cancel
Showing results for 
Search instead for 
Did you mean: 

Another discussion about WPS

PNRichardC
Dabbler
Posts: 14
Registered: 20-10-2014

Another discussion about WPS

Quote from: deadkenny
Likewise same model and firmware (8.C.M.0). I don't need to update but I am concerned if I have the latest approved firmware from a security perspective. Just been reading about the WPS vulnerability and a bit confused by that. Is my 582n at risk or is WPS disabled? I thought it was only enabled if I press the WPS button? Then I see there's some firmware that disables it after 5 attempts, but do I have that firmware? (though one comment says this is easily worked around by hackers). Other comments say some firmware versions disable it permanently. I recall using WPS button on mine a while back, but would PN have rolled out an update to my router, or has it not changed since I got it?

Why do you want to use WPS?  If a review of your router I have just looked at is to be believed your router supports WPA2 which is much more secure, and not that difficult to set up.  WPS is better than no encryption at all, but you don't seem very sure whether you are even using WPS.
10 REPLIES
Community Veteran
Posts: 19,100
Thanks: 437
Fixes: 21
Registered: 31-08-2007

Re: Another discussion about WPS

@PNRichardC
I think you are confusing WPS which is a method for setting up the wireless, with security encryption which could be WEP/WPA/WPA2.
There used to be security vulnerabilities with WPS which could be hacked and then the WPA(2) encryption key could be obtained.
Edit: and PS that enquiry was 8 weeks ago!
PNRichardC
Dabbler
Posts: 14
Registered: 20-10-2014

Re: Another discussion about WPS

I didn't spot that the reason this thread had appeared at the top of the new posts list was ejkirby had commented after a long gap instead of starting a new thread.
WPS is a mechanism for sharing pre-shared encryption keys.  The PIN method has been criticised.  It just seemed to me incongruous to be worrying about getting a firmware update to address the problem when a better solution would be to enter secure keys directly, or does this router not allow that?  deadkenny didn't seem sure which WPS method he had used, which made me wonder if he had no encryption at all.
Community Veteran
Posts: 38,460
Thanks: 1,027
Fixes: 62
Registered: 15-06-2007

Re: Another discussion about WPS

split off to avoid confusion and to make it more visible to staff - title also changed
deadkenny
Grafter
Posts: 228
Thanks: 1
Registered: 13-09-2007

Re: Another discussion about WPS

Quote from: PNRichardC
WPS is a mechanism for sharing pre-shared encryption keys.  The PIN method has been criticised.  It just seemed to me incongruous to be worrying about getting a firmware update to address the problem when a better solution would be to enter secure keys directly, or does this router not allow that?  deadkenny didn't seem sure which WPS method he had used, which made me wonder if he had no encryption at all.

I'm well aware of the WPA/WPA2 side of things and yes, WPA2 absolutely preferable and I would never run it with no encryption.
No, my enquiry was about WPS. I'd only used it once myself, via the button, just to see what it does really, but I don't want or need to use it. As for being sure about using it, I'm 100% sure *I* am not using it, my concern is whether anyone else could use it externally without my knowledge if there's a router vulnerability.
i.e. My concern in the original post a while back was in response to this which was doing the rounds recently in the news in relation to a newly discovered flaw beyond the earlier PIN vulnerability...
http://www.engadget.com/2014/08/31/wifi-protected-setup-flaw/
So my question was, is my router vulnerable, and if so how can I disable WPS? As I understand it I don't have to be using WPS myself, but if it's present in the router and enabled it can be attacked using the PIN method, unless fully disabled. Advice in the news is simply to disable WPS.
So far the PN response on the other thread now was that I should be okay. If that's the case, then I'm fine. Would still be nice to have an option for no one to be able to use WPS via PIN in case of future vulnerabilities (obviously the button method needs physical access).
Community Veteran
Posts: 38,460
Thanks: 1,027
Fixes: 62
Registered: 15-06-2007

