topic Re: WPA2 Password Cracking in under 10 hours - WPS Side-channel attack in Tech Help - Software/Hardware etc

WPA2 Password Cracking in under 10 hours - WPS Side-channel attack

WelshPaul — Fri, 30 Dec 2011 11:16:20 GMT

I've seen a few news articles come through in the past 24 hours about a new Wi-Fi attack. It uses an attack on the implementation of WPS (ironically, WiFi Protected Setup) to crack WPA and WPA2 network passwords:
http://nakedsecurity.sophos.com/2011/12/30/most-wi-fi-routers-susceptible-to-hacking-through-security-feature/
http://isc.sans.edu/diary.html?storyid=12292
Here is a more technical write-up of the vulnerability:
http://sviehb.files.wordpress.com/2011/12/viehboeck_wps.pdf
I won't link to the tool, but there is already some free software around to do this.
Long passwords are no defence against this as it actually cracks an 8 character PIN. Best thing you can do is to search for the model of your router and see if you can disable WPS.
[Moderator's note by Dick (Strat) First and last URLs fixed.

Re: WPA2 Password Cracking in under 10 hours - WPS Side-channel attack

Strat — Fri, 30 Dec 2011 11:30:38 GMT

WPS appears to be off by default on my Billion 7800N.

Re: WPA2 Password Cracking in under 10 hours - WPS Side-channel attack

Oldjim — Fri, 30 Dec 2011 11:56:31 GMT

My Netgear doesn't support it
http://support.netgear.com/app/answers/detail/a_id/96
http://support.netgear.com/app/answers/detail/a_id/34/session/L2F2LzEvdGltZS8xMzI1MjQ2MDcxL3NpZC9DUU51RFRNaw%3D%3D

Re: WPA2 Password Cracking in under 10 hours - WPS Side-channel attack

Kelly — Fri, 30 Dec 2011 11:58:25 GMT

We ship all our technicolor routers with WPS off.

Re: WPA2 Password Cracking in under 10 hours - WPS Side-channel attack

alanf — Fri, 30 Dec 2011 12:17:09 GMT

I cannot find anywhere in the setup of my BT Voyager 2110 (supplied by Plusnet) to check this setting. Does this mean the router does not have this feature? I know its a few years old but the firmware has been updated during that time.
www.voyager.bt.com is not responding at present.

Re: WPA2 Password Cracking in under 10 hours - WPS Side-channel attack

VileReynard — Fri, 30 Dec 2011 14:32:30 GMT

Isn't WPS a Windows "feature"?

Re: WPA2 Password Cracking in under 10 hours - WPS Side-channel attack

prichardson — Fri, 30 Dec 2011 14:40:48 GMT

The Voyager 2110 does not support WPS.
WPS is a wireless specification. Microsoft decided to adopt it within the Windows 7 core wireless functionality, through wireless cards that support it (supply the required API calls to windows).

Re: WPA2 Password Cracking in under 10 hours - WPS Side-channel attack

Gus — Fri, 30 Dec 2011 14:43:13 GMT

Buffalo WBMR-HP-GN have it enabled by default

Re: WPA2 Password Cracking in under 10 hours - WPS Side-channel attack

alanf — Fri, 30 Dec 2011 14:43:55 GMT

Thanks Phil. It pays not to be using state-of-the-art kit it seems!

Re: WPA2 Password Cracking in under 10 hours - WPS Side-channel attack

Colin1234 — Fri, 30 Dec 2011 23:07:18 GMT

I can't see what the problem is as you need access to the router for this to work. You need to press a button on it to activate WPS. Am I missing something?

Re: WPA2 Password Cracking in under 10 hours - WPS Side-channel attack

WelshPaul — Sat, 31 Dec 2011 00:25:28 GMT

Taken from the first link:

Quote
It has three methods of simplifying the connection of wireless devices to WPA2 protected access points:
Push Button Connect (PBC) requires the user to push a button on the router which allows it to communicate with a client needing configuration. The client attempts to connect and the router simply sends it the security configuration required to communicate.
Client PIN mode is where the client device supports WPS and has a PIN assigned by the manufacturer. You then login to the router's management interface and enter the PIN to authorize that client to obtain the encryption configuration.
Router PIN mode allows a client to connect by entering a secret PIN from a label on the router, or from its management interface which authorizes the client to obtain the security configuration details.
The first method requires physical access, while the second requires administrative access, both of these pass muster. The third however, can be accomplished only through the use of the Wi-Fi radio.

