WPS pin system vulnerability found.

[Rydian]

But by including a flag in the EAP-NACK message, the standard unwittingly left a gaping hole that can be exploited by hackers to subvert your router. The message tells the user if the first half of the pin they typed was right. Thus it drastically reduces the time needed to crack the PIN using a brute force attack. Add in that the last bit of the PIN is always its checksum, you have a recipe for a security disaster.
[...]
The U.S. Department of Homeland Security (DHS) has issued a warning to the public about the flaw. It advises disabling WPS.

Source

Can't really say I'm surprised. I mean when you try to make security like this easy for normal users, it tends to backfire.

 

[Ace]

Who the heck does use WPS? I thought everyone just used WPA2 by now

 

[Tom Bombadildo]

Who the heck does use WPS? I thought everyone just used WPA2 by now

This. Been using WPA2 for such a long time this won't be a problem for me or many people I know.

 

[Rydian]

Tons of people use WPS because they don't know shit about computers and "press this button then type in the code" is easier than "Find your local gateway, enter it in the browser, log in with these credentials, navigate to the wireless security section, select the type that's supported by all the devices you want to use, set up a pass/key, then type it in on the computers".

 

[nl255]

Who the heck does use WPS? I thought everyone just used WPA2 by now

You are thinking of WEP, which few people use unless they want to play DS games online. This new hole is in WPS (Wireless Protected Setup) which is a method used to more easily set up a router's security settings such as WPA. So unless you went into your router and disabled WPS yourself you are probably still using it. Even worse, some of the cheaper routers might not let you disable it which means you might need to go as far as installing custom firmware (such as DD-WRT) or even buying a new router to fix this.

 

[Ace]

Who the heck does use WPS? I thought everyone just used WPA2 by now

You are thinking of WEP, which few people use unless they want to play DS games online. This new hole is in WPS (Wireless Protected Setup) which is a method used to more easily set up a router's security settings such as WPA. So unless you went into your router and disabled WPS yourself you are probably still using it. Even worse, some of the cheaper routers might not let you disable it which means you might need to go as far as installing custom firmware (such as DD-WRT) or even buying a new router to fix this.

No, I know the difference between WEP, WPA/2 and WPS.
And with my router, there's a physical switch to turn WPS on and off, and we prefer passwords (since we can change those pretty quickly and never have hackers easily).
I just didn't think WPS was so widely used, is what I referred to. From some wardriving experience, most people use WPA2 protections here in Sweden, so that's where I'm coming from

 

[Izzy011]

I use WEP. Is that a bad thing ?

 

[notmeanymore]

Tons of people use WPS because they don't know shit about computers and "press this button then type in the code" is easier than "Find your local gateway, enter it in the browser, log in with these credentials, navigate to the wireless security section, select the type that's supported by all the devices you want to use, set up a pass/key, then type it in on the computers".

But no password at all is even easier.

Anyone who cares about security knows how to remember a password. Your grandma isn't going to set up WPS on their wifi, if they have wifi at all.

Regardless, this seems like the type of flaw that could be resolved in a firmware update. Disable the flag, done?

 

[Rydian]

I use WEP. Is that a bad thing ?

WEP's broken, anybody can crack it by running some programs they can google or look on youtube for.

But no password at all is even easier.

Anyone who cares about security knows how to remember a password. Your grandma isn't going to set up WPS on their wifi, if they have wifi at all.

Regardless, this seems like the type of flaw that could be resolved in a firmware update. Disable the flag, done?

Assuming that people who want to be secure know enough about computers?

 

[Nimbus]

I never use that POS excuse for a feature that is WPS anyway. I dont even advise anyone else to use it either.

The best way IMHO is to set it up manually, and to never take the easy route when setting up any wireless device.

Also sorry for my long absense, work and Second Life

 

[notmeanymore]

I use WEP. Is that a bad thing ?

WEP's broken, anybody can crack it by running some programs they can google or look on youtube for.

But no password at all is even easier.

Anyone who cares about security knows how to remember a password. Your grandma isn't going to set up WPS on their wifi, if they have wifi at all.

Regardless, this seems like the type of flaw that could be resolved in a firmware update. Disable the flag, done?

Assuming that people who want to be secure know enough about computers?

Yes. That is exactly my assumption. Someone who feels insecure will usually spend time to make themselves feel secure. That's how man is.

 

[raulpica]

And that's why I always disable WPS on my routers.

 

[Maikel Steneker]

This new hole is in WPS (Wireless Protected Setup) which is a method used to more easily set up a router's security settings such as WPA. So unless you went into your router and disabled WPS yourself you are probably still using it. Even worse, some of the cheaper routers might not let you disable it which means you might need to go as far as installing custom firmware (such as DD-WRT) or even buying a new router to fix this.

Alright, I know nothing about network security. I'm using a Linksys WRT54G with DD-WRT micro running on it. Do I need to manually disable WPS? I've never used it or changed the settings for it.

 

[Rydian]

Yes. That is exactly my assumption. Someone who feels insecure will usually spend time to make themselves feel secure. That's how man is.

The issue is that most people don't know what's what when it comes to computers, so what makes them feel secure isn't always what's actually secure.

See: Fake AVs.

 

[1NOOB]

disabling wps is the first thing i did when i connected my new router o.0 good to know

 

[Tom Bombadildo]

Yes. That is exactly my assumption. Someone who feels insecure will usually spend time to make themselves feel secure. That's how man is.

The issue is that most people don't know what's what when it comes to computers, so what makes them feel secure isn't always what's actually secure.

See: Fake AVs.

But when you have someone who doesn't know anything about computers they generally have some professional (read Geeksquad) come in and set everything up for them. Whether or not they disable WPS is up to them, personally if it were me setting up someones router I would disable the shit out of WPS every time.

 

[Rydian]

But when you have someone who doesn't know anything about computers they generally have some professional (read Geeksquad) come in and set everything up for them. Whether or not they disable WPS is up to them, personally if it were me setting up someones router I would disable the shit out of WPS every time.

Geek squad is only "professional" in the technical sense of the word (that it's their job), their actual practices and such aren't always the best.

WPS is often used as an alternative to the manual setup anyways.

 

[notmeanymore]

Yes. That is exactly my assumption. Someone who feels insecure will usually spend time to make themselves feel secure. That's how man is.

The issue is that most people don't know what's what when it comes to computers, so what makes them feel secure isn't always what's actually secure.

See: Fake AVs.

Those fake antiviruses work by first making the user feel insecure by saying their computer is loaded with viruses, and, to be honest, if you don't have an antivirus and you're foolish enough to fall for an ad like that, you probably have a virus anyway. They then suddenly have a solution for you.

If you honestly felt insecure without an advertisement telling you that you should, time would be invested in finding some sort of antivirus.
There's still the (high) chance that they'll get stuck with a bad one though. Many a time have I had to fix a computer where all it took was to uninstall their old AV and install Avast.

And back to the topic at hand, I've never met anyone who uses WPS nor can I even think of a time where a device offered to connect via WPS.

 

[Rydian]

Fake AVs are most often NOT installed with user consent, they come in through browser/plugin exploits.

I see tons of people that use WPS, because tons of people don't know shit about computers.

 

[Izzy011]

So what's better than WEP? I don't want my neighbors stealing my internet.