New wifi router vulnerability, easy hacking of WPA/WPA2 routers | Gamers With Jobs
New wifi router vulnerability, easy hacking of WPA/WPA2 routers
*Legion*
Head Coach
Donator v3.0
*Legion*'s picture
Location: Austin, TX
Thursday, January 19th, 2012 - 11:27am
A new attack on wifi routers has emerged, and it's the biggest wifi threat since WEP cracking. And this time, it applies to WPA/WPA2 encrypted networks.
WPA/WPA2 itself has not been broken - it remains as cryptographically viable as before.
However, almost every modern router on the market has a feature called WPS - Wifi Protected Setup. It's supposed to be the "easy" way for technologically illiterate people to set up encrypted networks. You've probably seen the little push buttons on the front of some routers, for enabling a sort of "pairing" mode, to easily get a new device onto the network.
WPS - and this is the part I was not aware of - is not limited only to the push button pairing mode. It also is in an always on state, ready to accept a static 8-digit PIN number that is usually written on a sticker on the bottom of the router.
And here's the other part I was not aware of - WPS is required to be both present and on by default in order for a device to be giving Wifi Alliance certification and use the little "wifi" logo. Which, of course, every wifi maker wants, and so they comply. Virtually every big-name router manufacturer (Linksys, D-Link, Netgear, Belkin, Cisco, etc) have WPS on by default on virtually all of their routers.
So, that's not good - Joey Nerdboy has a WPA2 router at home with a 64-character random key, yet it's got an 8-digit PIN number that would be much easier to crack instead.
And it gets much worse. Because the vulnerability I'm talking about is a weakness in that 8-digit PIN number, which reduces it from ~10 million possibilities to a search space of about 11,000 instead. And that is what turns this from a long brute-force attack into a fairly trivial one.
This is not a theoretical attack either. A tool called Reaver has been released to run this attack. It is very much like WEP cracking - it's open season on vulnerable routers now. If you want to see how easy it is, Lifehacker has made a How-To.
The solution here is, turn WPS off. There's a problem, though. If you have a Cisco or Linksys router, you can't! There's a setting in the admin panel for turning WPS off, but it doesn't actually do anything. Look for a firmware update for your router very soon.
If you are running DD-WRT or Tomato, you are not vulnerable. These firmwares do not implement WPS (by design). The only exception to this is the Buffalo routers that come with DD-WRT builds - Buffalo insisted on WPS and the DD-WRT guys provided it, but they intentionally leave it out of "true" DD-WRT.
So, in short:
* If you're running DD-WRT or Tomato, high five! Open source firmware rules again
* ... unless your DD-WRT is a Buffalo branded build, then go turn WPS off
* If you're running a router modern enough to have WPS, go check your admin panel NOW and turn WPS the hell off
* If you're on a Cisco or Linksys router, either go look for a firmware upgrade, or better yet, join the DD-WRT club
No comments:
Post a Comment