Re: Another discussion about WPS

This part split off as it has no relevance to the request for a firmware upgrade
Community Veteran
Posts: 19,100
Thanks: 437
Fixes: 21
Registered: 31-08-2007

Re: Another discussion about WPS

Hi, I don't think it's an issue in this firmware, I'll see what I can check, however you can turn it off through the GUI. I've turned mine off.
Login, select 5.4 Advanced Options at the bottom of the screen, select Home Network from the LH menu and then select your WLAN from the displayed Interfaces.  The steps to get there may be slightly different on your Firmware, I'm running the later 10.2.5.2 EO firmware.
On the top RHS of the screen you have Overview | Details | Configure - select Configure
Towards the bottom of the screen there is "Security" - you can uncheck WPS Enabled there.
You can also make any other changes you want  Wink
HTH.
Community Veteran
Posts: 19,100
Thanks: 437
Fixes: 21
Registered: 31-08-2007

Re: Another discussion about WPS

Quote from: PNRichardC
I didn't spot that the reason this thread had appeared at the top of the new posts list was ejkirby had commented after a long gap instead of starting a new thread.

There's no real problem (on this forum anyway) with using an existing thread to raise something that is "on topic", in a lot of cases it's to be preferred as it helps with context. It doesn't normally affect "visibility" of a post in any event.
deadkenny
Grafter
Posts: 228
Thanks: 1
Registered: 13-09-2007

Re: Another discussion about WPS

Quote from: Anotherone
Hi, I don't think it's an issue in this firmware, I'll see what I can check, however you can turn it off through the GUI. I've turned mine off.
Login, select 5.4 Advanced Options at the bottom of the screen, select Home Network from the LH menu and then select your WLAN from the displayed Interfaces.  The steps to get there may be slightly different on your Firmware, I'm running the later 10.2.5.2 EO firmware.
On the top RHS of the screen you have Overview | Details | Configure - select Configure
Towards the bottom of the screen there is "Security" - you can uncheck WPS Enabled there.
You can also make any other changes you want  Wink
HTH.


Aha, I missed that option for some reason, though it's obvious now I look at it. I've been in there before to change the channel so surely I noticed it. Oh well  Embarrassed
That works. Many thanks. Smiley
PNRichardC
Dabbler
Posts: 14
Registered: 20-10-2014

Re: Another discussion about WPS

Sorry, I misunderstood what you were saying in the post I quoted.
The vulnerability may be worse than I had thought.  I thought WPS could be ignored and that a router was only vulnerable if it had been set up with the WPS PIN method and only PIN derived PSKs could be exposed, but it seems it is much wider than that.  Unfortunately the PIN method is a mandatory part of WPS.
The article you refer to manages to create quite a muddle.  One guess is actually 11000 guesses.  It does link to another article which explains thngs a lot better, but the copy I managed to download was a bit garbled.
This article also explains it and suggests a workaround is to disable the external registrar feature of WPS.
http://www.kb.cert.org/vuls/id/723755
This is what Technicolor says.
http://www.kb.cert.org/vuls/id/JALR-8PKL26
It seems the original design locked the router for 5 hours after 5 failed attempts.  This would increase the time taken for a brute force attack by about 50 hours.  Technicolor proposes to lock the router after 10 failed attempts.  It would then have to be reset from the GUI or CLI or rebooted.  It does not give a date for the change.
It says WPS can be disabled by entering the following command from the CLI.
[tt]:wireless wps config state disabled[/tt]
Added.  "locked the router for 5 hours" sholuld read 5 minutes.  Also this was nearly 3 years ago so it probably has been fixed by now.
Community Veteran
Posts: 19,100
Thanks: 437
Fixes: 21
Registered: 31-08-2007

Re: Another discussion about WPS

Glad you sorted it deadkenny, I'll post back here if I find anything definitive on the vulnerability issue itself, although PNRichardC has dug something out by the looks of the previous post, but IIRC it got implemented. I'll expect he'll also note it's easier to turn WPS off via the GUI rather than having to Telnet  Wink