January 25, 2012
A major security flaw was revealed in December 2011 that affects wireless routers with the WPS feature, which most recent models have and enable by default. The flaw allows a remote attacker to recover the WPS PIN and, with it, the network's WPA/WPA2 pre-shared key in a few hours. Users have been urged to turn off the WPS feature, although this may not be possible on some router models.
So I just now got into Railgun's setup menus and looked around, and I can't even tell if Railgun supports that feature, let alone how I might disable it. Ye Gods.
UPDATE: Here's more about it. Wi-Fi Protected Setup (WPS) seems to be a protocol that lets devices like printers join a Wi-Fi network easily. It uses an 8-digit access code, but evidently the effective search space is only about 11,000 values, so it can be cracked by exhaustive search in just a few hours.
I don't think Railgun has this feature.
UPDATE: Whew! I downloaded the user manual (something I should have done a long time ago) and searched it, and this feature is never mentioned. I think that means that the Netgear SRXN3205 doesn't have it.
Posted by: Mark A. Flacy at January 25, 2012 06:54 PM (Lbkvv)
For sure. But in this case they seem to have gone out of their way to fatally cripple it.
The PIN is 8 digits, one of which is a checksum. But it turns out that when you send an improper 8-digit PIN to the router, the error response code permits you to tell if the first four digits are right.
So you can search just those until you get the right one. Then you search the last three. An exhaustive search is only 11,000 attempts, not ten million.
This reminds me of the CSS protection on DVDs. Even though it was nominally a 40-bit key, in practice it was only 16 bits strong, which is a joke.
Posted by: Steven Den Beste at January 25, 2012 07:17 PM (+rSRq)
Plus, they didn't include a lockout. If the protocol had said, "OK, that's five incorrect tries for you. Come back an hour from now." and hadn't weakened the search space, it really would be pretty secure.
Ten million possible guesses, at five guesses per hour, would be pretty good.
Posted by: Steven Den Beste at January 25, 2012 07:21 PM (+rSRq)
The other maxim is "Return codes useful for figuring out what you did right or wrong are also great for bypassing security features."
(I'm a software weasel nowadays. US Army officer in my previous career path.)
Posted by: Mark A. Flacy at January 25, 2012 07:44 PM (Lbkvv)
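The split search described two comments up, the five-guesses-per-hour arithmetic after it, and the "return codes bypass security" maxim above can all be seen in one place with a toy model. The following is an added example, not code from the post or from any router vendor: the "router" is an in-memory object that checks an 8-digit PIN string, and nothing talks to a network. One verifier leaks a distinct error code when only the first four digits are wrong; the other answers pass/fail only and locks after a few failures. The checksum-digit formula is the WPS specification's weighted sum as I recall it (the well-known sample PIN 12345670 satisfies it) and is an assumption here, not something the post states.

```python
"""Toy model of a PIN check that leaks partial correctness versus one that
does not. Constructed example: no wireless protocol is involved, only an
in-memory verifier and an attempt counter."""


def wps_checksum_digit(first7: str) -> int:
    """Checksum digit for a 7-digit PIN body.

    Assumption: WPS weights the 1st, 3rd, 5th and 7th digits by 3 and the
    2nd, 4th and 6th by 1, then takes the digit that brings the sum to a
    multiple of 10. Sample PIN 12345670 checks out under this rule.
    """
    acc = sum(3 * int(d) if i % 2 == 0 else int(d) for i, d in enumerate(first7))
    return (10 - acc % 10) % 10


def make_pin(first7: str) -> str:
    """Append the checksum digit to a 7-digit body to form a full 8-digit PIN."""
    return first7 + str(wps_checksum_digit(first7))


class LeakyVerifier:
    """Answers with a distinct error when only the first four digits are wrong."""

    def __init__(self, pin: str):
        self.pin = pin
        self.attempts = 0

    def check(self, guess: str) -> str:
        self.attempts += 1
        if guess[:4] != self.pin[:4]:
            return "FIRST_HALF_WRONG"
        if guess != self.pin:
            return "SECOND_HALF_WRONG"
        return "OK"


class HardenedVerifier:
    """Answers only OK/FAIL and refuses every guess after max_failures misses."""

    def __init__(self, pin: str, max_failures: int = 5):
        self.pin = pin
        self.max_failures = max_failures
        self.failures = 0
        self.attempts = 0

    def check(self, guess: str) -> str:
        self.attempts += 1
        if self.failures >= self.max_failures:
            return "LOCKED"  # even the right PIN is refused once locked
        if guess == self.pin:
            return "OK"
        self.failures += 1
        return "FAIL"


def split_search(verifier: LeakyVerifier) -> int:
    """Exhaust the first half, then only the last three digits (the eighth is
    the checksum). Returns the number of attempts the leaky verifier saw."""
    for head in range(10_000):
        guess = f"{head:04d}0000"
        resp = verifier.check(guess)
        if resp == "OK":
            return verifier.attempts
        if resp == "SECOND_HALF_WRONG":
            break  # first four digits confirmed; stop searching them
    else:
        raise RuntimeError("no first half accepted")
    prefix = guess[:4]
    for tail in range(1_000):
        guess = make_pin(prefix + f"{tail:03d}")
        if verifier.check(guess) == "OK":
            return verifier.attempts
    raise RuntimeError("no second half accepted")


def responses(verifier, guesses):
    """Feed a list of guesses and collect the verifier's answers in order."""
    return [verifier.check(g) for g in guesses]


def hours_to_exhaust(search_space: int, guesses_per_hour: int) -> float:
    """Worst-case time to try every PIN under a fixed rate limit."""
    return search_space / guesses_per_hour


if __name__ == "__main__":
    worst = make_pin("9999999")  # last PIN reached by the split search
    print("leaky verifier, worst case:", split_search(LeakyVerifier(worst)), "attempts")
    h = HardenedVerifier(make_pin("1234567"))
    print("hardened verifier:", responses(h, ["00000000"] * 5 + ["12345670"]))
    print("10^7 PINs at 5/hour:", hours_to_exhaust(10**7, 5), "hours")
```

The worst case for the leaky verifier is 10,000 + 1,000 = 11,000 attempts, the figure in the post; the hardened verifier refuses even the correct PIN once it has locked, and ten million PINs at five guesses an hour works out to two million hours.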
Posted by: Pixy Misa at January 25, 2012 08:03 PM (PiXy!)
Why on earth do Hollywood writers keep giving us junk like that?
What's next? "Please enter your password." "Incorrect, would you like a hint?" "Incorrect. Okay, I'll tell you what it is."
Posted by: Mauser at January 26, 2012 01:50 AM (cZPoz)
Posted by: RickC at January 26, 2012 12:03 PM (rMbV4)
The button enables one of the modes. It doesn't have anything to do with the other one, and it's the other one that has the vulnerability.
But yeah, it seems that no one has routers with the vulnerable mode but not the button mode, so if your router doesn't have that button, you're probably safe.
Posted by: Steven Den Beste at January 26, 2012 12:53 PM (+rSRq)
Posted by: RickC at January 27, 2012 08:20 AM (A9FNw)
My wireless router has WPS, and the button can't be permanently disabled, but the non-button mode can. By far the dumbest "feature", though, is making the router admin interface visible to wireless clients. They allow you to block all local access for clients, restricting them to surfing the public Internet, but if you wanted your iPhone to see your Mac for wireless sync, you'd have to let it see the admin interface as well.
Posted by: J Greely at January 27, 2012 10:49 AM (2XtN5)
Posted by: David at January 27, 2012 12:56 PM (+yn5x)