Control a DSL line via a switch?

Char Jackson

In addition to MAC address filtering I also have disabled SSID Broadcast
and use WPA2-PSK(AES) with a Pass Phrase.
If I may make a suggestion, disable the MAC filter and enable the SSID
broadcast. Neither buys you any real advantage.

While you're in there, disable the PIN feature of your router's
Wireless Protected Setup (WPS), or whatever your router manufacturer
calls it, assuming your router has the feature, of course. That
feature has been compromised, meaning it doesn't matter how long and
gnarly your WPA2-PSK passphrase is. If I can guess the (8 digit
numeric) PIN, the router will happily hand over the passphrase and I'm
in.
 
SC Tom

Char Jackson said:
If I may make a suggestion, disable the MAC filter and enable the SSID
broadcast. Neither buys you any real advantage.

While you're in there, disable the PIN feature of your router's
Wireless Protected Setup (WPS), or whatever your router manufacturer
calls it, assuming your router has the feature, of course. That
feature has been compromised, meaning it doesn't matter how long and
gnarly your WPA2-PSK passphrase is. If I can guess the (8 digit
numeric) PIN, the router will happily hand over the passphrase and I'm
in.
Is that the PIN that the Belkin's (and some others, I'm sure) use for admin
admittance? I've looked for that in my Netgear setup and can't seem to find
anything similar, other than the admin password to log into the router
settings. Of course I've changed that from the default :)
 
TLC

Is that the PIN that the Belkin's (and some others, I'm sure) use for
admin admittance? I've looked for that in my Netgear setup and can't
seem to find anything similar, other than the admin password to log into
the router settings. Of course I've changed that from the default :)
On my Netgear N300 web based router manager it's under:
Advanced
Wireless Setting
WPS Settings
Router's PIN
Disable Router's PIN
 
Char Jackson

Is that the PIN that the Belkin's (and some others, I'm sure) use for admin
admittance? I've looked for that in my Netgear setup and can't seem to find
anything similar, other than the admin password to log into the router
settings. Of course I've changed that from the default :)
No, it's different from the router's admin password. Most people are
familiar with the fact that the router has an admin password (which
many people never change from the default!) and the password or
passphrase required in order to connect wirelessly, but if the router
has WPS there will also be an 8 digit numeric PIN code. Some router
interfaces don't show you this PIN or allow you to change it.

Note that WPS can be called something different by every router
vendor. Linksys calls it Secure Easy Setup, for example.

Someone will correct my math, I'm sure, but an 8 digit number has
about 10 million possibilities and would take a while to guess. On
average, you'd have to guess about half that number, but it gets
better. As it turns out, the 8 digit PIN is really composed of a 4
digit PIN and a 3 digit PIN, with the trailing digit being a checksum,
and the router will provide indications when either half of the PIN is
correct, so in essence the max number of PIN attempts is something
like 10,000 for the first half and 1000 for the second half, for a
total of 11,000 possible attempts. Again, on average, you'll have to
do half of that, so expect to make about 5500 access attempts before
being successful. Experts say that can take about 4-6 hours. What
happens when you supply (or guess) the right PIN? Why, the router
simply hands over its wireless password/passphrase. As you can see,
the length of the password or passphrase doesn't matter in this
exploit.

Does that help? :)
 
Gene Wirchenko

[snip]
No, it's different from the router's admin password. Most people are
familiar with the fact that the router has an admin password (which
many people never change from the default!) and the password or
passphrase required in order to connect wirelessly, but if the router
has WPS there will also be an 8 digit numeric PIN code. Some router
interfaces don't show you this PIN or allow you to change it.

Note that WPS can be called something different by every router
vendor. Linksys calls it Secure Easy Setup, for example.

Someone will correct my math, I'm sure, but an 8 digit number has
What? Oh said:
about 10 million possibilities and would take a while to guess. On
100 million.
average, you'd have to guess about half that number, but it gets
better. As it turns out, the 8 digit PIN is really composed of a 4
digit PIN and a 3 digit PIN, with the trailing digit being a checksum,
and the router will provide indications when either half of the PIN is
correct, so in essence the max number of PIN attempts is something
like 10,000 for the first half and 1000 for the second half, for a
total of 11,000 possible attempts. Again, on average, you'll have to
If the router gives an indication if either is correct, would it
be possible to run two guesses at once, so it would be 10,000 guesses
maximum?

What happens if the checksum is wrong, or is that algorithm
freely available?
do half of that, so expect to make about 5500 access attempts before
5000.5 if my query above is based correctly.
being successful. Experts say that can take about 4-6 hours. What
happens when you supply (or guess) the right PIN? Why, the router
simply hands over its wireless password/passphrase. As you can see,
the length of the password or passphrase doesn't matter in this
exploit.

Does that help? :)
If you are the exploiter, it would.

Sincerely,

Gene Wirchenko
 
SC Tom

Char Jackson said:
No, it's different from the router's admin password. Most people are
familiar with the fact that the router has an admin password (which
many people never change from the default!) and the password or
passphrase required in order to connect wirelessly, but if the router
has WPS there will also be an 8 digit numeric PIN code. Some router
interfaces don't show you this PIN or allow you to change it.

Note that WPS can be called something different by every router
vendor. Linksys calls it Secure Easy Setup, for example.

Someone will correct my math, I'm sure, but an 8 digit number has
about 10 million possibilities and would take a while to guess. On
average, you'd have to guess about half that number, but it gets
better. As it turns out, the 8 digit PIN is really composed of a 4
digit PIN and a 3 digit PIN, with the trailing digit being a checksum,
and the router will provide indications when either half of the PIN is
correct, so in essence the max number of PIN attempts is something
like 10,000 for the first half and 1000 for the second half, for a
total of 11,000 possible attempts. Again, on average, you'll have to
do half of that, so expect to make about 5500 access attempts before
being successful. Experts say that can take about 4-6 hours. What
happens when you supply (or guess) the right PIN? Why, the router
simply hands over its wireless password/passphrase. As you can see,
the length of the password or passphrase doesn't matter in this
exploit.

Does that help? :)
Yep, it does. I don't appear to have it on mine (WGR614v9). I looked in the
area that TLC posted, but it's not there on mine. I looked through the
manual and every setting on the router, but found nothing that even mentions
a PIN. There's one on the bottom of the router itself, but I don't ever
recall having to use it for anything. Guess I have nothing to worry about on
that count :)
 
Char Jackson

Yep, it does. I don't appear to have it on mine (WGR614v9). I looked in the
area that TLC posted, but it's not there on mine. I looked through the
manual and every setting on the router, but found nothing that even mentions
a PIN. There's one on the bottom of the router itself, but I don't ever
recall having to use it for anything. Guess I have nothing to worry about on
that count :)
Sounds good. To others who may be reading, I would summarize by saying
you should probably disable the WPS function, if possible, especially
if you've already set up each of your wireless clients. Even if you
haven't, it's not that hard to set up clients the old-fashioned way,
by attempting to connect to the wireless network, getting prompted for
the passphrase, and entering it correctly.

I say 'disable, if possible' because testing has shown that certain
routers have a GUI option that supposedly disables WPS, but testing
the exploit reveals that it's not actually disabled! Reportedly, that
situation only applies to a small number of models and I don't have
the exact details handy.
 
Char Jackson

[snip]
Someone will correct my math, I'm sure, but an 8 digit number has
What? Oh said:
about 10 million possibilities and would take a while to guess. On
100 million.
You're right, of course.
If the router gives an indication if either is correct, would it
be possible to run two guesses at once, so it would be 10,000 guesses
maximum?
From what I've read, the max number is 11,000, so I assume the "two
guesses at once" thing doesn't work. I had considered that myself when
I first read about it.
What happens if the checksum is wrong, or is that algorithm
freely available?
I don't know.
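
An added example, not part of any post in this thread: the WPS check digit is computed with a public weighted-sum rule (the same calculation appears in open-source Wi-Fi client code), and the sketch below shows it next to the guess counts discussed above. The function names and the sample PIN are constructed for illustration.

```python
"""WPS PIN structure: check digit and the search-space sizes discussed above."""


def wps_checksum(body: int) -> int:
    """Return the check digit for the first seven digits of a WPS PIN.

    Digits are weighted 3,1,3,1,... starting from the rightmost digit of the
    body; the check digit brings the weighted sum up to a multiple of 10.
    """
    if not 0 <= body <= 9_999_999:
        raise ValueError("body must fit in seven decimal digits")
    accum = 0
    while body:
        accum += 3 * (body % 10)
        body //= 10
        accum += body % 10
        body //= 10
    return (10 - accum % 10) % 10


def is_valid_pin(pin: str) -> bool:
    """True if pin is eight ASCII digits whose last digit is the check digit."""
    if len(pin) != 8 or not (pin.isascii() and pin.isdigit()):
        return False
    return wps_checksum(int(pin[:7])) == int(pin[7])


def search_space() -> dict:
    """Worst-case and average guess counts for each model of the PIN."""
    first_half = 10 ** 4    # four free digits
    second_half = 10 ** 3   # three free digits; the eighth is computed
    return {
        "eight_free_digits": 10 ** 8,
        "checksum_only": 10 ** 7,   # last digit is determined by the other seven
        "halves_confirmed_separately": first_half + second_half,
        # mean position of the right value in a uniform 1..n search is (n + 1) / 2
        "average_with_split": (first_half + 1) / 2 + (second_half + 1) / 2,
    }


if __name__ == "__main__":
    print(is_valid_pin("12345670"))   # constructed sample PIN
    for name, count in search_space().items():
        print(f"{name}: {count:,}")
```

Because the check digit is derived from the other seven digits, it adds no secrecy of its own; the separately confirmed halves are what bring the count down to the thousands, which is why the advice in the thread is to turn the feature off rather than rely on the PIN's length.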
 
Brian Gregory [UK]

TLC said:
On my Netgear N300 web based router manager it's under:
Advanced
Wireless Setting
WPS Settings
Router's PIN
Disable Router's PIN

Disable all of WPS completely, not just the PIN. It's all poorly designed.
 
Brian Gregory [UK]

Char Jackson said:
No, it's different from the router's admin password. Most people are
familiar with the fact that the router has an admin password (which
many people never change from the default!) and the password or
passphrase required in order to connect wirelessly, but if the router
has WPS there will also be an 8 digit numeric PIN code. Some router
interfaces don't show you this PIN or allow you to change it.

Note that WPS can be called something different by every router
vendor. Linksys calls it Secure Easy Setup, for example.

Someone will correct my math, I'm sure, but an 8 digit number has
about 10 million possibilities and would take a while to guess. On
average, you'd have to guess about half that number, but it gets
better. As it turns out, the 8 digit PIN is really composed of a 4
digit PIN and a 3 digit PIN, with the trailing digit being a checksum,
and the router will provide indications when either half of the PIN is
correct, so in essence the max number of PIN attempts is something
like 10,000 for the first half and 1000 for the second half, for a
total of 11,000 possible attempts. Again, on average, you'll have to
do half of that, so expect to make about 5500 access attempts before
being successful. Experts say that can take about 4-6 hours. What
happens when you supply (or guess) the right PIN? Why, the router
simply hands over its wireless password/passphrase. As you can see,
the length of the password or passphrase doesn't matter in this
exploit.

Does that help? :)
Nice info about this here: http://www.grc.com/sn/sn-337.txt
and a bit more including corrections in amongst this:
http://www.grc.com/sn/sn-338.txt
 
