backtop


Print 47 comment(s) - last by althaz.. on Jan 3 at 4:41 AM

The Department of Homeland Security suggests the only solution is to disable WPS

NETGEAR, Inc. (NTGR), Cisco System, Inc.'s (CSCO) Linksys, D-Link Corp (TPE:2332), and Belkin, Inc. are some of the biggest makers of routers.  If you own a router, there's a good chance you own a router from one of these manufacturers.  And if you own a router from them, there's a good chance you used Wi-Fi Protected Setup (WPS) -- a PIN protected method -- to easily set up your home network.  And that means that there's a good chance your security is now at serious risk.

WPS was dreamed up by the Wi-Fi Alliance as a means of easing the pain of home networking.  But by including a flag in the EAP-NACK message, the standard unwittingly left a gaping hole that can be exploited by hackers to subvert your router.

The message tells the user if the first half of the pin they typed was right.  Thus it drastically reduces the time needed to crack the PIN using a brute force attack.  Add in that the last bit of the PIN is always its checksum, you have a recipe for a security disaster.

Linksys router
[Image Source: Best Wireless Internet Routers Blog]

The flaw reduces the time it takes to crack your average PIN from 108 attempts to 104+103 attempts (11,000 attempts total).  Assuming you can fire off ten requests or more a second, you should be able to crack routers in minutes.

The U.S. Department of Homeland Security (DHS) has issued a warning to the public about the flaw.  It advises disabling WPS.  This may be a painful option for less savvy operators, though, as setting up a network with more sophisticated protections can require a bit of learning.

Stefan Viehbock discovered the vulnerability and reported it to the DHS.  He claims that none of the major manufacturers stepped up to the plate with a patch.  He is going to release a C-coded exploitation tool shortly -- perhaps that will help prompt the business into action.

Sources: .BrainDump (Stefan Viehbock), Department of Homeland Security



Comments     Threshold


This article is over a month old, voting and posting comments is disabled

OK
By Dr of crap on 12/29/2011 1:08:19 PM , Rating: -1
But unless you live in say New York with their apartments so close together, do you have to care?

I live in the burbs of Minneapolis, and I can see a few networks that are close to my house. I have even used one of them just to see if it as protected. But I'm sure no one will try and get into my WPS system. So I don't see a problem here.
And yes I know what the responses to this will be, but I still stand by my I don't think I have to worry about this statement.




RE: OK
By phatboye on 12/29/2011 1:13:59 PM , Rating: 2
If you don't care about Wireless security then this article was probably not meant for you


RE: OK
By Labotomizer on 12/29/2011 1:33:06 PM , Rating: 2
Yes, because no one in the suburbs has any malicious intent.

The reason you protect your network is more to protect yourself. If someone attempts to hack the FBI using your wireless network you have no way to prove it wasn't you. I've also seen a case where excessive piracy on a compromised wireless network caused the person's service to be disconnected.

Just a thought for you. And I don't see why WPS is supposedly easier than a WPA2 key anyway. Something as simple as "MyDogWearsCatPants1" will make it nearly impossible to crack your wirelss network. And who would forget that?


RE: OK
By BZDTemp on 12/29/2011 6:38:15 PM , Rating: 3
Actually I've seen an insecure wireless network used as a successful defense in court case. The anti-piracy lawyers was unable to prove beyond reasonable doubt who had been downloading and sharing some movies - all they could document what internet connection was used and since the network was open...

That being said I agree one should protect ones network. Just imagine some perv parked outside using ones network and next you might end up in a sex offender database. Small risk but...


RE: OK
By inperfectdarkness on 12/29/2011 7:23:23 PM , Rating: 2
that's the same combination as my luggage!


RE: OK
By GTVic on 12/29/2011 4:47:58 PM , Rating: 2
Then if it doesn't apply to you ... why comment if you have nothing to say?


RE: OK
By delphinus100 on 12/29/2011 6:03:54 PM , Rating: 2
Ever heard of 'wardriving?'

It isn't necessarily your neighbors that you have to worry about...


"And boy have we patented it!" -- Steve Jobs, Macworld 2007

Related Articles













botimage
Copyright 2014 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki