Making this WPS vulnerability even worse

If the vulnerability in WPS that I linked and talked about this week wasn’t bad enough, some of the commenters at the always excellent Hackaday found something terrible.

Many vendors use a predictable number as the WPS PIN, and don’t even bother to make it unique on a router-by-router basis. So much for it taking a couple of hours to get into a network. Since some vendors set the PIN to something like 123456789 or 123456780 (how clever), the vulnerability may not even be necessary to get in. Just try some of the known numbers, and chances are you can be on somebody’s network in a matter of minutes.

So here’s your homework. Disable WPS on your router. If the PIN is something stupidly obvious, change it if you can. Change it to a meaningless number of course. If you can’t disable WPS and/or if your vendor uses a really bad PIN and it can’t be changed, see if your router is capable of running DD-WRT, Tomato, OpenWrt, or some other similar open-source, third-party firmware. Such firmware is more likely to allow you to disable WPS and is much more likely to address this major vulnerability in a timely fashion, seeing as most of the vendors really don’t seem to care. A quick search suggests that WPS is broken under OpenWrt on some routers, which suddenly looks like an unintended benefit to me.

This is why openness is good, and black boxes are bad. Very bad. And why locking down firmware so it can’t be changed is shortsighted. Open firmware means that when a vendor can’t be bothered to fix a problem, somebody else can.
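
One way to check the homework above, as an added example that is not part of the original post: this script parses the text output of `iw dev <interface> scan` on Linux and reports whether each access point still carries a WPS element in its beacon. The sample scan text and the function name `wps_audit` are constructed for illustration.

```python
import re
import sys

# Constructed sample shaped like `iw dev wlan0 scan` output (not a real capture).
SAMPLE_SCAN = (
    "BSS 02:00:00:aa:bb:01(on wlan0)\n"
    "\tSSID: home-stock-fw\n"
    "\tWPS:\t * Version: 1.0\n"
    "\t\t * Wi-Fi Protected Setup State: 2 (Configured)\n"
    "\t\t * AP setup locked: 0x01\n"
    "BSS 02:00:00:aa:bb:02(on wlan0)\n"
    "\tSSID: home-third-party-fw\n"
    "\tRSN:\t * Version: 1\n"
)

BSS_RE = re.compile(r"^BSS ([0-9a-fA-F:]{17})")


def wps_audit(scan_text):
    """Map each BSSID to its SSID and whether its beacon carries a WPS element."""
    results, current = {}, None
    for line in scan_text.splitlines():
        match = BSS_RE.match(line)
        if match:
            current = {"ssid": "", "wps": False, "locked": False}
            results[match.group(1).lower()] = current
            continue
        if current is None:
            continue  # header noise before the first BSS block
        field = line.strip()
        if field.startswith("SSID:"):
            current["ssid"] = field[len("SSID:"):].strip()
        elif field.startswith("WPS:"):
            current["wps"] = True  # WPS element present: WPS is still offered
        elif field.startswith("* AP setup locked:"):
            # The AP says it is currently refusing external-registrar (PIN) setup.
            current["locked"] = field.split(":", 1)[1].strip() == "0x01"
    return results


if __name__ == "__main__":
    # Read real scan output from a pipe, or fall back to the constructed sample.
    text = SAMPLE_SCAN if sys.stdin.isatty() else sys.stdin.read()
    for bssid, info in wps_audit(text).items():
        state = "WPS ADVERTISED" if info["wps"] else "no WPS element"
        if info["locked"]:
            state += " (PIN setup locked)"
        print(f"{bssid}  {info['ssid'] or '<hidden>'}  {state}")
```

Pipe a scan of your own network into it (for example `sudo iw dev wlan0 scan | python3 wps_check.py`, where `wlan0` and the file name are placeholders) and look for your router's BSSID. If the router still shows up as advertising WPS after you turned the feature off, the setting did not fully take.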

2 thoughts on “Making this WPS vulnerability even worse”

  • January 4, 2012 at 1:24 am

    I don’t think WPS is even supported on dd-wrt. I know the WPS button can be mapped to do things that are handy (either scripts or disable/enable the WiFi Radio) but as far as this WPS, I don’t think it’s even there.

    At least, from looking around, I can’t see anything remotely related to WPS or the pin thing, except for enabling or disabling use of the button for the on/off radio.

    To add to this, with the stock Linksys firmware, even when ‘manual’ configuration is selected, WPS appears to be still being offered, at least, the laptop informs me that the router is WPS capable and to push the button etc. However, if you do so, it eventually fails and says to enter wireless key instead. So it appears that the feature is only half-off with stock firmware which is a bit of a worry for people out there.

    Whilst I can’t be 100% certain it’s off with DD-WRT, at least when connecting via wireless, the laptop asks for the key immediately and there’s no mention of WPS or pushing any buttons etc.

    • January 4, 2012 at 6:38 pm

      I know DD-WRT doesn’t support WPS on certain hardware. My old WRT54G routers didn’t even give me the option, which could be due to the old hardware or it could be due to the version of DD-WRT I was running.

      If you’re not getting the option to use WPS, I’m pretty comfortable that you’re not vulnerable. If you really want to be sure, download the tool and try to hack your own network. There’s nothing wrong or immoral about that.
