Disable WPS - Security Flaw Found

[jlewter]

I request a Sticky of this.

Netgear now reccomend that users Disable WPS pin.
http://support.netgear.com/app/answe...ail/a_id/19824

We all know of this bug, we all know that some netgear products are robust, but until a full "fix" comes out it is still best to disable.

[james8]

I agree that the WPS issue needs way more attention paid to it.

This blog post has details on how bad it is.
http://www.safegadget.com/72/major-w...ility-wps-bug/

[GearLess22]

I just want to confirm the WPS disabling feature:

Quote:

The WPS standard requires a PIN, usually printed on the wireless router or access point itself, to be used during the device setup phase. The vulnerability discovered in WPS makes that PIN highly susceptible to brute force attempts. Netgear home routers will protect themselves after several failed attempts to authenticate as an external registrar by entering a lock-down state. During the lock-down state, all WPS attempts using the Router PIN will not work. The router will return from the lock-down state after a predetermined time period. While the NETGEAR device is in a lock-down state, users can still use the WPS Push Button method to connect to the wireless network.

Am I correct in interpreting this blurb as, "The lockdown feature is always in effect but one should disable WPS anyway" and NOT that disabling the PIN will enable the lockdown feature which, in my mind, just means that it will take longer to crack the WPS PIN.

Thanks.

[jlewter]

Only NG knows how long the delay is or how it exactly works.
But leaving everything at default the Netgear line of products (possibly not all) have some protection because it will add that delay after every failed attempt. So what may be normally a 7 day hack may well turn into a year long hack. This doesnt stop the fact that it can still be brute forced and they could find the key a lot earlier than the max time.

Some products have been found to lock up when the WPS hack is running against them, depending on how the timer works then NG routers could really be grief'd by someone just forcing tons of attempts to make the router stall. DOS on a "local" level is really rare (Unless your neighbour hates you).

The WPS pin brute force problem may be moot in this product because of the delay. I would rather see a design change that prevents it rather than just having the timing features working as our main security feature.

I only say it may be moot because there are other new WPA2-AES style /Cracks/ that may soon be quicker to run than the WPS brute force.

There are three things I would do now to maintain a secure WiFi network.
1) disable WPS.
2) Make sure SSID is not stock (that is, change it from NETGEAR to something else)
3) Be sure to use WPA2-AES style encryption or better.

[claykin]

Your msg is solid, but I will add....

I won't assume how good or bad a job Netgear may have done implementing the WPS PIN retry function, so definitely disable it. WPS is a security degrading feature that never should have seen the light of day.

I'm no Apple fan, but they are the only company who got it right. WPS PIN has to be activated using the Airport utility and the window of opportunity to make a new connection is limited.

Also, when creating WPA2-AES passwords be sure to use at least 12 characters (preferrably 15+) and use a combo of upper, lower numbers and symbols. It may be tougher to remember, but that's the tradeoff for good security that won't be cracked by even brute force attacks.

Quote:

Originally Posted by jlewter

Only NG knows how long the delay is or how it exactly works.
But leaving everything at default the Netgear line of products (possibly not all) have some protection because it will add that delay after every failed attempt. So what may be normally a 7 day hack may well turn into a year long hack. This doesnt stop the fact that it can still be brute forced and they could find the key a lot earlier than the max time.

Some products have been found to lock up when the WPS hack is running against them, depending on how the timer works then NG routers could really be grief'd by someone just forcing tons of attempts to make the router stall. DOS on a "local" level is really rare (Unless your neighbour hates you).

The WPS pin brute force problem may be moot in this product because of the delay. I would rather see a design change that prevents it rather than just having the timing features working as our main security feature.

I only say it may be moot because there are other new WPA2-AES style /Cracks/ that may soon be quicker to run than the WPS brute force.

There are three things I would do now to maintain a secure WiFi network.
1) disable WPS.
2) Make sure SSID is not stock (that is, change it from NETGEAR to something else)
3) Be sure to use WPA2-AES style encryption or better.

[Goob]

The problem or puzzlement I am running into is ...
Even if I disable the router PIN, inSSIDer and any android device still shows my router as "WPS Enabled"

Furthermore, and possibly a more serious security hole, I find that I can disable router PIN and then if someone tries erroneously to pair with my router I find the WPS light flashing.
We are told it flashes to indicate WPS pairing mode.
We are told routers are vulnerable during pairing mode.
I see a user try to login to the router with the wrong password, and some Netgears have their WPS light begin to blink, and that blinking continues not for a brief few minutes but for hours.

Thus if blinking means pairing, and pairing mode leaves you open - does my situation of finding a Netgear with WPS light blinking for hours mean it is stuck in some vulnerable pairing mode for hours??

[Devor]

Please don't quote everything and then top-post.

Anyway, when it's time to create a Passphrase for WPA2-PSK [AES], I use 64 random hexadecimal characters. From my perspective; more than just a handful of characters is going to be difficult to remember. So, if I have to look it up, why not look up a high security passphrase.

A good site to generate a random passphrase is GRC's Perfect Passwords page.

[Devor]

Normally WPS is only active while the WPS LED on the front panel of the router is flashing. To disable WPS the setting "Disable Router's PIN" box should be checked. Both "Keep Existing Wireless Settings (...)" should be checked. Typically at this point you would disregard the solid green LED on the front panel.

If you want the solid green LED turned off, with the above settings applied, press the WPS button on the front panel. The LED will flash green for 2 minutes. Then fast-flash yellow for about 45 seconds and then turn off. The router's WPS LED should remain off until power is interrupted, a configuration change or a router reboot.

Based on the above, there is no good reason I can think of for the WPS LED to blink for hours.

[jlewter]

Uh, It's not unique to apple!...

Log into your router, 2nt option down. Same thing you describe on your apple product.


The fact that apple doesnt support WPS as a standard feature may be something you like ;P.... The fact that I have Ipods and they do not support WPS is a real pain as my fingers cover about 3 "keys" at once and I usually have to type the password several times to get it to connect.

Disable WPS and now you have the same feature as your Apple product :/...

Hopefully they'll add a working IPV6 support version to their computers and routers else you might be stuck buying from a company who does things wrong ;P....


Regarding the flashing, I have seen this too, I reset a WNDR4K and put all the settings back in from anew. WPS was enabled and after I changed the SSID my laptop tried to connect to it and asked for the WPS Key (not disabled at this point).. Then the 3700 WPS led started flashing!!!.... I havent had a look into this yet but it does worry me slightly.

[Devor]

If the WPS pin is disabled in the WNDR3700, perhaps the WPS LED was only indicating a connection attempt and nothing more?