Forgot your password?
typodupeerror
Wireless Networking Security Hardware

Wi-Fi Router Attack Only Requires a Single PIN Guess 84

Posted by Soulskill
from the one-two-three-four dept.
An anonymous reader writes: New research shows that wireless routers are still quite vulnerable to attack if they don't use a good implementation of Wi-Fi Protected Setup. Bad implementations do a poor job of randomizing the key used to authenticate hardware PINs. Because of this, the new attack only requires a single guess at the hardware PIN to collect data necessary to break it. After a few hours to process the data, an attacker can access the router's WPS functionality. Two major router manufacturers are affected: Broadcom, and a manufacturer to be named once they get around to fixing it. "Because many router manufacturers use the reference software implementation as the basis for their customized router software, the problems affected the final products, Bongard said. Broadcom's reference implementation had poor randomization, while the second vendor used a special seed, or nonce, of zero, essentially eliminating any randomness."
This discussion has been archived. No new comments can be posted.

Wi-Fi Router Attack Only Requires a Single PIN Guess

Comments Filter:
  • Wireless security (Score:5, Informative)

    by ledow (319597) on Saturday August 30, 2014 @07:08PM (#47792921) Homepage

    Is it just me that hates shit on my router?

    - WPS (a.k.a. turn your massive password into a four-digit number): turned off on every router I've ever used, since day one of installation.

    - UPnP (a.k.a. let anything open any port to anywhere without authentication): turned off on every router I've ever used, since day one of installation.

    - WPA/WEP (a.k.a. half-arsed encryption that we never really thought through): turned off on every router I've ever used, since day one of installation.

    - Guest networks (a.k.a. let random strangers use your Internet connection without you knowing): turned off on every router I've ever used, since day one of installation.

    - Remote administration (a.k.a. let random strangers on the Internet sit and brute-force your passwords with no way to tell it's happening): turned off on every router I've ever used, since day one of installation.

    And, in fact, on anything BUT my actual wireless router of choice (e.g. any Internet router supplied by my ISP):

    - wireless (a.k.a. give people another way into my network and hinder all my other - wanted - wifi connections by flooding the airwaves): turned off on every router I've ever used, since day one of installation.

    Seriously, people, just turn this shit off. And layer VPN over the top of it, if you can. Seriously. There's zero impact on always VPN'ing over your wireless connection to a machine that has a fixed line to your actual Internet connection. Then even if WPA2 is broken, you're still secure. And yes, you can game. I've done it with OpenVPN over my wireless for years - for EVERY packet - that goes over the wireless.

    Wireless is the leaky, draughty hole of your network. Seal that fucker up and treat it like an Internet connection, even to your local network.

  • by The Larch (115962) on Saturday August 30, 2014 @07:50PM (#47793073)
    Thanks captain! This is real insightful! Also women should not wear dresses, and people should not buy consumer goods.
  • Re:Wireless security (Score:5, Informative)

    by arbiter1 (1204146) on Saturday August 30, 2014 @07:52PM (#47793083)
    Sadly Some routers even if you turn it off, its not really off.

Some people carve careers, others chisel them.

Working...