WPS Hack – What This Means To The Does And The Trolls

31 Aug 12 Update

Here are two a recent Arstechnica articles that relate to WiFi vulnerabilities.

How I cracked my neighbor’s WiFi password without breaking a sweat

Why passwords have never been weaker—and crackers have never been stronger

DTD 🙂

————————————————————————————————————

In case you didn’t see the recent news article or my previous post, but in the last part of 2011, a security research firm released a White Paper  detailing a vulnerability in the WiFi Protected Set-Up (WPS) feature available in a majority of Home / Small Office WiFi access points (AP).  According to the White Paper authors, they have known about this since the first part of 2011.  Note:  WPS has been in use since 2007.  A few days after the White Paper was released, another security research firm released the open source tool (Reaver) to exploit this vulnerability.  No MIT computer degree or expensive equipment is needed to exploit this vulnerability.  

For those of you who are not geeks, this may be a bit of, “OK, big deal.  Everything gets hack at one time or another.” 

What this means is since WPS came out (2007), any equipment (WiFi Firewall/Router, AP, etc.) that uses it, could have been hacked and abused by unknown personnel.  By hacking it, I’m talking about someone being able to connect to your WiFi connection and surfing the Internet.  This hack allows someone to get the WiFi Protected Access (WPA/WPA2) password/passphase.  It doesn’t matter if you passphrase is “&2385TrollsareStupid509%$”; the WPS vulnerability negates a super strong password/passphrase with a numeric PIN of ONLY 11,000 variations!

The open source tool, “Reaver,” allows a recovery of the WPA/WPA2 password/passphrase in under a day.            

Possible scenario: 

  1. John Doe purchases a wonderful new WiFi Fire Wall/Router (Model # E4200) and sets it up on his network.  He decides to use WPA2 and sets an access passphrase of “Python602Yarbles##!” (Nice and Strong).  The Doe has multiple systems on his network, so to make it a little bit easier, he uses WPS on the Firewall/Router. 
  2. WPS allows the Doe to connect those WPS enabled devices (to his network) by either pushing a couple of buttons (WiFi Firewall/Router & Device) OR by entering an 8 digit PIN.  The PIN is hard-coded into the WiFi/WPS enabled device (i.e. Wireless Network Interface Card).  The Does connects all his devices via WPS and by manually entering the WPA2 passphrase.  All is well and the Doe goes about with his life. 
  3. Along comes some nefarious person and decides to exploit this vulnerability.  I will allow you to come up with the background details on this person.  It could be the next-door neighbor, a hacker “War-Driving,” or someone using a directional antenna to obtain free Internet service from unsuspecting people.  This hacker runs Reaver against the Doe’s Firewall/Router and hours later is provided the WPA2 passphrase.  The Hacker then connects to the Does WiFi and starts up a BitTorrent session.  Lets see, how about a title like “Amateur Allure Jessie” and a few others?  The Hacker leaves the connection to the Doe’s network up until the movie download is complete OR keeps it active for a longer period.  If this activity is done by a neighbor, the connection can be for a long periods.  The Doe sees nothing unusual in his network connections and all appears well and good to him. 
  4. Next comes John Steele (now Prenda Law) and Peter Hansmeier trolling BitTottent and collects all the information it can on the “Public” IP addresses downloading/sharing “Amateur Allure Jessie,” during this time period.  One of the Public IP addresses they collect is assigned to this Doe.  Prenda Law files a Federal copyright Infringement case in Washington DC, and lists all the Public IP address that allegedly took part in this criminal action.  A subpoena is granted to Prenda to obtain all the ISP subscriber information for the Public IP addresses they collected.  The Does then receives the notice from his ISP, stating they will release his contact information unless he files a Motion to Quash with the court by a certain date.  Here is where most of us join this story in real life – “What the hell!?” 
  5. The Doe in this scenario decides calls his ISP and tries to get additional information.  His ISP tells him his Public IP address allegedly took part in illegal file sharing and is part of a Federal law suit.  The ISP also says he can call Prenda and try to resolve the issue.  The Doe decides to call Prenda and explain that he did not download any pornography – they are bound to understand this.  The Doe calls Prenda and tries to explain he did not do this; his explanation falls on deaf ears.  The Prenda representative tell the Doe that if he didn’t do it, then it was likely his loser kid living in the basement (John Steele comments).  The Prenda representative also tells the Doe that even if it wasn’t someone in his residence, he is still responsible for the activity that takes place on his network.  The Prenda representative graciously informs the Doe this can easily be handled out of the court (avoiding possible embarrassment and judgments of over $150K!) – Prenda Settlement Letter.  But this has to be done FAST, while the copyright owner still is willing to settle and not fight this out in court.  A simple payment of $3400 and signing a non-disclosure agreement will let you get your life back. 
  6. What happens from this point on varies with each Doe.  Some will pay the settlement fee while others will fight.  Lets say this Doe told Prenda to stick it where the sun doesn’t shine.  The Does goes into his Firewall/Router (once he finds where he wrote down the “Admin” password.  The Does accesses the Firewall/Router and stumbles around looking for anything to explain what is going on.  In the list of computers connecting to the network, he notes one system on the network that he doesn’t recognize.  This unknown system has a name of “Robby56-23,” internal IP address of 192.168.1.159, and a MAC Address c0:3f:0e:36:0a:a4.  The Doe is unsure if this is one of his systems, so he goes around to all the desktops, laptops, hand-held devices, smart phone, and the two game systems that access the network.  None of these devices have that system name or MAC address.  The Doe takes a screen shot of the Web page showing this rogue system, as well as saving it to a file, along with notes of his findings. 
  7. The documentation of any rogue systems on his network is a great piece of evidence for the Doe.  If Prenda ever pursues this to a deposition or actual trial, it raises serious doubt to who actually did this.  There is just a small problem, most of the Does do not find out their Public IP address is associated with a federal law suit until a significant time after the act allegedly took place.  This delay means that the Firewall/Router may no longer have a record of the rogue system.  These small office / home Firewall/Routers only keep a very limited logs. 

