Re: [Full-disclosure] Linksys Routers still Vulnerable to Wps vulnerability.
dan, does the wash tool included with reaver check for advertised config
methods? if not and it does some more in depth analysis to determine if an
ap is vuln, that might be the active scanner youre looking for.

On Mon, Feb 13, 2012 at 5:27 PM, Derek Grocke wrote:

> That's definitely not a good thing if it's found to be the case across
> more of the vendors.
> Is it the intent of the column on the google docs spreadsheet (WPS
> can be disabled and it stays off), to include confirmation of the retest
> after the WPS setting has been disabled?
>
> I wonder if everyone retested after the option was turned off? I hope so.
>
> Thanks
> Derek
>
> On 14/02/2012, at 9:40 AM, chris nelson wrote:
>
>> i believe that disabling wps on router still leaves some routers
>> vulnerable was reported on before.
>> from
>> http://arstechnica.com/business/news/2012/01/hands-on-hacking-wifi-protected-setup-with-reaver.ars
>> "Having demonstrated the insecurity of WPS, I went into the Linksys'
>> administrative interface and turned WPS off. Then, I relaunched Reaver,
>> figuring that surely setting the router to manual configuration would block
>> the attacks at the door. But apparently Reaver didn't get the memo, and the
>> Linksys' WPS interface still responded to its queries—once again coughing
>> up the password and SSID."
>>
>> the testing i did was in early-mid jan, ill verify my findings again. at
>> work now, but will let you know about config methods.
>>
>> On Mon, Feb 13, 2012 at 2:57 PM, Dan Kaminsky wrote:
>>
>>> That's a fairly significant finding. Can anyone else confirm the
>>> existence of devices that still fall to Reaver even when WPS is disabled?
>>>
>>> Chris, when you run:
>>>
>>> iw dev wlan0 scan | grep "Config methods"
>>>
>>> Do you see a difference in advertised methods?
>>>
>>> On Mon, Feb 13, 2012 at 3:58 PM, chris nelson wrote:
>>>
>>>> i have tested reaver on a netgear and linksys (dont have model nos. with
>>>> me) with wps disabled and enabled. the wps setting did not matter and both
>>>> were vulnerable. was able to recover wpa2 passphrase in ~4 hrs on both.
>>>>
>>>> On Mon, Feb 13, 2012 at 8:32 AM, Dan Kaminsky wrote:
>>>>
>>>>>> Steve while he's often derided goes into this very well. Many cisco's
>>>>>> only stop advertising wps when it is "off" but wps actually still
>>>>>> exists...which means they are still easily hackable.
>>>>>
>>>>> Have you directly confirmed a WPS exchange can occur even on devices
>>>>> that aren't advertising support? That would indeed be a quick and dirty
>>>>> way to "turn the feature off".

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Linksys Routers still Vulnerable to Wps vulnerability.
That's definitely not a good thing if it's found to be the case across more
of the vendors.
Is it the intent of the column on the google docs spreadsheet (WPS can be
disabled and it stays off), to include confirmation of the retest after the
WPS setting has been disabled?

I wonder if everyone retested after the option was turned off? I hope so.

Thanks
Derek

On 14/02/2012, at 9:40 AM, chris nelson wrote:

> i believe that disabling wps on router still leaves some routers
> vulnerable was reported on before.
> from
> http://arstechnica.com/business/news/2012/01/hands-on-hacking-wifi-protected-setup-with-reaver.ars
> "Having demonstrated the insecurity of WPS, I went into the Linksys'
> administrative interface and turned WPS off. Then, I relaunched Reaver,
> figuring that surely setting the router to manual configuration would block
> the attacks at the door. But apparently Reaver didn't get the memo, and the
> Linksys' WPS interface still responded to its queries—once again coughing
> up the password and SSID."
>
> the testing i did was in early-mid jan, ill verify my findings again. at
> work now, but will let you know about config methods.
>
> On Mon, Feb 13, 2012 at 2:57 PM, Dan Kaminsky wrote:
>
>> That's a fairly significant finding. Can anyone else confirm the
>> existence of devices that still fall to Reaver even when WPS is disabled?
>>
>> Chris, when you run:
>>
>> iw dev wlan0 scan | grep "Config methods"
>>
>> Do you see a difference in advertised methods?
>>
>> On Mon, Feb 13, 2012 at 3:58 PM, chris nelson wrote:
>>
>>> i have tested reaver on a netgear and linksys (dont have model nos. with
>>> me) with wps disabled and enabled. the wps setting did not matter and both
>>> were vulnerable. was able to recover wpa2 passphrase in ~4 hrs on both.
>>>
>>> On Mon, Feb 13, 2012 at 8:32 AM, Dan Kaminsky wrote:
>>>
>>>>> Steve while he's often derided goes into this very well. Many cisco's
>>>>> only stop advertising wps when it is "off" but wps actually still
>>>>> exists...which means they are still easily hackable.
>>>>
>>>> Have you directly confirmed a WPS exchange can occur even on devices
>>>> that aren't advertising support? That would indeed be a quick and dirty
>>>> way to "turn the feature off".
Re: [Full-disclosure] Linksys Routers still Vulnerable to Wps vulnerability.
Well, what this all tells me is that my process of simply checking for
advertised configuration methods understates the number of nodes actually
vulnerable. Reaver should be modifiable into an active scanner, at least.

On Mon, Feb 13, 2012 at 7:09 PM, Ian Hayes wrote:

> On Mon, Feb 13, 2012 at 1:57 PM, Dan Kaminsky wrote:
>> That's a fairly significant finding. Can anyone else confirm the existence
>> of devices that still fall to Reaver even when WPS is disabled?
>
> The Netgear N750 definitely does. I can rummage through my Box'o'Stuff
> and see if I have any more wireless APs...
>
> It looks like the Belkin routers don't. After disabling WPS, reaver
> just hung after hitting the channel the AP was on. Re-enabling, reaver
> went right to work.
>
> Just in case anyone hasn't figured out how to use it yet, I did an
> in-house presentation a few weeks ago:
>
> http://www.n2netsec.com/site/index.php?option=com_content&view=section&layout=blog&id=5&Itemid=89
Re: [Full-disclosure] Linksys Routers still Vulnerable to Wps vulnerability.
On Mon, Feb 13, 2012 at 1:57 PM, Dan Kaminsky wrote:
> That's a fairly significant finding. Can anyone else confirm the existence
> of devices that still fall to Reaver even when WPS is disabled?

The Netgear N750 definitely does. I can rummage through my Box'o'Stuff
and see if I have any more wireless APs...

It looks like the Belkin routers don't. After disabling WPS, reaver
just hung after hitting the channel the AP was on. Re-enabling, reaver
went right to work.

Just in case anyone hasn't figured out how to use it yet, I did an
in-house presentation a few weeks ago:

http://www.n2netsec.com/site/index.php?option=com_content&view=section&layout=blog&id=5&Itemid=89
Re: [Full-disclosure] Linksys Routers still Vulnerable to Wps vulnerability.
also here:
http://www.backtrack-linux.org/forums/showthread.php?t=47038
and here:
http://adaywithtape.blogspot.com/2012/01/cracking-wpa-using-wps-vulnerability.html

On Mon, Feb 13, 2012 at 4:09 PM, chris nelson wrote:

> i believe that disabling wps on router still leaves some routers
> vulnerable was reported on before.
> from
> http://arstechnica.com/business/news/2012/01/hands-on-hacking-wifi-protected-setup-with-reaver.ars
> "Having demonstrated the insecurity of WPS, I went into the Linksys'
> administrative interface and turned WPS off. Then, I relaunched Reaver,
> figuring that surely setting the router to manual configuration would block
> the attacks at the door. But apparently Reaver didn't get the memo, and the
> Linksys' WPS interface still responded to its queries—once again coughing
> up the password and SSID."
>
> the testing i did was in early-mid jan, ill verify my findings again. at
> work now, but will let you know about config methods.
>
> On Mon, Feb 13, 2012 at 2:57 PM, Dan Kaminsky wrote:
>
>> That's a fairly significant finding. Can anyone else confirm the
>> existence of devices that still fall to Reaver even when WPS is disabled?
>>
>> Chris, when you run:
>>
>> iw dev wlan0 scan | grep "Config methods"
>>
>> Do you see a difference in advertised methods?
>>
>> On Mon, Feb 13, 2012 at 3:58 PM, chris nelson wrote:
>>
>>> i have tested reaver on a netgear and linksys (dont have model nos. with
>>> me) with wps disabled and enabled. the wps setting did not matter and both
>>> were vulnerable. was able to recover wpa2 passphrase in ~4 hrs on both.
>>>
>>> On Mon, Feb 13, 2012 at 8:32 AM, Dan Kaminsky wrote:
>>>
>>>>> Steve while he's often derided goes into this very well. Many cisco's
>>>>> only stop advertising wps when it is "off" but wps actually still
>>>>> exists...which means they are still easily hackable.
>>>>
>>>> Have you directly confirmed a WPS exchange can occur even on devices
>>>> that aren't advertising support? That would indeed be a quick and dirty
>>>> way to "turn the feature off".
Re: [Full-disclosure] Linksys Routers still Vulnerable to Wps vulnerability.
i believe that disabling wps on router still leaves some routers vulnerable
was reported on before.
from
http://arstechnica.com/business/news/2012/01/hands-on-hacking-wifi-protected-setup-with-reaver.ars
"Having demonstrated the insecurity of WPS, I went into the Linksys'
administrative interface and turned WPS off. Then, I relaunched Reaver,
figuring that surely setting the router to manual configuration would block
the attacks at the door. But apparently Reaver didn't get the memo, and the
Linksys' WPS interface still responded to its queries—once again coughing
up the password and SSID."

the testing i did was in early-mid jan, ill verify my findings again. at
work now, but will let you know about config methods.

On Mon, Feb 13, 2012 at 2:57 PM, Dan Kaminsky wrote:

> That's a fairly significant finding. Can anyone else confirm the
> existence of devices that still fall to Reaver even when WPS is disabled?
>
> Chris, when you run:
>
> iw dev wlan0 scan | grep "Config methods"
>
> Do you see a difference in advertised methods?
>
> On Mon, Feb 13, 2012 at 3:58 PM, chris nelson wrote:
>
>> i have tested reaver on a netgear and linksys (dont have model nos. with
>> me) with wps disabled and enabled. the wps setting did not matter and both
>> were vulnerable. was able to recover wpa2 passphrase in ~4 hrs on both.
>>
>> On Mon, Feb 13, 2012 at 8:32 AM, Dan Kaminsky wrote:
>>
>>>> Steve while he's often derided goes into this very well. Many cisco's
>>>> only stop advertising wps when it is "off" but wps actually still
>>>> exists...which means they are still easily hackable.
>>>
>>> Have you directly confirmed a WPS exchange can occur even on devices
>>> that aren't advertising support? That would indeed be a quick and dirty
>>> way to "turn the feature off".
Re: [Full-disclosure] Linksys Routers still Vulnerable to Wps vulnerability.
That's a fairly significant finding. Can anyone else confirm the existence
of devices that still fall to Reaver even when WPS is disabled?

Chris, when you run:

    iw dev wlan0 scan | grep "Config methods"

Do you see a difference in advertised methods?

On Mon, Feb 13, 2012 at 3:58 PM, chris nelson wrote:

> i have tested reaver on a netgear and linksys (dont have model nos. with
> me) with wps disabled and enabled. the wps setting did not matter and both
> were vulnerable. was able to recover wpa2 passphrase in ~4 hrs on both.
>
> On Mon, Feb 13, 2012 at 8:32 AM, Dan Kaminsky wrote:
>
>>> Steve while he's often derided goes into this very well. Many cisco's
>>> only stop advertising wps when it is "off" but wps actually still
>>> exists...which means they are still easily hackable.
>>
>> Have you directly confirmed a WPS exchange can occur even on devices that
>> aren't advertising support? That would indeed be a quick and dirty way to
>> "turn the feature off".
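The before/after comparison asked about in the message above, as an added example that is not part of the original thread: it parses saved `iw dev wlan0 scan` output and reports, per BSSID, whether the WPS element and its config methods are still advertised. The sample scans, BSSIDs and SSIDs are constructed and the field layout is assumed from typical `iw` output; per the thread, an AP that stops advertising may still answer WPS exchanges, so this measures advertisement only.

```shell
#!/bin/sh
# Added example (not from the thread): summarise what each AP *advertises*
# about WPS in saved `iw dev <ifname> scan` output, then diff two snapshots.

# wps_report: scan text on stdin -> one line per BSS:
#   <bssid> wps=<advertised|not-advertised> state=.. locked=.. methods=.. ssid=..
wps_report() {
    awk '
    function emit() {
        if (bssid != "")
            printf "%s wps=%s state=%s locked=%s methods=%s ssid=%s\n",
                bssid, (wps ? "advertised" : "not-advertised"),
                state, locked, methods, ssid
    }
    /^BSS [0-9A-Fa-f:]+/ {              # a new AP record starts here
        emit()
        bssid = substr($2, 1, 17)       # drop the "(on wlan0)" suffix
        wps = 0; state = "-"; locked = "-"; methods = "-"; ssid = "?"
        next
    }
    /^[ \t]*SSID: /  { sub(/^[ \t]*SSID: /, ""); ssid = $0; next }
    /^[ \t]*WPS:/    { wps = 1 }        # WPS information element present
    /Wi-Fi Protected Setup State:/ {
        sub(/.*Setup State: */, ""); state = $0; gsub(/ /, "", state)
    }
    /AP setup locked:/ { sub(/.*AP setup locked: */, ""); locked = $0 }
    /Config methods:/  {
        sub(/.*Config methods: */, ""); methods = $0; gsub(/, */, ",", methods)
    }
    END { emit() }
    '
}

# wps_diff BEFORE AFTER: compare the advertisement per BSSID between two saved
# scans, e.g. taken before and after switching WPS off in the admin interface.
wps_diff() {
    before=$(mktemp) && after=$(mktemp) || return 1
    wps_report < "$1" > "$before"
    wps_report < "$2" > "$after"
    awk '
    NR == FNR  { prev[$1] = $2 " " $3 " " $5; next }
    $1 in prev { cur = $2 " " $3 " " $5
                 print $1, (cur == prev[$1] ? "unchanged" : "changed"), prev[$1], "->", cur }
    ' "$before" "$after"
    rm -f "$before" "$after"
}

# Constructed sample scans (not real captures).
sample_before() {
cat <<'EOF'
BSS 02:00:00:00:00:01(on wlan0)
    freq: 2437
    SSID: lab-ap-1
    WPS:     * Version: 1.0
             * Wi-Fi Protected Setup State: 2 (Configured)
             * Config methods: Label, Display, PBC
BSS 02:00:00:00:00:02(on wlan0)
    freq: 2462
    SSID: lab-ap-2
    WPS:     * Version: 1.0
             * Wi-Fi Protected Setup State: 2 (Configured)
             * Config methods: Label, PBC
EOF
}

sample_after() {
cat <<'EOF'
BSS 02:00:00:00:00:01(on wlan0)
    freq: 2437
    SSID: lab-ap-1
BSS 02:00:00:00:00:02(on wlan0)
    freq: 2462
    SSID: lab-ap-2
    WPS:     * Version: 1.0
             * Wi-Fi Protected Setup State: 2 (Configured)
             * Config methods: Label, PBC
EOF
}

# Demo on the constructed samples. A change to "not-advertised" only means the
# AP stopped announcing WPS; the thread reports APs that still responded.
tmp=$(mktemp -d)
sample_before > "$tmp/before.txt"
sample_after  > "$tmp/after.txt"
wps_diff "$tmp/before.txt" "$tmp/after.txt"
rm -rf "$tmp"
```

On a real audit, save one scan before and one after changing the WPS setting and pass both files to `wps_diff`; an "unchanged" line for your own AP means the setting did not even alter what is advertised.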
Re: [Full-disclosure] Linksys Routers still Vulnerable to Wps vulnerability.
i have tested reaver on a netgear and linksys (dont have model nos. with
me) with wps disabled and enabled. the wps setting did not matter and both
were vulnerable. was able to recover wpa2 passphrase in ~4 hrs on both.

On Mon, Feb 13, 2012 at 8:32 AM, Dan Kaminsky wrote:

>> Steve while he's often derided goes into this very well. Many cisco's
>> only stop advertising wps when it is "off" but wps actually still
>> exists...which means they are still easily hackable.
>
> Have you directly confirmed a WPS exchange can occur even on devices that
> aren't advertising support? That would indeed be a quick and dirty way to
> "turn the feature off".
Re: [Full-disclosure] Linksys Routers still Vulnerable to Wps vulnerability.
> Steve while he's often derided goes into this very well. Many cisco's
> only stop advertising wps when it is "off" but wps actually still
> exists...which means they are still easily hackable.

Have you directly confirmed a WPS exchange can occur even on devices that
aren't advertising support? That would indeed be a quick and dirty way to
"turn the feature off".
Re: [Full-disclosure] Linksys Routers still Vulnerable to Wps vulnerability.
On 2/12/2012 5:42 PM, Sanguinarious Rose wrote:

> On Sat, Feb 11, 2012 at 2:23 PM, wrote:
>> _
>> "Use Tomato-USB OS on them."
>> _
>>
>> Besides you void warranty...
>> list of DD-WRT Supported routers:
>>
>> E1000         supported
>> E1000 v2      supported
>> E1000 v2.1    supported
>> E1200 v1      ???
>> E1200 v2      ???
>> E1500         ???
>> E1550         ???
>> E2000         supported
>> E2100L        supported
>> E2500         not supported
>> E3000         supported
>> E3200         supported
>> E4200 v1      not supported yet
>> E4200 v2      not supported
>> M10
>> M20
>> M20 v2
>> RE1000
>> WAG120N       not supported
>> WAG160N       not supported
>> WAG160N v2    not supported
>> WAG310G       not supported
>> WAG320N       not supported
>> WAG54G2       not supported
>> WAP610N       not supported
>> WRT110        not supported
>> WRT120N       not supported
>> WRT160N v1    supported
>> WRT160N v2    not supported
>> WRT160N v3    supported
>> WRT160NL      supported
>> WRT310N v1    supported
>> WRT310N v2    not supported yet
>> WRT320N       supported
>> WRT400N       supported
>> WRT54G2 v1    supported
>> WRT54G2 v1.3  supported
>> WRT54G2 v1.5  not supported
>> WRT54GS2 v1   supported
>> WRT610N v1    supported
>> WRT610N v2    supported
>> X2000         not supported
>> X2000 v2      not supported
>> X3000         not supported.
>>
>> _
>>
>> "Fixing? Heh.
>>
>> Aside from rate limiting WPS, there isn't much of a fix, and you can't turn
>> it off either."
>> _
>>
>> What about removing WuPS entirely?
>>
>> WuPS is a total failure because:
>>
>> 1. Even if everything is fine 8 digits long is very weak because once you
>> got the pin after 7 month - 2 years for example, you are completely pwned.
>
> I can't see someone sitting outside my house for 7 months let alone 2
> years trying to get my PIN for my router.
>
>> 2. Pin number is fixed you can't change it to a longer number or maybe a
>> string like "omgponnies"
>
> A valid point and easy security improvement
>
>> 3. Setting up a WPA2 password manually it's a piece of cake (even with
>> keypad only cell phones), if some people are lazy, you don't have to
>> weakening the security of a strong protocol.
>
> People are lazy by default and I see it honestly as their fault for
> not taking simple precautions or god forbid reading up a bit.
>
>> Farth Vader

actually you only need to guess the first 4 then it's child's play. Tools
that are out now guess this in seconds not years. wps is a total failure by
its very design.

http://twit.tv/show/security-now/337

Steve while he's often derided goes into this very well. Many cisco's only
stop advertising wps when it is "off" but wps actually still exists...which
means they are still easily hackable.
Re: [Full-disclosure] Linksys Routers still Vulnerable to Wps vulnerability.
Just morbidly curious, what did you use for the SSID?

On Feb 12, 2012 5:31 PM, "Derek" wrote:

> They should at least consider providing an option to disable the static
> pin only or disable it after an hour if the feature is activated by the user.
>
> Seems to be something that could be included in a future firmware update.
>
> For a vendor to provide another mechanism for a user to get remotely
> hacked (within wireless TX/RX range) and not address it in a reasonable
> amount of time, exposes the less technical user, who it was intended to
> help in the first place.
>
> It would be interesting to see if this feature went through a technical
> security risk assessment and if so, how the static pin was rationalised for
> public release.
>
> I setup an isolated vulnerable device and had attack traffic within 2 days
> of it being activated. I did make the SSID very attractive, but the war
> drivers are certainly getting out of the house again.
>
> Thanks
> Derek
>
> On 13/02/2012, at 1:47, Rob Fuller wrote:
>
>> I've tested 6 models of Linksys, all of them appear to disable WPS
>> completely as soon as a single wireless setting is set. I assume this
>> would be the reason Cisco/Linksys aren't putting much stock in
>> 'fixing' it further. If anyone has any experience to contradict this
>> or have a modification to current tools to circumvent what I've
>> perceived as disabled, I, as I'm sure Craig, would be very interested.
>>
>> --
>> Rob Fuller | Mubix
>> Certified Checkbox Unchecker
>> Room362.com | Hak5.org
>>
>> On Sat, Feb 11, 2012 at 4:23 PM, wrote:
>>> _
>>> "Use Tomato-USB OS on them."
>>> _
>>>
>>> Besides you void warranty...
>>> list of DD-WRT Supported routers:
>>>
>>> E1000         supported
>>> E1000 v2      supported
>>> E1000 v2.1    supported
>>> E1200 v1      ???
>>> E1200 v2      ???
>>> E1500         ???
>>> E1550         ???
>>> E2000         supported
>>> E2100L        supported
>>> E2500         not supported
>>> E3000         supported
>>> E3200         supported
>>> E4200 v1      not supported yet
>>> E4200 v2      not supported
>>> M10
>>> M20
>>> M20 v2
>>> RE1000
>>> WAG120N       not supported
>>> WAG160N       not supported
>>> WAG160N v2    not supported
>>> WAG310G       not supported
>>> WAG320N       not supported
>>> WAG54G2       not supported
>>> WAP610N       not supported
>>> WRT110        not supported
>>> WRT120N       not supported
>>> WRT160N v1    supported
>>> WRT160N v2    not supported
>>> WRT160N v3    supported
>>> WRT160NL      supported
>>> WRT310N v1    supported
>>> WRT310N v2    not supported yet
>>> WRT320N       supported
>>> WRT400N       supported
>>> WRT54G2 v1    supported
>>> WRT54G2 v1.3  supported
>>> WRT54G2 v1.5  not supported
>>> WRT54GS2 v1   supported
>>> WRT610N v1    supported
>>> WRT610N v2    supported
>>> X2000         not supported
>>> X2000 v2      not supported
>>> X3000         not supported.
>>>
>>> _
>>>
>>> "Fixing? Heh.
>>>
>>> Aside from rate limiting WPS, there isn't much of a fix, and you can't
>>> turn it off either."
>>> _
>>>
>>> What about removing WuPS entirely?
>>>
>>> WuPS is a total failure because:
>>>
>>> 1. Even if everything is fine 8 digits long is very weak because once
>>> you got the pin after 7 month - 2 years for example, you are completely
>>> pwned.
>>>
>>> 2. Pin number is fixed you can't change it to a longer number or maybe
>>> a string like "omgponnies"
>>>
>>> 3. Setting up a WPA2 password manually it's a piece of cake (even with
>>> keypad only cell phones), if some people are lazy, you don't have to
>>> weakening the security of a strong protocol.
>>>
>>> Farth Vader
Re: [Full-disclosure] Linksys Routers still Vulnerable to Wps vulnerability.
secure_CC_POS

Thanks
Derek

On 13/02/2012, at 22:17, Alex Buie wrote:

> Just morbidly curious, what did you use for the SSID?
>
> On Feb 12, 2012 5:31 PM, "Derek" wrote:
>
>> They should at least consider providing an option to disable the static pin
>> only or disable it after an hour if the feature is activated by the user.
>>
>> Seems to be something that could be included in a future firmware update.
>>
>> For a vendor to provide another mechanism for a user to get remotely hacked
>> (within wireless TX/RX range) and not address it in a reasonable amount of
>> time, exposes the less technical user, who it was intended to help in the
>> first place.
>>
>> It would be interesting to see if this feature went through a technical
>> security risk assessment and if so, how the static pin was rationalised for
>> public release.
>>
>> I setup an isolated vulnerable device and had attack traffic within 2 days of
>> it being activated. I did make the SSID very attractive, but the war drivers
>> are certainly getting out of the house again.
>>
>> Thanks
>> Derek
>>
>> On 13/02/2012, at 1:47, Rob Fuller wrote:
>>
>>> I've tested 6 models of Linksys, all of them appear to disable WPS
>>> completely as soon as a single wireless setting is set. I assume this
>>> would be the reason Cisco/Linksys aren't putting much stock in
>>> 'fixing' it further. If anyone has any experience to contradict this
>>> or have a modification to current tools to circumvent what I've
>>> perceived as disabled, I, as I'm sure Craig, would be very interested.
>>>
>>> --
>>> Rob Fuller | Mubix
>>> Certified Checkbox Unchecker
>>> Room362.com | Hak5.org
>>>
>>> On Sat, Feb 11, 2012 at 4:23 PM, wrote:
>>>> _
>>>> "Use Tomato-USB OS on them."
>>>> _
>>>>
>>>> Besides you void warranty...
>>>> list of DD-WRT Supported routers:
>>>>
>>>> E1000         supported
>>>> E1000 v2      supported
>>>> E1000 v2.1    supported
>>>> E1200 v1      ???
>>>> E1200 v2      ???
>>>> E1500         ???
>>>> E1550         ???
>>>> E2000         supported
>>>> E2100L        supported
>>>> E2500         not supported
>>>> E3000         supported
>>>> E3200         supported
>>>> E4200 v1      not supported yet
>>>> E4200 v2      not supported
>>>> M10
>>>> M20
>>>> M20 v2
>>>> RE1000
>>>> WAG120N       not supported
>>>> WAG160N       not supported
>>>> WAG160N v2    not supported
>>>> WAG310G       not supported
>>>> WAG320N       not supported
>>>> WAG54G2       not supported
>>>> WAP610N       not supported
>>>> WRT110        not supported
>>>> WRT120N       not supported
>>>> WRT160N v1    supported
>>>> WRT160N v2    not supported
>>>> WRT160N v3    supported
>>>> WRT160NL      supported
>>>> WRT310N v1    supported
>>>> WRT310N v2    not supported yet
>>>> WRT320N       supported
>>>> WRT400N       supported
>>>> WRT54G2 v1    supported
>>>> WRT54G2 v1.3  supported
>>>> WRT54G2 v1.5  not supported
>>>> WRT54GS2 v1   supported
>>>> WRT610N v1    supported
>>>> WRT610N v2    supported
>>>> X2000         not supported
>>>> X2000 v2      not supported
>>>> X3000         not supported.
>>>>
>>>> _
>>>>
>>>> "Fixing? Heh.
>>>>
>>>> Aside from rate limiting WPS, there isn't much of a fix, and you can't
>>>> turn it off either."
>>>> _
>>>>
>>>> What about removing WuPS entirely?
>>>>
>>>> WuPS is a total failure because:
>>>>
>>>> 1. Even if everything is fine 8 digits long is very weak because once you
>>>> got the pin after 7 month - 2 years for example, you are completely pwned.
>>>>
>>>> 2. Pin number is fixed you can't change it to a longer number or maybe a
>>>> string like "omgponnies"
>>>>
>>>> 3. Setting up a WPA2 password manually it's a piece of cake (even with
>>>> keypad only cell phones), if some people are lazy, you don't have to
>>>> weakening the security of a strong protocol.
>>>>
>>>> Farth Vader
Re: [Full-disclosure] Linksys Routers still Vulnerable to Wps vulnerability.
On Sat, Feb 11, 2012 at 2:23 PM, wrote:
> _
> "Use Tomato-USB OS on them."
> _
>
> Besides you void warranty...
> list of DD-WRT Supported routers:
>
> E1000         supported
> E1000 v2      supported
> E1000 v2.1    supported
> E1200 v1      ???
> E1200 v2      ???
> E1500         ???
> E1550         ???
> E2000         supported
> E2100L        supported
> E2500         not supported
> E3000         supported
> E3200         supported
> E4200 v1      not supported yet
> E4200 v2      not supported
> M10
> M20
> M20 v2
> RE1000
> WAG120N       not supported
> WAG160N       not supported
> WAG160N v2    not supported
> WAG310G       not supported
> WAG320N       not supported
> WAG54G2       not supported
> WAP610N       not supported
> WRT110        not supported
> WRT120N       not supported
> WRT160N v1    supported
> WRT160N v2    not supported
> WRT160N v3    supported
> WRT160NL      supported
> WRT310N v1    supported
> WRT310N v2    not supported yet
> WRT320N       supported
> WRT400N       supported
> WRT54G2 v1    supported
> WRT54G2 v1.3  supported
> WRT54G2 v1.5  not supported
> WRT54GS2 v1   supported
> WRT610N v1    supported
> WRT610N v2    supported
> X2000         not supported
> X2000 v2      not supported
> X3000         not supported.
>
> _
>
> "Fixing? Heh.
>
> Aside from rate limiting WPS, there isn't much of a fix, and you can't turn
> it off either."
> _
>
> What about removing WuPS entirely?
>
> WuPS is a total failure because:
>
> 1. Even if everything is fine 8 digits long is very weak because once you got
> the pin after 7 month - 2 years for example, you are completely pwned.

I can't see someone sitting outside my house for 7 months let alone 2
years trying to get my PIN for my router.

> 2. Pin number is fixed you can't change it to a longer number or maybe a
> string like "omgponnies"

A valid point and easy security improvement

> 3. Setting up a WPA2 password manually it's a piece of cake (even with keypad
> only cell phones), if some people are lazy, you don't have to weakening the
> security of a strong protocol.

People are lazy by default and I see it honestly as their fault for
not taking simple precautions or god forbid reading up a bit.

> Farth Vader
Re: [Full-disclosure] Linksys Routers still Vulnerable to Wps vulnerability.
They should at least consider providing an option to disable the static pin
only or disable it after an hour if the feature is activated by the user.

Seems to be something that could be included in a future firmware update.

For a vendor to provide another mechanism for a user to get remotely hacked
(within wireless TX/RX range) and not address it in a reasonable amount of
time, exposes the less technical user, who it was intended to help in the
first place.

It would be interesting to see if this feature went through a technical
security risk assessment and if so, how the static pin was rationalised for
public release.

I setup an isolated vulnerable device and had attack traffic within 2 days
of it being activated. I did make the SSID very attractive, but the war
drivers are certainly getting out of the house again.

Thanks
Derek

On 13/02/2012, at 1:47, Rob Fuller wrote:

> I've tested 6 models of Linksys, all of them appear to disable WPS
> completely as soon as a single wireless setting is set. I assume this
> would be the reason Cisco/Linksys aren't putting much stock in
> 'fixing' it further. If anyone has any experience to contradict this
> or have a modification to current tools to circumvent what I've
> perceived as disabled, I, as I'm sure Craig, would be very interested.
>
> --
> Rob Fuller | Mubix
> Certified Checkbox Unchecker
> Room362.com | Hak5.org
>
> On Sat, Feb 11, 2012 at 4:23 PM, wrote:
>> _
>> "Use Tomato-USB OS on them."
>> _
>>
>> Besides you void warranty...
>> list of DD-WRT Supported routers:
>>
>> E1000         supported
>> E1000 v2      supported
>> E1000 v2.1    supported
>> E1200 v1      ???
>> E1200 v2      ???
>> E1500         ???
>> E1550         ???
>> E2000         supported
>> E2100L        supported
>> E2500         not supported
>> E3000         supported
>> E3200         supported
>> E4200 v1      not supported yet
>> E4200 v2      not supported
>> M10
>> M20
>> M20 v2
>> RE1000
>> WAG120N       not supported
>> WAG160N       not supported
>> WAG160N v2    not supported
>> WAG310G       not supported
>> WAG320N       not supported
>> WAG54G2       not supported
>> WAP610N       not supported
>> WRT110        not supported
>> WRT120N       not supported
>> WRT160N v1    supported
>> WRT160N v2    not supported
>> WRT160N v3    supported
>> WRT160NL      supported
>> WRT310N v1    supported
>> WRT310N v2    not supported yet
>> WRT320N       supported
>> WRT400N       supported
>> WRT54G2 v1    supported
>> WRT54G2 v1.3  supported
>> WRT54G2 v1.5  not supported
>> WRT54GS2 v1   supported
>> WRT610N v1    supported
>> WRT610N v2    supported
>> X2000         not supported
>> X2000 v2      not supported
>> X3000         not supported.
>>
>> _
>>
>> "Fixing? Heh.
>>
>> Aside from rate limiting WPS, there isn't much of a fix, and you can't turn
>> it off either."
>> _
>>
>> What about removing WuPS entirely?
>>
>> WuPS is a total failure because:
>>
>> 1. Even if everything is fine 8 digits long is very weak because once you
>> got the pin after 7 month - 2 years for example, you are completely pwned.
>>
>> 2. Pin number is fixed you can't change it to a longer number or maybe a
>> string like "omgponnies"
>>
>> 3. Setting up a WPA2 password manually it's a piece of cake (even with
>> keypad only cell phones), if some people are lazy, you don't have to
>> weakening the security of a strong protocol.
>>
>> Farth Vader
Re: [Full-disclosure] Linksys Routers still Vulnerable to Wps vulnerability.
Interesting. Do you know if they stop advertising WPS support after they disable it?

On Sun, Feb 12, 2012 at 10:11 AM, Rob Fuller wrote:

> I've tested 6 models of Linksys, all of them appear to disable WPS
> completely as soon as a single wireless setting is set. I assume this
> would be the reason Cisco/Linksys aren't putting much stock in
> 'fixing' it further. If anyone has any experience to contradict this
> or has a modification to current tools to circumvent what I've
> perceived as disabled, I, as I'm sure Craig, would be very interested.
>
> --
> Rob Fuller | Mubix
> Certified Checkbox Unchecker
> Room362.com | Hak5.org
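The question above (does an AP stop advertising WPS once it is disabled?) can be checked on your own equipment by diffing two saved scans. The following is an added example, not code from any poster in this thread: the scan text is constructed, it assumes the layout printed by `iw dev <ifname> scan`, and the function names are hypothetical.

```python
import re

# Constructed samples in the layout of `iw dev <ifname> scan`; BSSIDs and SSIDs are made up.
SCAN_BEFORE = """\
BSS 02:00:00:aa:bb:01(on wlan0)
\tfreq: 2437
\tSSID: lab-linksys
\tRSN:\t * Version: 1
\t\t * Group cipher: CCMP
\tWPS:\t * Version: 1.0
\t\t * Wi-Fi Protected Setup State: 2 (Configured)
\t\t * Config methods: Label, Display, PBC
BSS 02:00:00:aa:bb:02(on wlan0)
\tfreq: 2462
\tSSID: lab-netgear
\tWPS:\t * Version: 1.0
\t\t * Wi-Fi Protected Setup State: 2 (Configured)
\t\t * Config methods: Label, PBC
\t\t * AP setup locked: 0x01
"""
# Rescan after WPS was switched off in both admin interfaces (constructed).
SCAN_AFTER = """\
BSS 02:00:00:aa:bb:01(on wlan0)
\tfreq: 2437
\tSSID: lab-linksys
\tWPS:\t * Version: 1.0
\t\t * Wi-Fi Protected Setup State: 2 (Configured)
\t\t * Config methods: Label, Display, PBC
BSS 02:00:00:aa:bb:02(on wlan0)
\tfreq: 2462
\tSSID: lab-netgear
\tRSN:\t * Version: 1
\t\t * Group cipher: CCMP
"""

BSS_RE = re.compile(r"^BSS ([0-9a-f:]{17})")
SECTION_RE = re.compile(r"^\s+([^:*]+):\s+\* (.+)$")   # "WPS:   * Version: 1.0"
FIELD_RE = re.compile(r"^\s+\* (.+)$")                 # "   * Config methods: ..."

def parse_scan(text):
    """Return {bssid: {"ssid": str|None, "wps": dict|None}} from scan text."""
    aps, cur, section = {}, None, None
    for line in text.splitlines():
        m = BSS_RE.match(line)
        if m:
            cur = aps.setdefault(m.group(1), {"ssid": None, "wps": None})
            section = None
            continue
        if cur is None:
            continue
        m = SECTION_RE.match(line)
        if m:
            section, field = m.group(1).strip(), m.group(2)
        else:
            m = FIELD_RE.match(line)
            if not (m and section):
                # Plain "key: value" line: it ends any element block.
                section = None
                if line.strip().startswith("SSID:"):
                    cur["ssid"] = line.split(":", 1)[1].strip()
                continue
            field = m.group(1)
        if section == "WPS":
            if cur["wps"] is None:
                cur["wps"] = {}
            key, _, value = field.partition(":")
            cur["wps"][key.strip()] = value.strip()
    return aps

def wps_status(ap):
    """Classify what the AP advertises; this says nothing about whether it answers."""
    wps = ap["wps"]
    if wps is None:
        return "not advertised"
    if wps.get("AP setup locked", "0x00") != "0x00":
        return "advertised, setup locked"
    return "advertised"

def retest_report(before, after):
    """For each AP that advertised WPS before the change, give its status after."""
    old, new = parse_scan(before), parse_scan(after)
    report = {}
    for bssid, ap in old.items():
        if ap["wps"] is None:
            continue
        now = new.get(bssid)
        report[bssid] = "not seen in rescan" if now is None else wps_status(now)
    return report

if __name__ == "__main__":
    for bssid, status in retest_report(SCAN_BEFORE, SCAN_AFTER).items():
        print(bssid, status)
```

A result of "not advertised" only shows that the WPS element left the beacon; whether the AP still answers WPS exchanges is the separate retest discussed in this thread.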
Re: [Full-disclosure] Linksys Routers still Vulnerable to Wps vulnerability.
I've tested 6 models of Linksys, all of them appear to disable WPS completely as soon as a single wireless setting is set. I assume this would be the reason Cisco/Linksys aren't putting much stock in 'fixing' it further. If anyone has any experience to contradict this or has a modification to current tools to circumvent what I've perceived as disabled, I, as I'm sure Craig, would be very interested.

--
Rob Fuller | Mubix
Certified Checkbox Unchecker
Room362.com | Hak5.org
Re: [Full-disclosure] Linksys Routers still Vulnerable to Wps vulnerability.
_
"Use Tomato-USB OS on them."
_

Besides you void warranty...
list of DD-WRT Supported routers:

E1000 supported
E1000 v2 supported
E1000 v2.1 supported
E1200 v1 ???
E1200 v2 ???
E1500 ???
E1550 ???
E2000 supported
E2100L supported
E2500 not supported
E3000 supported
E3200 supported
E4200 v1 not supported yet
E4200 v2 not supported
M10
M20
M20 v2
RE1000
WAG120N not supported
WAG160N not supported
WAG160N v2 not supported
WAG310G not supported
WAG320N not supported
WAG54G2 not supported
WAP610N not supported
WRT110 not supported
WRT120N not supported
WRT160N v1 supported
WRT160N v2 not supported
WRT160N v3 supported
WRT160NL supported
WRT310N v1 supported
WRT310N v2 not supported yet
WRT320N supported
WRT400N supported
WRT54G2 v1 supported
WRT54G2 v1.3 supported
WRT54G2 v1.5 not supported
WRT54GS2 v1 supported
WRT610N v1 supported
WRT610N v2 supported
X2000 not supported
X2000 v2 not supported
X3000 not supported.

_

"Fixing? Heh.

Aside from rate limiting WPS, there isn't much of a fix, and you can't turn it off either."
_

What about removing WuPS entirely?

WuPS is a total failure because:

1. Even if everything is fine 8 digits long is very weak because once you got the pin after 7 months - 2 years for example, you are completely pwned.

2. Pin number is fixed, you can't change it to a longer number or maybe a string like "omgponnies"

3. Setting up a WPA2 password manually is a piece of cake (even with keypad only cell phones), if some people are lazy, you don't have to weaken the security of a strong protocol.

Farth Vader
Re: [Full-disclosure] Linksys Routers still Vulnerable to Wps vulnerability.
On Fri, Feb 10, 2012 at 4:33 PM, wrote:

> On Fri, 10 Feb 2012 14:41:37 EST, Dan Kaminsky said:
>
> > According to the Reaver people, DD-WRT doesn't support WPS at all :)
>
> The sort of people that run DD-WRT probably consider that a feature, not a
> bug. ;)

If you've got the skill to install DD-WRT, you've got the skill to manually set up WPA2.

Note, by the way, the core concept of WPS (that setup should be easy) was absolutely correct, and we have hard data that it worked.
Re: [Full-disclosure] Linksys Routers still Vulnerable to Wps vulnerability.
On Fri, 10 Feb 2012 14:41:37 EST, Dan Kaminsky said:

> According to the Reaver people, DD-WRT doesn't support WPS at all :)

The sort of people that run DD-WRT probably consider that a feature, not a bug. ;)
Re: [Full-disclosure] Linksys Routers still Vulnerable to Wps vulnerability.
Waidaminnit... Didn't you try to sell me a belkin the other day? Conflict of interest there

Sent from my BlackBerry® wireless device

-Original Message-
From: valdis.kletni...@vt.edu
Sender: full-disclosure-boun...@lists.grok.org.uk
Date: Fri, 10 Feb 2012 11:06:49
To:
Cc:
Subject: Re: [Full-disclosure] Linksys Routers still Vulnerable to Wps vulnerability.
Re: [Full-disclosure] Linksys Routers still Vulnerable to Wps vulnerability.
According to the Reaver people, DD-WRT doesn't support WPS at all :)

On Fri, Feb 10, 2012 at 2:00 PM, Zach C. wrote:

> Solution: use DD-WRT? Or is that vulnerable too? (Or are there worse
> problems? :))
Re: [Full-disclosure] Linksys Routers still Vulnerable to Wps vulnerability.
Solution: use DD-WRT? Or is that vulnerable too? (Or are there worse problems? :))

On Feb 10, 2012 10:12 AM, "Dan Kaminsky" wrote:

> "Fixing a vulnerability like this with all the bureaucratic, QA and legal
> process wouldn't take no more than 2 weeks"
>
> If bureaucratic, QA, and legal issues emerge, you can't even get the names
> of the people you need to speak to in less than 2 weeks, let alone schedule
> a conference call. Fixing? Heh.
>
> Aside from rate limiting WPS, there isn't much of a fix, and you can't
> turn it off either.
>
> Sent from my iPhone
Re: [Full-disclosure] Linksys Routers still Vulnerable to Wps vulnerability.
"Fixing a vulnerability like this with all the bureaucratic, QA and legal process wouldn't take no more than 2 weeks"

If bureaucratic, QA, and legal issues emerge, you can't even get the names of the people you need to speak to in less than 2 weeks, let alone schedule a conference call. Fixing? Heh.

Aside from rate limiting WPS, there isn't much of a fix, and you can't turn it off either.

Sent from my iPhone
Re: [Full-disclosure] Linksys Routers still Vulnerable to Wps vulnerability.
On Fri, 10 Feb 2012 07:40:03 GMT, farthva...@hush.ai said:

> Don't buy Linksys Routers they are vulnerable to Wifi unProtected
> Setup Pin registrar Brute force attack.

Nice sound bite there. So tell us - what alternative brand should we buy instead? Include in your discussion a proof that the alternative doesn't have other, even worse, security issues.
Re: [Full-disclosure] Linksys Routers still Vulnerable to Wps vulnerability.
Use Tomato-USB OS on them.

A.

On Fri, 10 Feb 2012 07:40:03 +, farthva...@hush.ai wrote:

Don't buy Linksys Routers they are vulnerable to Wifi unProtected Setup Pin registrar Brute force attack.
No patch or workaround exists at the making of this post.

Vulnerable list and alleged patch availability:
source: http://www6.nohold.net/Cisco2/ukp.aspx?vw=1&articleid=25154 [1]

E1000 To Be Disclosed (aka we don't have idea)
E1000 v2 To Be Disclosed
E1000 v2.1 To Be Disclosed
E1200 v1 early March
E1200 v2 early March
E1500 early March
E1550 mid March
E2000 To Be Disclosed
E2100L mid March
E2500 early March
E3000 To Be Disclosed
E3200 early March
E4200 v1 early March
E4200 v2 To Be Disclosed
M10 To Be Disclosed
M20 To Be Disclosed
M20 v2 To Be Disclosed
RE1000 early March
WAG120N To Be Disclosed
WAG160N To Be Disclosed
WAG160N v2 To Be Disclosed
WAG310G To Be Disclosed
WAG320N To Be Disclosed
WAG54G2 To Be Disclosed
WAP610N To Be Disclosed
WRT110 To Be Disclosed
WRT120N To Be Disclosed
WRT160N v1 To Be Disclosed
WRT160N v2 To Be Disclosed
WRT160N v3 To Be Disclosed
WRT160NL To Be Disclosed
WRT310N v1 To Be Disclosed
WRT310N v2 To Be Disclosed
WRT320N To Be Disclosed
WRT400N To Be Disclosed
WRT54G2 v1 To Be Disclosed
WRT54G2 v1.3 To Be Disclosed
WRT54G2 v1.5 To Be Disclosed
WRT54GS2 v1 To Be Disclosed
WRT610N v1 To Be Disclosed
WRT610N v2 To Be Disclosed
X2000 To Be Disclosed
X2000 v2 To Be Disclosed
X3000 To Be Disclosed

The question is why a big company like Cisco/Linksys didn't release a patch since almost 1 month and a half?

Well, I have circumstantial evidence that Cisco outsources some of their Linksys firmware routers to other companies (Arcadyan for example.) In some cases source code is only available through NDAs or not available at all. That's why they are taking so long to release a fix to the WPS vulnerability. Fixing a vulnerability like this with all the bureaucratic, QA and legal process wouldn't take no more than 2 weeks. I found some GPL violations by the way but this is beyond the scope of this message (obfuscating firmware is useless, you know).

I apologize if I offended someone but IT security is serious business, especially if someone uses your wifi to commit crimes.
This vulnerability contains public and very easy to use exploit code, it's not a Denial of Service.

Farth Vader.

Links:
--
[1] http://www6.nohold.net/Cisco2/ukp.aspx?vw=1&articleid=25154