Grrrr... someone using my router.

I *thought* I knew how to secure it:

WPA2 only, ridiculously long passphrase, disactivate "Guest network", use
MAC-based access list.

He was spoofing the MAC of a PC that was at the time powered off.
Presumably he got it at some time previously. Using the router console log,
I could see occaisional packets coming back from the Internet and looked-up
a few of the IP#s. It seems that he was using various cloud compute
services, probably to break other people's passwords.

Since then, I have obviously changed the passphrase, as well as the SID
which I now do not "advertise", but after going through all the options on
the router console page (http://www.routerlogin.net), I cannot see anything
else that will make things any more secure.

Other than asking my daughter to come downstairs and turn off the "WPS"
button when she does not need Internet access, what else can I do?

Since then, I have done some reading. I have half a mind to find out what
frequencies are used by the various channels and build a triangulator or
three. (And some sort of "delivery" system using one of those radio-
controlled toy helicopters. Don't ask me what I want to deliver.)

 

You mean you're running with WPS enabled? That could be your problem.
You'll want to listen to "Security Now!" (http://www.grc.com/sn), podcasts
#335 and #337.

 

Which router are you using?

--
"The Hunam Tiger ant has been known to consume an entire meal before the
picnic guest arrive." --12th century Tang Dynasty proverb.
/\___/\ Ant(Dude) @ http://antfarm.ma.cx (Personal Web Site)
/ /\ /\ \ Ant's Quality Foraged Links: http://aqfl.net
| |o o| |
\ _ / If crediting, then use Ant nickname and AQFL URL/link.
( ) If e-mailing, then axe ANT from its address if needed.
A song is/was playing on this computer: Tiffany - Locomotion

 

Netgear WNR2000v2

 

I have disabled WEP. Perhaps that is what you mean?

I thought the WPS button turned on/off ALL wireless access. Here are the
help sections of the "Advanced Wireless Settings / WPS Settings" internal
console web page. All 3 options are checked. He probably knowns my PIN
already. Anyone capable of spoofing a MAC probably took note of it:

WPS Settings

Router's PIN

This is the PIN number you use on a registrar (e.g., from Network
Explorer on a Vista Windows PC) to configure the router's wireless
settings through WPS. You can also find the PIN on the router's product
label.

Disable Router's PIN

You can configure the router's wireless settings or add a wireless client
through WPS using the router's PIN only when the PIN is enabled. The
router's PIN can be disabled temporarily when the router detects
suspicious attempts to break into the router's wireless settings by using
the router's PIN through WPS. You can manually enable this function by
clearing the check box and clicking the Apply button.

Keep Existing Wireless Settings

This shows whether the router is in the WPS configured state.
If this option is not selected, adding a new wireless client will change
the router's wireless settings to an automatically generated random SSID
and security key. In addition, if this option is selected, some external
registrars (e.g., Network Explorer on Vista Windows) might not see the
router. Configuring basic wireless settings from the router's management
GUI selects this option automatically.



I might also consider blocking off most of the ports, I presume that my
daughter only needs http to do her homework.

 

Thanks much for the above. I now know that the "WPS" button does not
enable/disable access to the Internet from wireless clients. When you
press it, WPS is enabled for 2 minutes (during which time the button
flashes).

If you want to disable Internet access for wireless clients, it is done
by a separate entry on the virtual console.

The good news is that WPS is only enabled for 2 minutes at a time, and I
have NEVER used this feature. Instead, I always used the standard SSID +
passphrase to enable clients. I also use a MAC access list restricted to
the 2 devices I want to have access. So nobody else should have my PIN,
which is hard-coded into the router. In any case, it is only used by the
WPS setup procedure, which I have never used.

It looks like there is a way to crack a passphrase in a few minutes if
you know the SSID, which by default is broadcast in the clear. It takes a
fair bit of number crunching, and it looks as though my hacker was using
my connection to get introductory free IP-based credits from various
cloud-based compute services to do the computations to crack other
connections. (Using the console log, I could see the #IPS of the result
packets coming back to him from the Internet.) Probably he is far enough
away that his connection speed was too low to do anything else, like
downloading movies.

