
The Department of Homeland Security suggests the only solution is to disable WPS

NETGEAR, Inc. (NTGR), Cisco Systems, Inc.'s (CSCO) Linksys, D-Link Corp (TPE:2332), and Belkin, Inc. are some of the biggest makers of routers. If you own a router, there's a good chance it comes from one of these manufacturers. And if it does, there's a good chance you used Wi-Fi Protected Setup (WPS) -- a PIN-protected method -- to set up your home network easily. And that means there's a good chance your security is now at serious risk.

WPS was dreamed up by the Wi-Fi Alliance as a means of easing the pain of home networking.  But by including a flag in the EAP-NACK message, the standard unwittingly left a gaping hole that can be exploited by hackers to subvert your router.

The message tells the client whether the first half of the PIN it sent was correct, which drastically reduces the time a brute-force attack needs to recover the PIN. Add the fact that the last digit of the PIN is always a checksum, and you have a recipe for a security disaster.

[Image: Linksys router. Source: Best Wireless Internet Routers Blog]

The flaw cuts the worst-case effort to crack an average PIN from 10^8 attempts to 10^4 + 10^3 attempts (11,000 attempts total). Assuming an attacker can fire off ten or more requests a second, a router can be cracked in minutes.
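As an added worked example (not from the article and not from Viehböck's tool), the following Python models the PIN search described above: it implements the checksum rule for the eighth digit that the text mentions, counts worst-case guesses under each verification model, and adds a hypothetical lockout parameter to show how an access point that suspends WPS after repeated failures changes the exposure. The checksum weights follow the Wi-Fi Simple Configuration specification; the lockout values are illustrative assumptions, not any vendor's behaviour.

```python
# Added example: WPS PIN checksum and worst-case search-space model.
# Checksum weights (3,1,3,1,3,1,3 over digits 1-7) are the ones the
# Wi-Fi Simple Configuration spec uses; everything else is a model.


def wps_checksum_digit(first_seven: str) -> int:
    """Return the 8th (checksum) digit for a 7-digit WPS PIN prefix."""
    if len(first_seven) != 7 or not first_seven.isdigit():
        raise ValueError("expected exactly seven decimal digits")
    weights = (3, 1, 3, 1, 3, 1, 3)
    total = sum(w * int(d) for w, d in zip(weights, first_seven))
    return (10 - total % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    """True if an 8-digit PIN carries the checksum digit implied by digits 1-7."""
    if len(pin) != 8 or not pin.isdigit():
        return False
    return wps_checksum_digit(pin[:7]) == int(pin[7])


def worst_case_attempts(half_feedback: bool, checksum_known: bool) -> int:
    """Worst-case number of PIN guesses under each verification model.

    half_feedback: the registrar reveals (via the EAP-NACK flag the article
    describes) whether the first four digits were right, on their own.
    checksum_known: the guesser uses the fact that digit 8 is fixed by 1-7.
    """
    if not half_feedback:
        # One monolithic 8-digit secret: 10^8, or 10^7 once the checksum
        # removes one free digit.
        return 10**7 if checksum_known else 10**8
    first_half = 10**4                                 # digits 1-4, confirmed alone
    second_half = 10**3 if checksum_known else 10**4   # digits 5-7 (+ derived 8th)
    return first_half + second_half                    # additive, not multiplicative


def worst_case_seconds(attempts: int, guesses_per_sec: float,
                       lock_after: int = 0, lock_seconds: float = 0.0) -> float:
    """Time to exhaust `attempts` at a given rate.

    lock_after / lock_seconds model an AP that suspends WPS for lock_seconds
    after every lock_after consecutive failures. These are hypothetical
    policy values used to show the mitigation's effect, not a spec figure.
    """
    base = attempts / guesses_per_sec
    if lock_after <= 0 or lock_seconds <= 0:
        return base
    return base + (attempts // lock_after) * lock_seconds


if __name__ == "__main__":
    # 12345670 passes the checksum; 12345671 does not.
    print(is_valid_wps_pin("12345670"), is_valid_wps_pin("12345671"))
    for leak, chk in ((False, False), (False, True), (True, False), (True, True)):
        n = worst_case_attempts(leak, chk)
        print(f"half_feedback={leak!s:5} checksum_known={chk!s:5} -> {n:>11,} attempts,"
              f" {worst_case_seconds(n, 10) / 60:,.0f} min at 10 guesses/s")
    # Same 11,000 attempts with a hypothetical 60 s lockout after 3 failures.
    n = worst_case_attempts(True, True)
    print(f"with lockout: {worst_case_seconds(n, 10, 3, 60) / 3600:,.1f} hours")
```

The point the model makes is that separate confirmation of each half turns a product (10^4 x 10^4) into a sum (10^4 + 10^4), and the checksum then removes one more digit from the second half. Rate limiting cannot restore the lost entropy, but the lockout branch shows why the DHS advice to disable WPS, or at minimum an aggressive AP-side lockout, changes the exposure from minutes to days.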

The U.S. Department of Homeland Security (DHS) has issued a warning to the public about the flaw.  It advises disabling WPS.  This may be a painful option for less savvy operators, though, as setting up a network with more sophisticated protections can require a bit of learning.

Stefan Viehböck discovered the vulnerability and reported it to the DHS. He claims that none of the major manufacturers has stepped up to the plate with a patch. He plans to release a C-coded exploitation tool shortly -- perhaps that will help prompt the industry into action.

Sources: .BrainDump (Stefan Viehböck), Department of Homeland Security



Comments

RE: Tip
By Hyperion1400 on 12/29/2011 2:50:26 PM , Rating: 4
Correct Horse Battery Staple

http://xkcd.com/936/
(f'ing spam filter better let that link through...)

Anyway, Jason, wireless networking doesn't have to be difficult, people MAKE it difficult by not reading the instructions and giving up immediately. I can walk just about any computer illiterate a-hole that can use a browser through it, over the phone, without(!) remote desktop support, in about 10 min.

Netgear: routerlogin.net/192.168.1.1>admin/password>click "Wireless Settings" subcategory under "Basic">Type in whatever the hell you want your network to be called>Select WPA2-PSK>Enter in a pass and for the love of god remember it!

Linksys: 192.168.1.1>*blank*/admin>Basic Setup>Enter network name>Wireless>Security>Select WPA2 "Personal" (whatever the h*ll that means)>Enter in pass, same as above

Belkin: Buy yourself a Linksys or Netgear

All other brands: same as Belkin


RE: Tip
By iLLz on 12/29/2011 7:04:35 PM , Rating: 2
That comic is wrong about the length of time it would take to crack that password. According to GRC's Password Haystack link posted in here by another, it would take 1.83 Billion Centuries to crack that password of Tr0ub4dor&3. There is capital and lowercase lettering and numbers and special characters.

Brute Force Search Space Analysis:
Search Space Depth (Alphabet): 26+26+10+33 = 95
Search Space Length (Characters): 11 characters
Exact Search Space Size (Count): (count of all possible passwords with this alphabet size and up to this password's length) 5,748,511,570,879,116,626,495
Search Space Size (as a power of 10): 5.75 x 10^21
Time Required to Exhaustively Search this Password's Space:
Online Attack Scenario: (Assuming one thousand guesses per second) 1.83 billion centuries
Offline Fast Attack Scenario: (Assuming one hundred billion guesses per second) 18.28 centuries

What they did get right was that correcthorsebatterystaple takes longer with a time of 78.3 Billion Trillion Centuries, but that is only due to its length. It's 25 characters long but all lowercase lettering. If you add capital lettering and numbers and a symbol it makes it ridiculously long to crack.

Here is the one for correcthorsebatterystaple:

Brute Force Search Space Analysis:
Search Space Depth (Alphabet): 26
Search Space Length (Characters): 25 characters
Exact Search Space Size (Count): (count of all possible passwords with this alphabet size and up to this password's length) 246,244,783,208,286,292,431,866,971,536,008,150
Search Space Size (as a power of 10): 2.46 x 10^35
Time Required to Exhaustively Search this Password's Space:
Online Attack Scenario: (Assuming one thousand guesses per second) 78.30 billion trillion centuries
Offline Fast Attack Scenario: (Assuming one hundred billion guesses per second) 7.83 hundred trillion centuries


RE: Tip
By iLLz on 12/29/2011 7:08:51 PM , Rating: 2
The "Search Space Size (as a power of 10)" lines should read:

5.75 x 10^21

2.46 x 10^35

Sorry the copy and paste didn't do exponentials properly.


RE: Tip
By Hyperion1400 on 12/29/2011 8:04:26 PM , Rating: 2
I really don't think they were intending it to be a mathematically perfect portrayal of brute-force hacking, but rather, an accurate analogy to disprove contemporary password logic. And, as you said, whether or not the math is right, the logic stands.

For my important stuff, like paypal, I use a 20 digit hex key...I don't think even God could brute-force hack that!


RE: Tip
By TrinityTP on 12/30/2011 8:44:41 AM , Rating: 3
No, it's correct. GRC's estimate is only valid if you pick numbers/letters/symbols at random. The point xkcd was making is people take a simple word "Troubadour" and replace a few letters with similar numbers and symbols "Tr0ub4dour" and add a number and/or symbol to the end. Common passwords have typically no more than about 2.5 bits of entropy per character and a few number substitutions only add a few extra bits to the whole password.
Nobody would try to brute force the whole password keyspace as it would take too long so you use things like john-the-ripper to expand a common password dictionary with the standard substitutions people make.

So yet again Steve Gibson's security "advice" is less useful than a comic, he should have stuck to fixing hard drives he was actually good at that...
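As an added worked example (not from any commenter, from GRC or from xkcd), this Python reproduces the "Exact Search Space Size" counts quoted in the thread from the 26+26+10+33 alphabet model and sets them against a structural-entropy estimate of the kind TrinityTP describes; the ~28-bit and ~44-bit figures passed in are the xkcd strip's own estimates for its two passwords. Search-space counts are exact; the century figures use a 365.25-day year, so they round slightly differently from GRC's display.

```python
# Added example: GRC-style "haystack" search space next to a
# structural-entropy view of the same two passwords.
import math
import string

SECONDS_PER_CENTURY = 100 * 365.25 * 24 * 3600


def search_space_size(alphabet_size: int, max_length: int) -> int:
    """Number of strings of length 1..max_length over the alphabet.

    This is the "Exact Search Space Size" the quoted output reports:
    sum_{k=1}^{L} A^k. Python ints are arbitrary precision, so the
    36-digit result for the passphrase is exact.
    """
    return sum(alphabet_size ** k for k in range(1, max_length + 1))


def alphabet_size_for(password: str) -> int:
    """Alphabet size under the 26+26+10+33 split used in the quoted output.

    A whole class counts as soon as one of its characters appears, which is
    what makes a single digit or symbol worth so much in this model.
    """
    classes = (
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation + " ", 33),   # 32 ASCII punctuation marks plus space
    )
    return sum(size for chars, size in classes if any(c in chars for c in password))


def centuries_to_exhaust(guess_count: float, guesses_per_sec: float) -> float:
    """Wall-clock centuries to try every candidate at a fixed guess rate."""
    return guess_count / guesses_per_sec / SECONDS_PER_CENTURY


def compare(password: str, structural_bits: float, guesses_per_sec: float = 1000.0) -> dict:
    """Brute-force 'haystack' view next to a structural-entropy view.

    structural_bits is an externally supplied estimate of how many bits a
    guesser who models how people build passwords actually has to search
    (the xkcd strip gives ~28 for Tr0ub4dor&3 and ~44 for the passphrase).
    """
    a = alphabet_size_for(password)
    space = search_space_size(a, len(password))
    return {
        "alphabet": a,
        "search_space": space,
        "haystack_bits": math.log2(space),
        "haystack_centuries": centuries_to_exhaust(space, guesses_per_sec),
        "structural_bits": structural_bits,
        "structural_centuries": centuries_to_exhaust(2 ** structural_bits, guesses_per_sec),
    }


if __name__ == "__main__":
    for pw, bits in (("Tr0ub4dor&3", 28), ("correcthorsebatterystaple", 44)):
        r = compare(pw, bits)
        print(f"{pw}: alphabet {r['alphabet']}, search space {r['search_space']:,}")
        print(f"  haystack view:   {r['haystack_bits']:.1f} bits, "
              f"{r['haystack_centuries']:.3g} centuries at 1000 guesses/s")
        print(f"  structural view: {r['structural_bits']} bits, "
              f"{r['structural_centuries']:.3g} centuries at 1000 guesses/s")
```

Both views agree on the arithmetic and disagree on the model: the haystack treats every position as an independent draw from the full alphabet, while the structural estimate charges a dictionary word plus a handful of predictable substitutions only a few bits. The gap between the two numbers for Tr0ub4dor&3 (about 72 bits against 28) is the quantity a dictionary-plus-rules guesser exploits, and it is why length from independent words survives that model better than substitutions do.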


Copyright 2014 DailyTech LLC.