Wi-Fi Router Attack Only Requires a Single PIN Guess
An anonymous reader writes: New research shows that wireless routers are still quite vulnerable to attack if they don't use a good implementation of Wi-Fi Protected Setup. Bad implementations do a poor job of randomizing the key used to authenticate hardware PINs. Because of this, the new attack only requires a single guess at the hardware PIN to collect data necessary to break it. After a few hours to process the data, an attacker can access the router's WPS functionality. Two major router manufacturers are affected: Broadcom, and a manufacturer to be named once they get around to fixing it. "Because many router manufacturers use the reference software implementation as the basis for their customized router software, the problems affected the final products, Bongard said. Broadcom's reference implementation had poor randomization, while the second vendor used a special seed, or nonce, of zero, essentially eliminating any randomness."
WPS shouldn't be used anyways... (First!) (Score:2)
Re: (Score:1)
True, except every router maker uses it and almost all routers don't have the option to turn it off. I blame this on the business marketing department (i.e. whitey).
Re: (Score:2)
Re: (Score:1)
Have you verified that it's actually off, not just shown as such in the web interface? Quite a lot of name brand Wifi routers had a dummy switch in the web interface that did nothing. IMHO WPS is a back door. The protocol specification for WPS PIN is ambiguous, and suggestively written to favor an exploitable implementation. And there's no good reason for the split response which makes the exploitable implementation possible either. It feels like somebody went out of their way to put this pitfall there.
Re: (Score:1, Informative)
Wireless security (Score:5, Informative)
Is it just me that hates shit on my router?
- WPS (a.k.a. turn your massive password into a four-digit number): turned off on every router I've ever used, since day one of installation.
- UPnP (a.k.a. let anything open any port to anywhere without authentication): turned off on every router I've ever used, since day one of installation.
- WPA/WEP (a.k.a. half-arsed encryption that we never really thought through): turned off on every router I've ever used, since day one of installation.
- Guest networks (a.k.a. let random strangers use your Internet connection without you knowing): turned off on every router I've ever used, since day one of installation.
- Remote administration (a.k.a. let random strangers on the Internet sit and brute-force your passwords with no way to tell it's happening): turned off on every router I've ever used, since day one of installation.
And, in fact, on anything BUT my actual wireless router of choice (e.g. any Internet router supplied by my ISP):
- wireless (a.k.a. give people another way into my network and hinder all my other - wanted - wifi connections by flooding the airwaves): turned off on every router I've ever used, since day one of installation.
Seriously, people, just turn this shit off. And layer VPN over the top of it, if you can. Seriously. There's zero impact on always VPN'ing over your wireless connection to a machine that has a fixed line to your actual Internet connection. Then even if WPA2 is broken, you're still secure. And yes, you can game. I've done it with OpenVPN over my wireless for years - for EVERY packet - that goes over the wireless.
Wireless is the leaky, draughty hole of your network. Seal that fucker up and treat it like an Internet connection, even to your local network.
Re:Wireless security (Score:5, Informative)
Re:Wireless security (Score:5, Interesting)
Hah. You're stressing over every little thing.
The part that really bothers me though is your turning off guest networks. I've always turned off the automatic kind (NAME OF ROUTER -GUEST NETWORK), but then gone on to set one up as a virtual access point properly on DD-WRT. At home and at work I've shared my internet connection with the apartment block across the street, the corrections institute, gay bar, fitness center and mortgage company and any random stranger that passes by. Even the homeless or just plain poor people.
You know what I have learned? People aren't the pieces of shit that people like you think that they are.
I've never seen a pedophile, or a hacker. I've always monitored network traffic and I do keep logs. I've seen one or two people who look at porn and two fucking Rokus. (You can afford Netflix and you're using my connection across the street? wtf? sorry about the stutters....durrr) Out of hundreds of people I have found most people are pretty endearing and normal. Most people look at their Facebook, or they ask Google personal questions, like where to find a job, or get a date, or how to solve/fix something. Or they research stuff. That's all.
I'm probably giving internet access to some of the people that block my parking spot now that I think about it. *laughs*.
In short, sharing has made things better for those around me and I haven't been harmed by it at all.
captcha: bragged
Re: (Score:3)
How many hours of your time do you waste in a week trying to hunt down people you figure owe you $0.01 for the time you spent exchanging nods in the elevator?
Re:Wireless security (Score:5, Interesting)
Ignore the hate man, keep doing what you're doing :) I'm the same, XXXX_ST_FREE_WIFI has been up most of the last 3 years, and similar at units before this. I set up an old wireless router and Raspberry Pi to provide an isolated network with an internet connection for anyone who wants to stop within range (the bus stop across the road is the main source of traffic).
I have around 6 unique connections a day, and several regulars from the surrounding units or daily commute. I redirect "google.com*" to a local splash page (with the Google search page in a frame below) that has a couple of lines saying this is my personal connection, feel free to use it but I'll shut it down any time if I need the bandwidth, or think people are being suss. I highlight that it is essentially a public network, so advise against anything personal / private, so I think people assume they're being watched and stay on their best behaviour anyway :P
I originally started with some strict firewall rules (port 80 / 443 outbound only), but found people just never tried anything else really. I think I've seen a couple dozen POP / IMAP requests which were probably from auto sync, and a couple of bittorrent users, but no one's ever tried to even probe at the guest network, let alone look for my (isolated) home network.
I also have a file share that I let people dump to / from which I clear daily, and one that serves a bunch of free software and my local distro mirror. I've _never_ had anyone put anything I disapproved of on there. I've had a couple of people dump a movie or music on there, but I've removed it and replaced it with a note saying that's not what it's for (in case they check back). Some others have started chats back and forth with simple text files, most people just posted pics with a thumbs up to say thank you :) (my suggestion in the landing page)
All in all, it's been a great experience. I liken it to running a small social media site that's location based, rather than internet facing. I'm thinking of adding a persistent page with a guest book / wall, just to reach out a little more personally.
Like you said, people aren't the pieces of shit people think. Those that are generally have shittier things to do than mess with a random wifi network.
captcha: intercom
Re: (Score:1)
It probably depends on the location. I wouldn't recommend doing that in the vicinity of a railway station or some other place with a lot of out-of-area people passing through (places that would also attract "real world" crime.) Anyways, kudos for sticking your head out.
The price of Netflix vs. unbundled broadband (Score:4, Insightful)
you can afford netflix and you're using my connection across the street? wtf?
Being able to afford Netflix ($120 per year) doesn't always imply being able to afford the inflated prices that cable providers charge for high-speed Internet access without a subscription to multichannel pay TV at the same address (often $700 or more per year).
Re: (Score:2)
Re: (Score:2)
Many devices don't support VPNs (Chromecast for example), and the ones that do don't usually have OpenVPN as a built-in option. Not to mention the increase in battery usage on mobile devices due to keepalives. This mostly restricts your wireless devices to laptops and select tablets or smartphones. If you really don't trust WPA then just make some LAN resources accessible by VPN only (over WPA), but allow internet access without it. Any sites with sensitive data should be using TLS anyway.
Also, WPA2-Enterpr
Re: (Score:1)
not TTLS where you use a username/password combo (too easy for a MITM)
TTLS properly configured is no easier to MITM than properly configured TLS; you should be using server cert validation with either.
Re: Wireless security (Score:2)
Re: (Score:1)
If server cert validation has failed chances are your CA was compromised, in which case the attacker could just generate client certs at will anyway....
Re: (Score:1)
Actually, for that matter, wouldn't a compromised server certificate leave you vulnerable to a proxy attack anyway, where you would use the compromised server cert to pretend to be the access point communicating with the proper RADIUS server, thus giving MITM on TLS or TTLS the same? You might not get the actual client cert on TLS but you would have their traffic all the same.
Re: (Score:2)
Re: (Score:1)
Aha, so you missed the original quote, I'll try bolding the relevant parts this time.
Also, WPA2-Enterprise is pretty secure if you only use TLS auth, not TTLS where you use a username/password combo (too easy for a MITM)
I was specifically replying to that part, as TLS and TTLS both have the same degree of MITM vulnerability with properly configured clients.
If the server cert fails in TLS or TTLS then MITM is a possibility; you don't need the username/password or client cert to MITM a TLS connection, just the server cert.
Re: (Score:2)
Re: (Score:2)
I've actually found that a lot of devices just ignore an invalid (i.e. not from a trusted CA) certificate for this. Android in particular will happily continue with no prompt to the user that the cert is not trusted. I even had it somehow forget the CA that I specified with the network credentials. I'm not 100% certain on this, but I vaguely remember having an issue with NetworkManager also not validating the server certificate with TTLS.
It's just too risky where a device could decide either for "convenience
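To make the "properly configured client" point from the TLS/TTLS exchange above concrete, here is an added wpa_supplicant.conf illustration (not from any commenter on this page): the first network block leaves server certificate validation off, which is the state the comment above describes on Android and NetworkManager; the second enforces it for EAP-TTLS, and the third does the same for EAP-TLS. The SSID, identity, CA path, certificate paths and RADIUS server hostname are made-up placeholders.

```ini
# WEAK: no ca_cert, so the supplicant accepts whatever server certificate
# the access point presents; an impostor AP with any cert can collect the
# MSCHAPv2 exchange inside the TTLS tunnel.
network={
    ssid="ExampleCorp"                 # placeholder SSID
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="alice"                   # placeholder user
    password="placeholder-password"
    phase2="auth=MSCHAPV2"
}

# HARDENED TTLS: pin the issuing CA and the RADIUS server's name, so a cert
# from any other CA, or for any other host, fails and the handshake aborts.
network={
    ssid="ExampleCorp"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="alice"
    anonymous_identity="anonymous"     # keep the real username inside the tunnel
    password="placeholder-password"
    ca_cert="/etc/ssl/certs/examplecorp-radius-ca.pem"   # placeholder path
    domain_suffix_match="radius.example.com"             # placeholder host
    phase2="auth=MSCHAPV2"
}

# HARDENED TLS: same server-side checks; the client side uses a certificate
# instead of a password, so there is no password to capture in the first place.
network={
    ssid="ExampleCorp"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="alice@example.com"
    anonymous_identity="anonymous"
    ca_cert="/etc/ssl/certs/examplecorp-radius-ca.pem"
    domain_suffix_match="radius.example.com"
    client_cert="/etc/wpa_supplicant/alice.crt"          # placeholder path
    private_key="/etc/wpa_supplicant/alice.key"          # placeholder path
    private_key_passwd="placeholder-passphrase"
}
```

With the first block the supplicant logs a successful association against any RADIUS server presenting a certificate; with the second and third it refuses to complete the EAP handshake unless the certificate chains to the pinned CA and carries the expected name, which is the difference the comment above is drawing between a "properly configured" client and one that skips validation.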
Re: (Score:1)
> - UPnP (a.k.a. let anything open any port to anywhere without authentication)
miniupnpd (the UPnP daemon of choice for every router software I've been able to look at) has a configuration setting that only permits a machine to forward ports to itself. This configuration setting defaults to "on". This means that a LAN with a running miniupnpd is no less secure than a LAN with a globally-routable IPv6 address allocation.
Additionally, on any non-shit router software (why would you advocate securing your L
Re: (Score:2)
Errr right. Your security theory boils down to: wireless has no physical barriers so we need to avoid it at all costs regardless of its benefits?
No thanks. While I agree with some of your sentiment like WPS being a colossal piece of shit and remote admin just being a bad idea:
- UPnP - I am not going to manually configure every internet facing service every time I want to use a piece of software.
- WPA - While WEP is proven weak and breakable, WPA hasn't been broken without some serious conditions (knowing wh
Choose CGNAT-compatible apps instead of UPnP (Score:2)
UPnP - I am not going to manually configure every internet facing service every time I want to use a piece of software.
In the era of IPv4 address exhaustion and IPv6 foot-dragging, more and more users end up behind carrier-grade NAT. To serve these users, more and more applications are being written to bounce traffic off a server so that the client can get away with making only outbound connections.
Re: (Score:2)
That's great from an end user perspective, but then you're advocating applications tied to a specific internet service? I'm surprised you haven't been nodded into oblivion by the trust-no-corporation crowd on Slashdot.
But they definitely have a point. Connectivity between two clients should not depend on a third party server, especially since many of us not only have real IPs but static ones too.
Re: (Score:2)
Re: (Score:2)
The presence of a static IP address (which I get by signing up to the cheapest ISP in the country, not by paying extra) has nothing to do with not wanting to dedicate effort to manage a home network. It is not at all hard to open ports. You don't need to be some technical whiz, and while I am that whiz I have no interest in managing applications in my home network when a perfectly good system allows me to do it.
As far as I am concerned my network is designed to be leaky. Internal applications should have co
Re: (Score:2)
The ironic thing is that WPA2-PSK is decently secure. I've not read of any significant breaks, assuming the key is of a decent length.
The problem is that there are shortcuts given (WPS) which make having a solid shared key pointless.
UPnP? Just asking for trouble. If a game has to have ports open, I'll manually open them myself. Otherwise, they should remain closed.
WEP? This shouldn't even be present in any router made in recent years. My HTC Wizard, circa 2006, had an application (before the word "app
Re: (Score:2)
If I want [remote administration] functionality, I'll have some sort of port knocking, a DMZ machine, and SSH with 2FA or via RSA keys to an inside machine to access the router.
That's a lot of electric power to waste on leaving two computers on 24/7 just so that you can troubleshoot problems with a router belonging to a not-so-technically-inclined relative who lives far from you.
Re: (Score:2)
Re: (Score:3)
Well, it's to make life simpler for users.
WPS - the alternative to this for "regular users" is no security. Great for those who need a hotspot in a hurry, not so great in general. Instead, all users need to do is hit a button and enter a code, and they have encrypted WiFi working. It's just like TouchID on the iPhone - Apple realized people should use passcodes for security, but many don't because it's )@*#&%*(@ annoying to enter it (especially if you have "complex passcodes" on) 1,000 times a day.
WPA is st
You forgot one thing (Score:2)
Re: (Score:2)
Re: (Score:2)
I take it a step further, I buy appliances with exactly the feature set that I need. I admit it gets harder and harder. The usual dialogue in the store:
"I want to buy a $device without $feature"
"Sir, we'd have $device here, you can disable $feature in it"
"Where? I don't see the switch to turn it off."
"You can disable it in the configuration"
"So... I can turn it off in the config and anyone who can get into the configuration page of the device can turn it back on?"
"Umm... yeah, but you'd be the only one who
Re:Wireless security (Score:5, Funny)
Let me get this straight: you refuse to buy a wireless router with WPS that can be disabled in the administration console for the router because if someone pwns your router administration console they might be able to turn WPS back on?
Really? I bet you also refuse to use ATM cards because if someone stole your identity, got issued a fake driver's license, stole all your passwords, etc, they might be able to contact the bank and change your PIN!
During the days of Nintendo DS online play (Score:2)
WPA/WEP (a.k.a. half-arsed encryption that we never really thought through): turned off on every router I've ever used, since day one of installation.
Was this true even during the days of Nintendo Wi-Fi Connection, when the Nintendo DS couldn't use anything but WEP? Or did you just skip the DS?
Remote administration (a.k.a. let random strangers on the Internet sit and brute-force your passwords with no way to tell it's happening): turned off on every router I've ever used, since day one of installation.
So when you're setting up a home network for a relative who lives far away and is not technically inclined, and you have to troubleshoot it, do you make plans to get on an airplane whenever something goes wrong?
Seriously. There's zero impact on always VPN'ing over your wireless connection to a machine that has a fixed line to your actual Internet connection.
Except on machines that do not support OpenVPN, such as a video game console.
Re: (Score:1)
- networking (a.k.a. allow another computer to snoop into my hardware and software): turned off on every computer I ever used, since day one of installation.
Re: (Score:2)
No.
I didn't personally use Wifi until it had been in place, with an encryption system that had proven itself, for a number of years before I trusted my networks and data to it.
WEP was broken, so I reset the clock. WPA was compromised so I reset the clock. It was only WPA2 that has proved difficult to "simplify" the problem by using real, proven encryption schemes rather than making-one-up-as-we-go-along.
Common bloody sense.
Re: (Score:2)
Although I think you severely overestimate the value of your pr0n collection, I'd simply like to point out that while you were spending all your time securing your networks and data it seems your homepage was reduced to 404s... which in a way is more secure too, of course.
Re: (Score:2)
Or better, don't use wireless at all!
Re: (Score:2)
Sorry, but maybe it would pay to Google things and keep on security news sites occasionally. Sure, I'm a home user for the most part, my home connections aren't liable to be attacked.
But WPA-TKIP is fatally flawed and allows - while not password revelation - replay-attacks that allow packet injection and all kinds of other nasties. Some of this has been known about since 2008. Some of this is because WPA still uses the RC4 stream cipher (which is dead nowadays) in some situations too, whereas WPA2 uses A
Re: (Score:2)
In cryptography, it means a number that is only used once -- n-once. However, it is actually the wrong word to use here, as a cryptographic seed's most important attribute is unpredictability.
Re: (Score:2)
Yeah, the resulting articles are always pretty far away from what you told the reporters. Better look at the slides.
need a job. (Score:1)
rubbish... like printers. if we can talk to them via tcp/ip or even wifi this is a good thing(tm).
we want cheap devices
in my case the printer was tcp/ip AND wifi but no display/menu to speak of.
the one with a display would have printed the same quality but would have cost more.
so how the swiss cheese was i to setup the printer via wifi if i could not access it to setup the passphrase and ip address etc.etc?
wifi protected setup to the rescue.
once it was paired to the router automagically i could access the pr
protection? (Score:1)
well, you can always use Huawei routers, they are too cheap to follow standards (a.k.a. be vulnerable to wps)
Someone got paid off (Score:2)
...a manufacturer to be named once they get around to fixing it...
Someone got paid off not to name the manufacturer. Doing a great injustice to their customers by not letting them know their routers can easily be compromised.
Sure, maybe not letting the criminals know which manufacturer might seem like a smart idea, but in the same process, they don't need to know, they can just start checking them all. Your customers aren't safe that way. At least if you tell them there is a problem, they can use secondary measures, like turning off their router when they aren't using it. Maybe change their password every hour or so, or maybe pay attention to anything connecting to it. At least that way you can do something about it.
Going to boycott whichever manufacturer that is because they don't have my security in mind when they do stuff like this.
Re: (Score:3)
Nobody got paid. We call this responsible disclosure. The only thing is the Broadcom flaw was found before the second flaw and so they had a heads up.
http://en.wikipedia.org/wiki/R... [wikipedia.org]
Re: (Score:3)
It can also protect profits to make sure that the announcement of the vulnerability smears all vendors and thus includes your competitors tools, not merely your own company's flawed products. This is called "sponsoring more research before publication". I'm afraid that it's a noticeable source of funding for security researchers, and can also buy valuable time to sell off as much of the flawed inventory as possible while or until the fix is provided for newer products.
I'm afraid that there are people who th
Re: (Score:1)
So to be crystal clear, are you accusing me of being a liar and having accepted money from a vendor?
Re: (Score:2)
>> We call this responsible disclosure.
> are you accusing me of being a liar
I'd not done so. I don't discount responsible disclosure as existing: I'd certainly want to see a zero-day exploit reported to the authors, first, so that they can get a chance to publish a patch before the flaw spreads in the wild, and I _report_ flaws directly to vendors and authors when I encounter them.
I've explained other, more selfish reasons that a vendor or a security researcher might decline to publish full detail
Re: (Score:2)
I am the guy who did the research in this article actually.
Re: (Score:2)
Good for you, then, that you are doing real work in the field. I'll applaud your technical work in discovering and publishing this vulnerability, and I hope you'll feel able to publish more details ASAP.
As you are actually doing security work I'll urge that you be aware of why and how people might use your practice of genuinely responsible disclosure against their own customers or clients. There often comes a time when you have to make choices about whistle-blowing: exposing the flaws more widely to force
Which routers are affected? (Score:2)
I know for example that Apple uses broadcom chipsets and supports WPS (through Airport Utility) - are they vulnerable?
A known list of vulnerable routers would be very interesting.
Re: (Score:2)
Yes, of course, but it's unfortunately very complicated.
1. Showing a router is vulnerable is easy. Proving one is not is hard.
2. Buying and reversing each and every router is mighty expensive.
Re: (Score:2)
Pin Code and Push Button are two separate WPS modes.
co-worker had an MP3 file allegedly attack the net (Score:1)