I have now disabled the broadcast of the SSID (and changed it and changed
the passphrase).

I also plan to check a bit closer for "connected devices" in the future,
because my local hacker friend probably took note of the MAC#s and he is
able to spoof a given MAC.

 

No. WPS. It's another security hole.

Nope, WPS is a security hole. Google it:
https://www.google.com/search?q=wps+security ... Even disabling it
doesn't mean it is disabled.
--
"... Our latest evil plan and create an army of giant ants to take over
the galaxy..." --Dark Helmet from Spaceballs: The Animated Series (S1 E3).
/\___/\ Ant(Dude) @ http://antfarm.ma.cx (Personal Web Site)
/ /\ /\ \ Ant's Quality Foraged Links: http://aqfl.net
| |o o| |
\ _ / If crediting, then use Ant nickname and AQFL URL/link.
( ) If e-mailing, then axe ANT from its address if needed.
A song is/was playing on this computer: The Asteroids Galaxy Tour - The
Golden Age #1

 

If you listened to the podcasts, you would've found out:

- WPS has a vulnerability. Brute forcing the PIN only requires an evil
listener of your radio traffic to capture a successful pairing and do so
ONLY once. Because PINs are static (they are, after all, printed on a
label on the access point), one successful pairing getting captured can
be brute forced offline (the attacker isn't slamming your access point
but recomputing hashes on their own host) and once the PIN gets
extracted then the evil listener can log on successfully the FIRST time
(so there is no lockout for N minutes after X failed attempts). The
vulnerability is in using a static PIN. Even if you go into your router
or access point to change its PIN (and if it lets the user change the
PIN since not all do), it is still *static* therafter. You won't be
changing the PIN for every transaction between your computer and the
access point. The original protocol was [supposed] to be designed so
the PIN was used only *once* per transaction. That's not how the WiFi
Alliance implemented WPS. They required only a static PIN which makes
it easy to guess. Another problem is that the PIN is only 8 digits
long. Think about it: how secure is 8 digits?

- WPS is not disabable on some access points or routers. The podcasts
named Linksys (Cisco) as a wifi device maker who, perhaps only for some
models, have an option to disable WPS but do NOT actually disable it.
Their firmware does not honor the user's choice to disable WPS. I don't
recall if it was just the Linksys line that had a bogus disable or if
others were mentioned.

- To be WiFi Alliance certified, wifi makers MUST have WPS enabled by
default. That means users must manually *disable* WPS. Well, we know
many users are lazy and ignorant (and prefer to remain that way) since
they don't even bother to read the manual or even go look at the config
screens of the router or even those for the software apps they use. How
many viewers will there be of these podcasts? How many will read tech
articles or news about the vulnerability? That's a very small
percentage of all users so there will be LOTS of vulnerable wifi routers
out there where WPS is enabled because it that way by default, plus some
of those that do hear about this vulnerability will be using routers
where they cannot disable WPS.

Oh yes, there may become available firmware updates to these routers
that disable WPS by default (and do so after the update flash as part of
a reset) but then again how many users of these WPS-capable wifi devices
are going to do the flash update or even know about it? WPS is one of
those "it's out there and we can't pull it back" screwups. It'll
probably be around 4 years before this problem goes away mostly because
that'll be when consumers get around to replacing their wifi devices -
unless this vulnerability gets LOTS of press coverage (and I don't mean
just the tech rags, either).

By the way, the WPS buttons does NOT turn off WPS. It initiates a
handshake session that remains open for around 2 minutes (so you can
dash off to the other end to start a WPS handshake session over there).
The button is like the ignition switch in your car: you turn it (to the
ignition position), your car starts, and you're supposed to release the
ignition switch. Both *start* something. They don't stop anything. To
disable WPS you *must* go into wifi device's web config settings to
disable it there.

