WPS pin system vulnerability found.

Discussion in 'User Submitted News' started by Rydian, Dec 30, 2011.

  1. Rydian
    OP

    Rydian Resident Furvert™

    Member
    27,883
    8,108
    Feb 4, 2010
    United States
    Cave Entrance, Watching Cyan Write Letters

    But by including a flag in the EAP-NACK message, the standard unwittingly left a gaping hole that can be exploited by hackers to subvert your router. The message tells the user if the first half of the pin they typed was right. Thus it drastically reduces the time needed to crack the PIN using a brute force attack. Add in that the last bit of the PIN is always its checksum, you have a recipe for a security disaster.
    [...]
    The U.S. Department of Homeland Security (DHS) has issued a warning to the public about the flaw. It advises disabling WPS.


    Source

    Can't really say I'm surprised. I mean when you try to make security like this easy for normal users, it tends to backfire.
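
The arithmetic behind the quoted passage, as an added example that is not part of the original post or the linked article. It assumes the 8-digit WPS PIN verified as two 4-digit halves and the standard check-digit weighting; the per-attempt time and lockout policy in the usage lines are constructed values, chosen to show how much a lockout slows exhaustion of a keyspace that stays small.

```python
# Added illustration (not from the quoted article or the thread).
# Assumptions: 8-digit PIN checked as two 4-digit halves, check digit computed
# with weights 3,1,3,1,3,1,3; timing and lockout inputs are constructed values.

def wps_checksum(first7: int) -> int:
    """Check digit that must follow the first seven PIN digits."""
    digits = [int(c) for c in f"{first7:07d}"]
    total = sum(d * (3 if i % 2 == 0 else 1) for i, d in enumerate(digits))
    return (10 - total % 10) % 10

def is_valid_pin(pin: str) -> bool:
    """True if an 8-digit string carries a correct check digit."""
    if len(pin) != 8 or not pin.isdigit():
        return False
    return wps_checksum(int(pin[:7])) == int(pin[7])

def worst_case_guesses() -> dict:
    """Worst-case number of attempts under three designs."""
    return {
        "free": 10**8,              # eight independent digits
        "checksum": 10**7,          # last digit is determined by the other seven
        "split": 10**4 + 10**3,     # first half confirmed alone; second half
                                    # has only three free digits
    }

def hours_to_exhaust(guesses: int, seconds_per_guess: float,
                     lock_after: int = 0, lock_seconds: float = 0.0) -> float:
    """Upper bound on time to try every candidate, with an optional lockout
    of lock_seconds after every lock_after failed attempts."""
    total = guesses * seconds_per_guess
    if lock_after:
        total += (guesses // lock_after) * lock_seconds
    return total / 3600

if __name__ == "__main__":
    space = worst_case_guesses()
    for name, n in space.items():
        print(f"{name:9s} {n:>11,d} attempts")
    n = space["split"]
    # Constructed policy: 1.5 s per attempt, 60 s lock after 3 failures.
    print(f"no lockout:   {hours_to_exhaust(n, 1.5):6.1f} h")
    print(f"with lockout: {hours_to_exhaust(n, 1.5, 3, 60):6.1f} h")
```

Even with the constructed lockout the bound is measured in days, not years, which is consistent with the advice quoted above to disable WPS rather than rely on throttling.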
     


  2. Ace

    Ace GBATemp's Patrick Bateman

    Member
    1,035
    178
    Apr 8, 2009
    Manhattan
    Who the heck does use WPS? I thought everyone just used WPA2 by now :mellow:
     
  3. Tom Bombadildo

    Tom Bombadildo Honk!

    pip Contributor
    10,550
    10,481
    Jul 11, 2009
    United States
    I forgot
    This. Been using WPA2 for such a long time this won't be a problem for me or many people I know.
     
  4. Rydian
    OP

    Rydian Resident Furvert™

    Member
    27,883
    8,108
    Feb 4, 2010
    United States
    Cave Entrance, Watching Cyan Write Letters
    Tons of people use WPS because they don't know shit about computers and "press this button then type in the code" is easier than "Find your local gateway, enter it in the browser, log in with these credentials, navigate to the wireless security section, select the type that's supported by all the devices you want to use, set up a pass/key, then type it in on the computers".
     
    1 person likes this.
  5. nl255

    nl255 GBAtemp Addict

    Member
    2,568
    360
    Apr 9, 2004
    You are thinking of WEP, which few people use unless they want to play DS games online. This new hole is in WPS (Wireless Protected Setup) which is a method used to more easily set up a router's security settings such as WPA. So unless you went into your router and disabled WPS yourself you are probably still using it. Even worse, some of the cheaper routers might not let you disable it which means you might need to go as far as installing custom firmware (such as DD-WRT) or even buying a new router to fix this.
     
  6. Ace

    Ace GBATemp's Patrick Bateman

    Member
    1,035
    178
    Apr 8, 2009
    Manhattan
    No, I know the difference between WEP, WPA/2 and WPS.
    And with my router, there's a physical switch to turn WPS on and off, and we prefer passwords (since we can change those pretty quickly and never have hackers easily).
    I just didn't think WPS was so widely used, is what I referred to. From some wardriving experience, most people use WPA2 protections here in Sweden, so that's where I'm coming from ;)
     
  7. Izzy011

    Izzy011 The Business Bitch

    Member
    247
    33
    Jun 13, 2008
    United States
    I use WEP. Is that a bad thing? :blink:
     
  8. TehSkull

    TehSkull Living the life

    Member
    2,700
    388
    Nov 29, 2009
    United States
    Louisiana
    But no password at all is even easier.

    Anyone who cares about security knows how to remember a password. Your grandma isn't going to set up WPS on their wifi, if they have wifi at all.

    Regardless, this seems like the type of flaw that could be resolved in a firmware update. Disable the flag, done?
     
  9. Rydian
    OP

    Rydian Resident Furvert™

    Member
    27,883
    8,108
    Feb 4, 2010
    United States
    Cave Entrance, Watching Cyan Write Letters
    WEP's broken, anybody can crack it by running some programs they can google or look on youtube for.

    Assuming that people who want to be secure know enough about computers?
     
    1 person likes this.
  10. Nimbus

    Nimbus sudo /usr/bin make-me-a-coffee --nosugar --cream=1

    Member
    913
    40
    Nov 1, 2009
    Probably being lazy.
    I never use that POS excuse for a feature that is WPS anyway. I don't even advise anyone else to use it either.

    The best way IMHO is to set it up manually, and to never take the easy route when setting up any wireless device.

    Also sorry for my long absence, work and Second Life :P
     
  11. TehSkull

    TehSkull Living the life

    Member
    2,700
    388
    Nov 29, 2009
    United States
    Louisiana
    Yes. That is exactly my assumption. Someone who feels insecure will usually spend time to make themselves feel secure. That's how man is.
     
  12. raulpica

    raulpica With your drill, thrust to the sky!

    Supervisor
    11,025
    7,343
    Oct 23, 2007
    Italy
    PowerLevel: 9001
    And that's why I always disable WPS on my routers.
     
    1 person likes this.
  13. Maikel Steneker

    Maikel Steneker M3 Fanboy

    Member
    3,396
    34
    May 16, 2007
    Netherlands
    Alright, I know nothing about network security. I'm using a Linksys WRT54G with DD-WRT micro running on it. Do I need to manually disable WPS? I've never used it or changed the settings for it.
     
  14. Rydian
    OP

    Rydian Resident Furvert™

    Member
    27,883
    8,108
    Feb 4, 2010
    United States
    Cave Entrance, Watching Cyan Write Letters
    The issue is that most people don't know what's what when it comes to computers, so what makes them feel secure isn't always what's actually secure.

    See: Fake AVs.
     
    1 person likes this.
  15. 1NOOB

    1NOOB GBAtemp Fan

    Member
    379
    24
    Sep 9, 2006
    Canada
    Inside My Head...
    Disabling WPS is the first thing I did when I connected my new router o.0 good to know
     
  16. Tom Bombadildo

    Tom Bombadildo Honk!

    pip Contributor
    10,550
    10,481
    Jul 11, 2009
    United States
    I forgot
    But when you have someone who doesn't know anything about computers they generally have some professional (read Geeksquad) come in and set everything up for them. Whether or not they disable WPS is up to them, personally if it were me setting up someone's router I would disable the shit out of WPS every time.
     
  17. Rydian
    OP

    Rydian Resident Furvert™

    Member
    27,883
    8,108
    Feb 4, 2010
    United States
    Cave Entrance, Watching Cyan Write Letters
    Geek squad is only "professional" in the technical sense of the word (that it's their job), their actual practices and such aren't always the best.

    WPS is often used as an alternative to the manual setup anyways.
     
  18. TehSkull

    TehSkull Living the life

    Member
    2,700
    388
    Nov 29, 2009
    United States
    Louisiana
    Those fake antiviruses work by first making the user feel insecure by saying their computer is loaded with viruses, and, to be honest, if you don't have an antivirus and you're foolish enough to fall for an ad like that, you probably have a virus anyway. They then suddenly have a solution for you.

    If you honestly felt insecure without an advertisement telling you that you should, time would be invested in finding some sort of antivirus.
    There's still the (high) chance that they'll get stuck with a bad one though. Many a time have I had to fix a computer where all it took was to uninstall their old AV and install Avast.

    And back to the topic at hand, I've never met anyone who uses WPS nor can I even think of a time where a device offered to connect via WPS.
     
  19. Rydian
    OP

    Rydian Resident Furvert™

    Member
    27,883
    8,108
    Feb 4, 2010
    United States
    Cave Entrance, Watching Cyan Write Letters
    Fake AVs are most often NOT installed with user consent, they come in through browser/plugin exploits.

    I see tons of people that use WPS, because tons of people don't know shit about computers.
     
    1 person likes this.
  20. Izzy011

    Izzy011 The Business Bitch

    Member
    247
    33
    Jun 13, 2008
    United States
    So what's better than WEP? I don't want my neighbors stealing my internet.