TalkTalk DSL-3680 WPS security vulnerability

Discussion in 'Broadband' started by Masta Ace, Dec 20, 2014.

  1. Masta Ace

    Masta Ace Guest

    It's not Reaver this time.

    The hack tool Dumpper is able to obtain the TalkTalk DSL-3680 WPS PIN in
    about one second. WPS PIN is enabled by default on the router, so once
    obtained full wi-fi access is granted.

    In addition, the default DSL-3680 SSID contains a set of hexadecimal
    characters. When the characters are converted to decimal, it reveals 7
    of the 8 digits of the WPS PIN. The final digit can of course just be
    gained by trial and error.

    Very poor wi-fi security on this router.
     
    Masta Ace, Dec 20, 2014
    #1

  2. Woody

    Woody Guest

    What is the underlying make - D-Link, Huawei, or some other?
     
    Woody, Dec 20, 2014
    #2

  3. Masta Ace

    Masta Ace Guest

    It's manufactured for TalkTalk by D-Link.
     
    Masta Ace, Dec 21, 2014
    #3
  4. grinch

    grinch Guest

    The fact that WPS is vulnerable has been around for a number of years. I
    turned it off on my internal AP about 4 years ago.
     
    grinch, Dec 21, 2014
    #4
  5. Likewise. I never use it, as it appears to be completely superfluous
    and therefore just something else to go wrong. Why anybody thinks that
    typing a PIN to get connected is any easier than typing a password to
    get connected is utterly beyond me.

    Rod.
     
    Roderick Stewart, Dec 21, 2014
    #5
  6. Masta Ace

    Masta Ace Guest

    Yup, I can confirm disabling WPS on the DSL-3680 makes the attack
    impossible. Sadly these routers in their default state, which probably
    number in the millions, have WPS enabled. I suspect the vast majority of
    TalkTalk customers will not go into "advanced" settings to disable it.
     
    Masta Ace, Dec 21, 2014
    #6
  7. Woody

    Woody Guest

    Yes and, er, no?

    The WPS method is (I think) really intended for connecting dumb
    items - like a wireless printer where, unless the user has
    the know-how to connect to the printer and set it up, it is
    impossible to enter a key be that text or PIN. Having been
    playing with such of late my belief is that the handshake
    should be printer initiated so removing a possible router
    access vulnerability.
     
    Woody, Dec 21, 2014
    #7
  8. Masta Ace

    Masta Ace Guest

    WPS exists in two variants, Push Button and PIN. From what I have seen,
    Push Button is pretty safe, and can exist separately from the PIN method
    (e.g. the latest Home Hubs).

    It's the PIN method of WPS that seems to be riddled with security holes.
    But the DSL-3680 goes one step further by broadcasting 7 of the 8 digits
    of the PIN in the SSID, which is just madness. It's no worse than a
    manufacturer making the default SSID the WPA key in reverse.
     
    Masta Ace, Dec 21, 2014
    #8
  9. You need more or less the same know-how to log in to a network printer
    via its IP address and password as you do to log in to a router,
    access point, bridge, backup drive or any other local network device.
    The fact that it's a printer shouldn't offer any additional obstacles.

    The additional complication of another system however, over and above
    the existing IP/username/password system is, IMHO, something that the
    inexperienced do not need. Automatics are fine until they go wrong,
    and then you're worse off than without them.

    Rod.
     
    Roderick Stewart, Dec 21, 2014
    #9
  10. You should be using a password that is way harder to type than a short
    PIN. I would recommend a minimum of 40 randomly chosen characters.
     
    Brian Gregory, Jan 1, 2015
    #10
  11. grinch

    grinch Guest

    Why you would still be using WPS is beyond me, see the below url for
    details. Note the original release date of this vulnerability was 2012:
    it (WPS) is susceptible to brute force attacks.

    https://www.us-cert.gov/ncas/alerts/TA12-006A
     
    grinch, Jan 1, 2015
    #11
  12. Masta Ace

    Masta Ace Guest

    Most newer WPS implementations will prevent further WPS PIN attempts
    after a few unsuccessful ones, which is at least something in respect to
    brute force attacks.

    It's unclear why Dumpper can get the WPS PIN for the DSL-3680 so
    quickly. I can only assume it's due to a default PIN which can be easily
    derived from other information the router broadcasts.

    Backed up of course by the fact that the DSL-3680 default SSID already
    contains 7 of the 8 required WPS PIN digits...
     
    Masta Ace, Jan 2, 2015
    #12
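    As an added illustration, not part of the thread, this quantifies the brute-force exposure behind grinch's US-CERT link and Masta Ace's lockout remark: TA12-006A notes that the 8-digit PIN is verified in two halves (first four digits, then three, with the eighth a checksum), so the search space is about 11,000 attempts rather than 10^8, and a lockout after a few failures only stretches the expected time. The per-attempt timing and lockout values are constructed assumptions, and the 40-character passphrase figure comes from Brian Gregory's suggestion above.

```python
import math

# Model of WPS PIN brute-force exposure, per US-CERT TA12-006A: the registrar
# confirms the first four digits and the next three separately (the eighth is
# a checksum), so the worst case is 10**4 + 10**3 attempts, not 10**8.
WPS_PIN_WORST_CASE_ATTEMPTS = 10**4 + 10**3


def pin_search_space() -> int:
    """Attempts needed to exhaust the PIN space when the halves are verified separately."""
    return WPS_PIN_WORST_CASE_ATTEMPTS


def secret_bits(length: int, alphabet_size: int) -> float:
    """Entropy in bits of a secret of `length` symbols drawn uniformly from `alphabet_size`."""
    return length * math.log2(alphabet_size)


def expected_attack_seconds(attempts_total: int, seconds_per_attempt: float,
                            lockout_after: int = 0,
                            lockout_seconds: float = 0.0) -> float:
    """Average time to find the PIN: half the space on average, plus lockout pauses.

    `lockout_after` models a router that pauses WPS for `lockout_seconds` after
    that many consecutive failed PIN attempts (a mitigation, not a fix)."""
    average_attempts = attempts_total // 2
    seconds = average_attempts * seconds_per_attempt
    if lockout_after > 0:
        seconds += (average_attempts // lockout_after) * lockout_seconds
    return seconds


def compare_exposures() -> dict:
    """Summarise PIN mode versus a long random passphrase, using constructed timings."""
    return {
        # raw 8-digit PIN, if it were verified as a whole
        "pin_bits_whole": secret_bits(8, 10),
        # effective strength once the halves are verified separately
        "pin_bits_split": math.log2(pin_search_space()),
        # 40 random printable-ASCII characters, as suggested in the thread
        "passphrase_bits_40": secret_bits(40, 95),
        # constructed assumption: 1 s per attempt, no lockout
        "no_lockout_s": expected_attack_seconds(pin_search_space(), 1.0),
        # constructed assumption: 60 s lockout after 3 consecutive failures
        "lockout_s": expected_attack_seconds(pin_search_space(), 1.0, 3, 60.0),
    }


if __name__ == "__main__":
    for name, value in compare_exposures().items():
        print(f"{name:20} {value:,.1f}")
```

Even with the lockout, the PIN mode stays at roughly 13 bits of effective strength, which is why the posts above recommend disabling it rather than relying on rate limiting.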
  13. I'm not still using it but I wish there was a more secure variation of
    it I could use. I'd be prepared to allow the network to be a little
    insecure for a couple of minutes to save typing the password into a new
    device.
     
    Brian Gregory, Jan 3, 2015
    #13
  14. I'm still puzzled. It would save you typing the password into a new
    device, but you'd have to type a PIN into the new device instead, so
    what would it really have saved you?

    Rod.
     
    Roderick Stewart, Jan 3, 2015
    #14
  15. grinch

    grinch Guest

    You type the password in once and that's it. I disabled WPS when the
    vuln came out and have not had any problems. You should be using
    WPA2-PSK as a minimum.

    Remember, if hackers, paedophiles and other miscreants get in they will
    be using your IP address for their nefarious purposes, and you are
    guilty until proven innocent, in the eyes of public opinion.

    Not wishing to be overly dramatic, this sort of thing has ended very
    badly for innocent people in the past, no smoke without fire etc.
     
    grinch, Jan 3, 2015
    #15
  16. Andy Burns

    Andy Burns Guest

    WPS PIN is one method, but there is WPS push-button mode too, where you
    prod the router and for a short period of time it will accept a
    connection from a new device with no pin/password - I suppose the theory
    is the chance of the bad guy being sat waiting within range for the 60
    seconds(?) you're "open" is seen as negligible?
     
    Andy Burns, Jan 3, 2015
    #16
  17. Wouldn't pressing a button and typing an 8 character numeric PIN be
    easier than entering a 40+ character pass phrase?
     
    Brian Gregory, Jan 5, 2015
    #17
  18. It doesn't have to be 40+ characters. Of course the longer it is the
    more secure it is, but I'd be surprised if many that bother to use
    wireless security at all actually use anything longer than the name of
    their child, pet, girlfriend, place of birth or favourite football
    team. Even if any of these are longer than 8 characters, they're
    probably easier to remember than somebody else's choice of 8 random
    numerical digits. And you don't even need to press any buttons.

    From the user's point of view, whether you have to type a PIN or a
    password, it's just something you have to type to make it work, so it
    hardly makes a difference which one you use, but from a technical
    point of view, WPS is another layer of complication on top of
    something that works perfectly well without it, so what's the point?

    Rod.
     
    Roderick Stewart, Jan 5, 2015
    #18