That's only fixing the problem on the AP or router end. Now you have to
go to your computer and disable WPS there, too. You don't want EITHER
end to be using WPS. You don't want it to connect to the evil listener
who may have happened to capture a prior successful pairing. I believe
WPS showed up in Windows 7.

At this point, you need to disable WPS at all your wifi devices (access
points, routers, computers). Then go into the AP or router config and
change its PIN (if possible). Why? Because there are been instances
where hundreds (I've read thousands) of same-brand, same-model wifi
devices were assigned the same PIN (so you'd be sharing the same PIN
with lots of other users). Since shipping is in batches, users
purchasing from the same reseller would get wifi devices with the same
PIN and some percentage could end up being close enough to each other.

Listen to the podcasts this time to see how bad is the problem is with
WPS. Make sure if you disable WPS in your AP or router that it is a
brand and model that actually does let you disable WPS. Just changing
the option in the config screen doesn't mean that option actually works.

 

I did read the transcripts. (I posted a reply in another thread.)

Yes. The whole debacle shows again how expediency trumps accuracy.

I cannot see how to do this. I have gone through ALL the config options.

However, the help for the first 2 entries in the console are:

1 Setup Wizard

To get started:

Select Yes if you want to use the Smart Setup Wizard.
Select No to configure the router manually.

2 WPS stands for Wi-Fi Protected Setup. This is a process that lets you
add a wireless client to the network easily, without the need to
specifically configure the wireless settings such as SSID, security mode,
and passphrase.

You can select to add a wireless client using either the Push Button or
PIN Number method.

With the Push Button method, you complete the process by clicking a
button on the client (either a physical hardware button or a software
button on the client's utility GUI).

With the PIN Number method, you have to enter the client's PIN here. You
have to start the client WPS process at the same time. You can find the
client's PIN on the client's utility GUI.


I skipped over both of these and did all my config via the more
"complicated" SSID / passphrase / security mode config entries.

SO I am not sure if WPS is still enabled. It is a fairly recent (Netgear
WNR2000v2), so perhaps it does not have this vulnerability. OTOH, my
connection WAS hacked, but I was showing my SSID and allowing WPA or WPA2
instead of hiding SSID and forcing WPA2.

I will check up on this - thanks.

Sadly true. Perhaps we should white-hat an attack on a politician's home
router and use it to download animal p0rn.

I could not see this. Perhaps after I do a firmware upgrade.

I did (well, I read the transcripts; much faster), but thanks for your
comments. They did clear up a few minor misunderstandings.

 

http://www.downloads.netgear.com/files/GDC/WNR2000V2/WNR2000v2_UM_15JAN2010.pdf
page 2-19

 

I've looked through the manual linked above and don't see any way to
completely disable WPS. The closest I came was "Disable Router's PIN"
on page 2-17, but that apparently doesn't actually disable the
function.

I wonder if third party firmware would be an option for that device.
Some of them, like dd-wrt, seem to be able to completely disable WPS.

 

Download and run a program called Reaver. With that you'll be able to
infer whether WPS is active or not. Reaver is a tool for hacking WPS,
but a side benefit of using it on your own router is for peace of mind
in knowing for sure that WPS is not responding to wireless access
requests.

Broadcasting your SSID is better than hiding it. It lets others know
that a network is operating on that channel, hopefully helping them to
decide to move somewhere else. Even when you choose not to broadcast
it, many tools are available that will sniff it in seconds.

 

I could be wrong, but if that's what the podcast says it looks like
they're mixing two separate issues, aren't they? One issue involves
capturing a WPA handshake, then going offline to try to brute force
the password. That issue has nothing to do with WPS. The second issue
involves sending WPS PINs as fast as the router is willing to process
them, until the correct PIN is sent and the router opens its doors.

Note that the goal of the second vulnerability above isn't to discover
the PIN, exactly, but to use the PIN to discover the passphrase. You
then use the passphrase to connect as if you were an authorized user.

