WPS PIN system vulnerability found.

Discussion in 'User Submitted News' started by Rydian, Dec 30, 2011.

Dec 30, 2011
  1. Rydian
    OP


    But by including a flag in the EAP-NACK message, the standard unwittingly left a gaping hole that can be exploited by hackers to subvert your router. The message tells the user if the first half of the PIN they typed was right. Thus it drastically reduces the time needed to crack the PIN using a brute force attack. Add in that the last bit of the PIN is always its checksum, you have a recipe for a security disaster.
    [...]
    The U.S. Department of Homeland Security (DHS) has issued a warning to the public about the flaw. It advises disabling WPS.


    Source

    Can't really say I'm surprised. I mean when you try to make security like this easy for normal users, it tends to backfire.
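
Added example (not part of the original post or the quoted article): the arithmetic behind the quoted claim, assuming the standard 8-digit WPS PIN checked as two 4-digit halves with the eighth digit as checksum. The per-attempt time and lockout settings are hypothetical inputs, included to show how router-side rate limiting changes the worst case.

```python
"""Search-space arithmetic for the WPS PIN weakness quoted above (added example)."""

PIN_DIGITS = 8  # assumption: standard WPS PIN length; the 8th digit is a checksum


def wps_checksum(first7: int) -> int:
    """Checksum digit for the first seven PIN digits (weights 3,1,3,1,3,1,3)."""
    total = sum(int(d) * (3 if i % 2 == 0 else 1)
                for i, d in enumerate(f"{first7:07d}"))
    return (10 - total % 10) % 10


def is_valid_pin(pin: str) -> bool:
    """True if pin is 8 ASCII digits and the last digit matches the checksum."""
    return (len(pin) == PIN_DIGITS and pin.isascii() and pin.isdigit()
            and int(pin[7]) == wps_checksum(int(pin[:7])))


def worst_case_guesses(half_confirmed: bool) -> int:
    """Maximum guesses needed, with or without per-half confirmation."""
    free_digits = PIN_DIGITS - 1            # the checksum digit is not free
    if not half_confirmed:
        return 10 ** free_digits            # whole PIN checked at once
    first_half = 10 ** 4                    # digits 1-4 confirmed on their own
    second_half = 10 ** (free_digits - 4)   # digits 5-7; digit 8 is derived
    return first_half + second_half


def worst_case_hours(guesses: int, secs_per_try: float,
                     tries_before_lock: int = 0, lock_secs: float = 0.0) -> float:
    """Hours to exhaust `guesses`; optional lockout after every N failures.

    All timing parameters are hypothetical inputs, not measured values.
    """
    lockouts = (guesses - 1) // tries_before_lock if tries_before_lock else 0
    return (guesses * secs_per_try + lockouts * lock_secs) / 3600


if __name__ == "__main__":
    print("valid example PIN 12345670:", is_valid_pin("12345670"))
    print("guesses, no half confirmation:", worst_case_guesses(False))
    print("guesses, half confirmation:   ", worst_case_guesses(True))
    print("hours at 3 s/try, no lockout: ",
          round(worst_case_hours(worst_case_guesses(True), 3.0), 1))
    print("hours with 60 s lock per 3 tries:",
          round(worst_case_hours(worst_case_guesses(True), 3.0, 3, 60.0), 1))
```

The gap between the two guess counts is why the advisory quoted above recommends disabling WPS rather than choosing a "better" PIN.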
     


  2. Ace

    Who the heck does use WPS? I thought everyone just used WPA2 by now :mellow:
     
  3. Tom Bombadildo

    This. Been using WPA2 for such a long time this won't be a problem for me or many people I know.
     
  4. Rydian
    OP

    Tons of people use WPS because they don't know shit about computers and "press this button then type in the code" is easier than "Find your local gateway, enter it in the browser, log in with these credentials, navigate to the wireless security section, select the type that's supported by all the devices you want to use, set up a pass/key, then type it in on the computers".
     
    1 person likes this.
  5. nl255

    You are thinking of WEP, which few people use unless they want to play DS games online. This new hole is in WPS (Wireless Protected Setup) which is a method used to more easily set up a router's security settings such as WPA. So unless you went into your router and disabled WPS yourself you are probably still using it. Even worse, some of the cheaper routers might not let you disable it which means you might need to go as far as installing custom firmware (such as DD-WRT) or even buying a new router to fix this.
     
  6. Ace

    No, I know the difference between WEP, WPA/2 and WPS.
    And with my router, there's a physical switch to turn WPS on and off, and we prefer passwords (since we can change those pretty quickly and never have hackers easily).
    I just didn't think WPS was so widely used, is what I referred to. From some wardriving experience, most people use WPA2 protections here in Sweden, so that's where I'm coming from ;)
     
  7. Izzy011

    I use WEP. Is that a bad thing? :blink:
     
  8. TehSkull

    But no password at all is even easier.

    Anyone who cares about security knows how to remember a password. Your grandma isn't going to set up WPS on their wifi, if they have wifi at all.

    Regardless, this seems like the type of flaw that could be resolved in a firmware update. Disable the flag, done?
     
  9. Rydian
    OP

    WEP's broken, anybody can crack it by running some programs they can google or look on youtube for.

    Assuming that people who want to be secure know enough about computers?
     
    1 person likes this.
  10. Nimbus

    I never use that POS excuse for a feature that is WPS anyway. I don't even advise anyone else to use it either.

    The best way IMHO is to set it up manually, and to never take the easy route when setting up any wireless device.

    Also sorry for my long absence, work and Second Life :P
     
  11. TehSkull

    Yes. That is exactly my assumption. Someone who feels insecure will usually spend time to make themselves feel secure. That's how man is.
     
  12. raulpica

    And that's why I always disable WPS on my routers.
     
    1 person likes this.
  13. Maikel Steneker

    Alright, I know nothing about network security. I'm using a Linksys WRT54G with DD-WRT micro running on it. Do I need to manually disable WPS? I've never used it or changed the settings for it.
     
  14. Rydian
    OP

    The issue is that most people don't know what's what when it comes to computers, so what makes them feel secure isn't always what's actually secure.

    See: Fake AVs.
     
    1 person likes this.
  15. 1NOOB

    Disabling WPS is the first thing I did when I connected my new router o.0 good to know
     
  16. Tom Bombadildo

    But when you have someone who doesn't know anything about computers they generally have some professional (read Geeksquad) come in and set everything up for them. Whether or not they disable WPS is up to them, personally if it were me setting up someone's router I would disable the shit out of WPS every time.
     
  17. Rydian
    OP

    Geek squad is only "professional" in the technical sense of the word (that it's their job), their actual practices and such aren't always the best.

    WPS is often used as an alternative to the manual setup anyways.
     
  18. TehSkull

    Those fake antiviruses work by first making the user feel insecure by saying their computer is loaded with viruses, and, to be honest, if you don't have an antivirus and you're foolish enough to fall for an ad like that, you probably have a virus anyway. They then suddenly have a solution for you.

    If you honestly felt insecure without an advertisement telling you that you should, time would be invested in finding some sort of antivirus.
    There's still the (high) chance that they'll get stuck with a bad one though. Many a time have I had to fix a computer where all it took was to uninstall their old AV and install Avast.

    And back to the topic at hand, I've never met anyone who uses WPS nor can I even think of a time where a device offered to connect via WPS.
     
  19. Rydian
    OP

    Fake AVs are most often NOT installed with user consent, they come in through browser/plugin exploits.

    I see tons of people that use WPS, because tons of people don't know shit about computers.
     
    1 person likes this.
  20. Izzy011

    So what's better than WEP? I don't want my neighbors stealing my internet.
     
