of security.

              • by AJH16 (940784)

                Not that that is a bad approach, but if something manages to compromise the integrity of the UAC screen to be able to click the approve button, couldn't it also then compromise the integrity of the password entry and log your password off of a legitimate authentication? It is still another hurdle to overcome, but I'm not sure that it is significantly more of a hurdle than managing to somehow interface with the accept button to bypass UAC.

              • by AJH16 (940784)

                Sorry for two posts, but also, how would they become an attack vector. That's the point of having a hash. If you could compromise the system, then sure it would be a viable vector, but if you can do that, why not simply have your malware sit waiting for you to launch the app and when the app launches, exploit your legitimate authorization? It might delay the exploit, but wouldn't prevent it from eventually occurring. It just slows it down a little. Granted in a small number of cases, that might make a

            • by AmiMoJo (196126)

              It is a security feature. If the app is not in a protected storage area (such as the Program Files directory) it is vulnerable to being modified by other apps. Hashing the executable won't help because chances are the first thing it does is open some DLLs and trusted data files, any of which could be modified too.

              • by AJH16 (940784)

                That's a fair point, though wouldn't that really still be a problem with UAC? If the application is a known good executable that can be compromised, by altering a library, then when someone legitimately uses it, it would still be compromised. If you are worried about automatic exploits that would compromise and then self launch, I suppose those would be a concern, though you could also probably check hash values from anything getting loaded in to a privileged state (program and dll at least). It would sti

                • by AmiMoJo (196126)

                  If the application is a known good executable that can be compromised, by altering a library, then when someone legitimately uses it, it would still be compromised.

                  Only if the library can be modified. The point is that programs installed in Program Files normally only use DLLs that are either in their own Program Files subfolder or the Windows directory, both of which are protected. Some stupid apps will load DLLs from other locations (usually plug-ins) but really they shouldn't do that.

                  • by AJH16 (940784)

                    Perhaps I misunderstood your original post then. You mentioned that a hash of the executable wouldn't help because it opens some dlls or trusted data files, but for those files to be an issue, they must be able to be modified without elevated privileges which would mean that you are compromised as soon as you legitimately launch the app the next time. In fact, if you were to store hashes of the files, it would offer additional protection as such tampering would be detected and a prompt would be given. If

                    • by AmiMoJo (196126)

                      There are three problems with what you suggest.

                      1) How do you know which files you need to hash? Many apps have hundreds or even thousands of files in their program directories. Do you want to check the hash of every single one every time the app opens? That wouldn't protect you against an attacker simply waiting for the hash check to complete and the main executable to load and then modifying some of the DLL/data files, which again you would have to waste resources trying to detect and then potentially have

            • They do this with GPOs. You can set paths where program execution is permitted / denied (denied on desktop and downloads, allowed in %programfiles%), and can even use hash-thumbprints to identify whitelisted apps.

              I've never used the thumbprint feature, but I have seen a sneaky virus use it.

              • by AJH16 (940784)

                Hmm, I'll have to look in to that, I don't mind the risks of certain apps having attack vectors utilize them if I use them frequently anyway (since it could compromise and simply wait for me to launch anyway).

            • Sorry for double reply: to answer your question, imagine the situation where you are installing an Explorer extension which loads a DLL or some such. Explorer UAC prompt goes off, you authorize it. Later, you get a nasty virus that tries to alter the Explorer process, and then from that process initiate some file changes. The wrong thing to do would be for UAC to see explorer.exe, technically unmodified on disk, requesting changes and being pre-authorized. The right thing to do, as with sudo / su, is to

              • by AJH16 (940784)

                It would have to check hashes on everything being loaded in to execution and maybe even memory, not just the original EXE. Sorry if I was overly simplistic in my original explanation. I can see how it might reduce security slightly, but I think the majority of what UAC is designed to do would still be preserved.

                • what about command options passed to a cmd.exe shell?

                  What you consider to be a "minor reduction in security" would be the one and only hole exploiters would care about to bypass it.

                  • by AJH16 (940784)

                    Make the command line parameters used for calling part of the hash then, perhaps part of the salt of it. My argument is simply that if you can be reasonably certain that the activity being performed is the same (exactly) as an action done in the past that was permitted, then it is likely still permitted (if the user chose to say they wanted that action to be permitted in the future.) If any part of the process is different or has not been previously authorized for future privileged access then the prompt

          • by AmiMoJo (196126)

            You should check the descriptions next to those levels on the options window. It explains quite clearly that by default settings changes you initiate usually don't create a UAC prompt - there is no need as you clicking on it is authentication enough. When a program tries to make a change then you get the prompt, which seems to be what you and most other people want.

            Note that it doesn't affect things like prompts when opening unapproved software and the like, just the really annoying and security wise pointl

      • Re:WTF is WPS? (Score:5, Informative)

        by neokushan (932374) on Friday December 30, 2011 @07:12AM (#38536932)

        It's on by default because it's there for the average user to easily connect their equipment. If it was off by default, it would require connecting (either via password or cable) and enabling it manually via the setup page - and by that point, you'd just connect the usual way.
        In a similar vein, it'd be like UAC being disabled by default - average user won't turn it on, even if it does help them.

        • by AmiMoJo (196126)

          They could just have a hardware switch on the box and a flashing red light next to a sticker explaining that once your laptop is set up you should flip it. They could even have a warning sound like when you leave your car's lights on after removing the key. The fact that they don't make any real effort to even tell people about this important option (e.g. the way printers always come with huge warning stickers telling you to install the software before attaching the USB cable) is simply down to reducing sup

      • by Lumpy (12016)

        And there are off brand routers and AP's that don't have a function to turn it off.

        Unless that is what the "more happy fun" setting is. The Engrish in some of these products is getting silly.

      • by thegarbz (1787294) on Friday December 30, 2011 @09:08AM (#38537292)

        HA you should have bought a Linksys. I turned on WPS, I typed in my router PIN and I even pushed the button and my devices are still unable to connect.

        Secure by design?

        • by Grishnakh (216268)

          That's like my Cisco/Linksys E4200 that has a buggy Reserved DHCP implementation.

          After buying an older E1000 router on Ebay and installing DD-WRT on it so I could set up a wireless bridge to one of my printers, I think the best course of action is to buy a DD-WRT-supported router and use that firmware instead (or openWRT or Tomato). The tricky part is finding a router that supports one of these alternative firmwares; even with the same model number, one of the revisions may not be supported as they'll comp

        • Re:WTF is WPS? (Score:4, Insightful)

          by LordLimecat (1103839) on Friday December 30, 2011 @12:56PM (#38539510)

          You have to give some credit to the cleverness of Cisco / Linksys. After the debacle of the WRT54G being the most wildly popular router ever and the basis for DD-WRT (which got tons of people buying those routers), they realized their mistakes of making a great router OS based on proven work. They vowed that NEVER AGAIN would a router be so popular that people would give two craps about the OS on it.

          Hence the lowering of the RAM and flash on subsequent WRT54G generations. But it didn't work! People kept buying them, and using DD-WRT! This was unacceptable, and so they moved to a new OS written in India that NO ONE could possibly love (as its interface didn't even work right in IE), and changed to the WRT54G2.

          Since then, phenomenal progress has been made in curbing enthusiasm for Linksys products. There are still those who care about their products, but Cisco Indian engineers are working feverishly to tidy up even those loose ends.

      • by g0bshiTe (596213)
        This is why my router is an older computer with two nics using IPTABLES.

        I have no WPS.
    • Re:WTF is WPS? (Score:5, Insightful)

      by gnasher719 (869701) on Friday December 30, 2011 @06:38AM (#38536830)

      Oh, I see. It's a tool for retards.

      A quote from Billy Joel, after being ripped off by his manager (and I think he is one of few people who successfully sued their lawyer): "I know many excellent businessmen who can't sing."

      Just because you find it entertaining to know how to admin a router and set up a protected network, most people have a lot better things to do in their lives. Someone who wants a giant "easy button" isn't a retard, but someone who has better things to do in their life.

      And guess what, it isn't the people you call "retards" who messed it up. It's the real retards who designed a system where an eight digit PIN number can be cracked in at most 11,000 tries.

      • Re:WTF is WPS? (Score:5, Interesting)

        by Penguinshit (591885) on Friday December 30, 2011 @06:40AM (#38536838) Homepage Journal
        That is the crux of the problem: The solution was (pathetically) poorly implemented.
      • I don't totally buy that. I do to a small degree. But it's kind of like saying we should give people cars without making them learn how to drive.

        We live in a day and age where everyone wants the quick fix, and the easy solution. But to use a tool properly, you need to understand some things about that tool. And when you try to make it overly simple, bad things (as we are seeing here) can happen.

        I'm not by any means saying people need a perfect understanding of wifi or networks or security. But I don't

        • by AJH16 (940784)

          On the flip side, if the car could drive itself, would people need to know how to drive? Initially, yeah, they probably would in case things don't work right, but eventually it wouldn't really be necessary. I'm not saying that your point doesn't have validity either, but trying to point out that that line is constantly moving. The average consumer doesn't know how to hook up their TV either and buys $40 3 ft monster cable HDMI cables and thinks they got a good deal cause it was 20% off. At the end of th

      • by Grishnakh (216268)

        Just because you find it entertaining to know how to admin a router and set up a protected network, most people have a lot better things to do in their lives. Someone who wants a giant "easy button" isn't a retard, but someone who has better things to do in their life.

        I have better things to do with my life than to sit around in bumper-to-bumper traffic and deal with the annoyances of driving. However, since Personal Rapid Transit doesn't exist yet, and I can't afford a limo and chauffeur to relieve mysel

      • by AmiMoJo (196126)

        It would be okay if there actually was an "easy button" that turned on WPS for say 1 minute. The problem is that many routers have it on all the time so you are free to sit around brute forcing it at your leisure, rather than having to wait for the victim to activate it and trying to guess it in under a minute.
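Both points above (WPS left on all the time, and whether a router ever stops answering after repeated failures) can be read off the air before a single PIN is tried: an AP running WPS advertises it in a vendor-specific information element in its beacons, and that element also carries the "AP Setup Locked" flag a router sets once it has stopped accepting PINs. The decoder below is an added example written for this page, not code from the article, from Reaver or from any router vendor; the beacon bytes in it are constructed for the demonstration, and the attribute IDs are the ones the WPS specification defines for the beacon attribute set.

```python
"""Decode the WPS information element (IE) from a beacon's tagged
parameters and report whether WPS is on, configured, and locked.

Added example for this discussion, not code from Reaver or from any
vendor firmware.  IE layout: tag 0xDD, length, OUI 00:50:F2, type 0x04,
then WPS attributes as 2-byte ID, 2-byte length, value (big-endian)."""
import struct

WPS_OUI_TYPE = b"\x00\x50\xf2\x04"

# WPS attribute IDs that matter for this check (from the WPS spec).
ATTR_VERSION = 0x104A          # 1 byte, 0x10 = WPS 1.0
ATTR_WPS_STATE = 0x1044        # 1 byte, 1 = not configured, 2 = configured
ATTR_AP_SETUP_LOCKED = 0x1057  # 1 byte, 1 = AP has locked PIN attempts
ATTR_SELECTED_REGISTRAR = 0x1041  # 1 byte bool


def parse_ies(data: bytes):
    """Yield (tag, value) pairs from a beacon's tagged-parameter area."""
    i = 0
    while i + 2 <= len(data):
        tag, ln = data[i], data[i + 1]
        val = data[i + 2:i + 2 + ln]
        if len(val) != ln:
            raise ValueError("truncated IE")
        yield tag, val
        i += 2 + ln


def parse_wps_attrs(body: bytes) -> dict:
    """Parse the TLV attributes that follow the OUI/type prefix."""
    attrs = {}
    i = 0
    while i + 4 <= len(body):
        aid, ln = struct.unpack_from(">HH", body, i)
        val = body[i + 4:i + 4 + ln]
        if len(val) != ln:
            raise ValueError("truncated WPS attribute")
        attrs[aid] = val
        i += 4 + ln
    return attrs


def wps_status(beacon_ies: bytes) -> dict:
    """Return the WPS facts a scanner would report for one beacon."""
    for tag, val in parse_ies(beacon_ies):
        if tag == 0xDD and val.startswith(WPS_OUI_TYPE):
            a = parse_wps_attrs(val[len(WPS_OUI_TYPE):])
            flag = lambda aid: a.get(aid, b"\x00")[0]
            return {
                "wps": True,
                "version": flag(ATTR_VERSION),
                "configured": flag(ATTR_WPS_STATE) == 2,
                "locked": flag(ATTR_AP_SETUP_LOCKED) == 1,
                "selected_registrar": flag(ATTR_SELECTED_REGISTRAR) == 1,
            }
    return {"wps": False}


# --- constructed sample beacons (not captured traffic) -------------------
def tlv(aid: int, val: bytes) -> bytes:
    return struct.pack(">HH", aid, len(val)) + val


def wps_ie(*attrs: bytes) -> bytes:
    body = WPS_OUI_TYPE + b"".join(attrs)
    return bytes([0xDD, len(body)]) + body


SSID_IE = bytes([0x00, 5]) + b"dlink"
RATES_IE = bytes([0x01, 4, 0x82, 0x84, 0x8B, 0x96])
BEACON_NO_WPS = SSID_IE + RATES_IE
BEACON_WPS_OPEN = BEACON_NO_WPS + wps_ie(
    tlv(ATTR_VERSION, b"\x10"), tlv(ATTR_WPS_STATE, b"\x02"))
BEACON_WPS_LOCKED = BEACON_NO_WPS + wps_ie(
    tlv(ATTR_VERSION, b"\x10"), tlv(ATTR_WPS_STATE, b"\x02"),
    tlv(ATTR_AP_SETUP_LOCKED, b"\x01"))

if __name__ == "__main__":
    for name, b in [("no WPS", BEACON_NO_WPS), ("WPS on", BEACON_WPS_OPEN),
                    ("WPS locked", BEACON_WPS_LOCKED)]:
        print(name, wps_status(b))
```

The "configured" flag is the one errandum's D-Link exposes: a router that finished its wizard still beacons WPS State = 2 with the registrar PIN live unless WPS is disabled outright. "AP Setup Locked" only appears on firmware that implements the lockout at all, which is why it is worth checking for rather than assuming.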

      • by Khyber (864651)

        "most people have a lot better things to do in their lives."

        Such as taking the 5 minutes it would require to learn how to set up WPA2 and get your computers connected and ensuring nobody else could (theoretically) get on your network and fuck with your property, identity, or worse?

      • Someone who wants a giant "easy button" isn't a retard, but someone who has better things to do in their life.

        Well then, I would suggest you should get on with your 'better things to do in life', and quit wasting your time with WPS and the like.

        "If something is worth doing, then it is worth doing right."
        Take a few minutes to learn a little about the tools you are using; if you don't have time to learn about them, then you don't have the time to be messing with them in the first place.

        There is no free lunch....

    • Re:WTF is WPS? (Score:5, Insightful)

      by jamesh (87723) on Friday December 30, 2011 @07:10AM (#38536914)

      It will not end until we literally take a stand against stupidity- draw a line in the sand, and say "If you can't comprehend this stuff, you don't deserve to use it"

      I see this attitude more and more. I wonder if people had to put up with the same elitist bullshit after the car became affordable to the masses... or even the printed book. You might know how to use a computer but I wonder if you'd know how a transistor works and how to build one, or what an IRQL is, or a DPC. And even if you do, there will be someone else that knows more than you who will look down their nose at you and tell you you have no right to use a computer without understanding how it works.

      WPS isn't that bad an idea really... it just turns out it has a bug, and unfortunately that bug is going to be unfixable in a lot of cases (end-of-life model AP with no firmware update available)... hopefully those AP's at least have a way to turn it off. If you are pointing the finger of blame at anyone, point it at the people who implemented it - they're the ones who screwed up.

      If i'm feeding the trolls... i might as well give them a good meal.

      • by dbIII (701233)

        WPS isn't that bad an idea really... it just turns out it has a bug

        It's not a bug. It's a bad design that somebody thought was a feature and it was purely intentional.

      • by dave562 (969951)

        This attitude is also very short sighted. An "idiot" to one person is a potential customer / client to someone else. We live in an age where there is so much specialized knowledge out there, it is impossible for anyone to know it all. Therefore we can make money from helping each other.

        A molecular biologist might not know anything about how an OS works, but they probably understand more about the body than the average computer geek. Does that mean that the geeks are not worthy of living because they do not

        • by Bengie (1121981)

          You don't need to know exact implementations to understand the basics. If you're good at analytical thinking, you can understand about anything. The fun thing about computers is you can learn about almost anything for home use in a short amount of time or even by asking in forums.

    • Re:WTF is WPS? (Score:4, Informative)

      by neokushan (932374) on Friday December 30, 2011 @07:10AM (#38536920)

      The reason such a thing exists is because the good ol' secure password was too complicated for average-joe users to deal with. The precursor to this is Wireless routers that don't actually have a password set. To this day, you can still find unsecured wireless routers nearby and we all know what that leads to. The "easy" solution was put there so that routers could have security set by default, yet not confuse average-joe to the point where he just disabled it because it was the easiest thing to do.

      And believe me, I worked for an ISP up until a few months ago - our Router/Modems (or Hubs, as they called them) now come with wireless security enabled. The default password (unique per hub) is written on the side of the device - and people still get confused and don't know what to do to connect their wireless.

      Unfortunately, the implementation of the "easy" solution is the issue, not the solution itself. I mean, what's the point in having a secure PIN if you tell the user when they got the first half of it right? Especially if you don't prevent people from attempting thousands of connections.

      • by dbIII (701233)

        To this day, you can still find unsecured wireless routers nearby

        Not near me, but there are plenty of secured access points with names similar to "fOffUbastard".
        As for passwords, something along the lines of the XKCD "correct horse battery staple" goes a long way - they laugh but they remember.

    • by geekmux (1040042)

      It will not end until we literally take a stand against stupidity- draw a line in the sand, and say "If you can't comprehend this stuff, you don't deserve to use it".

      -AC

      No, actually it won't stop until people are running around with small computers comprised of nothing but a touch-screen, no keyboard, no mouse, and one large button that starts....er, oh wait...nevermind.

    • I'll tell you one thing WPS is, apparently...an excuse for other hardware manufacturers to NOT supply an on-board means of entering a passphrase. The last all in one printer I bought (an HP-B209A) came with wireless, but no wired networking, and NO means to setup the wireless without WPS (which my router, thank God, doesn't have). The only way to set it up otherwise was to first install it as a USB printer solely to have a means of entering the wireless passphrase....can you imagine??
    • I agree!

      I'm also of the opinion that the 1040 EZ Tax form needs to be gotten rid of, and that companies like HR Block need to disappear. If you're too stupid to understand the intricacies of the tax system, why, you have no business making money in the US.

      And I think going to a doctor is practically cheating. If you can't suture your own injuries, you really have no room to complain when you get an injury at all.

      Life sure is good for those of us who are experts in every field.

  • I really didn't want to be doing any programming during new year's holiday.
  • by gnasher719 (869701) on Friday December 30, 2011 @06:25AM (#38536792)
    Seriously, what non-malicious purpose would this tool have? Anybody who read about the vulnerability knows how it works; there is no need to have a sample attack because it is obvious how this works; having an exploit tool cannot have any legitimate uses.
    • End users and vendors alike will dismiss any threat as merely theoretical until it's actively being exploited. The real question is when to release, not if.

    • Re:What purpose? (Score:5, Insightful)

      by jamesh (87723) on Friday December 30, 2011 @06:50AM (#38536866)

      Seriously, what non-malicious purpose would this tool have? Anybody who read about the vulnerability knows how it works; there is no need to have a sample attack because it is obvious how this works; having an exploit tool cannot have any legitimate uses.

      Sure it does. If a customer questions why this should be audited and fixed on their network immediately I can tell them that there is exploit code publicly available that anyone can download and use and have access to the network in 4-10 hours instead of talking about theoretical bad guys who might have obtained a theoretical exploit from somewhere. It makes it a "fix this now" problem with a known risk instead of being put off and treated as a low risk security issue and never fixed. In my case hopefully it's just a quick audit to make sure nobody else has put a WPS enabled AP onto the network, but it still needs to be done.

      Maybe you don't remember Slammer/Nimda/Code Red, and a few others of that era. The exploits used were well known and patches were available for a while beforehand but a lot of people never bothered patching because of the perceived low risk and "doesn't apply to me". Ditto for a few Linux ssh and ftp exploits.

  • A year huh? (Score:2, Insightful)

    by Anonymous Coward

    from: http://www.tacnetsol.com/news/2011/12/28/cracking-wifi-protected-setup-with-reaver.htm [tacnetsol.com]

    This is a capability that we at TNS have been testing, perfecting and using for nearly a year. But now that this vulnerability has been discussed publicly we have decided to announce and release Reaver

    Very nice way to make a profit there guys and ignore responsible disclosure.

  • Looks like it might be a good idea to turn off the WPS service if you can.

    In my Billion 7800n I did this: http://screenshots.portforward.com/Billion/BiPAC_7800N/WPS.htm [portforward.com]

    If your router doesn't allow you to do that then in the LAN settings, block all IPs not being used by your devices.

  • by Njovich (553857) on Friday December 30, 2011 @07:20AM (#38536948)

    From the product page:

    WPS allows users to enter an 8 digit PIN to connect to a secured network without having to enter a passphrase. When a user supplies the correct PIN the access point essentially gives the user the WPA/WPA2 PSK that is needed to connect to the network."

    And they thought that was a good idea to implement without even substantial rate limiting or such? What the hell were they thinking?

    • Re:incredible (Score:5, Informative)

      by Njovich (553857) on Friday December 30, 2011 @08:05AM (#38537076)

      Err, sorry, guess I was wrong, there is some rate limiting, just they have this other insanity (from el reg):
       

      Eight digits should produce 100,000,000 possible combinations, and testing various routers Viehböck found it took an average of around two seconds to test each combination. So brute forcing should take several years unless the router was particularly responsive.

      But the protocol used by Wi-Fi Protected Setup reports back after the first four digits have been entered, and indicates if they are right, which means they can be attacked separately. The last of the eight digits is just a checksum, so having got the first four the attacker only then has to try another 1,000 combinations (identifying the other three digits) and the entire PIN is known.

      That combination means that our attacker only has to try 11,000 different combinations to find the right PIN, reducing the attack time to a couple of hours.

      • by TheSpoom (715771)

        But the protocol used by Wi-Fi Protected Setup reports back after the first four digits have been entered, and indicates if they are right, which means they can be attacked separately. The last of the eight digits is just a checksum, so having got the first four the attacker only then has to try another 1,000 combinations (identifying the other three digits) and the entire PIN is known.

        Wow, that's dumb. I hope this wasn't put together by someone who considers themselves a cryptography professional.

    • by Carnildo (712617)

      The calculations involved in a WPS conversation are non-trivial, so the cheap CPU in the typical router inherently rate-limits you to about 30 guesses a minute. If WPS had been correctly implemented, that works out to an average brute-forcing time of three years, and a worst-case time of around six years.
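To put numbers on the El Reg summary quoted above and on Carnildo's rate-limiting estimate, the toy below models an access point that, like the real protocol, breaks off after the first half of the PIN (message M4) or after the second half (M6), runs the split search against it, counts exchanges, and converts the counts into time at two seconds per exchange. It is an added example written for this page, not code from Reaver or from Viehbock's paper: there is no real Diffie-Hellman or HMAC traffic in it, the access point, its optional lockout and the target PIN are stand-ins, and the only piece taken from the standard is the checksum rule for the eighth digit.

```python
"""Toy model of the WPS PIN oracle and the split brute force.

Added example for this discussion, not Reaver's code.  The access point
below is a stand-in that reports where an exchange broke off; a real AP
leaks the same thing through which message it NACKs."""
from typing import Optional, Tuple


def wps_checksum(first7: int) -> int:
    """Eighth PIN digit (WPS rule): weight 3 on digits 1,3,5,7 counted from
    the left, weight 1 on digits 2,4,6, then the complement modulo 10."""
    acc, n = 0, first7
    while n:
        acc += 3 * (n % 10)   # digits 7, 5, 3, 1 (right to left)
        n //= 10
        acc += n % 10         # digits 6, 4, 2
        n //= 10
    return (10 - acc % 10) % 10


def make_pin(first7: int) -> str:
    return f"{first7:07d}{wps_checksum(first7)}"


class ToyAccessPoint:
    """Stand-in registrar. attempt() is one full exchange; the return value
    says where it stopped, which is exactly the oracle the attack exploits.
    lock_after models the 'AP Setup Locked' mitigation (hypothetical value)."""

    def __init__(self, pin: str, lock_after: Optional[int] = None):
        if len(pin) != 8 or int(pin[7]) != wps_checksum(int(pin[:7])):
            raise ValueError("not a valid WPS PIN")
        self.pin, self.lock_after = pin, lock_after
        self.exchanges = self.failures = 0
        self.locked = False

    def attempt(self, candidate: str) -> str:
        if self.locked:
            return "LOCKED"
        self.exchanges += 1
        if candidate[:4] != self.pin[:4]:
            result = "M4_NACK"          # first half wrong
        elif candidate[4:] != self.pin[4:]:
            result = "M6_NACK"          # first half right, second wrong
        else:
            return "OK"
        self.failures += 1
        if self.lock_after is not None and self.failures >= self.lock_after:
            self.locked = True
        return result


def split_brute_force(ap: ToyAccessPoint) -> Optional[Tuple[str, int]]:
    """Return (pin, exchanges used) or None if the AP locked us out."""
    first = None
    for a in range(10_000):                       # phase 1: <= 10,000 tries
        first = f"{a:04d}"
        r = ap.attempt(first + "0000")
        if r == "LOCKED":
            return None
        if r == "OK":
            return first + "0000", ap.exchanges
        if r == "M6_NACK":
            break
    else:
        return None
    for b in range(1000):                         # phase 2: <= 1,000 tries
        pin = make_pin(int(first + f"{b:03d}"))   # eighth digit is derived
        r = ap.attempt(pin)
        if r == "LOCKED":
            return None
        if r == "OK":
            return pin, ap.exchanges
    return None


SECONDS_PER_YEAR = 365 * 24 * 3600


def worst_case_hours(exchanges: int, seconds_each: float = 2.0) -> float:
    return exchanges * seconds_each / 3600


def years(combinations: int, seconds_each: float = 2.0) -> float:
    return combinations * seconds_each / SECONDS_PER_YEAR


if __name__ == "__main__":
    print(split_brute_force(ToyAccessPoint("12345670")))
    print(round(worst_case_hours(11_000), 1), "h worst case with the leak")
    print(round(years(10**8), 1), "years worst case without it")
```

Against a target of 12345670 the search needs 1,235 exchanges for the first half and 568 for the second; the worst case is 10,000 + 1,000 = 11,000, about 6.1 hours at two seconds each. Without the leak the same two seconds per try over all 10^8 eight-digit PINs is roughly 6.3 years worst case, which is Carnildo's figure. Giving the toy AP a lockout (lock_after) makes the search return None long before the first half is found, which is the whole of the mitigation the protocol's designers omitted.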

  • by Bengie (1121981) on Friday December 30, 2011 @08:22AM (#38537124)

    I wonder if people will use this as an excuse in court cases and claim they didn't do something and blame it on someone "Hacking" their network.

  • At first glance I thought the error was something along the line of letting the attacker know the user names so they only have to guess the password. I was mistaken. It literally helps the attacker figure out the PIN so instead of guessing 8 digits you guess two 4's.

  • My AP predates WPS, but after reading about it, I can't believe they designed it as an ongoing capability. Once used, it should have defaulted to disabling it until some factory reset button was pressed to resurrect it. When I first heard of it, I thought it would simply be an improvement over the old days of unprotected wifi to start, but clearly they messed up.

  • known as Reaver

    Am I the only one that thinks this is shiny?

  • Is WPS the same as Cisco's/Linksys SES (secured easy setup)?

    SES seems to be disabled by default on a WRT54g I have

    • by Fnord666 (889225)

      Is WPS the same as Cisco's/Linksys SES (secured easy setup)?

      No, SES predates WPS. It addresses the same issue, but it is a different implementation. See the note [google.com] section of this page for more detail
