Print

Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[FurryNutz]

It was posted in the DIR-655 forum about a recent security problem that was found when using WPS. Dir-655 Forum. Hackers are able to gain access to the devices web page and operation by Brute Force hacking into the router using a scanning program to the WPS (Wi-Fi Protected Setup) feature of the device.  Seems this effects a few major brands including D-Link.

This common feature is seen on most routers and wireless access point devices. This feature comes turned ON by default out of the box. In general this feature is only used with trying to connect with another device such as a wireless printer for seamless connection between the router and wireless device. In some cases, it's not used much, in most cases I've seen. Most wireless connections between devices is done with the wireless SSID and Password. This security vulnerability does not effect any SSID or password options. This only effects WPS and those devices that have the WPS option.

D-Link is aware of this issue and is currently working on identifying and verifying the issue on those products effected. Then developing, testing and releasing a fix of which I do not know when nor do I  know of any details of which products are effected. "No other BETA or full release will be posted until the current vulnerability fix is included for all affected products."

So there is one work around for this vulnerability that users can take action on, Turn OFF or disable the WPS (Wi-Fi Protected Setup) option should you really be concerned about this. If you don't use this option then you can just turn it off anyways. Doing this will help block any sort of attack should one take place. Maintain the Wireless security for the SSID your using and be sure to use WPA and or WPA2 with TPIK and or AES. WPA2 and AES provides the best in security for Wireless devices. Be aware that WPA2 and AES isn't supported on all devices so check with the Mfr for your devices to find out what they support.

Also make sure your D-Link device admin log-in for the page is also secure by placing a password on it to protect the log-in for the devices web page as well.

In meantime and your really concerned about it, turn OFF WPS and be patient on firmware updates regarding WPS vulnerabilities from D-Link. They are working on it.

If you have any more questions or concerns, please post or call your local D-Link support office and ask your questions there.

Thank you.

Furry.

[zippoking]

Was just reading about this new hack, interesting.  Seems some other routers when you go in to turn off WPS it is still on and vulnerable, but not D-link ones from what I've seen (this one wasn't specifically listed but all others from D-link were ok).  I'm curious though, if you disable WPS do you have to manually reconnect anything that was first connected using WPS?  I guess I'll find that out eventually, I'm just not sure with so many devices these days which I would have connected using this method, but I think I've tried it a few times...

more hack info here if you want to try it
http://lifehacker.com/5873407/how-to-crack-a-wi+fi-networks-wpa-password-with-reaver

[zrkdar]

Stefan Viehböck's paper on the vulnerability is here: http://sviehb.files.wordpress.com/2011/12/viehboeck_wps.pdf

He also has a short video of an attack here: http://vimeo.com/34402962. In this video the actual recovery time was around 45 minutes.

Chester Wisniewski at Sophos has an informative blog post (http://nakedsecurity.sophos.com/2011/12/30/most-wi-fi-routers-susceptible-to-hacking-through-security-feature/) on this vulnerability:  

The PIN used for authentication is only eight digits which would give the appearance of 108 (100,000,000) possibilities. It turns out the last digit is just a checksum, which takes us down to 107 (10,000,000) combinations.

Worse yet the protocol is designed so that the first half and second half are sent separately and the protocol will confirm if only one half is correct.

So you have now reduced the difficulty of brute forcing the PIN down to 104 (10,000) plus 103 (1,000) or 11,000 possibilities.

Some of the routers Viehböck tested did seem to implement a mechanism to slow down the brute forcing, but the worst case scenario allowed him to acquire the keys within 44 hours.

Compared with attempting to attack WPA2-PSK directly, this is a cheap and effective attack.

So if you were using a PSK with something like 128 bits of entropy it can now be bypassed with security that amounts to  less than 14 bits of entropy. This is the security equivalent of securing your online bank account with "Password1". What's more amazing is that companies like D-Link, Cisco, Netgear etc. implemented this hair-brained scheme and apparently very badly in most cases (lookout periods, anyone?). This doesn't exactly inspire confidence that any of these companies give a hoot about wireless security.

So where's the information on mitigation? Instructions on turning off WPS? Does turning off WPS really work as some people have suggested it might not in some cases? When will fixes be available?

[FurryNutz]

Turn OFF WPS under Advanced settings. Be patient on firmware updates regarding WPS vulnerabilities from D-Link. They are working on it.

If you have any more questions or concerns, please post or call your local D-Link support office

[zrkdar]

There's a link from the CERT site to a spreadsheet with data on lots of routers, including 23 D-Link routers. I guess the good news is that on all the D-Link routers reported so far WPS can be turned-off and it stays off. This is not true for certain other well-known brands.

Here's the link: http://www.us-cert.gov/cas/techalerts/TA12-006A.html
Then scroll done and click "WPS Vulnerability Testing" link in "IV. References" section.

Given that a lot of the testing was done by D-Link themselves it would be nice if they posted their findings here directly or somewhere on the site or provide a link if they already have.

[woodbar]

Thanks for the tip - just turned mine off - I don't use it anyway

[SFwireless]

I wish D-Link would tell people about this.
I agree that the WPS issue needs way more attention paid to it.

This blog post has details on how bad it is.
http://www.safegadget.com/72/major-wireless-network-vulnerability-wps-bug/

[FurryNutz]

At least you can turn OFF WPS and prevent the attack should you be in a area with these problems.
Even though WPS is on DLink products, it's the Standards people who own the code and development on WPS so it's they who should be proactive in notifying Mfrs and users. I do agree, Mfrs should be posting some info about it as well.

[FurryNutz]

Update: 05/14/2012
http://www.dlink.com/wpsfwupgrade

Update: 7.12/2012 Link no longer works since new main site went live. Products will be updated as needed we presume.

[FurryNutz]

Keep up to date on issues here...D-Link Security Advisory Information

Most WPS problems have been fixed by now.