Ouch! Security problem in linksys routers in Wireless Security

Ouch! Security problem in linksys routers in Wireless Security http://www.dslreports.com/forum/r14141344 en Fri, 27 Nov 2009 17:09:35 EDT Fri, 27 Nov 2009 17:09:35 EDT Re: Ouch! Security problem in linksys routers http://www.dslreports.com/forum/remark,14259591 funchords :

said by Yoofer

:

So am I correct that the consensus is this is an issue related to old settings not being purged after a firmware update?

Yes, you are correct.]]> http://www.dslreports.com/forum/remark,14259591 Wed, 31 Aug 2005 06:46:33 EDT Re: Ouch! Security problem in linksys routers http://www.dslreports.com/forum/remark,14257053 Yoofer : Quick update to my settings: just switched to WPA-AES.
--
Ken S.]]> http://www.dslreports.com/forum/remark,14257053 Tue, 30 Aug 2005 21:23:19 EDT Re: Ouch! Security problem in linksys routers http://www.dslreports.com/forum/remark,14256920 Yoofer : Okay, I'm not new to networking, but extremely new to wireless (under 1 week with the Linky WRT54G, firmware 3.03.6). So am I correct that the consensus is this is an issue related to old settings not being purged after a firmware update? Has anyone been able to confirm this behavior in the G? Or only the GS? Am I okay with my currently installed firmware? How does MAC filtering figure in? Mine is currently set to permit only, with just the MAC of my notebook's built-in wireless adapter entered. Sorry for all the questions, still learning...

Some (relevant?) settings:
SSID broadcast disabled
Firewall enabled
WPA-TKIP enabled
MAC filtering (permit only) enabled

I have a friend coming over to the house in a couple of days - I'll have him bring his wireless notebook (it's never seen my router) and see if he can connect. I'll post back with the results...
--
Ken S.]]> http://www.dslreports.com/forum/remark,14256920 Tue, 30 Aug 2005 21:09:50 EDT Re: Ouch! Security problem in linksys routers http://www.dslreports.com/forum/remark,14164154 Glen T : Well here are the results of my test:

1. I saved a config file from firmware v3.03.6 on my WRT54G v1.1 router.
2. I used the HTML interface to apply the firmware update to v4.20.6.
3. Tried logging on from my laptop using a Linksys WUSB11 v2.6 adapter on my neighbour's laptop (which has seen my secure connection in the past). I could not log on. However, he is running WinXP without SP2, so it saw my connection as WEP (not WPA).
4. I brought his WUSB11 v2.6 connector to my laptop, installed it, and set it up. It identified my connection as secure, but I could not log on.
5. My other wireless PC which was on and connected throughout the upgrade, remained connected.
6. I did a factory reset on the WRT54G. All settings including password for log on were purged.
7. I successfully logged onto the newly unsecured connection from my laptop.
8. I then applied the saved config file made from firmware v3.03.6. My settings appear to be completely restored with no problems. The router never complained or warned in any way about the different version of the config file.

Conclusions:

1. This was not a clean test for reproducing the problems with unsecured logon following the firmware upgrade. I didn't have access to a clean client that had not previously seen my router. However, the router did end up in a state where I could not log on from my laptop prior to do a factory reset.

2. My test showed that it is at least feasible to save your config to file prior to upgrading the firmware, and then restoring your settings after a factory reset. On the WRT54G, this could be a recommended work around. Linksys support confirmed this (for what that's worth).]]> http://www.dslreports.com/forum/remark,14164154 Thu, 18 Aug 2005 15:12:50 EDT Re: Ouch! Security problem in linksys routers http://www.dslreports.com/forum/remark,14162414 Glen T : Here is the question that I asked Linksys support:

Thanks for your reply. I just want to confirm your answer:

I can use the Config Managment tool to restore a previously saved config file, saved before I did a firmware upgrade. In other words, the following:
1. My router is using firmware version X. I create a back up config file from version X.
2. I upgrade my router to firmware Y.
3. I do a factory reset following the firmware upgrade.
4. I do a restore of my config file to restore my settings.
This will work?

Here is the response:

Yes. It is the configuration or the settings that you need to save and not the firmware. Create a back up first then restore it after.

I have not had time to try this yet, but I plan to do the entire procedure on my WRT54G -- hopefully today. After all, who wouldn't want to miss the opportunity of turning their router into a doorstop?

I'll post my findings when I'm done. Please allow time for me to run to the store and by a new WRX router!

My objective is to establish whether or not I can reproduce the reported conditions, and whether or not you can restore a saved config file after an upgrade of firmware. This would at least provide a decent workaround.

Note that I am using an access restriction table on router which limits access to the Internet for several computers based on their MAC numbers and time of day. Should be interesting to see if that survives the restore, along with other settings.]]> http://www.dslreports.com/forum/remark,14162414 Thu, 18 Aug 2005 11:41:03 EDT Re: Ouch! Security problem in linksys routers http://www.dslreports.com/forum/remark,14155597 Glen T :

said by Bill

:

It gives me something to do until school starts again :p

Greg_Z

, I'm also interested in seeing which other WRT's this applies to. If I had another WRT54G, or WRT54GS, I'd test it out :(.

