Author Topic: WPA2 is seriously broken in routers/access points that have WPS as well  (Read 127 times)

A hacker late last year found a hole that allows the Reaver hackware to pull the WPA2 key from access points & routers as well as PCs running something other than Windows or iOS (I'm not sure how reliable the latter point is). That version of Reaver and several variants are freely available. The WPA2 password can be retrieved in as little as 3 seconds.

Disabling WPS might help, but be aware that there have been multiple reports of devices where using the 'disable' function leaves WPS active.

Here's a quote from one site:

"Reaver implements a brute force attack against Wifi Protected Setup (WPS) registrar PINs in order to recover WPA/WPA2 passphrases, as described in 'Brute forcing Wi-Fi Protected Setup: When poor design meets poor implementation' by Stefan Viehböck.

Reaver has been designed to be a robust and practical attack against Wi-Fi Protected Setup (WPS) registrar PINs in order to recover WPA/WPA2 passphrases and has been tested against a wide variety of access points and WPS implementations.

Depending on the target's Access Point (AP), to recover the plain text WPA/WPA2 passphrase the average amount of time for the traditional online brute force method is between 4-10 hours. In practice, it will generally take half this time to guess the correct WPS pin and recover the passphrase. When using the offline attack, if the AP is vulnerable, it may take only a matter of seconds to minutes."

It makes little difference whether the WPS PIN is set or empty.

Defense currently means ensuring that WPS set to disabled really is disabled; I suspect you might need to attack your own device with Reaver to do that. CIS10 should flash up a warning if anything new joins your Wi-Fi network; I also have been using a tiny app called Wi-Fi Guard. You can then turn off Wi-Fi, hopefully before the hackers have had time to ransack your files or do damage.

This is the responsibility of the manufacturers, who continue to sell kit containing WEP (broken so many times it was abandoned in 2004 (!)) as well as WPS (2 different cracks published in 2011). Nor in most cases and for most kit have they bothered to fix the firmware holes that let Reaver get the WPA2 password.

As an illustration of just how awful some manufacturers can be, have a read here:

https://www.theregister.co.uk/2016/09/29/dlink_dwr932_b_owner_trash_it_says_security_bughunter/

The article linked from the bottom left of the page about the 'D-Link router riddled with 0-day flaws' shows D-Link's utter incompetence and total disregard for users' security needs.

« Last Edit: March 03, 2018, 01:41:20 PM by Heracliton »
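The post's practical worry is that an access point whose web UI says "WPS disabled" may still have WPS running. A non-intrusive way to check your own AP, short of running Reaver against it, is to look at what it advertises: an AP with WPS active includes a WPS information element (vendor-specific element 221, OUI 00:50:F2, OUI type 4) in its beacon frames, carrying a "Wi-Fi Protected Setup State" attribute (1 = not configured, 2 = configured), plus "Selected Registrar" and "AP Setup Locked" flags. The Python below is an added example, not code from the post or from the Reaver project: it parses that element out of a beacon's tagged-parameters bytes. The two beacons it inspects are constructed inline for illustration; in real use you would feed it the tagged-parameters bytes of a beacon captured from your own AP.

```python
"""Check whether an access point still advertises WPS in its beacon frames.

Added example. Parses the 802.11 tagged parameters of a beacon, finds the
WPS vendor-specific element and reports the WPS state attributes. Sample
beacons below are constructed, not captured.
"""
import struct

IE_VENDOR_SPECIFIC = 221
WPS_OUI = bytes.fromhex("0050f2")   # OUI carried by the WPS (Wi-Fi Simple Configuration) IE
WPS_OUI_TYPE = 0x04                  # OUI type 4 = Wi-Fi Simple Configuration

# WPS attribute identifiers (big-endian TLVs inside the element)
ATTR_VERSION = 0x104A
ATTR_WPS_STATE = 0x1044            # 1 = not configured, 2 = configured
ATTR_SELECTED_REGISTRAR = 0x1041   # 1 = a registrar is currently accepting enrollees
ATTR_AP_SETUP_LOCKED = 0x1057      # 1 = AP locked WPS after repeated PIN failures


def iter_ies(tagged: bytes):
    """Yield (element_id, value) from 802.11 tagged parameters (1-byte id, 1-byte length)."""
    i = 0
    while i + 2 <= len(tagged):
        element_id, length = tagged[i], tagged[i + 1]
        value = tagged[i + 2:i + 2 + length]
        if len(value) < length:      # truncated frame: stop rather than misparse
            break
        yield element_id, value
        i += 2 + length


def parse_wps_attrs(body: bytes) -> dict:
    """Parse WPS attributes: 2-byte id, 2-byte length, value (all big-endian)."""
    attrs = {}
    i = 0
    while i + 4 <= len(body):
        attr_id, length = struct.unpack_from(">HH", body, i)
        value = body[i + 4:i + 4 + length]
        if len(value) < length:
            break
        attrs[attr_id] = value
        i += 4 + length
    return attrs


def wps_status(tagged: bytes) -> dict:
    """Summarise what an AP advertises about WPS in a beacon's tagged parameters."""
    result = {"wps_advertised": False, "state": None,
              "selected_registrar": False, "ap_setup_locked": False}
    for element_id, value in iter_ies(tagged):
        if element_id != IE_VENDOR_SPECIFIC or len(value) < 4:
            continue
        if value[:3] != WPS_OUI or value[3] != WPS_OUI_TYPE:
            continue
        attrs = parse_wps_attrs(value[4:])
        result["wps_advertised"] = True
        state = attrs.get(ATTR_WPS_STATE, b"")
        code = state[0] if state else 0
        result["state"] = {1: "not configured", 2: "configured"}.get(code, "unknown")
        result["selected_registrar"] = attrs.get(ATTR_SELECTED_REGISTRAR, b"\x00")[:1] == b"\x01"
        result["ap_setup_locked"] = attrs.get(ATTR_AP_SETUP_LOCKED, b"\x00")[:1] == b"\x01"
    return result


# --- constructed sample beacons (not real captures) ---

def _tlv(attr_id: int, value: bytes) -> bytes:
    return struct.pack(">HH", attr_id, len(value)) + value


def _ie(element_id: int, value: bytes) -> bytes:
    return bytes([element_id, len(value)]) + value


def build_wps_ie(state: int, selected_registrar: bool, locked: bool) -> bytes:
    """Build a vendor-specific element carrying a WPS attribute set (sample data only)."""
    body = (_tlv(ATTR_VERSION, b"\x10")
            + _tlv(ATTR_WPS_STATE, bytes([state]))
            + _tlv(ATTR_SELECTED_REGISTRAR, b"\x01" if selected_registrar else b"\x00")
            + _tlv(ATTR_AP_SETUP_LOCKED, b"\x01" if locked else b"\x00"))
    return _ie(IE_VENDOR_SPECIFIC, WPS_OUI + bytes([WPS_OUI_TYPE]) + body)


SSID_IE = _ie(0, b"home-ap")                          # element id 0 = SSID
RATES_IE = _ie(1, bytes([0x82, 0x84, 0x8B, 0x96]))    # element id 1 = supported rates

# AP whose UI says "WPS off" but whose beacon still carries the WPS element
BEACON_WPS_ON = SSID_IE + RATES_IE + build_wps_ie(2, True, False)
# AP that has genuinely dropped the WPS element
BEACON_WPS_OFF = SSID_IE + RATES_IE


if __name__ == "__main__":
    for name, beacon in (("wps-on", BEACON_WPS_ON), ("wps-off", BEACON_WPS_OFF)):
        print(name, wps_status(beacon))
```

If `wps_advertised` is True after you have switched WPS off in the router's UI, the firmware is one of the "disable leaves WPS active" cases the post warns about; `ap_setup_locked` being True is the AP's own rate-limiting having tripped, which is worth knowing because it means repeated PIN attempts have already been made against it.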

 
