Attack Tool Released For WPS Setup Flaw
Trailrunner7 writes "Just a day after security researcher Stefan Viehbock released details of a vulnerability in the WiFi Protected Setup (WPS) standard that enables attackers to recover the router PIN, a security firm has published an open-source tool capable of exploiting the vulnerability. The tool, known as Reaver, has the ability to find the WPS PIN on a given router and then recover the WPA passphrase for the router, as well. Tactical Network Solutions has released the tool as an open-source project on Google Code, but also is selling a more advanced commercial version."
WTF is WPS? (Score:5, Insightful)
Oh, I see. It's a tool for retards.
Seriously, if you can't admin your router and at least setup a WPA2 protected network without resorting to some sort of giant "easy button", then you have absolutely no right to complain when someone breaks into your network and does whatever it is script kiddies do these days.
This dumbing down of consumer electronics needs to stop. Dilbert said something to the effect of "If you idiot proof something, someone invents a better idiot" (Scott Adams may not have come up with that quote, but that's where I first read it). Therefore, by trying to produce equipment that targets the stupidest of the stupid, we're only dooming everyone to greater depths of stupidity.
It will not end until we literally take a stand against stupidity- draw a line in the sand, and say "If you can't comprehend this stuff, you don't deserve to use it". This "black box" user thing has gone too far. Especially when I read about retarded things like WPS that serve no useful purpose other than to let idiots use gear that they would not normally be able to- either because the manufacturer fucked up the design and turned it into some obfuscated piece of crap, or because the user simply has no desire to understand things that must surely seem magical to them.
-AC
Re:WTF is WPS? (Score:5, Informative)
The problem is not the need for the giant button, it's that it is on by default in some routers.
I own a D-Link and I did set up everything by hand, but since I didn't want to use this, I simply didn't touch the option - assuming that, by default, this would be off.
I was wrong, and corrected that, but I wonder how many of those people that use the setup wizard know enough to even get to the advanced features, much less turning this off because it is a security risk.
Re:WTF is WPS? (Score:5, Insightful)
much less turning this off because it is a security risk.
...but it's a security *feature*! See it's called "wifi protected setup". No way I'm disabling that, and then what, my wifi setup won't be protected? Are you kidding me? These hacker guys are trying to fool you into turning it off!
Re:WTF is WPS? (Score:5, Informative)
I've been using and administering Windows since the 3.0 days, and not only do I leave UAC on, but I turn it up to the highest level (7 has variable levels, where the highest level corresponds to the only one available on Vista). I agree it can be a nuisance, and 95% of the time I just click through it (knowing what I did beforehand to trigger it). But every once in a while, it pops up when I know it shouldn't, and that tells me right away that something is doing something it's not supposed to be doing. Not only that, but I can decline to allow it to continue, which to me is UAC's most useful property: the ability to say no. Then it's much easier to locate the problem and remove it. I practice safe browsing and safe e-mail reading as much as possible, and I have a router with a drop-all-unknown-packets (ghost? stealth?) firewall, but I know that I'm not perfect--and neither are the other people who use the computers. YMMV but I've found it to be one of the best improvements over Windows XP.
Re: (Score:2)
Dammit, meant to reply to post above.
Re: (Score:3)
There is one thing I don't understand why they don't do. Why not store a hash of an executable and allow storage of the approval? If the same program, in an unaltered state wants to run again later, it should be allowed to without prompting. (If the user chose to approve it for future use.) Personally, I'm willing to use it even if I have to click every time, but this would be more convenient without noticeably impacting security. (Technically there are executable stuffing approaches that could match t
Re: (Score:2)
The main reason you don't want auto-re-auth is that you don't want those pre-authorized programs to become attack vectors of any sort......annoying, but for your own safety.
And I take it one more level.....I have an Admin account and a Limited account (not the actual account names). I use the Limited account, so when UAC pops up, I can't just click "yes"....I have to actually type my Admin password. I've done the same with every other computer I've set up for friends and family.
Admin/Limited Accounts (Score:2)
Same here. I've configured an Admin PW with a standard/limited user account for day2day ops. Works fine as the only time I really need admin access is installing/removing software or changing a critical system setting.
Another thing I've done is enabled DEP for all apps except those I've been forced to exclude, such as the only game I've had to exclude (Call To Power 2). I haven't seen any issues from any program written for XP-SP2 or later, as DEP was introduced then. It's just one more layer of security.
Re: (Score:2)
Not that that is a bad approach, but if something manages to compromise the integrity of the UAC screen to be able to click the approve button, couldn't it also then compromise the integrity of the password entry and log your password off of a legitimate authentication? It is still another hurdle to overcome, but I'm not sure that it is significantly more of a hurdle than managing to somehow interface with the accept button to bypass UAC.
Re: (Score:2)
Sorry for two posts, but also, how would they become an attack vector. That's the point of having a hash. If you could compromise the system, then sure it would be a viable vector, but if you can do that, why not simply have your malware sit waiting for you to launch the app and when the app launches, exploit your legitimate authorization? It might delay the exploit, but wouldn't prevent it from eventually occurring. It just slows it down a little. Granted in a small number of cases, that might make a
Re: (Score:2)
It is a security feature. If the app is not in a protected storage area (such as the Program Files directory) it is vulnerable to being modified by other apps. Hashing the executable won't help because chances are the first thing it does is open some DLLs and trusted data files, any of which could be modified too.
Re: (Score:2)
That's a fair point, though wouldn't that really still be a problem with UAC? If the application is a known good executable that can be compromised, by altering a library, then when someone legitimately uses it, it would still be compromised. If you are worried about automatic exploits that would compromise and then self launch, I suppose those would be a concern, though you could also probably check hash values from anything getting loaded in to a privileged state (program and dll at least). It would sti
Re: (Score:2)
If the application is a known good executable that can be compromised, by altering a library, then when someone legitimately uses it, it would still be compromised.
Only if the library can be modified. The point is that programs installed in Program Files normally only use DLLs that are either in their own Program Files subfolder or the Windows directory, both of which are protected. Some stupid apps will load DLLs from other locations (usually plug-ins) but really they shouldn't do that.
Re: (Score:2)
Perhaps I misunderstood your original post then. You mentioned that a hash of the executable wouldn't help because it opens some dlls or trusted data files, but for those files to be an issue, they must be able to be modified without elevated privileges, which would mean that you are compromised as soon as you legitimately launch the app the next time. In fact, if you were to store hashes of the files, it would offer additional protection as such tampering would be detected and a prompt would be given. If
Re: (Score:2)
There are three problems with what you suggest.
1) How do you know which files you need to hash? Many apps have hundreds or even thousands of files in their program directories. Do you want to check the hash of every single one every time the app opens? That wouldn't protect you against an attacker simply waiting for the hash check to complete and the main executable to load and then modifying some of the DLL/data files, which again you would have to waste resources trying to detect and then potentially have
Re: (Score:2)
They do this with GPOs. You can set paths where program execution is permitted / denied (denied on desktop and downloads, allowed in %programfiles%), and can even use hash-thumbprints to identify whitelisted apps.
I've never used the thumbprint feature, but I have seen a sneaky virus use it.
Re: (Score:2)
Hmm, I'll have to look in to that, I don't mind the risks of certain apps having attack vectors utilize them if I use them frequently anyway (since it could compromise and simply wait for me to launch anyway).
Re: (Score:2)
Sorry for double reply: to answer your question, imagine the situation where you are installing an Explorer extension which loads a DLL or some such. Explorer UAC prompt goes off, you authorize it. Later, you get a nasty virus that tries to alter the Explorer process, and then from that process initiate some file changes. The wrong thing to do would be for UAC to see explorer.exe, technically unmodified on disk, requesting changes and being pre-authorized. The right thing to do, as with sudo / su, is to
Re: (Score:2)
It would have to check hashes on everything being loaded in to execution and maybe even memory, not just the original EXE. Sorry if I was overly simplistic in my original explanation. I can see how it might reduce security slightly, but I think the majority of what UAC is designed to do would still be preserved.
Re: (Score:2)
what about command options passed to a cmd.exe shell?
What you consider to be a "minor reduction in security" would be the one and only hole exploiters would care about to bypass it.
Re: (Score:2)
Make the command line parameters used for calling part of the hash then, perhaps part of the salt of it. My argument is simply that if you can be reasonably certain that the activity being performed is the same (exactly) as an action done in the past that was permitted, then it is likely still permitted (if the user chose to say they wanted that action to be permitted in the future.) If any part of the process is different or has not been previously authorized for future privileged access then the prompt
Re: (Score:2)
You should check the descriptions next to those levels on the options window. It explains quite clearly that by default settings changes you initiate usually don't create a UAC prompt - there is no need as you clicking on it is authentication enough. When a program tries to make a change then you get the prompt, which seems to be what you and most other people want.
Note that it doesn't affect things like prompts when opening unapproved software and the like, just the really annoying and security wise pointl
Re:WTF is WPS? (Score:5, Informative)
It's on by default because it's there for the average user to easily connect their equipment. If it was off by default, it would require connecting (either via password or cable) and enabling it manually via the setup page - and by that point, you'd just connect the usual way.
In a similar vein, it'd be like UAC being disabled by default - average user won't turn it on, even if it does help them.
Re: (Score:2)
They could just have a hardware switch on the box and a flashing red light next to a sticker explaining that once your laptop is set up you should flip it. They could even have a warning sound like when you leave your car's lights on after removing the key. The fact that they don't make any real effort to even tell people about this important option (e.g. the way printers always come with huge warning stickers telling you to install the software before attaching the USB cable) is simply down to reducing sup
Re: (Score:2)
And there are off brand routers and APs that don't have a function to turn it off.
Unless that is what the "more happy fun" setting is. The Engrish in some of these products is getting silly.
Re:WTF is WPS? (Score:5, Funny)
HA you should have bought a Linksys. I turned on WPS, I typed in my router PIN and I even pushed the button and my devices are still unable to connect.
Secure by design?
Re: (Score:2)
That's like my Cisco/Linksys E4200 that has a buggy Reserved DHCP implementation.
After buying an older E1000 router on Ebay and installing DD-WRT on it so I could set up a wireless bridge to one of my printers, I think the best course of action is to buy a DD-WRT-supported router and use that firmware instead (or OpenWrt or Tomato). The tricky part is finding a router that supports one of these alternative firmwares; even with the same model number, one of the revisions may not be supported as they'll comp
Re:WTF is WPS? (Score:4, Insightful)
You have to give some credit to the cleverness of Cisco / Linksys. After the debacle of the WRT54G being the most wildly popular router ever and the basis for DD-WRT (which got tons of people buying those routers), they realized their mistakes of making a great router OS based on proven work. They vowed that NEVER AGAIN would a router be so popular that people would give two craps about the OS on it.
Hence the lowering of the RAM and flash on subsequent WRT54G generations. But it didn't work! People kept buying them, and using DD-WRT! This was unacceptable, and so they moved to a new OS written in India that NO ONE could possibly love (as its interface didn't even work right in IE), and changed to the WRT54G2.
Since then, phenomenal progress has been made in curbing enthusiasm for Linksys products. There are still those who care about their products, but Cisco Indian engineers are working feverishly to tidy up even those loose ends.
Re: (Score:2)
I have no WPS.
Re: (Score:2)
And a larger electrical bill comes with that.
Be green man !
Re: (Score:2, Insightful)
UAC isn't useless. It's like having to sudo before doing something. A regular user will just always hit yes. An experienced user will know that this should be happening or not.
Re: (Score:2)
Re: (Score:2, Insightful)
A novice user in the presence of experienced users will ask what they should do about a UAC question they don't understand, especially if it's not their computer and they know they're novices.
An experienced user who gets a UAC question when they weren't trying to do what UAC asked for permission for, will conclude that something funny is going on and act appropriately. In the "bad old days", it wouldn't have even asked, it would've just done whatever malicious administration the web page called for.
Re: (Score:3, Insightful)
Er, what? UAC a "waste of time for experienced people"? It's about useless for anyone but experienced people.
Or are you of the belief that applications should just automatically have admin privileges without user consent?
Re: (Score:2)
UAC is not useless at all. Without UAC, there are many types of installer that simply would not work on Windows 7 due to missing permissions; UAC allows those programs, instead of silently failing, to request permissions to do so.
And turning off UAC basically says "yes, please abandon the principle of least privilege!"
I have seen a number of computers running 7 that I've seen get viruses, but the user did not have the admin password for the UAC prompt that appeared. This meant that the virus couldn't do jac
Re: (Score:2)
WPS is the sort of thing that we need more of - simple to set up, and until now, quite secure.
Hmmm. I heard of WPS for the first time not quite a week ago: I was given a Sony PRS-T1 ebook reader for Christmas, and the little leaflet that came with it said something about WPS, so I looked it up.
Having found out what it was (and ascertained that my WAP doesn't support it), I discarded the guide and just followed my nose in the usual way for a WiFi setup. I see no reason why we need WPS at all: if we are incapable of typing a password when our device already recognises the network and protocol, then
Re: (Score:2)
So what would you do if you got your eReader, but didn't have a computer to establish a wired connection to your router?
WPS in theory gives a built-in password that you can use to boot-strap the process with only wireless devices.
This exploit in WPS isn't due to a conceptual defect, it's an implementation defect that made the built-in PINs pretty much useless. So assuming that router vendors add in some rate-limiting, a proper-length PIN, or lock-outs for incorrect guesses (with a physical button to clea
Re: (Score:2)
So what would you do if you got your eReader, but didn't have a computer to establish a wired connection to your router?
WPS in theory gives a built-in password that you can use to boot-strap the process with only wireless devices.
This exploit in WPS isn't due to a conceptual defect, it's an implementation defect that made the built-in PINs pretty much useless. So assuming that router vendors add in some rate-limiting, a proper-length PIN, or lock-outs for incorrect guesses (with a physical button to clear the lockout), the concept can be more secure than the average WPA password. It's ridiculous to suggest that only computer-savvy people should be able to use WIFI, and it's no longer an option to have the routers default to open access points.
There are that many people with eReaders and WiFi routers but not computers? Not only that, every wireless router I ever had came with a default SSID and admin password, and could be configured wirelessly.
Re:WTF is WPS? (Score:5, Insightful)
Oh, I see. It's a tool for retards.
A quote from Billy Joel, after being ripped off by his manager (and I think he is one of few people who successfully sued their lawyer): "I know many excellent businessmen who can't sing."
Just because you find it entertaining to know how to admin a router and set up a protected network, most people have a lot better things to do in their lives. Someone who wants a giant "easy button" isn't a retard, but someone who has better things to do in their life.
And guess what, it isn't the people you call "retards" who messed it up. It's the real retards who designed a system where an eight digit PIN number can be cracked in at most 11,000 tries.
Re:WTF is WPS? (Score:5, Interesting)
Re: (Score:2)
I don't totally buy that. I do to a small degree. But its kind of like saying we should give people cars without making them learn how to drive.
We live in a day and age where everyone wants the quick fix, and the easy solution. But to use a tool properly, you need to understand some things about that tool. And when you try to make it overly simple, bad things (as we are seeing here) can happen.
I'm not by any means saying people need a perfect understanding of wifi or networks or security. But I don't
Re: (Score:2)
On the flip side, if the car could drive itself, would people need to know how to drive? Initially, yeah, they probably would in case things don't work right, but eventually it wouldn't really be necessary. I'm not saying that your point doesn't have validity either, but trying to point out that that line is constantly moving. The average consumer doesn't know how to hook up their TV either and buys $40 3 ft monster cable HDMI cables and thinks they got a good deal cause it was 20% off. At the end of th
Re: (Score:2)
Just because you find it entertaining to know how to admin a router and set up a protected network, most people have a lot better things to do in their lives. Someone who wants a giant "easy button" isn't a retard, but someone who has better things to do in their life.
I have better things to do with my life than to sit around in bumper-to-bumper traffic and deal with the annoyances of driving. However, since Personal Rapid Transit doesn't exist yet, and I can't afford a limo and chauffeur to relieve mysel
Re: (Score:2)
It would be okay if there actually was an "easy button" that turned on WPS for say 1 minute. The problem is that many routers have it on all the time so you are free to sit around brute forcing it at your leisure, rather than having to wait for the victim to activate it and trying to guess it in under a minute.
Re: (Score:2)
"most people have a lot better things to do in their lives."
Such as taking the 5 minutes it would require to learn how to set up WPA2 and get your computers connected and ensuring nobody else could (theoretically) get on your network and fuck with your property, identity, or worse?
Instant gratification no longer fast enough.... (Score:2)
Someone who wants a giant "easy button" isn't a retard, but someone who has better things to do in their life.
Well then, I would suggest you should get on with your 'better things to do in life', and quit wasting your time with WPS and the like.
"If something is worth doing, then it is worth doing right."
Take a few minutes to learn a little about the tools you are using; if you don't have time to learn about them, then you don't have the time to be messing with them in the first place.
There is no free lunch....
Re:WTF is WPS? (Score:5, Informative)
Erm, 8 digit PIN is fine. Routers can limit PIN guesses y'know...
You didn't read the article, did you? The routers tell you that the pin is wrong after four digits. So you need 10,000 tries at most to get the first four digits. The last digit is a checksum, so you need at most another 1000 tries to get the complete number.
Of all the routers tested, only _one_ model limited PIN guesses (you can't turn PIN guesses off obviously because that would just enable a DOS attack) to about one guess every 20 seconds, which means it is cracked within a few days.
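The "11,000 tries" and "a few days" figures above, and the rate-limiting and lockout remedies suggested earlier in the thread, are simple arithmetic; the following Python is an added example (not code from this thread, from the researcher's paper or from the Reaver project) that works them out. The 8-digit PIN, the independently confirmed 4-digit first half, the checksum last digit and the 20-second rate limit are the thread's own numbers; the checksum formula is the WPS specification's weighted mod-10 check; the function names, the 2-seconds-per-guess CPU-bound rate and the lockout threshold of 10 failures are assumptions made for illustration.

```python
"""Added example: keyspace and time arithmetic behind the WPS PIN discussion.
Numbers taken from the thread: 8-digit PIN, 4-digit first half confirmed on
its own, last digit is a checksum, one model rate-limits to a guess per 20 s.
Assumed for illustration: function names, the 2 s/guess CPU-bound rate and the
10-failure lockout threshold."""

from dataclasses import dataclass
from typing import List, Optional, Tuple


def wps_checksum_digit(first_seven: str) -> int:
    """Eighth PIN digit per the WPS spec: 3 x (digits at positions 1,3,5,7)
    + (digits at positions 2,4,6); the checksum makes the total 0 mod 10."""
    if len(first_seven) != 7 or not first_seven.isdigit():
        raise ValueError("expected exactly seven decimal digits")
    total = 0
    for index, char in enumerate(first_seven):
        weight = 3 if index % 2 == 0 else 1   # 0-based index 0,2,4,6 = positions 1,3,5,7
        total += weight * int(char)
    return (10 - total % 10) % 10


def is_valid_pin(pin: str) -> bool:
    """True when the PIN is eight digits whose last digit is the correct checksum."""
    return len(pin) == 8 and pin.isdigit() and int(pin[7]) == wps_checksum_digit(pin[:7])


def worst_case_guesses(split_verification: bool, checksum_known: bool) -> int:
    """Upper bound on attempts an always-answering registrar accepts before the PIN
    is certainly found.  split_verification models the flaw the thread describes:
    the registrar reveals whether the first four digits were right on their own."""
    if split_verification:
        first_half = 10 ** 4                                  # four free digits
        second_half = 10 ** 3 if checksum_known else 10 ** 4  # checksum fixes one digit
        return first_half + second_half                       # halves fall one after the other
    return 10 ** 7 if checksum_known else 10 ** 8             # whole PIN must match at once


@dataclass
class OnlineGuessModel:
    """What a registrar grants a remote guesser: a per-attempt cost and, optionally,
    a hard lockout that only a physical button on the box clears."""
    seconds_per_guess: float
    failures_before_lockout: int = 0   # 0 means attempts are never cut off

    def worst_case_seconds(self, guesses: int) -> Optional[float]:
        """Wall-clock time to exhaust `guesses`; None when the lockout makes the
        budget unreachable without someone physically clearing it."""
        if self.failures_before_lockout and guesses > self.failures_before_lockout:
            return None
        return guesses * self.seconds_per_guess


def days(seconds: float) -> float:
    return seconds / 86400


def years(seconds: float) -> float:
    return seconds / (86400 * 365)


def scenario_table() -> List[Tuple[str, int, Optional[float]]]:
    """(label, guesses, seconds) rows for the situations the thread argues about."""
    limited_20s = OnlineGuessModel(seconds_per_guess=20.0)
    cpu_bound = OnlineGuessModel(seconds_per_guess=2.0)                 # ~30 guesses/minute (assumed)
    locked = OnlineGuessModel(seconds_per_guess=20.0, failures_before_lockout=10)  # assumed threshold
    rows = [
        ("split check, checksum known, 20 s per guess", True, True, limited_20s),
        ("whole-PIN check, checksum unknown, 2 s per guess", False, False, cpu_bound),
        ("whole-PIN check, checksum known, 2 s per guess", False, True, cpu_bound),
        ("split check, but lockout after 10 failures", True, True, locked),
    ]
    return [(label, worst_case_guesses(split, known), model.worst_case_seconds(worst_case_guesses(split, known)))
            for label, split, known, model in rows]


if __name__ == "__main__":
    for label, guesses, seconds in scenario_table():
        if seconds is None:
            print(f"{label}: {guesses} guesses needed, unreachable without clearing the lockout")
        else:
            print(f"{label}: {guesses} guesses, {days(seconds):.1f} days ({years(seconds):.2f} years)")
```

The table makes the thread's two positions concrete: with split verification and a known checksum the budget is 10,000 + 1,000 guesses, which at one guess per 20 seconds is about 2.5 days, while an all-or-nothing check over the full 10^8 space at 30 guesses a minute runs to a little over six years. A lockout that a physical button must clear changes the model entirely, because the remote guesser's budget stops being a function of time.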
Re: (Score:2)
(you can't turn PIN guesses off obviously because that would just enable a DOS attack)
I'm not so sure that's true. The PIN is only used during the setup process. If someone DOS'd you out of pin guesses, you could always PUSH THE BIG SETUP BUTTON AGAIN ON YOUR ROUTER.
Re: (Score:2)
Of all the routers tested, only _one_ model limited PIN guesses (you can't turn PIN guesses off obviously because that would just enable a DOS attack) to about one guess every 20 seconds
Rate limiting won't prevent a DOS attack. The attacker can just sit there sending a continuous stream of wrong PIN numbers, and the millisecond the rate limiting timer expires it will be reset. Generally speaking there is little you can do to prevent DOS attacks on WiFi, e.g. by sending de-auth packets or just flooding a channel with noise, so it isn't worth worrying about unless the attack doesn't require the attacker to stick around (e.g. causing the router to lock up until power cycled).
Re:WTF is WPS? (Score:5, Insightful)
It will not end until we literally take a stand against stupidity- draw a line in the sand, and say "If you can't comprehend this stuff, you don't deserve to use it"
I see this attitude more and more. I wonder if people had to put up with the same elitist bullshit after the car became affordable to the masses... or even the printed book. You might know how to use a computer but I wonder if you'd know how a transistor works and how to build one, or what an IRQL is, or a DPC. And even if you do, there will be someone else that knows more than you who will look down their nose at you and tell you you have no right to use a computer without understanding how it works.
WPS isn't that bad an idea really... it just turns out it has a bug, and unfortunately that bug is going to be unfixable in a lot of cases (end-of-life model AP with no firmware update available)... hopefully those APs at least have a way to turn it off. If you are pointing the finger of blame at anyone, point it at the people who implemented it - they're the ones who screwed up.
If I'm feeding the trolls... I might as well give them a good meal.
Re: (Score:2)
It's not a bug. It's a bad design that somebody thought was a feature and it was purely intentional.
Re: (Score:2)
This attitude is also very short sighted. An "idiot" to one person is a potential customer / client to someone else. We live in an age where there so much specialized knowledge out there, it is impossible for anyone to know it all. Therefore we can make money from helping each other.
A molecular biologist might not know anything about how an OS works, but they probably understand more about the body than the average computer geek. Does that mean that the geeks are not worthy of living because they do not
Re: (Score:2)
You don't need to know exact implementations to understand the basics. If you're good at analytical thinking, you can understand about anything. The fun thing about computers is you can learn about almost anything for home use in a short amount of time or even by asking in forums.
Re: (Score:2, Insightful)
http://en.wikipedia.org/wiki/European_Computer_Driving_Licence
Re: (Score:2)
Bad comparison... think about it.
The test for a drivers license just shows you can use the basics... no different than using the WPS button.
If you wanted something comparable that would apply with this article, it would be like requiring knowing how to change the spark plugs, change the oil, when to flush and fill the transmission fluid and how to do it (and change the transmission filter etc), *none* of which is required for a drivers license (at least not in any area I know of)
Using the turn signals, how
Re: (Score:2)
So I take it your drivers licence test explains exactly how to find and fix a problem in your car when the check engine light comes on? They explain the engine management systems too I guess?
My guess is you take your car to a mechanic to do anything more than change a tyre. But while we're on that topic, explain to me how a transistor works, because you shouldn't be allowed to use any electronics until you can explain the pi model properly.
Re: (Score:3)
Not that I agree with GP point-of-view, but you usually (in most countries) need a driving licence in order to be allowed to drive a car.
And guess what is not covered in getting a license? Checking the oil, changing a tyre, finding and replacing a blown fuse, changing a bulb, correctly inflating tyres or any number of other actions which could be considered "administration" of the car.
If there were an equivalent driving test to routers/Internet it would be thus:
Can you
1) plug the router in?
2) press the shiny button?
3) connect your PC to the router (cable or wireless)?
4) find the router's administration page (no actual use of page is require
Re: (Score:2)
Why is it so hard to have these things off by default and a clear explanation of what they are?
I'm no fan of WPS, but if it were off by default, then it'd be unusable. It only exists for morons who can't figure out how (or are too lazy) to log into their router's admin webpage and type in a passphrase. If someone figures out how to log into their router's admin webpage to turn WPS on, then there's little point bothering with the WPS any more because the passphrase part is right there.
Maybe they should put
Re: (Score:2)
Christ. This.
Can't somebody at Netgear find a native English speaker who can write clear, non-technical documentation and maybe do it at least once? Or make it simple enough that you don't need documentation (the Apple Approach).
Happy fun ball, indeed!
Re:WTF is WPS? (Score:4, Informative)
The reason such a thing exists is because the good ol' secure password was too complicated for average-joe users to deal with. The precursor to this is Wireless routers that don't actually have a password set. To this day, you can still find unsecured wireless routers nearby and we all know what that leads to. The "easy" solution was put there so that routers could have security set by default, yet not confuse average-joe to the point where he just disabled it because it was the easiest thing to do.
And believe me, I worked for an ISP up until a few months ago - our Router/Modems (or Hubs, as they called them) now come with wireless security enabled. The default password (unique per hub) is written on the side of the device - and people still get confused and don't know what to do to connect their wireless.
Unfortunately, the implementation of the "easy" solution is the issue, not the solution itself. I mean, what's the point in having a secure PIN if you tell the user when they got the first half of it right? Especially if you don't prevent people from attempting thousands of connections.
Re: (Score:2)
Not near me, but there are plenty of secured access points with names similar to "fOffUbastard".
As for passwords, something along the lines of the XKCD "correct horse battery staple" goes a long way - they laugh but they remember.
Re: (Score:2)
It will not end until we literally take a stand against stupidity- draw a line in the sand, and say "If you can't comprehend this stuff, you don't deserve to use it".
-AC
No, actually it won't stop until people are running around with small computers comprised of nothing but a touch-screen, no keyboard, no mouse, and one large button that starts....er, oh wait...nevermind.
Re: (Score:2)
Re: (Score:2)
I agree!
I'm also of the opinion that the 1040 EZ Tax form needs to be gotten rid of, and that companies like HR Block need to disappear. If you're too stupid to understand the intricacies of the tax system, why, you have no business making money in the US.
And I think going to a doctor is practically cheating. If you can't suture your own injuries, you really have no room to complain when you get an injury at all.
Life sure is good for those of us who are experts in every field.
Re: (Score:2)
FFS, I don't agree with David Gelernter's infantilization wish.
Convenience: Would you do it for me? I'm busy getting my rocks off.
Thanks (Score:2)
What purpose? (Score:3)
Re: (Score:2)
End users and vendors alike will dismiss any threat as merely theoretical until it's actively being exploited. The real question is when to release, not if.
Re:What purpose? (Score:5, Insightful)
Seriously, what non-malicious purpose would this tool have? Anybody who read about the vulnerability knows how it works; there is no need to have a sample attack because it is obvious how this works; having an exploit tool cannot have any legitimate uses.
Sure it does. If a customer questions why this should be audited and fixed on their network immediately I can tell them that there is exploit code publicly available that anyone can download and use and have access to the network in 4-10 hours instead of talking about theoretical bad guys who might have obtained a theoretical exploit from somewhere. It makes it a "fix this now" problem with a known risk instead of being put off and treated as a low risk security issue and never fixed. In my case hopefully it's just a quick audit to make sure nobody else has put a WPS enabled AP onto the network, but it still needs to be done.
Maybe you don't remember Slammer/Nimda/Code Red, and a few others of that era. The exploits used were well known and patches were available for a while beforehand but a lot of people never bothered patching because of the perceived low risk and "doesn't apply to me". Ditto for a few Linux ssh and ftp exploits.
Re:What purpose? (Score:5, Interesting)
Maybe it's handy for verifying you are vulnerable?
Although I'd have to admit anyone actually using WPS probably isn't interested enough to even know such a tool exists...
Well, since the claim is most routers are vulnerable by default, I can see value in using this as a test tool - both against your router's current configuration and after you've supposedly disabled WPS.
And, speaking as an owner of an Apple router, I'd like to verify whether my belief that the Airport Extreme doesn't enable a PIN by default is correct.
A year huh? (Score:2, Insightful)
from: http://www.tacnetsol.com/news/2011/12/28/cracking-wifi-protected-setup-with-reaver.htm [tacnetsol.com]
Very nice way to make a profit there guys and ignore responsible disclosure.
Turn off WPS (Score:2)
Looks like it might be a good idea to turn off the WPS service if you can.
In my Billion 7800n I did this: http://screenshots.portforward.com/Billion/BiPAC_7800N/WPS.htm [portforward.com]
If your router doesn't allow you to do that then in the LAN settings, block all IPs not being used by your devices.
incredible (Score:3)
From the product page:
And they thought that was a good idea to implement without even substantial rate limiting or such? What the hell were they thinking?
Re:incredible (Score:5, Informative)
Err, sorry, guess I was wrong, there is some rate limiting, just they have this other insanity (from el reg):
Re: (Score:2)
But the protocol used by Wi-Fi Protected Setup reports back after the first four digits have been entered, and indicates if they are right, which means they can be attacked separately. The last of the eight digits is just a checksum, so having got the first four the attacker only then has to try another 1,000 combinations (identifying the other three digits) and the entire PIN is known.
Wow, that's dumb. I hope this wasn't put together by someone who considers themselves a cryptography professional.
Re: (Score:2)
The calculations involved in a WPS conversation are non-trivial, so the cheap CPU in the typical router inherently rate-limits you to about 30 guesses a minute. If WPS had been correctly implemented, that works out to an average brute-forcing time of three years, and a worst-case time of around six years.
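The arithmetic behind the quoted El Reg explanation (first half confirmed on its own, last digit a checksum) and the 30-guesses-a-minute figure in the comment above, written out as an added illustration. This is constructed example code, not code from the thread, from Reaver or from TNS; the checksum rule is the one in the WPS specification, and the guess rate is simply the number stated in the comment, not a measurement.

```python
"""Constructed example: quantifying the WPS PIN weakness described above.

Not code from Reaver, TNS or the Slashdot posters. The 30 guesses/minute
rate is the figure given in the comment above, not something measured.
"""


def wps_checksum(pin7: int) -> int:
    """Checksum digit for the 7-digit body of a WPS PIN (WPS spec rule).

    Digits alternate weights 3 and 1 starting from the least significant
    digit; the checksum digit makes the weighted sum a multiple of 10.
    """
    accum = 0
    while pin7:
        accum += 3 * (pin7 % 10)
        pin7 //= 10
        accum += pin7 % 10
        pin7 //= 10
    return (10 - accum % 10) % 10


def wps_pin_valid(pin8: int) -> bool:
    """True if an 8-digit PIN carries a correct trailing checksum digit."""
    if not 0 <= pin8 <= 99_999_999:
        return False
    return wps_checksum(pin8 // 10) == pin8 % 10


def valid_pins_in_block(base: int) -> int:
    """How many of base..base+9 pass the checksum: exactly one per block,
    which is why only 10^7 of the 10^8 eight-digit strings are real PINs."""
    return sum(wps_pin_valid(p) for p in range(base, base + 10))


def worst_case_guesses(model: str) -> int:
    """Upper bound on PIN attempts under three views of the protocol.

    naive    : all 8 digits treated as independent
    checksum : 7 free digits, the 8th is derived (an honest implementation)
    split    : the AP confirms the first 4 digits by themselves, so the two
               halves are searched separately: 10^4 + 10^3 (three free
               digits in the second half, the fourth being the checksum)
    """
    return {"naive": 10**8, "checksum": 10**7, "split": 10**4 + 10**3}[model]


def hours_to_exhaust(model: str, guesses_per_minute: float = 30.0) -> float:
    """Worst-case wall-clock hours to try every candidate at a fixed rate
    (the default rate is the 30/minute figure from the comment above)."""
    return worst_case_guesses(model) / guesses_per_minute / 60.0


if __name__ == "__main__":
    for model in ("naive", "checksum", "split"):
        print(f"{model:9s} {worst_case_guesses(model):>11,d} guesses "
              f"-> {hours_to_exhaust(model):9.1f} h worst case")
```

Running it shows the three cases side by side: 10^8 guesses at 30 a minute is about 55,556 hours, an honest 7-digit-plus-checksum design is about 5,556 hours, and the split search of 11,000 candidates is about 6.1 hours worst case, which is the order of magnitude behind the "4-10 hours" mentioned earlier in the thread. The per-block check makes the checksum point concrete: every run of ten consecutive eight-digit strings contains exactly one valid PIN.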
Re: (Score:2)
http://cryptome.org/nsa-v-all.htm [cryptome.org]
If it's crypto and many people use it, expect it to be weak, CarrierIQ'ed, etc.
The real trick is getting so many very very smart people to buy into wifi and use it around the world as usable.... safe....
Deniability (Score:3)
I wonder if people will use this as an excuse in court cases and claim they didn't do something and blame it on someone "hacking" their network.
Can you guess 2 4 digit numbers? (Score:2)
At first glance I thought the error was something along the lines of letting the attacker know the user names so they only have to guess the password. I was mistaken. It literally helps the attacker figure out the PIN, so instead of guessing 8 digits you guess two 4s.
Re: (Score:2)
My AP is too old.. (Score:2)
My AP predates WPS, but after reading about it, I can't believe they designed it as an ongoing capability. Once used, it should have defaulted to disabling it until some factory reset button was pressed to resurrect it. When I first heard of it, I thought it would simply be an improvement over the old days of unprotected wifi to start, but clearly they messed up..
The tool... (Score:2)
Am I the only one that thinks this is shiny?
WPS = SES ? (Score:2)
Is WPS the same as Cisco's/Linksys SES (secured easy setup)?
SES seems to be disabled by default on a WRT54g I have
Re: (Score:2)
Is WPS the same as Cisco's/Linksys SES (secured easy setup)?
No, SES predates WPS. It addresses the same issue, but it is a different implementation. See the note [google.com] section of this page for more detail
Re: (Score:2)
Docs state reaver only compiles on Linux - but on my 64-bit RHEL6 box it fails to find libpcap (even though it's installed, and even when I explicitly pointed ./configure to it).
I'm going to see if I can get it installed on a Mac with some fink voodoo...
Re:Doesn't compile on OS X (Score:5, Informative)
yum install libpcap-devel
No, it's not on the RHEL6 installation media, you have to have registered the box for RHN.
(RH is really pathetic this way, lots of useful packages are left off the installation media, seems they are forcing you towards Satellite, but if you don't have the bandwidth for Satellite, or need to set up a box without internet access, sorry for you if you want to use something like oscap - they give you openscap, but not openscap-utils). Oracle is better in this regard, with a public yum repo for release packages (not updates). Of course, CentOS gives you everything, as do all other community-oriented distros.
Re: (Score:2)
yum install libpcap-devel
Yeah, that's what I would've thought too - but it appears that package isn't in either RHEL or EPEL (for 64-bit EL6 anyway).
And yeah, the box has an honest-to-goodness subscription... as part of a campus license.
Re: (Score:2)
On the Mac, you'll miss the <linux/types.h> include - not sure that's all, but if it is, you should be able to find a patch easily.
Re: (Score:2)
This project uses the Wireless Extensions Library to interact with the Wifi hardware, i.e. iwconfig and stuff, which is completely incompatible with OS X.
Re: (Score:2)
On Linux, the Wireless Extensions library is deprecated. They really should be using cfg80211/nl80211 for that stuff.
Re: (Score:2)
Re: (Score:2)
It is common nowadays that developers forget to have placeholders in the makefiles to actually make use of the configure output.
In the linked blog post it is claimed that "This is a capability that we at TNS have been testing, perfecting and using for nearly a year." You'd think they'd have written better code if they've been working on it that long...
Re: (Score:3)
Tactical Network Solutions' site mentions that they only sell to "U.S. federal, state, and local government agencies". What on earth would gov't institutions do with something that's essentially the digital equivalent of a crowbar? Isn't it much easier and more ethical for governments to get a court order to get the information they want, instead of breaking into WiFi networks? What on earth is going on here?
I sincerely hope you're joking with this. If you, I or anyone else only knew of the millions many three-letter agencies have spent on shit like this over the years...and in this day and age of warrantless wiretapping and eavesdropping, do you really have to wonder what any "U.S. federal, state, and local government agencies" would do with a "digital crowbar"? Please.
And remember, only Black Hats write "cracking software". White Hats offer "security affirmation solutions". There's a difference, although it's usually isolated around the price tag.
Re: (Score:2)
And remember, only Black Hats write "cracking software". White Hats offer "security affirmation solutions". There's a difference, although it's usually isolated around the price tag.
Costs a lot to keep a hat purty white. You can't just throw it in the laundry.
Re: (Score:3)
Coming from embedded device development, I can tell you that adding an LCD display is waaaay too expensive for these kinds of devices to be considered. It's not only the LCD display itself, you also need the controller and the software to control it.
As a contrast, in the company I worked there was a bounty on reducing the BOM price. One employee won it with a 10 cents/piece reduction by using cheaper rubber material for the printer unit's paper transport system. The result was that the device was completely
Re: (Score:2)
On our products, our latest ASIC spin involved bringing three external resistors on board to reduce BOM costs. Three resistors, at generously $0.01 apiece (once procurement, PC board space, and assembly costs are tallied up). And someone wants an LCD?
Re: (Score:2)
I disagree. LCD screens are cheap, though more than ten cents. Some manufacturers already have LCDs on the devices, but they use the screens to display useless stats ("but it looks cool"). The software is trivial and widely available. Most of these devices already use Linux anyway.
What's the cost of implementing a totally new protocol and then having to reissue firmware because the protocol has been compromised?
Cost? You mean profit. The cost is on the consumer, not on the company.
Re: (Score:2)
Citation needed. I'm sorry, I've never seen a wireless router with an LCD screen. I'm surprised they even spring for the LED status and activity lights, these things are made so cheaply.
Re: (Score:2)
They aren't that hard to find:
http://www.belkin.com/IWCatProductPage.process?Product_Id=377018
http://www.dlink.com/products/?pid=643
http://www.trendnet.com/products/proddetail.asp?prod=160_TEW-673GRU&cat=137
They just aren't the el cheapo models...
Re: (Score:2)
http://code.google.com/p/reaver-wps/wiki/HintsAndTips [google.com]