On 1/17/2012 7:15 AM, Brian Weeden wrote:
But is it really off? There was one brand that still responded to WPS requests even
after it was "turned off".
Apparently, if you a Netgear, yes. From Smallnetbuilder.com:
http://www.smallnetbuilder.com/wireless/wireless-features/31664-waiting-for-the-wps-fix
*NETGEAR* -Preparing an "official response" that will be sent
"shortly".Updated 1/7/2012: NETGEAR's response follows:
/Wi-Fi Protected Setup (WPS) is a method developed by the WiFi
Alliance for setting up a new wireless router for a home network
which includes a way for users to easily connect to a secure network
by pushing a button or entering a PIN code. Recently a security
researcher posted an article highlighting security vulnerabilities
with the WiFi Alliances WPS-PIN (WiFi Protected Setup-PIN) security
protocol. Wireless routers that support WiFi Alliance WPS are
vulnerable to a brute force attack. This vulnerability is likely to
be addressed in the upcoming WPS 2.0 standard.
Today, NETGEAR routers go beyond the requirements of the WiFi
Alliance WPS standard to deter such attacks. NETGEAR routers are the
only ones mentioned in this article to have implemented a
'lock-down' feature, which locks down WPS PIN on the router after a
number of failed attempts to connect using the PIN method. This
hampers the brute force attack, but it doesn't completely eliminate
the possibility of a brute force attack. Therefore NETGEAR
recommends that customers manually turn off the WPS-PIN feature on
their routers by following the simple steps posted below and on
NETGEAR's support site. NETGEAR is one of the few networking vendors
to have the capability to manually turn off WPS-PIN (WPS Push Button
will still work), thus eliminating the possibility of the brute
force attack mentioned in the article.
//http://support.netgear.com/app/answers/detail/a_id/19824
To disable the Router PIN method:
1. Login to the router GUI by typing www.routerlogin.net on an
Internet browser's address bar. Note: Default logins are: Username =
admin, Password = password.
2. Go to Advanced Setup menu and select Wireless Settings.
3. Under WPS settings, put a check mark on Disable Router's PIN box.
4. Hit Apply button to save settings.
//NETGEAR is working diligently to develop easier and more stringent
methods of preventing such attacks, and partnering with the WiFi
alliance and networking technology community to drive such methods
into universal standards. Short term we are looking at several
options and even disabling the WPS Pin by default./
