Full Disclosure: Re: Linksys Routers still Vulnerable to Wps vulnerability.

Re: Linksys Routers still Vulnerable to Wps vulnerability.

From: Derek <derek () madrock net>
Date: Mon, 13 Feb 2012 09:00:49 +1030

They should at least consider providing an option to disable the static pin only or disable it after an hour if the 
future is activated by the user.

Seems to be something that could be included in a future firmware update.

For a vendor to provide another mechanism for a user to get remotely hacked (within wireless TX/RX range) and not 
address it in a reasonable amount of time, exposes the less technical user, who is was intended to help in the first 
place.

It would be interesting to see if this feature went through a technical security risk assessment and if so, how the 
static pin was rationalised for public release.

I setup an isolated vulnerable device and had attack traffic within 2 days of it being activated. I did make the SSID 
very attractive, but the war drivers are certainly getting out of the house again. 


Thanks
Derek


On 13/02/2012, at 1:47, Rob Fuller <jd.mubix () gmail com> wrote:

I've tested a 6 models of Linksys, all of them appear to disable WPS
completely as soon as a single wireless setting is set. I assume this
would be the reason Cisco/Linksys aren't putting much stock in
'fixing' it further. If anyone has any experience to contradict this
or have a modification to current tools to circumvent what I've
perceived as disabled, I, as I'm sure Craig, would be very interested.

--
Rob Fuller | Mubix
Certified Checkbox Unchecker
Room362.com | Hak5.org



On Sat, Feb 11, 2012 at 4:23 PM,  <farthvader () hush ai> wrote:

_________________________________________________________________________
"Use Tomato-USB OS on them."
_________________________________________________________________________

Besides you void warranty...
list of DD-WRT Supported routers:

 E1000        supported
 E1000 v2     supported
 E1000 v2.1   supported
 E1200 v1     ???
 E1200 v2     ???
 E1500        ???
 E1550        ???
 E2000        supported
 E2100L       supported
 E2500        not supported
 E3000        supported
 E3200        supported
 E4200 v1     not supported yet
 E4200 v2     not supported
 M10          ????
 M20          ????
 M20 v2       ????
 RE1000       ????
 WAG120N      not supported
 WAG160N      not supported
 WAG160N v2   not supported
 WAG310G      not supported
 WAG320N      not supported
 WAG54G2      not supported
 WAP610N      not supported
 WRT110       not supported
 WRT120N      not supported
 WRT160N v1   supported
 WRT160N v2   not supported
 WRT160N v3   supported
 WRT160NL     supported
 WRT310N v1   supported
 WRT310N v2   not supported yet
 WRT320N      supported
 WRT400N      supported
 WRT54G2 v1   supported
 WRT54G2 v1.3 supported
 WRT54G2 v1.5 not supported
 WRT54GS2 v1  supported
 WRT610N v1   supported
 WRT610N v2   supported
 X2000        not supported
 X2000 v2     not supported
 X3000        not supported.

_________________________________________________________________________

"Fixing?  Heh.

Aside from rate limiting WPS, there isn't much of a fix, and you can't turn it off either."
_________________________________________________________________________

What about removing WuPS entirely?

WuPS is a total failure because:

1. Even if everything is fine 8 digits long is very weak because once you got the pin after 7 month - 2 years for 
example, you are completely pwned.

2. Pin number is fixed you can't change it to a longer number or maybe a string like "omgponnies"

3. Setting up a WPA2 password manually it's a piece of cake (even with keypad only cell phones), if some people are 
lazy, you don't have to weakening the security of a strong protocol.

Farth Vader

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

By Date By Thread

Current thread:

Re: [Full-disclosure] Linksys Routers still Vulnerable to W ps vulnerability. farthvader (Feb 12)
- Re: Linksys Routers still Vulnerable to Wps vulnerability. Rob Fuller (Feb 12)
  - Re: Linksys Routers still Vulnerable to Wps vulnerability. Dan Kaminsky (Feb 12)
  - Re: Linksys Routers still Vulnerable to Wps vulnerability. Derek (Feb 12)
    - Re: Linksys Routers still Vulnerable to Wps vulnerability. Alex Buie (Feb 13)
    - Re: Linksys Routers still Vulnerable to Wps vulnerability. Derek (Feb 13)
- Re: Linksys Routers still Vulnerable to Wps vulnerability. Sanguinarious Rose (Feb 12)
  - Re: Linksys Routers still Vulnerable to Wps vulnerability. William Warren (Feb 13)
    - Re: Linksys Routers still Vulnerable to Wps vulnerability. Dan Kaminsky (Feb 13)
    - Re: Linksys Routers still Vulnerable to Wps vulnerability. chris nelson (Feb 13)
    - Re: Linksys Routers still Vulnerable to Wps vulnerability. Dan Kaminsky (Feb 13)
    - Re: Linksys Routers still Vulnerable to Wps vulnerability. chris nelson (Feb 13)
    - Re: Linksys Routers still Vulnerable to Wps vulnerability. chris nelson (Feb 13)
    - Re: Linksys Routers still Vulnerable to Wps vulnerability. Derek Grocke (Feb 14)

(Thread continues...)