This scenario show why this WPS vulnerability and Hack are relevant to the Does.  Please understand that the Trolls are going to say that if you ran you WiFi connection “Open,” you are negligent and responsible for the activity that took place on it.  If you say you had it secured with WPA/WPA2, they will claim you or someone you allowed on your network did it.  This vulnerability/Hack clearly shows that even if you secure your network connection, there are going to be instances where it can be abused without your knowledge.  Lets also be honest – how many of us truly monitor our Internet connection if everything appears to be working as expected. 

Key Points:

  1. If you have an Internet Access Point that uses WPS, you may be vulnerable.
  2. This vulnerability goes back to the start of WPS, in 2007.     
  3. Even if you turned WPS off, you may still be vulnerable.  – To find out just how big the hole was, I downloaded and compiled Reaver for a bit of New Years geek fun. As it turns out, it’s a pretty big one—even with WPS allegedly turned off on a target router, I was able to get it to cough up the SSID and password. The only way to block the attack was to turn on Media Access Control (MAC) address filtering to block unwanted hardware.” – {http://arstechnica.com/business/news/2012/01/hands-on-hacking-wifi-protected-setup-with-reaver.ars}
  4. MAC filtering (Whitelisting) of systems authorized to connect to your network isn’t perfect.  Hackers already know how to sniff your wireless traffic, determine MAC addresses that are allowed on your network, spoof one of these MAC addresses, and knock an authorized user off your network and take his place.

DieTrollDie  🙂

About DieTrollDie

I'm one of the many 'John Does' (200,000+ & growing in the US) who Copyright Trolls have threatened with a civil law suit unless they are paid off. What is a Copyright Troll? Check out the Electronic Frontier Foundation link - http://www.eff.org/issues/copyright-trolls
This entry was posted in Uncategorized and tagged , , , , , , . Bookmark the permalink.