Regarding the 8 digits, it's even worse than it looks because the 8
digits are broken down into 3 groups: the first group is just 4
digits, the second group is 3 digits, and the last digit is by itself,
and may be a checksum, IIRC. By constructing the WPS standard the way
they did, with 4+3+1 digits, the total number of guesses is something
like 11,000, and on average you only have to guess half that many.

That part doesn't sound right. I'm under the impression that WPS only
has to be disabled at the router since that's the only device that's
listening, or should be listening, for inbound connection attempts.
Also, capturing a 4-way handshake is again mentioned above, and I
don't think that's part of the WPS vulnerability.

Agreed. I use Reaver to make sure the router is deaf and dumb to WPS
requests.

 

Yep, page 2-17 (not 2-19). It's the only mention I found in the manual
on disabling WPS.

"Disable Router¢s PIN. If the router¢s PIN is disabled, you cannot
configure the router¢s wireless settings with WPS."

If you cannot configure using WPS then it certainly seems that WPS is
disabled. If you cannot configure using WPS, why would you think it was
still enabled?

So how do you know it doesn't work? Do you have this router and tested?
Or did you look in the spreadsheet mentioned in the podcast (I don't
recall the URL) to see if it was one listed as showing a disable but it
was ignored, like they mention for some of the Linksys routers?

The podcasts mention DD-WRT and Tomato as alternative firmware code sets
to replace what's in the router. I've heard of DD-WRT but never delved
into it, and the podcast was the first I've heard of Tomato.

http://www.dd-wrt.com/ (offline when I tried)
http://en.wikipedia.org/wiki/Dd-wrt

http://www.polarcloud.com/tomato
http://en.wikipedia.org/wiki/Tomato_(firmware)

From my reading of forum posts, these alternative firmware let you
disable WPS. You need to make sure this firmware lists your particular
router as compatible; however, I see reports saying switching to these
alternative firmware can result in loss of functionality. I'd check
over at http://www.dslreports.com/forum/wsecurity to ask if either
incurs critical problems on the routers.

The following videos show Reaver Pro with its GUI used to hack into wifi
routers and shows how easy it is:


(no narration, music is loud, so mute speakers before playing)



My review of the podcasts is that the hacker only needs to capture *one*
successful pairing using WPS and then does the hash crunching offline on
their own host. When they come back, there is no fear of lockout (i.e.,
N failed connects results in X minutes of refusing further connects -
yet some routers don't even do this, anyway) because the first attempt
will succeed as the hacker has a correct PIN. So if you had WPS
enabled, and since you don't know if a hacker captured your prior
successful pairing(s), it seem you should not only disable WPS but also
change your PIN (which means it won't match the sticker on the unit).

 

Because the very next sentence reads, "However, if your settings are
already configured, you can still add WPS-enabled wireless clients."

I figure if WPS-enabled clients can still make connections to the
router, then WPS is still active and the only part that's disabled is
the PIN. That might be good enough, but I'm not sure.

The next sentences make it seem like the router is capable of
protecting itself against Reaver and it's cousins.

"The router might disable the PIN if it detects suspicious attempts to
break into your wireless settings; this can happen if the check box is
selected. You can enable the PIN by clearing the check box and
clicking Apply."

I don't have that router and haven't tested it. I was just going by
how I interpreted the manual and could well be wrong.

I ran Tomato in a WRT54G some years ago, for maybe 2 years or so. For
the last 4-5 years I've been running dd-wrt exclusively. I always
flash it before putting a box into service. I currently have 6
WRT54GL's scattered around the house, all running dd-wrt.

That last part is highly doubtful. What the alternative firmwares do
is offer tons MORE functionality.

As the two videos show, the WPS vulnerability isn't related to the
capability of capturing a WPA/WPA2 handshake and then doing an offline
dictionary attack against the captured handshake. Those are two
separate vulnerabilities, I believe. You've somehow mixed them
together into a single vulnerability.

