Print 47 comment(s) - last by althaz.. on Jan 3 at 4:41 AM

The Department of Homeland Security suggests the only solution is to disable WPS

NETGEAR, Inc. (NTGR), Cisco System, Inc.'s (CSCO) Linksys, D-Link Corp (TPE:2332), and Belkin, Inc. are some of the biggest makers of routers.  If you own a router, there's a good chance you own a router from one of these manufacturers.  And if you own a router from them, there's a good chance you used Wi-Fi Protected Setup (WPS) -- a PIN protected method -- to easily set up your home network.  And that means that there's a good chance your security is now at serious risk.

WPS was dreamed up by the Wi-Fi Alliance as a means of easing the pain of home networking.  But by including a flag in the EAP-NACK message, the standard unwittingly left a gaping hole that can be exploited by hackers to subvert your router.

The message tells the user if the first half of the pin they typed was right.  Thus it drastically reduces the time needed to crack the PIN using a brute force attack.  Add in that the last bit of the PIN is always its checksum, you have a recipe for a security disaster.

Linksys router
[Image Source: Best Wireless Internet Routers Blog]

The flaw reduces the time it takes to crack your average PIN from 108 attempts to 104+103 attempts (11,000 attempts total).  Assuming you can fire off ten requests or more a second, you should be able to crack routers in minutes.

The U.S. Department of Homeland Security (DHS) has issued a warning to the public about the flaw.  It advises disabling WPS.  This may be a painful option for less savvy operators, though, as setting up a network with more sophisticated protections can require a bit of learning.

Stefan Viehbock discovered the vulnerability and reported it to the DHS.  He claims that none of the major manufacturers stepped up to the plate with a patch.  He is going to release a C-coded exploitation tool shortly -- perhaps that will help prompt the business into action.

Sources: .BrainDump (Stefan Viehbock), Department of Homeland Security

Comments     Threshold

This article is over a month old, voting and posting comments is disabled

RE: Tip
By cochy on 12/30/2011 11:40:24 AM , Rating: 2
I don't follow what you are saying. What is misleading?

RE: Tip
By TrinityTP on 12/30/2011 8:05:55 PM , Rating: 2
Well at least Gibson specifies that it is not a strength meter (he's right it isn't) but calls it a keyspace meter instead (which is basically the same thing by another name). So having pointed out that is doesn't measure the password strength then goes on to describe how long it would take to brute force it. See the contradiction???

Keyspace (as calculated by that page) is irrelevant unless it represents the process of generating a key. For example, take a lowercase letter followed by 1234567879, that is a 10 character alphanumeric password but only has a keyspace of 26 (i.e. [a-z]123456789) and not (26+10)^10.
Basically don't reference that page (or that site), period. Ironically xkcd makes far better suggestions (as long as the password field is big enough).

For Wifi a 19+ length random mixed case alphnumeric password is basically totally overkill ( ~113bits of security) since with 4096 rounds of PBKDF2 hardening we are nearly at the 128bit security level (the level that even thermodynamically speaking would require the entire planet's energy output for nearly a decade for a perfectly efficient computer to simply count to that number let alone actually SHA1 hash something that many times). Makes 256bit security look a bit silly really doesn't it?

RE: Tip
By TrinityTP on 12/30/2011 8:29:11 PM , Rating: 2
Sorry Cont...
As far as his actual password generation advice goes: its complete drivel! People are far more predictable than we like to think (I have don't several password audits and EVERYONE uses the exact same substitutions - no sorry none of you are at all original). This the reason tools like john-the-ripper exist, Gibson is stating something know to be factually wrong. Do not use his advice, its very bad. Don't use words with substations they are just not secure. Ideally try Diceroll or failing that try dingbats type representations of a long nonsensical passphrase (that is unique to you) movie quotes etc.


Cheese but not Ties repel Cats because they are bigger than peas = Chse!&->"_">ppp
using "_" for a cat as it reminds me of the Cheshire cat in Alice in wonderland
and & for a tie

RE: Tip
By TrinityTP on 12/30/2011 8:31:22 PM , Rating: 2
Arrg sorry that should read "NO movie quotes".

"When an individual makes a copy of a song for himself, I suppose we can say he stole a song." -- Sony BMG attorney Jennifer Pariser
Related Articles

Copyright 2016 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki