How to log into your D-Link DIR-655 router to disable WPS:
- Fire up your browser and log into your router by entering its default URL: 192.168.0.1
- Click on the Advanced menu item at the top of the home page
- From the Advanced page's left nav, find and click on WI-FI PROTECTED SETUP
- Uncheck the Enable box
* * * * *
Yesterday I sent the following email query to D-Link tech support:
I just read an online article about a fatal security vulnerability in routers that support WPS (Wi-Fi Protected Setup). Since my D-Link DIR-655 is one such router, I'm writing to ask that you investigate this vulnerability in all of your WPS-supported routers and assure your customers either that they can and should turn off WPS via the web interface or that you are hard at work on firmware patches that will allow customers to turn off WPS via the web interface.I'm pretty anxious to hear what they have to say. I take Wi-Fi security seriously -- so seriously my WPA2 password comes from Steve Gibson's GRC.com website, which will generate a secure one for you of 63 random printable ASCII characters, 64 random hexadecimal alphanumeric characters, or 63 random alphanumeric characters. To learn that the length and randomness of my password doesn't matter -- that the backdoor exploits the super-simple WPS feature I've never bothered using -- is deeply troubling.
I read the article on Ars Technica here: http://arstechnica.com/business/news/2012/01/hands-on-hacking-wifi-protected-setup-with-reaver.ars
The article reports that the researchers who discovered this vulnerability -- one that makes it possible to crack any WPA/WPA2 password because it circumvents WPA/WPA2 to focus strictly on guessing the WPS PIN -- found that Linksys routers that allegedly permit users to turn off WPS via software were still vulnerable to the exploit. In other words, WPS was *still* enabled in these Linksys routers even though the software setting showed it was disabled.
I've disabled WPS in my D-Link router and I'm very keen to know whether I have indeed disabled it or whether I'm still vulnerable to this alarming exploit.
I'll let you know what I hear.
(In the meantime, I just visited Steve Gibson's Twitter account and one of his tweets includes a link to a "Waiting for the WPS Fix" piece on SmallNetBuilder.com. While it's already old news [the piece pubbed on 1/7], it does list a number of router vendors, including Buffalo, Cisco [which owns Linksys], D-Link, Netgear, TRENDnet, and ZyXel, and what they've said publicly about fixing the problem on their company's products. I'm afraid D-Link's response was pretty boilerplate.)
Update #1: Steve Gibson has also tweeted about an open Google Docs spreadsheet where router users who have tested their own router via the exploit can post vulnerability results. The spreadsheet currently reports that D-Link's DIR-655 router, which has WPS enabled by default, appears to be invulnerable to the current hack when its WPS functionality has been manually disabled. I did so yesterday as soon as I learned of the problem, so I'm much relieved to think that may be all I need to do. For those of you with a D-Link DIR-655 router, you may turn off WPS by logging into your router (its default URL is 192.168.0.1), clicking on the Advanced menu item at the top of the home page, and scanning the Advanced page's left nav until you spot and click on WI-FI PROTECTED SETUP. From that page uncheck the Enable box and that should do it. And thank you, Steve Gibson, for helping to keep laypeople like me secure from black hat hackers.
Update #2: Got a reply from D-link tech support this afternoon (1/11/2012). Here's what it says:
Your Case ID is [I've deleted this number for publication]
[Critical: Please do not change the subject line of your email when you reply. Leaving the subject line as it is will allow us to review your complete history and help us to better serve you.]
Date of Reply: 1/11/2012 10:52 AM
Our Product Management team is currently investigating the issue
To disable the WPS function on the router uncheck the Enable WPS box and saving settings.
Should you require further assistance with your D-Link products, please reply to this message, or call toll free at 877-453-5465.
Thank you for networking with D-Link .
D-Link Technical SupportSo: pretty much what I already knew. You'll note that Eric doesn't mention he realizes that I'd already stated in my original email that I'd done what he's now recommending: turn off WPS manually. And if he didn't read that far, you'll also note that he doesn't bother supplying step-by-step instructions for turned it off, which, since he works for tech support, would be preferable to the terse help he does give. Many D-Link customers likely won't know how to do what he's suggesting, and by failing to go into any detail he's guaranteeing that a portion of the company's user base will tie up its 800 number, get cranky on hold, and vow never again to buy a D-Link product. (Or maybe it's just me: 5 years ago I vowed never to buy another Linksys router after that company forced me to wait nearly 6 months to receive a $15 rebate check.)
Update #3: If you've read this far, you might like to check out my post on Securifi's Almond touch screen wireless router. Its touch screen allows you to set it up without touching a PC or a Mac, and its built-in wizard simplifies configuration so much you literally need no more than 2 1/2 minutes to turn it into a nice range extender for whatever wireless router you already have. (It's just as easy to set up as a wireless router, too.)