Wednesday, January 11, 2012

Is Your WPA/WPA2-enabled Wi-Fi Router Secure?

Quick Summary: If you're looking to secure your router against the WPS vulnerability, the best thing to do is log into your router's web-based setup and disable WPS immediately.  However, as of this writing a number of routers -- notably those manufactured by Linksys -- sport WPS configuration tools that claim to let you disable WPS but actually don't.  To find out if anyone has tested your router's WPS vulnerability (and noted its ability actually to be disabled via the device's software interface), check this crowdsourced Google Docs spreadsheet.  My router, the D-Link DIR-655, appears there and indicates that WPS can be disabled by logging into its setup screen and changing its WPS configuration.  Moreover, D-Link tech support confirms this procedure.  (See below.)  Note: per a recent Security Now! podcast, host Steve Gibson explains that the Wi-Fi Alliance requires that all Wi-Fi Alliance-certified WPS-capable routers have WPS enabled by default.  So even if you've never bothered using WPS you should still check its status via your router's setup interface.

How to log into your D-Link DIR-655 router to disable WPS:
  • Fire up your browser and log into your router by entering its default URL:
  • Click on the Advanced menu item at the top of the home page
  • From the Advanced page's left nav, find and click on WI-FI PROTECTED SETUP
  • Uncheck the Enable box
That should do it.  If you're a natural-born paranoic and still want to evaluate your router's vulnerability using the current exploit, you can learn more about it by clicking on the Ars Technica article link below.  Please be responsible and use the tool only to evaluate and correct your own router's vulnerability.  Thank you.

*     *     *     *     *

Yesterday I sent the following email query to D-Link tech support:
I just read an online article about a fatal security vulnerability in routers that support WPS (Wi-Fi Protected Setup).  Since my D-Link DIR-655 is one such router, I'm writing to ask that you investigate this vulnerability in all of your WPS-supported routers and assure your customers either that they can and should turn off WPS via the web interface or that you are hard at work on firmware patches that will allow customers to turn off WPS via the web interface.

I read the article on Ars Technica here:

The article reports that the researchers who discovered this vulnerability -- one that makes it possible to crack any WPA/WPA2 password because it circumvents WPA/WPA2 to focus strictly on guessing the WPS PIN -- found that Linksys routers that allegedly permit users to turn off WPS via software were still vulnerable to the exploit.  In other words, WPS was *still* enabled in these Linksys routers even though the software setting showed it was disabled.

I've disabled WPS in my D-Link router and I'm very keen to know whether I have indeed disabled it or whether I'm still vulnerable to this alarming exploit.

Thank you.
I'm pretty anxious to hear what they have to say.  I take Wi-Fi security seriously -- so seriously my WPA2 password comes from Steve Gibson's website, which will generate a secure one for you of 63 random printable ASCII characters, 64 random hexadecimal alphanumeric characters, or 63 random alphanumeric characters.  To learn that the length and randomness of my password doesn't matter -- that the backdoor exploits the super-simple WPS feature I've never bothered using -- is deeply troubling.

I'll let you know what I hear.

(In the meantime, I just visited Steve Gibson's Twitter account and one of his tweets includes a link to a "Waiting for the WPS Fix" piece on  While it's already old news [the piece pubbed on 1/7], it does list a number of router vendors, including Buffalo, Cisco [which owns Linksys], D-Link, Netgear, TRENDnet, and ZyXel, and what they've said publicly about fixing the problem on their company's products.  I'm afraid D-Link's response was pretty boilerplate.)

Update #1: Steve Gibson has also tweeted about an open Google Docs spreadsheet where router users who have tested their own router via the exploit can post vulnerability results.  The spreadsheet currently reports that D-Link's DIR-655 router, which has WPS enabled by default, appears to be invulnerable to the current hack when its WPS functionality has been manually disabled.  I did so yesterday as soon as I learned of the problem, so I'm much relieved to think that may be all I need to do.  For those of you with a D-Link DIR-655 router, you may turn off WPS by logging into your router (its default URL is, clicking on the Advanced menu item at the top of the home page, and scanning the Advanced page's left nav until you spot and click on WI-FI PROTECTED SETUP.  From that page uncheck the Enable box and that should do it.  And thank you, Steve Gibson, for helping to keep laypeople like me secure from black hat hackers.

Update #2: Got a reply from D-link tech support this afternoon (1/11/2012).  Here's what it says:
Dear Richard,
Your Case ID is [I've deleted this number for publication]
[Critical: Please do not change the subject line of your email when you reply. Leaving the subject line as it is will allow us to review your complete history and help us to better serve you.]
Date of Reply: 1/11/2012 10:52 AM
Products: DIR-655
Our Product Management team is  currently investigating the issue
To disable the WPS function on the router uncheck the Enable WPS box and saving settings.
Should you require further assistance with your D-Link products, please reply to this message, or call toll free at 877-453-5465.
Thank you for networking with D-Link .
Eric French
D-Link Technical Support
So: pretty much what I already knew.  You'll note that Eric doesn't mention he realizes that I'd already stated in my original email that I'd done what he's now recommending: turn off WPS manually.  And if he didn't read that far, you'll also note that he doesn't bother supplying step-by-step instructions for turned it off, which, since he works for tech support, would be preferable to the terse help he does give.  Many D-Link customers likely won't know how to do what he's suggesting, and by failing to go into any detail he's guaranteeing that a portion of the company's user base will tie up its 800 number, get cranky on hold, and vow never again to buy a D-Link product.  (Or maybe it's just me: 5 years ago I vowed never to buy another Linksys router after that company forced me to wait nearly 6 months to receive a $15 rebate check.)

Update #3: If you've read this far, you might like to check out my post on Securifi's Almond touch screen wireless router.  Its touch screen allows you to set it up without touching a PC or a Mac, and its built-in wizard simplifies configuration so much you literally need no more than 2 1/2 minutes to turn it into a nice range extender for whatever wireless router you already have.  (It's just as easy to set up as a wireless router, too.)

No comments:

Post a Comment