January 25, 2012


This is interesting:

A major security flaw was revealed in December 2011 that affects wireless routers with the WPS feature, which most recent models have and enable by default. The flaw allows a remote attacker to recover the WPS PIN and, with it, the network's WPA/WPA2 pre-shared key in a few hours. Users have been urged to turn off the WPS feature, although this may not be possible on some router models.

So I just now got into Railgun's setup menus and looked around, and I can't even tell if Railgun supports that feature, let alone how I might disable it. Ye Gods.

UPDATE: Here's more about it. Wi-Fi Protected Setup (WPS) seems to be a protocol that lets devices such as printers join a Wi-Fi network easily. It uses an 8-digit access code, but evidently the effective search space is only about 11,000 values, which means the code can be recovered by exhaustive search in just a few hours.

I don't think Railgun has this feature.

UPDATE: Whew! I downloaded the user manual (something I should have done a long time ago) and searched it, and this feature is never mentioned. I think that means that the Netgear SRXN3205 doesn't have it.

Posted by: Steven Den Beste in Computers at 05:14 PM | Comments (11)

1 There is normally an inverse correlation between convenience and security.

Posted by: Mark A. Flacy at January 25, 2012 06:54 PM (Lbkvv)


2 For sure. But in this case they seem to have gone out of their way to fatally cripple it.

The PIN is 8 digits, one of which is a checksum. But it turns out that when you send an improper 8-digit PIN to the router, the error response code permits you to tell if the first four digits are right.

So you can search just those until you get the right one. Then you search the last three. An exhaustive search is only 11,000 attempts, not ten million.

This reminds me of the CSS protection on DVDs. Even though it was nominally a 40-bit key, in practice it was only 16 bits strong, which is a joke.

Posted by: Steven Den Beste at January 25, 2012 07:17 PM (+rSRq)


3 Plus, they didn't include a lockout. If the protocol had said, "OK, that's five incorrect tries for you. Come back an hour from now." plus hadn't weakened the search space, it really would be pretty secure.

Ten million possible guesses, at five guesses per hour, would be pretty good.

Posted by: Steven Den Beste at January 25, 2012 07:21 PM (+rSRq)
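The two weaknesses discussed in the comments above (a failure code that reveals which half of the PIN was wrong, and the absence of any lockout) modelled side by side with a hardened verifier, as an added example that is not code from the post, from Netgear or from the WPS specification. It is an abstract PIN-verifier model, not the WPS protocol itself; the sample PIN, the 5-tries-per-hour lockout and the guess rates are assumptions taken from the comments.

```python
import hmac
import time

def search_space(split_oracle: bool) -> int:
    """Worst-case guesses for an 8-digit PIN whose 8th digit is a checksum.
    No leak: all 10**7 valid PINs.  Leak of "first four right": 10**4 for the
    first half, then 10**3 for the three free digits of the second half."""
    return 10**4 + 10**3 if split_oracle else 10**7

def hours_to_exhaust(guesses: int, guesses_per_hour: float) -> float:
    """Hours to try every PIN at a given rate (e.g. a rate forced by lockout)."""
    return guesses / guesses_per_hour

class LeakyVerifier:
    """The flaw from the comments: the failure code says which half was wrong."""
    def __init__(self, pin: str):
        self.pin = pin

    def check(self, guess: str) -> str:
        if guess[:4] != self.pin[:4]:
            return "first-half-wrong"
        return "ok" if guess[4:] == self.pin[4:] else "second-half-wrong"

class HardenedVerifier:
    """Whole-PIN compare, one failure code, lockout after max_tries failures.
    `clock` is injectable so the lockout can be tested without waiting."""
    def __init__(self, pin: str, max_tries: int = 5, lockout_s: float = 3600.0,
                 clock=time.monotonic):
        self.pin = pin.encode()
        self.max_tries, self.lockout_s, self.clock = max_tries, lockout_s, clock
        self.failures = 0
        self.locked_until = 0.0

    def check(self, guess: str) -> str:
        now = self.clock()
        if now < self.locked_until:
            return "locked"      # no comparison at all while locked out
        if hmac.compare_digest(guess.encode(), self.pin):
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= self.max_tries:
            self.failures = 0
            self.locked_until = now + self.lockout_s
        return "fail"            # same code whichever digits were wrong
```

With the hardened rules, exhausting the full space at five guesses per hour takes two million hours, whereas the leaky verifier with no lockout needs only 11,000 guesses in total.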

4 Heh.

The other maxim is "Return codes useful for figuring out what you did right or wrong are also great for bypassing security features."

(I'm a software weasel nowadays. US Army officer in my previous career path.)

Posted by: Mark A. Flacy at January 25, 2012 07:44 PM (Lbkvv)

5 Checked my router (Netgear WNDR3700). It says that it will automatically disable WPS if it detects suspicious activity, but I turned it off anyway.

Posted by: Pixy Misa at January 25, 2012 08:03 PM (PiXy!)

6 Heh, like those "Passwords" on computers in the movies which lock in each digit as it's correctly (randomly) guessed by brute force.

Why on earth do Hollywood writers keep giving us junk like that?

What's next? "Please enter your password." "Incorrect, would you like a hint?" "Incorrect. Okay, I'll tell you what it is."

Posted by: Mauser at January 26, 2012 01:50 AM (cZPoz)

7 I have yet to see a WPS-enabled router that doesn't have a button you have to push to turn the feature on, although that doesn't mean there aren't any. Also, on my low-end Trendnet router, the button lights up and flashes for about a minute, and after that time, IIRC, it disables WPS.

Posted by: RickC at January 26, 2012 12:03 PM (rMbV4)


8 The button enables one of the modes. It doesn't have anything to do with the other one, and it's the other one that has the vulnerability.

But yeah, it seems that no one has routers with the vulnerable mode but not the button mode, so if your router doesn't have that button, you're probably safe.

Posted by: Steven Den Beste at January 26, 2012 12:53 PM (+rSRq)

9 I just read the article and I have to say, regarding this quote: "Some are leery of WPS because the Push feature means that anyone with physical access to a router or access point who has a WPS-capable client could have unauthorized access to a wireless network." This is what Raymond Chen calls being on the other side of an airlock. If you've got physical access to the router, you can already do anything you want.

Posted by: RickC at January 27, 2012 08:20 AM (A9FNw)

10 The key is that if the button is enabled, momentary access to your router gives permanent access to your wireless network, and you'll never know it. The plumber probably doesn't plan to download "special-interest material" whenever he's parked nearby, but it could happen.

My wireless router has WPS, and the button can't be permanently disabled, but the non-button mode can. By far the dumbest "feature", though, is making the router admin interface visible to wireless clients. They allow you to block all local access for clients, restricting them to surfing the public Internet, but if you wanted your iPhone to see your Mac for wireless sync, you'd have to let it see the admin interface as well.


Posted by: J Greely at January 27, 2012 10:49 AM (2XtN5)

11 I've got two wireless routers, one of which is too old to have WPS, but the other is almost brand new, and has many "features" that read like large gaping holes to the security-conscious. About the first thing I did when setting up that router was to get the list of MAC addresses of my devices, and then just enable the MAC white-list security mode. So my phone, tablet, printer, laptop, and a few relatives' and friends' laptops can connect, and nothing else can.

Posted by: David at January 27, 2012 12:56 PM (+yn5x)