 

Well, with it being ambiguous, I'd probably reset the router, not rely
on that setting, change the PIN to something other than the sticker, and
maybe even tape something over the WPS button or physically disable it
to ensure it didn't get accidentally used. They mention some Linksys
models cannot have WPS disabled so maybe Netgear is just as stupid.

I've read forum posts (DLSreports) where users that flashed to an
alternative firmwave resulted in one attenna disabled and other normal
functionality was lost, and that was for a router model listed as
compatible. They had to flash back to the original firmware. I don't
have reason to doubt those posters: all functionality worked with
original firmware, some lost with alternative firmware, regained when
reflashing back to original firmware.

The evil listener captures lots of over-the-air WPS sessions waiting for
a successful pairing acknowledged by one end of the communication.
Then, while offline, recomputes hashes to brute force out the PIN doing.

http://media.grc.com/sn/sn-337-lq.mp3
"How it works" starts at the 48:20 time mark.
"Here's the problem" starts at the 57:00 time mark.

http://en.wikipedia.org/wiki/Wi-Fi_Protected_Setup
"The flaw allows a remote attacker to recover the WPS PIN in a few hours
and, with it, the network's WPA/WPA2 pre-shared key."

"http://sviehb.files.wordpress.com/2011/12/viehboeck_wps.pdf"
PIN (page 3)
"This option is called wps_pin in wpa_cli"

So we have another vulnerability via WPS to exploit another. WPS is
using hashing to authenticate each endpoint without actually
transmitting the PIN (except within the hash) but after authentication
is granted it isn't like WPS continues working. WPS is the initial
handshaking which bypasses WPA/WPA2 handshaking. WPS sets up the
pre-shared key (PSK) mode at the endpoints so WPA/WPA2 takes over now
that it has that key. WPS is the automated pre-setup for WPA. Rather
than have you write down the PIN from one device and then walk over to
the other device (computer) to enter it, both of which are manual inputs
and prone to error, WPS lets you push a button to prepare one endpoint
so it waits for a pairing broadcast while you walk over to the other end
to push a [software] button to do the handshaking for you but
automatically (beyond having to push a button at each end).

You could go under your car's hood to pull out the fuse(s) for
non-startup components and short across the starter to start your car or
you can let the ignition switch do the pre-setup (disconnect
non-essential electrical components) and run the starter. WPS is just
doing the pre-setup for WPA: getting the PINs between the endpoints.
The problem is the short & permanent PIN is not secure when using WPS.

The shared-key WPA vulnerability is vulnerable to cracking if the
password phrase is short. Well, the same is true of using a short PIN
when using WPS to get that PIN (recognized through hashing) known to the
other endpoint. The PINs are 7 digits long with the 8th being a
checksum. Short PINs and short passphrases are insecure but even short
7-character passphrases have a far greater number of combinations than
7-digit PINs: 78 billion versus 10 million. The podcasts and forum
posts indicate it may take up to 10 hours to hack out the PIN from the
captured WPS hashes. That means the hack tools are recomputing 278
hashes per second which doesn't seem impossible or even improbable.
That same brute method on 7 alphanum characters would take 10 hours
times 7836 (the difference in values for 7 digits versus 7 alphanum
chars) or 8.9 years. Part of the argument regarding WPS is its weak
8-digit (7 + checksum) PIN is way too insecure. THe other argument on
why WPS is bad is the reuse of a static PIN value which is trasmitted
over the air to be captured (in a hash) rather than using a different
(dynamic) one each time.

When you manually write down the PIN at one endpoint and then walk to
the other endpoint to manually input the PIN over there, it isn't in the
air to get captured so short length and permanence aren't as much a
problem on hacking with that scenario (although it is still recommended
to use a long passphrase instead of a short one). Without permanence,
the bruted out PIN would be of time-limted value to the hacker. The
next WPS handshake with a different (dynamic) PIN would mean the hacker
has to recompute all those hashes again for another 8-10 hours. Hackers
don't like targets that move faster than they can aim. It'd be easier
to find a nearby wifi hotspot. With a much longer PIN length, it would
take too long for the hacker to brute out the PIN from the captured
hashes. With long dynamic PINs, the window of vulnerability is too
short for the hackers to bother. Twould be far easier to tap into your
cable at the pole or doghouse to "borrow" your bandwidth rather than try
to tap into the router or AP.

