Author Topic: PSA: Security flaw with WPA (Wireless Router) Security...with simple fix.  (Read 6200 times)

Offline Fatah Ruark (aka MIKE B)

Just wanted to make sure everyone has the heads up on a new security flaw that makes it easy for anyone with half a brain to break into your wireless network.

MOST routers made in the past several years are vulnerable.

Basically the flaw is in the WPS part of the router. This is the little button with the key printed on the bottom of your router that makes it easy for the average Joe to set up wireless security (so you don't need to get into the web-based setup).

Simple solution is to TURN OFF WPS. You need to get into that web based setup screen (most likely 192.168.1.1) and turn it off. Sounds like you can't turn it off on Linksys routers though (well you can uncheck it, but it doesn't actually turn it off).

Here's an article on how to break into someone's router:

http://lifehacker.com/5873407/how-to-crack-a-wi+fi-networks-wpa-password-with-reaver

Figured I'd toss that out there. Not a huge problem because someone would have to be within range of your network to abuse it.

If you run an aftermarket firmware (Tomato, DD-WRT) on your router, I'm pretty sure you're safe. I know Tomato doesn't have WPS support, so obviously you can't take advantage of it then.
||| MICS: DPA 4022 | DPA 4080 | Nevaton MCE400 | Sennheiser Ambeo Headset |||
||| PREAMPS: DPA d:vice|||
||| DECKS: Sound Devices MixPre6 | Zoom F3 | iPod Touch 32GB |||
|||Concert History || LMA Recordings || Live YouTube |||
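
Added example (not part of the original post or thread): the post notes that unchecking WPS on some routers may not actually turn it off, so one way to verify the setting on your own router is to check whether it still advertises WPS in its beacons. The Python below parses the text output of `iw dev wlan0 scan`; the interface name, the embedded sample scan and the function names are assumptions constructed for illustration.

```python
import re

# Constructed sample of `iw dev wlan0 scan` output (not a real capture).
SAMPLE_SCAN = """\
BSS 02:00:00:aa:bb:01(on wlan0)
\tSSID: home-linksys
\tRSN:\t * Version: 1
\tWPS:\t * Version: 1.0
\t\t * Wi-Fi Protected Setup State: 2 (Configured)
BSS 02:00:00:aa:bb:02(on wlan0)
\tSSID: home-tomato
\tRSN:\t * Version: 1
BSS 02:00:00:aa:bb:03(on wlan0)
\tSSID: cafe-ap
\tWPS:\t * Version: 1.0
\t\t * Wi-Fi Protected Setup State: 2 (Configured)
\t\t * AP setup locked: 0x01
"""

BSS_RE = re.compile(r"^BSS ([0-9a-f:]{17})", re.I)

def audit_wps(scan_text):
    """Return one dict per access point: bssid, ssid, wps, locked."""
    aps, cur = [], None
    for line in scan_text.splitlines():
        m = BSS_RE.match(line)
        if m:  # start of a new access point record
            cur = {"bssid": m.group(1).lower(), "ssid": "", "wps": False, "locked": False}
            aps.append(cur)
            continue
        if cur is None:
            continue
        s = line.strip()
        if s.startswith("SSID:"):
            cur["ssid"] = s[5:].strip()
        elif s.startswith("WPS:"):
            cur["wps"] = True  # beacon carries a WPS information element
        elif "AP setup locked:" in s:
            cur["locked"] = not s.endswith("0x00")
    return aps

def still_advertising(scan_text, ssid):
    """True if any AP with this SSID still announces WPS after the change."""
    return any(ap["wps"] for ap in audit_wps(scan_text) if ap["ssid"] == ssid)

if __name__ == "__main__":
    for ap in audit_wps(SAMPLE_SCAN):
        print(ap["ssid"], ap["bssid"], "WPS on" if ap["wps"] else "no WPS",
              "(locked)" if ap["locked"] else "")
```

To use it on a live scan, capture the output of `sudo iw dev <interface> scan` after changing the router setting and pass that text to `still_advertising` with your own SSID.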

Offline mattmiller

Glad I installed Tomato several years ago.
Mics: Neumann KM100 (x4), AK40 (x2), AK50 (x2)
Pre: Lunatec V3
Recorders: Tascam DR-680, Tascam HD-P2 (x2), Sony PCM-M10

Offline johnw

Anyone found a fix for Cisco/Linksys? I have the e1200 and there is no way to disable WPS!  :o
Schoeps MK41 & MK4V  |  Schoeps CMC6, Schoeps KCY, AKI/2C, PFA, Nbox Cable/PFA  |  Grace V2, Nbox Platinum  |  SD744T, SD MixPre 6, Sony PCM M10

Canon 16-35mm/2.8L mkii, 24-70mm/2.8L, 70-200mm/2.8L IS, 50mm/1.8 mkii, 135mm/2L, 100mm/2.8L IS, Sigma 35mm/1.4 A  |  Canon 5D mk4

Offline Fatah Ruark (aka MIKE B)

Quote from johnw: "Anyone found a fix for Cisco/Linksys? I have the e1200 and there is no way to disable WPS!  :o"

As far as I can tell Tomato or DD-WRT is not compatible with the e1200. You might want to double check on that though because installing Tomato or DD-WRT will fix the problem.

Otherwise the only thing you can do is wait for Linksys to come out with a new firmware. I'm under the impression they are working on new firmware to resolve this problem.

Offline johnw

Yeah it looks like my model isn't supported on either site, and I don't want to brick it by trying.

Offline Fatah Ruark (aka MIKE B)

Good news is someone that wants to do this has to be within range of your router.

Not sure what someone could do once they gain access. I'm under the impression that a router secured with WPA does not allow one computer to see another computer's data. Could be wrong on that though.

Offline rastasean

Well the least that could be done would be to monitor your internet usage and intercept insecure data going across the wire. Also it would be possible to edit host records and direct it elsewhere but this isn't likely.

If you're really worried about this, I would recommend disabling wireless and only using the ethernet cable...not very practical but secure.

On a related note, I have discovered my cable modem has ssh and telnet open and I tried to log in a couple times and got locked out with brute force protection. Since then, the cable provider is filtering ssh and telnet but I'm hopeful another reset of the modem will fix this.
Advice is a form of nostalgia, dispensing it is a way of fishing the past from the disposal, wiping it off, painting over the ugly parts and recycling it for more than it’s worth.

Offline fleish

Quote from Fatah Ruark (aka MIKE B): "I'm under the impression that a router secured with WPA does not allow one computer to see another computer's data. Could be wrong on that though."
Depends what you mean by "see" ... are you saying wireless clients talking directly to each other without going through the WAP? Otherwise (or even if that was the case), standard system level access controls would (or should) be in control of what data can be seen on a computer.


Quote from rastasean: "Well the least that could be done would be to monitor your internet usage and intercept insecure data going across the wire. Also it would be possible to edit host records and direct it elsewhere but this isn't likely."
Huh? Edit host records where & how exactly?


Quote from rastasean: "On a related note, I have discovered my cable modem has ssh and telnet open and I tried to log in a couple times and got locked out with brute force protection. Since then, the cable provider is filtering ssh and telnet but I'm hopeful another reset of the modem will fix this."
This kind of thing always makes me laugh. The stupidity of residential ISPs has a long, sordid, and ongoing history of doing dumb sh!t. Just yesterday I was flipping between a primary cable modem connection & backup DSL connection - all the while pinging the router for the cable connection @ 10.10.10.1 to make sure I was still online. Well, after I switched over to the LAN for the DSL connection - I noticed 10.10.10.1 was still responding - only at an increased rate of ~60ms. Stupid AT&T is routing it right out onto the public internet and something on their network is even responding to the ICMP requests :P

The mention of telnet though reminds me of the old days in the 90s when a bunch of us got our first residential DSL lines through Digital Select. We get the thing set up and start probing around RFC1918 (private, not-supposed-to-be-routed-on-the-internet) space for some reason. Next thing we know, we find we're able to log in to many of Digital Select's backbone ATM nodes ... VIA TELNET! No access control whatsoever, we were just dropped right into a full access prompt. Saw a bunch of their WAN links and could probably have caused them a huge outage if we were so inclined.
Mics: AT853, MC930, AK40/AK50 > LC3 > KM100, ADK TL51
Cables: Audio Magic XStream silver, Kind Kables, Zaolla M1.5
Decks: D8, Busman Hybrid R4

My LMA tapes: http://archive.org/search.php?query=taper%3A%22Todd+Fleisher%22

My LMA transfers: http://archive.org/search.php?query=-taper%3A%28Todd%20Fleisher%29%20AND%20transferer%3A%28Todd%20Fleisher%29

My LMA uploads: http://archive.org/search.php?query=collection%3Aetree%20AND%20uploader%3A%28todd%40fleish.org%29

Awesome. David said you were like The Wolf in Pulp Fiction. Shows up just in time with tons of gear, does a pro job, and disappears into the night! :-)

Offline rastasean

Quote from fleish: "Huh? Edit host records where & how exactly?"

If you have access to the router, why would you not be able to edit the DNS to a machine you have set up as a DNS server with edited records? It's highly unlikely anyone would want to do this, however. I suppose a simpler solution would be to set up an OpenDNS account under the WAN IP and then block traffic as you wish.

Offline fleish

Quote from fleish: "Huh? Edit host records where & how exactly?"

Quote from rastasean: "If you have access to the router, why would you not be able to edit the DNS to a machine you have set up as a DNS server with edited records? It's highly unlikely anyone would want to do this, however. I suppose a simpler solution would be to set up an OpenDNS account under the WAN IP and then block traffic as you wish."

Ah yes if the router was not secured with a password this would be possible.
© 2002-2025 Taperssection.com