1 - 1 of 1 Posts

· Hall Of Fame
16,178 Posts
Discussion Starter · #1 ·
This especially affects Linksys.

There is a major flaw in Wi-Fi Protected Setup that allows you to push a button on the device or enter a PIN (usually on a label) to connect a device to your wireless. It does not matter if you are encrypted; someone can connect without ever figuring that out. All they need to do is figure out the 8-digit number that's printed on the router. Normally, that would mean quite a few possible combinations, but the way it's actually done is that they need to figure out the first 4 digits, which the router will confirm is correct, then figure out the next 3. Once they figure those 7 out, the last digit doesn't matter. Most units only force a one-minute timeout for wrong answers, so it can be figured out in less than a day in many cases.

The only option right now is to go into the web interface and disable WPS PIN authentication. Push button isn't vulnerable. Netgear units seem to be more resilient than most, as are Apple Airports. This functionality is required to be on by default to be certified.

Here's where the Linksys issue comes in. Currently, they'll show in the GUI that WPS can be disabled, but it doesn't work. Linksys has issued a timetable of when this will be fixed, and a few devices will be fixed in March, but many are still listed as TBD. Of course the majority of users won't update and WPS will stay on.

I would highly recommend disabling PIN authentication if possible, and for Linksys units, keep a watch out for firmware updates and connected devices you don't recognize.

If you have DD-WRT, or upgrade your router to use it instead, you are not vulnerable. DD-WRT (and I think Tomato) does not support WPS at all.
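Added example, not part of the original post: a small model of the PIN search space described above, showing how the split confirmation shrinks it and how an access point's lockout policy changes the time needed to exhaust it. The per-guess time and the "lock after N failures" policy values are assumptions chosen for illustration; the check digit uses the alternating 3/1 weighting from the WPS specification, which is why only 7 of the 8 digits are free.

```python
"""Added example: WPS PIN search space and lockout exposure model."""
import math


def wps_checksum(first7: int) -> int:
    """Check digit derived from the first seven PIN digits."""
    digits = [int(c) for c in f"{first7:07d}"]
    # Weights alternate 3, 1, 3, ... starting at the most significant digit.
    total = sum(d * (3 if i % 2 == 0 else 1) for i, d in enumerate(digits))
    return (10 - total % 10) % 10


def worst_case_guesses(split_confirmation: bool) -> int:
    """Guesses needed to be certain of covering every candidate PIN."""
    if split_confirmation:
        # The 4-digit half is confirmed on its own, then 3 free digits remain.
        return 10**4 + 10**3
    return 10**7  # all 7 free digits would have to be guessed together


def worst_case_hours(guesses, secs_per_guess, fails_before_lock, lock_secs):
    """Hours to exhaust `guesses` when the AP locks for `lock_secs` after
    every `fails_before_lock` wrong PINs (policy values are assumptions)."""
    lockouts = (guesses - 1) // fails_before_lock
    return (guesses * secs_per_guess + lockouts * lock_secs) / 3600


def lock_secs_for_target(guesses, secs_per_guess, fails_before_lock, target_days):
    """Smallest lockout, in seconds, that stretches exhaustion to target_days."""
    lockouts = (guesses - 1) // fails_before_lock
    needed = target_days * 86400 - guesses * secs_per_guess
    return max(0, math.ceil(needed / lockouts))


if __name__ == "__main__":
    split, whole = worst_case_guesses(True), worst_case_guesses(False)
    print(f"search space: {split} with split confirmation vs {whole} without")
    # Constructed policies: (seconds per guess, failures before lock, lock seconds)
    for policy in [(1, 1, 60), (1, 3, 60), (1, 3, 3600)]:
        print(policy, f"{worst_case_hours(split, *policy) / 24:.1f} days worst case")
    print("lockout for a 1-year worst case:",
          lock_secs_for_target(split, 1, 3, 365), "seconds")
```

The last figure shows why a fixed short lockout is not a fix: only disabling PIN authentication, as the post recommends, removes the exposure.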