 

WPS gets the PINs transferred between the endpoints. This is to
automate the process where you used to manually write down the PIN and
walk to the other endpoint to enter it: a manual and error prone
process. Then WPA kicked in because now it had a shared key. Pushing
a WPS button was for convenience to get the PIN to the other end
without error-prone manual input and without having to do the walking.
It does not supplant WPA.

When running Reaver Pro, it only needs to capture one successful
pairing. After that, the hash recomputing happens offline. Your
router or AP is not getting flooded with WPS requests. Once Reaver
records your pairing, it isn't scanning anymore and certainly not
transmitting. You click the button to hack out the PIN which is done
offline. Sometime later, like 8-10 hours, and after Reaver is done,
you then tell it to connect using the discovered PIN. The listening is
passive. Your router won't know about it. The only record you'll have
(at a minimum) is when the hacker comes back with the discovered PIN.
One WPS 10 hours later is hardly anything your router or AP will alert
on regarding a flood of connection requests.

Nope, it only takes the evil listener to capture ONE successful pairing
between the endpoints to have all the data it needs to brute out the
PIN from the hash while offline. Then the hacker, after getting a
successful rehash, comes back and does the WPS connect request just
*once*. Yep, just once. That's because he now has the correct PIN.
There is no lockout (not available in all routers or APs) where N
failed attempts result in having to wait X minutes before the next
request is accepted. There was no failed request. They have your PIN
already. That was done offline. They aren't slamming your routing
with repeated WPS broadcasts.

True if you're only interested in your router not accepting evil WPS
requests from the hacker. But don't you want to prevent your computer
from also not connecting to the evil listener? I'm haven't thought out
the scenario yet but I'm sure there's one where the user goes into
Windows 7 and starts the WPS wizard and the evil listener with the same
PIN as for the router or AP will intercept the broadcast. Remember
that the PIN is permanent (for now) at the router and AP. It doesn't
change. Even if you go into its web config to change the PIN, it's
still permanent after that point. You push the WPS button on the
router or AP but the evil listener will also acknowledge the WPS
session started at your computer and pretend it's your router or AP.
You've got 2 listeners with the same PIN vying to establish the
handshake and establish a connection. Well, I bet the hacker might use
a stronger signal to swamp out yours. In fact, from what I've seen of
videos showing how to use Reaver Pro, they recommend certain brands and
models because they have greater signal strength.

 

I seriously doubt those reports, but I don't know the details. I'm
primarily familiar with dd-wrt and Tomato, both of which have far more
to offer than any stock firmware, so it's possible that those posters
used something else. I feel very confident in saying, however, that it
was most likely some kind of user error. The popular alternative
firmwares have so many additional features and options that it's
probably easy for someone to get lost. For them, going back to the
stock firmware is a safe, but very limited, choice.

The Wikipedia link sums it up pretty well, and makes it clear that the
WPS vulnerability has nothing to do with the 'handshake and offline
attack' vulnerability. They are two separate vulnerabilities. Check
out the Security section.

Is the above text copied from somewhere, (perhaps the link I snipped)?
It's basically gobbledy-gook. Short WPS PIN? Every WPS PIN is the same
length: 8 digits, which breaks down into 4 digits, 3 digits, and 1
digit. Likewise the rubbish about short passphrases, within the
context of the WPS vulnerability. When attacking that specific
vulnerability, it doesn't matter how long or how gnarly the passphrase
is, because no matter what it is or how often it gets changed, the
router being attacked will happily cough it up anytime the attacker
asks for it.

Not true. Once you have the PIN, you have access to the passphrase, no
matter how long it is, how big and gnarly it is, or how often it gets
changed. The only time you don't have access to the passphrase is
during the window between the time it gets changed and the time the
correct PIN is attempted. That can be minutes or hours, depending on
several factors. Since most people don't change their router's WPS PIN
and WPA/WPA2 passphrase every few minutes, this remains an exploit
that can be taken advantage of.

