Major Wireless Network Security Breach – Wi-Fi Protected Setup (WPS Bug) PIN Brute Force Vulnerability – Reaver


Updated January 2014 to cover a new TCP 32764 Wireless router Vulnerability.

A major security hole, the Wi-Fi Protected Setup (WPS) PIN brute force vulnerability (US-CERT VU#723755), has recently been found in virtually all modern wireless routers used in the home. It allows hackers to extract your WPA wireless security password in a matter of hours. Wi-Fi Protected Setup (WPS) is a protocol that allows users to press a button on their wireless router and connect their computers without typing in a long cryptic password. A hole in this protocol has recently been found and exploited, giving hackers an easy way to crack most wireless networks.

Why is this a major security problem?

  • Virtually all wireless routers have this problem
  • Many wireless routers (Qwest Actiontec, etc) use the same unchangeable PIN 12345670, hackable in seconds
  • WPS is turned on by default to get certified by Wi-Fi Alliance
  • Wireless routers do not automatically update their software to get a fix
  • The number of PIN codes to test is only 11,000 instead of 100 million
  • Attack software is available
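The arithmetic behind the 11,000 figure, as an added example that is not part of the original article. It assumes the two design properties described in the US-CERT note cited above: the eighth PIN digit is a check digit, and the router confirms the first four digits separately from the rest. The function names are illustrative.

```python
# Added example. KNOWN_DEFAULT_PINS holds only the default PIN quoted on this page.
KNOWN_DEFAULT_PINS = {"12345670"}


def wps_check_digit(first_seven: str) -> int:
    """Check digit for the 7-digit PIN body (weights 3,1,3,1,3,1,3)."""
    if len(first_seven) != 7 or not first_seven.isdigit():
        raise ValueError("expected exactly 7 decimal digits")
    total = sum(int(d) * (3 if i % 2 == 0 else 1)
                for i, d in enumerate(first_seven))
    return (10 - total % 10) % 10


def audit_pin(pin: str) -> list:
    """List the problems with the PIN printed on a router label."""
    if len(pin) != 8 or not pin.isdigit():
        return ["not an 8-digit PIN"]
    findings = []
    if int(pin[7]) != wps_check_digit(pin[:7]):
        findings.append("last digit is not a valid check digit")
    if pin in KNOWN_DEFAULT_PINS:
        findings.append("matches a published default PIN")
    return findings


def pin_search_space() -> dict:
    """Number of distinct PINs a router has to withstand under each model."""
    first_half = 10 ** 4    # digits 1-4 are confirmed on their own
    second_half = 10 ** 3   # digits 5-7; digit 8 follows from the check digit
    return {
        "eight_free_digits": 10 ** 8,        # 100 million
        "with_check_digit": 10 ** 7,         # digit 8 is derived
        "halves_confirmed_separately": first_half + second_half,
    }


if __name__ == "__main__":
    print(audit_pin("12345670"))
    print(pin_search_space())
```

Because 11,000 guesses is small, an 8-digit PIN offers far less protection than its length suggests, which is why disabling WPS is the fix the article recommends.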

The biggest issue is that virtually all wireless routers sold in the last 4 years are hackable. The manufacturers need to update their firmware for these devices in order to fix the security breach. Virtually all wireless routers do not automatically update their firmware. As of January 16th, 2012, no manufacturers have issued updates, leaving millions of wireless networks vulnerable. Adding insult to injury, options to disable Wi-Fi Protected Setup (WPS) have been found to not do anything.

Why is getting your wireless password bad?

There are many reasons why you do not want your wireless password hacked.

  • Others could use your Internet Connection Freely
  • Spam could be sent, or other illegal activities carried out, through your connection
  • Everything you do on your network could be captured and read
  • Your online banking and trading would no longer be secure

Secure your computer, web browser, Internet connection

It is important that you not only secure your wireless router but also secure all the devices connected to it. Follow our guides to secure your Windows PC or secure your Macintosh by installing the right software, firewall, antivirus software, etc. Secure your mobile devices: iPhone, Android smartphone or tablet, iPad. Configure the settings and add plug-ins to your web browser so that it is more secure. Consult our tutorials for: Internet Explorer 9, Google Chrome, and Mozilla Firefox. Secure your Internet Connection: Wireless Network, Public Wi-Fi.

How to hack a wireless network

Reaver is a Linux based attack program that can quickly exploit the Wi-Fi Protected Setup (WPS) bug and recover a wireless network’s password. This page has links to several articles on how to install and run Reaver.

How to tell if your wireless router is vulnerable

People have been running Reaver to find routers that are vulnerable due to the WPS bug. This Google Docs Spreadsheet is being updated as new results come in. If you test a configuration, be sure to add it to the spreadsheet.

  • Wireless routers produced starting in 2007 have Wi-Fi Protected Setup (WPS), so older ones will not be vulnerable.
  • Below are the major wireless router manufacturers and status reports on updates to their firmware to fix the Wi-Fi Protected Setup (WPS) PIN Brute Force Vulnerability or how to disable WPS.

Actiontec Q1000 (Qwest) – Vulnerable

Apple – Not Vulnerable

ASUS – Vulnerable Unverified: Disable WPS by Clicking Disabled in the WPS tab after clicking “Wireless” in the left hand column

Belkin – Vulnerable – Instructions to Disable WPS

Buffalo – Not Vulnerable – Uses DD-WRT with custom PIN code

Cisco (Linksys) – Some Vulnerable – Product List – E4200V1 & WRT320N WPS Disable Hack – Turning off WPS does not really turn it off. E1200 v2, E1500, E3200, E4200 V1 firmware fix released March 2012.

D-Link – Vulnerable – Disable WPS by Unchecking Enabled in the ADVANCED tab > WI-FI PROTECTED SETUP

Dynex – Vulnerable

Huawei – Vulnerable

Netgear – Vulnerable – Instructions to Disable WPS

Technicolor – Vulnerable – Instructions to Disable WPS

Thomson – Vulnerable

TP-Link – Vulnerable – Disable WPS by Clicking Disabled WPS after clicking “WPS” in the left hand column.

TRENDnet – Vulnerable – Disable WPS by Selecting Disabled in the WPS Config after clicking “WPS” in the left hand column under Wireless.

ZyXEL – Vulnerable

If your wireless router does not have a solution to the WPS security hole, consider using alternative 3rd party firmware (if available), which is covered below.

How to protect your wireless network from the WPS PIN Brute Force Vulnerability

If you have a vulnerable wireless router and a fix is not available, consider purchasing a new wireless router that is not affected. This Belkin Wireless N router is cheap and can be configured correctly.

Here are some methods to prevent the WPS pin vulnerability from being exploited on your wireless router.

  • Wi-Fi Protected Setup (WPS) – Disable this feature (if possible) and use manual setup instead, even though WPS makes setup much easier. Use a test tool to verify that WPS really got turned off.
  • Broadcast SSID – Disable this feature. This is needed for WPS to function, so this can help mitigate the problem.
  • Some older Linksys routers incorporated SecureEasySetup™ (SES), which can be disabled to increase security.
  • Implement the security tips in our How to Setup a Secure Wireless Router article including utilizing timers to shut off your router when it is not needed, and repositioning the wireless router to limit coverage. Also watch for unknown wireless devices utilizing your network, by examining DHCP leases.
  • Use WPA2 Enterprise security.  This requires a RADIUS server, so it is for companies or sophisticated individuals.

Third Party Wireless Router Firmware to prevent WPS attack

Open Source alternatives to the software running on your wireless router are available for some units.

  • 3rd party firmware or software for the wireless router is often available with additional features not available from the manufacturer’s firmware
    • Why? – Need a particular special feature. Often only for power users.
    • What features would be available? – Stability, security, configurability
    • Wireless Router Compatibility – Check website to see if your wireless router is supported by 3rd party firmware

DD WRT Wireless Router WPA2 Security Encryption

  • DD-WRT – Popular 3rd party replacement firmware for many wireless routers.
  • OpenWRT – Another Open Source firmware for wireless routers.

Wireless Router Tomato Firmware

  • Tomato – Popular 3rd party replacement firmware for many wireless routers.
  • TomatoUSB – Supports different routers than Tomato

The Wi-Fi Protected Setup (WPS) PIN Brute Force Vulnerability is a major wireless security bug that affects millions of people, potentially allowing hackers to steal a lot of information. We have covered many ways to address the problem and will continue to update this article as manufacturers produce solutions.

TCP Port 32764 Back Door

In 2014, it was discovered that some wireless routers had a backdoor that could be accessed from anywhere on the Internet. Hackers could take over your router remotely without the need to enter a password!

This page has a list of wireless routers with the problem.  The most popular ones include:

  • Linksys WAG120N
  • Linksys WAG200N
  • Netgear DG834B V5.01.14
  • Netgear DGN2000 1.1.1, 1.1.11.0, 1.3.10.0, 1.3.11.0, 1.3.12.0
  • Netgear WPNT834
  • OpenWAG200

If you have any of these routers, you need to fix it right away or REPLACE it with a safe wireless router. Technical details of a patch.

 

Author: SafeGadget

Teaching users on how to secure their computers and gadgets.

9 thoughts on “Major Wireless Network Security Breach – Wi-Fi Protected Setup (WPS Bug) PIN Brute Force Vulnerability – Reaver”

  1. I find it hard to believe that routers are still being sold with WPS enabled – and with no warnings to the customer! – after this vulnerability was discovered. The whole point was to encourage non-technical people to secure their wireless networks, by making it easy, but it seems that the key was left under the doormat.

    It’s really not that hard to choose a network name, select WPA2, and enter a passphrase. To me it seems at least as easy as trying to remember/copy an 8-digit random number. Educating people on doing things manually would have been a better move than building a whole infrastructure to make an easy task easier, even if WPS had worked properly.

  2. Excellent article on this major problem that doesn’t seem to be getting enough attention.

    Luckily, I purchased a Linksys E4200 with DD-WRT from FlashRouters.com already installed so I don’t have to worry about that issue.

    Thanks for writing this excellent article.

  3. WPS is reportedly not working properly already, bringing more harm than security. Adapter providers must take more effort to include more security features aside from encryptions and passwords.

  4. The disable broadcast SSID is a myth. It only makes your connection unstable. Just disabling WPS is sufficient. Also Static IP, Mac Address Filtering doesn’t work.