So no you don't need to have physical access to the router.

Re: WPA2 Password Cracking in under 10 hours - WPS Side-channel attack

ReedRichards — Sat, 31 Dec 2011 09:24:39 GMT

This doesn't surprise me. The thinking must have been:
1) Lets invent a secret password system to protect our wireless networks
2) Oh dear, some people are too ignorant/stupid to cope with the secret password; lets invent a way of handing out the password even if they can't-remember/don't-know what it is. And WPS was born.
Now it turns out that the means of handing out the secret password is open to abuse. Well what a surprise!

Re: WPA2 Password Cracking in under 10 hours - WPS Side-channel attack

Anonymous — Sat, 31 Dec 2011 10:19:43 GMT

Much like all those Windows users who disable the User login password and use the machine with full administrator privileges at all times !

Re: WPA2 Password Cracking in under 10 hours - WPS Side-channel attack

w23 — Sat, 31 Dec 2011 10:38:39 GMT

I know someone with a Talk-Talk router that thoughtfully has the WPA2 passcode printed on a label on the side of the router (helpful for users who don't think to look underneath), the router is kept on the front windowsill near the master socket..... Who needs WPS?

Re: WPA2 Password Cracking in under 10 hours - WPS Side-channel attack

Vargster — Wed, 04 Jan 2012 20:15:55 GMT

Quote from: Kelly
We ship all our technicolor routers with WPS off.

Am I right in thinking my Thomson TG585 v7 is a Technicolor router?
Cheers!

Re: WPA2 Password Cracking in under 10 hours - WPS Side-channel attack

spraxyt — Wed, 04 Jan 2012 23:30:04 GMT

Yes it is. Technicolor own the Thomson Telecom brand.

Re: WPA2 Password Cracking in under 10 hours - WPS Side-channel attack

MartinGoose — Thu, 16 Feb 2012 15:12:10 GMT

Quote from: Kelly
We ship all our technicolor routers with WPS off.

Does this survive a factory reset?
Product Name: TG585 v8
Software Release: 8.2.7.8
If not what is the WPS facility called and on which router management screen does it appear?

Re: WPA2 Password Cracking in under 10 hours - WPS Side-channel attack

mattturner — Thu, 16 Feb 2012 15:39:23 GMT

Hi Martin,
Yes, this does survive a factory reset. There is no web interface to enable WPS, you'll need to do this through the telnet interface. If you're interested then the command is:
:wireless wps config ssid_id=0 state=enabled
And if you change your mind, to disable then run this:
:wireless wps config ssid_id=0 state=disabled
dick:quote

Re: WPA2 Password Cracking in under 10 hours - WPS Side-channel attack

MartinGoose — Thu, 16 Feb 2012 18:51:06 GMT

Quote from: Matt
Yes, this does survive a factory reset.

Good news!

Quote
There is no web interface to enable WPS, you'll need to do this through the telnet interface.

OK.. 2 questions.
1. Is there a Telnet command to query the current status?
2. Any other usefulTelnet commands that are not available in the web interface?
PS The part of the web interface that confused me was on the Wireless config page.
The item is called "Allow New Devices:".
The options are "New stations not allowed", "New stations are allowed (via registration)", or "New stations are allowed (automatically)"
I wondered if this was WPS.

Re: WPA2 Password Cracking in under 10 hours - WPS Side-channel attack

spraxyt — Thu, 16 Feb 2012 19:43:22 GMT

If you telnet into the router and do
wireless wps config
(without the state= parameter) it will tell you the current state (eg WPS disabled)
After enabling it I think you need to do
saveall
to ensure the changed setting survives reboot.