17 Responses to WPS Hack – What This Means To The Does And The Trolls

  1. AZFighter says:

    The bottom line: IP ≠ Individual. How can it when even the most secure connections can be breached in a matter of hours as shown in your article.

    “Please understand that the Trolls are going to say that if you ran you WiFi connection “Open,” you are negligent and responsible for the activity that took place on it.”

    If you don’t lock the doors to your car, someone steals it, and runs a person over is the car owner held responsible? Is a gun owner help responsible if someone breaks into your home, steals your gun that is not secured in a safe, and then commits a crime with it? What if someone steals an owners unsecured prescription drugs and then OD’s? Is the owner held responsible for the death? If the owner cannot be held responsible in the most egregious cases how can they in a simple copyright case?

    • CTVic says:

      Good points all. Not to mention the fact that >90% of technology consumers have no idea how it works! To properly configure a wireless network for maximum security, you practically need to have a college degree in IT – and DTD’s article says that even then, your level of security can easily be compromised!
      Locking down your network isn’t as easy as locking your door and setting the chain at night. Detecting an intrusion isn’t as easy as walking in the door and seeing that a window’s been broken, and your valuables are missing. If it WERE that easy, then there simply wouldn’t be multi-million dollar industries based around network security and identity theft protection!
      The John Steele line about a user’s liability for their personal network security is absolute bullshit! It’s a scare tactic intended to frighten Joe Consumer into signing a check. More people are waking up to this fact every day.

  2. DieTrollDie says:

    One thing a majority of the copyright owners and Trolls do not do is send out DMCA Take-Down notices. This simple step is the first logical step they should be doing once they identify possible infringement activity. This simple step makes the ISP potentially liable if they don’t do anything to address the allegation. So why not do it??????? Money is the answer. The Trolls don’t want the infringement activity to stop or slow down in the US.

    • CTVic says:

      Exactly. A phrase common to the complaints in nearly all of these copyright troll suits is that “plaintiff has no adequate remedy at law.” Indicating to the judge that they had no choice but to sue all of these people downloading their files … which is absolute bullshit! You don’t like the fact that your media is being shared on p2p networks? DMCA the sites that are distributing the trackers on these files! BitTorrent swarms will fizzle and die if no new “pirates” are able to locate where the hell they are!
      There are companies that have created their own little niche market for listening on the internet for a client’s media being shared, and proactively sending DMCA takedowns to whoever’s managing the illegal distribution of your work. So a producer wants to limit piracy of their work, without having to do all the legwork themselves? Hire one of these guys to do the legwork for you! All of that money you save in lost revenue will cover his fees ten times over!
      But there’s no money in that! Extortion is much more lucrative. When the extortion machine gets rolling, the job of protecting your work from piracy actually becomes counterproductive, and starts to eat at your profit margin! Producers are monetizing piracy, while claiming that they are trying to “recoup lost income.” The problem is that they’re not recouping anything – they’re capitalizing off of the illegal trading of their work, which serves as an incentive for them to actually PROMOTE piracy, which is the exact opposite result of what they claim to want!

