WiFi Protected Setup PIN brute force vulnerability

From http://threatpost.com/en_us/blogs/wifi-protected-setup-flaw-can-lead-compromise-router-pins-122711:

Vulnerability Note VU#723755

 

New Tools Bypass Wireless Router Security

 

Anyone running DD-WRT on any router will be immune to this attack.

 

Turn it off.

 

Also cited at: H-Online

Article

 

You only need to turn off WPS to protect against the vulnerability:

Two New Tools Exploit Router Security Setup Problem.

-- Tom

 

Or, as mentioned in the article, implementation of a temporary login lockout after f.i. 5 failed login attempts would be enough to keep WPS safe in it's current state.

 

After initial setup there should be no reason to turn it on. Temporary login lockout is a good idea regardless.

 

This is awful, I really like WPS, it makes easy to connect devices.

So if I disable WPS, devices that were connected using WPS will connect again after a shutdown?

 

No clue.

 

And this is why I have been turning it off since it was released. I have never trusted WPS as I have no control over how it works, how long the pin is, where it gets the PIN from, how often it changes, etc etc. I don't trust things I don't control so I disable them. I figured it was a matter of time before this happened.

DDWRT is a good solution too!

 

According to this article: http://arstechnica.com/business/news/2012/01/hands-on-hacking-wifi-protected-setup-with-reaver.ars

Turning WPS off doesn't work to mitigate the vulnerability:

 

Don't be so sure, no DD-WRT dev answered this: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=148985

 

I'm quite sure. DDWRT does not have support for this feature at all.

 

True, but a statement from a DD-WRT dev about the WPS vulnerability wouldn't hurt.

I'm somewhat surprised that there is no other mention in DD-WRT forum about the WPS vulnerability, besides this.

 

It's been mentioned on other forums/ blogs and it's pretty much been stated that openwrt and ddwrt are 100% immune to this attack as WPS isn't included.

I'm surprised it hasn't been mentioned either.

 

D-Link response:

http://forums.dlink.com/index.php?topic=45183.0

 

If by "it" you mean the router, then I'm with you. How many people leave their router on 24/7? Turn it off when you're asleep or not at home. It's a super basic security principle but highly effective. They can't crack something that's not on.

 

Also, why isn't everyone using WPA?

 

I bought a wireless router last week and after reading some info on setting up WPA2 passwords etc I though I was secure, however after reading this I'm not so sure.

My question is does this security hole still exist? I have a TP-Link router and it's firmware was updated twice this year (in Jan and Feb) but there is no mention on the "modifications and bug fixes" log of the WPS issue for either update.

Just wanted confirmation before I try DD-WRT and risk bricking my router

 

Ignore the above question i think I have all the info I need, i.e. no the firmware updates haven't fixed the issue.

However with regard to the issue of turning the WPS fuction off I found this site
http://www.safegadget.com/72/major-wireless-network-vulnerability-wps-bug/
which has a link to a google docs spreadsheet where people have been testing to see if they can crack the WPS on specific routers. Also included is a column on whether WPS can be turned off and if it actually stays off. Here is the link
https://docs.google.com/spreadsheet/lv?key=0Ags-JmeLMFP2dFp2dkhJZGIxTTFkdFpEUDNSSHZEN3c

This tells me that my routers WPS function can be turned off, though I can't vouch for the spreadsheets reliabilty. Still might give DD-WRT a go anyway.