WiFi Protected Setup (WPS): TURN IT OFF RIGHT NOW!

[joeekaitis]

Even if you've cloaked the network name (SSID) of your WiFi router, cranked the security all the way up to WPA2-PSK with AES cipher and have a pre-shared key (password) that's so obscure a supercomputer couldn't crack it in a dozen centuries, there might still be a security hole.

It's called WPS (WiFi Protected Setup). Some makers call it Pushbutton Wireless or some other user-friendly name. It's usually enabled by default because it's meant to simplify adding wireless users to your network. Since it's protected by an 8-digit password, it can yield to a brute force attack in as little as 8 hours. Once inside your router via WPS, a hacker can do anything any other user can do.

Log into your router's wireless setup screen, find the page for WPS and turn it off! When a friend brings over a laptop, enter the WiFi connection information yourself and delete it before your friend leaves.

Even worse, recent Cisco/Linksys routers have a bug that keeps WPS enabled even if you turn it off in the setup screen. If you have one of those, get the latest firmware update.

http://techlogon.com/2012/01/04/wps-security-flaw-may-put-your-wi-fi-network-at-risk/

 

[retropia]

I checked our router, and yes, WPS was enabled, so I disabled it. However, we use WEP for our key, which may be even easier to hack than WPS, LOL!

 

[joeekaitis]

$25 will get you a WiFi router with the latest, greatest security.

http://www.monoprice.com/products/p...=10521&cs_id=1052102&p_id=8070&seq=1&format=2

 

[mark_wpduet]

Mine says under security mode- WPA/WPA2 Personal (PSK)

Under Authentication it says -WPA-PSK+WPA2-PSK

 

[westie2]

Mine is like Marks above.

 

[lordkenmore]

"However, we use WEP for our key, which may be even easier to hack than WPS, LOL!"

WEP's day has definitely passed. It can apparently quite easily be cracked. I don't do wi-fi (it's pointless, since I don't have a laptop, tablet, or other portable device). But if I did use wi-fi, I'd avoid WEP...at least for the Internet connection I pay for.

The only time I'd make an exception to this rule if if I wanted WEP so I could play with old hardware that only works with WEP. In that case, I'd probably only run WEP when actively using it.

 

[joeekaitis]

The newly discovered security hole is in WiFi Protected Setup, highlighted in yellow. Do whatever it takes to turn it off and never, ever use it.

Update the firmware in the router just to be safe, especially newer Linksys routers.

[this post was last edited: 1/21/2012-22:59]

 

[sudsmaster]

Sorry, not clear here.

Is WPS the same as WPA2-PSK (Wi-Fi Protected Access 2 with Pre-Shared Key)?

My Netgear router doesn't have "WPS".

 

[retropia]

I purchased and installed a new router last June, so it's got the latest security options. However, now that everything is running and working, I'm hesitant to make any major changes. It's such a pain to get all of our devices connected, because they're all slightly different.

 

[joeekaitis]

" Is WPS the same as WPA2-PSK (Wi-Fi Protected Access 2

WPS isn't a security setting. It's a feature intended to simplify adding wireless clients.

Look for a button on the router with the double-arrow symbol in the logo below or that's labelled something like "One Touch WiFi". If the router doesn't have the button, it doesn't have WPS.

 

[joeekaitis]

"I purchased and installed a new router last June, so it

I know it might be a pain but you really should turn the security up to WPA2-PSK with AES cipher and go crazy with the SSID and PSK (password). Two easy to remember sentences make perfect SSIDs and PSKs. Heck, they can even be appliance related:

SSID: Preheat oven to 350 degrees F.

PSK: Frigidaire Division, General Motors.

According to the Password Haystacks calculator at www.grc.com, it would take the fastest supercomputer in a brute force attack 6.90 hundred billion trillion trillion centuries to crack the SSID and 9.26 billion trillion trillion trillion centuries to figure out the PSK, assuming the attacker had no reason to try an appliance-related series of phrases and sentences, i.e.: the attacker has no previous knowledge of you and your interests.



[this post was last edited: 1/22/2012-12:29]

http://https//www.grc.com/haystack.htm

 

[jasonl]

I've always hated that

This is one instance where "Automatic" isn't good. I always figured that "one button" install was a joke. Fortunately, my Westel dsl modem/router doesn't feature it. My previous Linksys did and that was the first thing I turned OFF when I secured the network.

 

[mark_wpduet]

I'm thoroughly confused:

In my Belkin router, it does have a push button on the router itself, but I don't think we've ever used it.

In the router interface, there is a section under "security" but there is another section under wi-fi protected setup (WPS) and it is enabled, so by disabling that, the router is now completely NOT secure? You have no security? Am I wrong? So it's better to disable it and have NO security at all as to have it enabled?

There are no other options for security other than WEP, Are you saying that WPA should be disabled and WEP enabled?

 

[joeekaitis]

WPS enabled: BAD. WPS disabled: GOOD!!

 

 

Leaving WPS enabled opens your router to attack.  Disable WPS.  It's called "Wi-Fi Protected Setup" but it's no protection at all.  That's why the picture in an earlier post shows it disabled.

 

Moving on to security, if all of your WiFi devices support WPA2-PSK, use it exclusively.  If not, use the most secure combination like WPA2-PSK with WPA-PSK.  The weakest device is the weakest link, meaning WEP should NEVER  be used.

 

Here are the most secure settings on a D-Link router.  The setup screens might be a little different on other routers, but it's like driving a car.  The knobs and switches are in different places on the dashboard.

 

 

[this post was last edited: 1/22/2012-18:40]

 

[mark_wpduet]

Here is what the security looks like on my interface.

 

[mark_wpduet]

Mine also has a firmware update to click on the interface........but NOTHING happens when you try to update it.

 

[joeekaitis]

"Here is what the security looks like on my interface.&#

And that's how it should look. The only thing more secure is WPA2-PSK but if you need the combo setting for compatibility, you're fine.

Belkin routers weren't mentioned as having the WPS flaw requiring a firmware update but you should still turn off WPS (not to be confused with WPA/WPA2). Sometimes the built-in firmware updater doesn't work and you have to visit the maker's website to manually download the latest firmware.

Just be sure to backup the current configuration so you can load it back in if the firmware update goes awry. It's rare but it happens.