  3. CTVic says:

    Back to topic: securing Wi-fi. Since my own troubles with Copyright Trolls, I’ve done a good bit of research on wireless networks and have come to the conclusion that they’re very much like sex. The only way to be completely safe is to not play the game at all. Also like sex, that’s not exactly a realistic expectation.
    Just about any security scheme can be cracked, it’s only a matter of how long it takes. Older models can be cracked in minutes. Newer ones in days. This latest revelation of exploiting WPS pins is totally unsurprising to me since I’ve taken the time to do the research. So the best way I’ve seen yet to secure your personal wireless network is to hide it, so that nobody outside your personal knowledge even knows it’s there.
    Wireless networks advertise themselves to other devices with an SSID broadcast – the router essentially broadcasts its identity to the world. This is how passing hackers know they’ve got a target to poke around with in the first place. You can disable this! It effectively hides the existence of your network, and for any passing miscreant to tap into it without your authority, they have to be within range, and know the name (SSID) of the network to attempt a logon. You can still connect your other devices to your wireless network, except that you need to know the SSID and have to key it into the device ahead of time.
    Essentially it’s like soundproofing your bedroom. You could be gettin it on with the missus until you’re blue in the face, but none of your nosy neighbors has a clue.
    People who REALLY want to tap your computers and crack into your systems will still be able to find a way. There’s always a way. But this will at least take away the bulls-eye that’s posted at a 1/2 mile radius around your house for any passer-by to notice.

    • rocafella says:

      Your a fool. Hide the network. That’s laughable. As an attacker, all they would still is use a WiFi scanning tool that enables the option to show hidden ssid’s. Your burying treasure when you hide your wi-fi network. That just makes the pirate want to find it even more. You better hope your never my neighbor, because if you hide your ssid, I am going to find out why. An I want to know what your doing. You think you can protect your daughter from boys ?! , then how the hell are you going to protect your WIFI dummy ?! You sound like my idiot customers. Thinking they are protected by Norton, when they really ate only partying Norton.

      • DieTrollDie says:

        No need to call people names. The various steps you take to prevent it from happening are not perfect. But it is better than nothing. Dong try to troll here pleasr.

        DTD 🙂

  4. DieTrollDie says:

    Here is a US Computer Emergency Response Team (US Cert) Note on this vulnerability. http://www.kb.cert.org/vuls/id/723755
    “Vulnerability Note VU#723755, WiFi Protected Setup (WPS) PIN brute force vulnerability”

  5. Samy says:

    Thanks 4 this article Mr. DTD…. I planned to close this link but got struck coz of the comment written here by Mr. CTVic… well, i don’t think Hiding SSID is not the solution… 4 user it’ll be tedious to enter SSID & pwd every time he/she wants to connect, but for a IT geek, getting SSID is no big deal… Kismet, Netstumbler, wirecrack etc tools are available that’s gonna tell u much more than the SSID… another thing is, if a user will set it to “connect automatically” while connecting 1st time to his/her hidden wireless network, then where that lappy/ipad/iphone is, its gonna broadcast that hidden SSID in air (even if that hidden network is not in range)… for ex: i configured a hidden wireless network at home & while connecting my ipad for 1st time i checked the “connect automatically” box. after some time i went 2 a coffee shop but there my hidden wireless network is not present (i am way out the range)… my ipad will then start broadcasting my hidden wireless SSID to check if its available in there… so, every IT geek in the coffee shop can find out that i got a hidden wireless back at home/office…
    even mac filtering is not a good option… the only thing i feel secure is WPA2 Personal/WPA2 Only/AES Only/Key Interval: 900-1500 secs/key size: 20-32 chars or WPA2 Enterprise/WPA2 Only/AES Only/RADIUS or TACACS+

    if u got multiple wireless device at home, i’ll suggest to have a RADIUS configured on one of them

    • DieTrollDie says:

      Thanks Samy. Maintaining a network that is 100% safe and cannot be exploited is damn near impossible. The cost in time and money to reach that level in a home network is not worth the potential loss (in terms of chance that it occurs and what potential loss would be). As most people are not as technically savvy as you, many WiFi networks are either wide open or easy to exploit. As this is the “Norm”, to the majority of people in the US, it makes the Troll’s claim of negligence and resultant liability worthless.

      DTD 🙂

  6. Samy says:

    i agree with you sir… some wise man said that security is a journey not destination!!! only problem is that sometimes we forgot this thing & start getting feeling as we reached to the destination (by adding few tools/appliance in the network)…
    You r right, Cost is one of the major factor for both enterprise & home user; but then Human Ignorance is something thats making more dents or loopholes for crackers…
    anyway, security is something that we can talk for days… it all matters how paranoiac you are when surfing net!!!

