cancel
Showing results for 
Search instead for 
Did you mean: 

TG582n disable WPS

dacious
Newbie
Posts: 3
Registered: ‎01-08-2012

TG582n disable WPS

I've been looking at the WPS feature of the TG582n router, in the light of the well-known vulnerability:
http://arstechnica.com/business/2011/12/researchers-publish-open-source-tool-for-hacking-wifi-protec...
I had intended to just use a 516 modem, and a wireless router that doesn't have WPS, but I received a 582n (apparently the 516 is not available from plusnet any more?). So I thought it might be worth seeing whether it might be usable, since it seems pretty good apart from WPS.
The first approach would be to just turn of the wireless, this doesn't seem to be a problem to do, so it is one option but it would be nice to use wireless.
However I did find on the support sites for some other ISPs that it is possible to use telnet and the command line interface to the modem to disable WPS:
http://telecom.custhelp.com/app/answers/detail/a_id/25608/~/wps-security-risk---technicolor-tg582n,-...
I've tried this out, and it certainly seems to work - before doing this, pressing the WPS button causes it to flash orange. Afterwards, the WPS button does not cause flashing - in fact you can stop it mid-flash by sending the command! In addition, the "Wireless Easy Setup" link on the router web page now shows a gratifying server error. It can be turned back on using "enable" instead of "disable". After saving the setting, rebooting doesn't seem to turn WPS back on, so this seems like a fairly safe way to prevent the vulnerability.
I was wondering:

  • Is it worth mentioning this work around in support, for anyone worried about WPS?

  • From some of the other forum posts, I noticed that plusnet seems to have a good relationship with Technicolor, can they give any more feedback on the issue? For example, it would be nice to have an "official" confirmation from Technicolor that using that setting will guarantee WPS is turned off and will stay turned off.

  • Will a new firmware version disable WPS by default, allow for disabling it from the web interface, and/or reduce vulnerability some other way (not allowing hundreds of WPS attempts, or something similar maybe?)


I was wondering how new firmware is handled by plusnet, it's not automatically applied somehow is it?
Thanks for help.
7 REPLIES 7
adamwalker
Plusnet Help Team
Plusnet Help Team
Posts: 16,863
Thanks: 881
Fixes: 221
Registered: ‎27-04-2007

Re: TG582n disable WPS

Quote
(apparently the 516 is not available from plusnet any more?)

It hasn't been for a fair while.
Quote
Is it worth mentioning this work around in support, for anyone worried about WPS?

It's in the community forum so it's already in the right place for you guys to help each other. Our stance here is that the router does support WPS but we don't directly support the configuratoin of it.
Quote
From some of the other forum posts, I noticed that plusnet seems to have a good relationship with Technicolor, can they give any more feedback on the issue? For example, it would be nice to have an "official" confirmation from Technicolor that using that setting will guarantee WPS is turned off and will stay turned off

From what I've mentioned above I'd doubt that Technicolor would guarantee that but we'll let you know if we're able to gleam anything about that Smiley
Quote
Will a new firmware version disable WPS by default, allow for disabling it from the web interface, and/or reduce vulnerability some other way (not allowing hundreds of WPS attempts, or something similar maybe?)

No, that shouldn't happen.
Quote
I was wondering how new firmware is handled by plusnet, it's not automatically applied somehow is it?

No, as things stand any firmware updates would need to be done directly on the device.
If this post resolved your issue please click the 'This fixed my problem' button
 Adam Walker
 Plusnet Help Team
mattturner
Grafter
Posts: 246
Thanks: 2
Registered: ‎25-06-2009

Re: TG582n disable WPS

Quote from: dacious
I've been looking at the WPS feature of the TG582n router, in the light of the well-known vulnerability:
http://arstechnica.com/business/2011/12/researchers-publish-open-source-tool-for-hacking-wifi-protec...

We checked this out when it was published, the TG582n WPS feature has a lockout mechanism that is documented by US-CERT (United States Computer Emergency Readiness Team). After 5 fails the router locks out WPS for 5 minutes.
Quote from: US
The vendor states that Technicolor products use an anti brute-force mechanism: after 5 retries, the access point is locked for 5 minutes. A penetration test performed by the vendor found that to exhaust every possible PIN would take around 189.44 hours (about 7.89 days).

Link: http://www.kb.cert.org/vuls/id/JALR-8PKL26
dacious
Newbie
Posts: 3
Registered: ‎01-08-2012

Re: TG582n disable WPS

Thanks for the quick responses!
The 516 thing confused me because I could still order a 516 from your website, and the online chat guy didn't seem to know the 516 wasn't available, so it was a complete surprise to get the 582n. On the plus side I think this made it half price? Wink
It sounds like the WPS is already fairly reasonable. A week of attempts is quite a lot, but still not exactly impossible, particularly since 7.89 days is the longest time; the average would be half that Wink At the very least, it's not too much of a worry if the WPS is switched back on for a day or two.
Thanks for the link to the CERT page, that's very handy in that it looks like a fairly official confirmation of the telnet WPS disable, I'll stick with that setting for now.
In addition, it looks like a pretty much bulletproof fix is being planned, based on the quote below?
Quote
Technicolor will follow the WiFi Alliance (WFA) recommendation concerning the fix for this vulnerability to keep WFA certification for their devices. Technicolor will implement the following:
Access point is locked after 10 faulty PIN code attempts. Then, the end-user resets the access point lock state via the GUI/CLI or a reboot of the access point.
Customers should contact the vendor to inquiry when firmware updates will be available that include this feature

It would be interesting to know from Technicolor when this is due. This would completely resolve the issue from my point of view, without requiring the use of telnet.
mattturner
Grafter
Posts: 246
Thanks: 2
Registered: ‎25-06-2009

Re: TG582n disable WPS

I think I've already got a trial firmware with this in, we're testing it at the moment.
I'll check that it includes this fix and get you a copy.
Matt
dacious
Newbie
Posts: 3
Registered: ‎01-08-2012

Re: TG582n disable WPS

Thanks, that would be great Smiley
Vikpal
Grafter
Posts: 47
Registered: ‎23-03-2008

Re: TG582n disable WPS

Quote from: Matt
I think I've already got a trial firmware with this in, we're testing it at the moment.
I'll check that it includes this fix and get you a copy.
Matt

Is there a central place where firmwares are located? I would be interested in the updated fix as well.
rogersouthern
Dabbler
Posts: 13
Registered: ‎02-03-2013

Re: TG582n disable WPS

Quote from: Matt
Quote from: dacious
After 5 fails the router locks out WPS for 5 minutes.

I know this thread is old, but you might want to know that brute force tools can circumvent that feature Smiley