No idea what any of that means, but I can tell you it has nothing to
do with the WPS vulnerability. It looks like it contains pieces of the
WPA/WPA2 bug, but that's not a clean fit either.

 

Correct. That part is well known.

Nope. Reaver (and it's Pro version) care not about pairing or
handshaking or whatever we should call it. That's not how Reaver
works.

Reaver does nothing offline. It's strictly an online tool. This seems
to be where you're jumping over to the WPA/WPA2 bug, but that bug has
nothing to do with WPS and Reaver.

On the contrary, Reaver works by sending WPS requests as fast as the
router will allow. With some routers and with good signal quality,
that can be about 1 per second. Other routers, or sub-optimal wireless
signal quality, can slow that way down to about 1 every 20 seconds. So
flooded isn't the right word, granted, but you'd have to be extremely
lucky to hit the right PIN on the very first attempt. There are about
11,000 possibilities, so you have a 1 in 11,000 chance of guessing it
the first time.

Nope, Reaver continues to guess PINs until the target router says it
has guessed correctly. When that happens, the router happily hands
over the passphrase, which Reaver displays in the clear. As you can
see, it doesn't matter how long or complicated the passphrase is since
the router is just going to cough it up the moment you guess the right
PIN.

You're not describing Reaver. Reaver does nothing offline. It's
strictly sending WPS requests with random PINs, hoping the router will
say yes to one of them. As soon as it does, Reaver stops sending
requests. It's work is done. Reaver never makes an actual connection
to the router. All it wants is the router's passphrase, which it gets
as soon as it guesses the right PIN. Once it gets it, Reaver's work is
done. There's no need for Reaver to connect to the router using the
discovered passphrase.

I have my doubts that even 11,000 failed WPS attempts would be
something the router's owner would be made aware of.

OK, you're describing the WPA/WPA2 bug. I'm talking about the WPS bug.
Two totally separate vulnerabilities, completely unrelated to one
another.

Yup, definitely not describing the WPS bug. I apologize for any part I
may have played in the confusion, but from the start I was trying to
keep the two issues separate since they are completely unrelated.

Agreed, that applies to the WPA/WPA2 bug. I was primarily trying to
discuss the WPS bug, though. Hence, my repeated mentioning of Reaver,
which only applies to the WPS bug.

I can't say that your scenario is impossible, but it seems pretty
stretched. After all, once you use WPS to get a host associated with
your router, you'll probably never have to do it again for that host,
so the scenario (at best) would only be valid for new hosts being
introduced to the wireless network. That isn't a frequent occurrence
in most households, so the hacker would have to be very patient with
his little honeypot. There's a lot more action to be had elsewhere, I
think, so I don't think it's anything to worry about. Besides, on a
Win 7 PC, unlike a wireless router, WPS isn't just sitting there
waiting for connection attempts. Not by default, anyway.

Reaver needs to associate with a router before it can start guessing
WPS PINs, so a good steady wireless signal is mandatory. Dropped
packets would stretch the hacking session way out. Crappy wireless
hardware means you have to be pretty close, physically, to your
target. Better equipment lets you attack from a greater distance.

 

Those aren't WPS sessions. They are WPA or WPA2 sessions. You can
precompute your own rainbow tables for popular SSIDs so that you can
brute force the passphrase almost instantly after capturing a WPA/WPA2
handshake. You can even purchase precomputed rainbow tables online, or
have a custom rainbow table built for you. Each SSID has it's own
rainbow table of possible hashes.

I listened to the section from about 42:00 to just after 72:00 and
during that time they only talked about the WPA/WPA2 vulnerability. No
mention was made of the WPS vulnerability. Is there another section
that I should listen to? I hate to commit to the whole 80-minute thing
because the guy talks so slowly and takes forever to make his points.
Not exactly an engaging speaker.