    Samy 🙂

  7. SIFOO says:

    PENTEST TOOLS WEP WPA WPS

  8. DieTrollDie says:

    Here are two a recent Arstechnica articles that relate to WiFi vulnerabilities. Links to the articles have been added to the top of the post,

    How I cracked my neighbor’s WiFi password without breaking a sweat

    Why passwords have never been weaker—and crackers have never been stronger

    DTD 🙂

    • doe says:

      Fuckn neighbours whyou can’t they just mind there own Fuckn business

    • doe says:

      Too bad we have piece of shot neighbors who break into ther neighbors house while ther sleeping just to steAL the codes off the router what a ducking loser creep can’t even go to sleep with your doors locked without a deadbeat neighbor creeping around your house while your sleeping what a duck deadbeat

  9. doe says:

    Fuckn neighbours whyou can’t they just mind there own Fuckn business

  10. Keeping WiFi safe, specially by a consumer on consumer devices (the ones ISP’s give you/under a few hundred bucks) is not realistic.
    Consumers miss the education needed and half the damn manufactures got hard coded backdoors in them, and lot’s have an easily exploited webinterface.
    If they don’t have them TLA’s (3 letter agencies) will make/introduce/force them…

    Hiding ssid is of no use for security. It’s obscurity.
    Best is using a long pass phrase, of course don’t use WEP/WPS.
    Split up/separate your wired network from your WiFi.
    -Router interface should not be accessible from WiFi.
    -WiFi and wired should be on separate subnets.
    -Wired network should not be accessible from Wifi.
    *(if needed make rules based on MAC)
    If circumstances allow it, use mac filtering and static IP Addresses.
    Make sure all external ports are closed, and the router is not accessible from your WAN and WiFi.
    -If your ISP has a “service port” or “help” function to get on your router, turn it off.
    Hackers know about those too.
    They (ISP) should deploy better software, where you should push a button before they can connect. And have to do so in a short time window.
    -Check last update date from firmware. look if there is newer, if so pressure your ISP to update.
    -If a little educated, log, and forward logs to an external device USB/Mail/server.
    -Check the damn logs!

    Actually breaking in, in some ones wifi network is generally also very easy.
    Specially if WEP or WPA with WPS is in place. There are several programs for this.
    And even linux distro’s like Kali (formally backtrack) that make it very easy.
    Even if you don’t know how to break an encrypted password, if you can just capture it, you can use web bases services for that.

    -Always turn of your WiFi on devices when leaving your home/work etc.
    (and blue-tooth for that matter, stops shops/google/TLA’s from following you everywhere.

    Winblow$ is a yelling baby that shits in its own bed..
    Sorry, let me explain, i am (trying hard) not going to rant on Windoze.

    First the Yelling part:

    As soon as you put your WiFi on, windhoze starts “yelling” to every WiFi AP (Acces Point)
    Are you >insert your home network< …
    Nice feature hey?! Well m$ stimulates stupidity…
    (tbh Android does/did the same, and many more OS's (Operating Systems))

    If i use for example an Pineapple AP (google hak5 pineapple) or any compatible router/AP with Jasager software on it, it will always answer your device with YES..
    Thus will your device give me your pass phrase in order to connect…
    And at the same time you are connected to my laptop, that's between you and the internet.
    Imagine what i could do, besides monitoring everything you do…
    -So always turn of your WiFi on devices when leaving your home/work etc…\
    (and blue-tooth for that matter, stops shops/google/TLA's from following you everywhere.

    For the shitting part:
    Is Windows a Virus? https://www.redhat.com/archives/rhl-list/2005-October/msg00818.html

    Goramn, i tried to keep it short… LOL

    **I did not include links to everything since i don't want to get flagged as spam.
    If more info is needed feel free to contact me.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s