Showing results for 
Search instead for 
Do you mean 
Reply
LinkedOut
Posts: 11
Registered: ‎12-30-2011

Urgent: WPS vulnerability fix ETA?

As others have posted (forum link), the WPS protocol contains a design flaw for which now an exploit is in the wild with freely downloadable exploits. All WPS enabled WiFi routers are vulnerable to this, as far as I know including all Linksys ones.

 

Basically right now anyone can crack pretty much every modern WiFi router out there within hours, unless they have provisions to switch WPS off. Unfortunately many models don't have this capability at all (my WRT160N still accepts WPS when setting the router to manual).

 

When can we expect firmware updates addressing this issue? I'm particularly interested in WRT160Nv3.

LinkedOut
Posts: 11
Registered: ‎12-30-2011

Re: Urgent: WPS vulnerability fix ETA?

Summary from other thread:

 

- WPS contains unfixable design flaw

- WPS cannot be switched off on several routers at all, which means they are vulnerable as long as they are switched on

- no word from manufacturers on what they are planning to do

bsteener
Posts: 7
Registered: ‎01-07-2012

Re: Urgent: WPS vulnerability fix ETA?

This is a major vulnerability. Not being able to disable WPS is a major design failure. It would be nice to get a statement from Cisco about their plans to address this. About all you can do to protect yourself is disable wireless entirely and wait for a patch
somms
Posts: 129
Registered: ‎03-20-2008

Re: Urgent: WPS vulnerability fix ETA?

[ Edited ]

bsteener wrote:
This is a major vulnerability. Not being able to disable WPS is a major design failure. It would be nice to get a statement from Cisco about their plans to address this. About all you can do to protect yourself is disable wireless entirely and wait for a patch

Patch is avail immediately at least for the E4200V1 (NOT the E4200V2) in the form of more robust and secure open source firmware like Tomato or DD-WRT which does not contain WPS:  http://www.dd-wrt.com/phpBB2/viewtopic.php?t=149251



FTTH

Member of the Professional Aviation Safety Specialists Union!
bsteener
Posts: 7
Registered: ‎01-07-2012

Re: Urgent: WPS vulnerability fix ETA?

That is a good idea, thanks. I see my e3200 is supported. Looks like I need to do some reading.
somms
Posts: 129
Registered: ‎03-20-2008

Re: Urgent: WPS vulnerability fix ETA?

 

 

http://vimeo.com/34667806?pg=embed&sec=34667806

 

A demonstration of Tactical Network Solutions' commercial Reaver Pro product cracking a WPA-encrypted wireless network.



FTTH

Member of the Professional Aviation Safety Specialists Union!
Expert
sabretooth
Posts: 5,311
Registered: ‎11-11-2008

Re: Urgent: WPS vulnerability fix ETA?

Well the good thing about this is that there are no roving bands of folks with a Linux machines driving around in cars trying to crack your WPS so they can logon your network to order from Pizza Hut.  Give it a few weeks to see what happens.

somms
Posts: 129
Registered: ‎03-20-2008

Re: Urgent: WPS vulnerability fix ETA?


sabretooth wrote:

Well the good thing about this is that there are no roving bands of folks with a Linux machines driving around in cars trying to crack your WPS so they can logon your network to order from Pizza Hut.  Give it a few weeks to see what happens.



http://www.wired.com/threatlevel/2011/07/hacking-neighbor-from-hell/

 

If I was still running stock linksys firmware, I would be more concerned about the next-door disgruntled neighbor or script kiddie myself then roving mobs!:smileywink:

 



FTTH

Member of the Professional Aviation Safety Specialists Union!
Expert
sabretooth
Posts: 5,311
Registered: ‎11-11-2008

Re: Urgent: WPS vulnerability fix ETA?

Luckily that's one in a million.   It just doesn't happen as much as you think.  It makes the news and people 'play with it' to see if they can crack security codes.  Why?  It's fun.  Can you get in trouble?  Yes, and you know you can if you can 'crack the code' and use it for malicious circumstances.

 

Anyhow, I'd be more worried about folks that run NO security what-so-ever.   Folks who should be of slight concern is in apartment buildings and  college dorms where it would be more prevalent.   This is not to say that it won't happen now.  Most people will never hear of this issue.  And you can bet every post on vendor's forums will tell everyone to upgrade their firmware when a fix is out.  How many will upgrade?  Only 21.4% (my guess).

RogerSC
Posts: 482
Registered: ‎08-01-2009

Re: Urgent: WPS vulnerability fix ETA?

Well, the WPS fix firmware may come with other fixes that people have been waiting for, so that 21.4% may go as high as 21.8% *smile*.