I'm still waiting for he definitive response from Linksys support regarding the feasibility of using the save/restore settings after a a firmware upgrade/reset.

If I get the green light from Linksys, I'd like to try the whole process along with restoring from a saved conf file on my WRT54G v1.1. I'll be upgrading the firmware from v3.03.6 to v4.20.6. I don't have a 'virgin' client, though, so I'd have to wipe one to give this a try. I may also be able to grab my nextdoor neighbour's laptop.]]> http://www.dslreports.com/forum/remark,14155597 Wed, 17 Aug 2005 15:07:09 EDT Re: Ouch! Security problem in linksys routers http://www.dslreports.com/forum/remark,14154999 Bill : It gives me something to do until school starts again :p

Greg_Z

, I'm also interested in seeing which other WRT's this applies to. If I had another WRT54G, or WRT54GS, I'd test it out :(.
--
Folding Monitor
Network Status
Weather Stats]]> http://www.dslreports.com/forum/remark,14154999 Wed, 17 Aug 2005 13:58:29 EDT Re: Ouch! Security problem in linksys routers http://www.dslreports.com/forum/remark,14154632 Greg_Z : Definitely he is doing something that is going to help everyone out in the long run. I am wondering how far into the WRT line this problem goes..
--
One man's customer loyalty is another man's misguided arrogance.]]> http://www.dslreports.com/forum/remark,14154632 Wed, 17 Aug 2005 13:14:43 EDT Re: Ouch! Security problem in linksys routers http://www.dslreports.com/forum/remark,14152419 jebz :

said by nwrickert

:

With WPA Personal/TKIP authentication enabled, the unit allows both clients using encryption with the correct settings and key, and clients not using any encryption.

This happened to me on my WRT54G v2.2 when upgrading from 4.00.7 to 4.20.6 .

I checked all my security settings and they were in place after the upgrade and the wireless network was operating well. I tried to connect a second laptop but it developed a wireless hardware fault. I substituted another card and it reported the wireless network was insecure. This was quite a surprise. This was confirmed by Netstumbler.

I looked at the security settings again and found the latest version of the firmware has a button icon with a lock in it in the Wireless/Basic Wireless Settings. The button showed an open lock. I clicked on the lock and all hell broke loose. It changed all my security settings. I then re-entered my security settings to restore operation. The network then indicated secure on the clients and all operations continued as per the old firmware version.]]> http://www.dslreports.com/forum/remark,14152419 Wed, 17 Aug 2005 06:54:13 EDT Re: Ouch! Security problem in linksys routers http://www.dslreports.com/forum/remark,14151649 funchords : Isn't Bill

the best for putting in the time on this one?

Great job!!]]> http://www.dslreports.com/forum/remark,14151649 Wed, 17 Aug 2005 01:12:07 EDT Re: Ouch! Security problem in linksys routers http://www.dslreports.com/forum/remark,14150964 Bill : I was able to produce this problem on both Linksys 4.50.6 and DD-WRT v22.

I'm not sure which Linksys version DD-WRT v22 is based on.]]> http://www.dslreports.com/forum/remark,14150964 Tue, 16 Aug 2005 23:22:07 EDT Re: Ouch! Security problem in linksys routers http://www.dslreports.com/forum/remark,14150451 Nerdtalker :

said by Bill

:

•Flash from Linksys 4.50.6 to DD-WRT.
•I looked in the web GUI after the flash and the WPA settings from my previous Linksys firmware were still in there.
•I set my wireless card to "Disabled" for security settings

I was able to connect right up (see attached image).

I'm guessing that even though the WRT54GS web config is reporting WPA is enabled, it's not really enabled.

Wow, interesting vulnerability.

Are 3rd party firmware distros built on the 4.50.6 linux-GPL code also affected?
--
"Some people never see the light till it shines thru bullet holes." -Bruce Cockburn

I'm testing Gmail's spam filters: Broadbandreports1@gmail.com
Spam: 8800+ messages currently using 268 MB (11%) of my 2442 MB]]> http://www.dslreports.com/forum/remark,14150451 Tue, 16 Aug 2005 22:19:37 EDT Re: Ouch! Security problem in linksys routers http://www.dslreports.com/forum/remark,14148315 Greg_Z : If you are just changing the Wifi A/P MAC, are you changing the MAC on the NIC at the time of reboot. MAC address scheming can work both ways, and if the A/P is still associating the MAC of the NIC at the time of reboot, then you may still have problems.

The problem lies that the A/P still remembers the MAC of the NIC at the time of the reboot along with the Key that it has to send to confirm the key on the A/P and the MAC of the A/P. Unless the IPTables is being flushed at the time of reboot, everything stays in the memory of the A/P.

There is going to defiantly be a good White paper out of this.
--
One man's customer loyalty is another man's misguided arrogance.]]> http://www.dslreports.com/forum/remark,14148315 Tue, 16 Aug 2005 17:38:00 EDT Re: Ouch! Security problem in linksys routers http://www.dslreports.com/forum/remark,14148214 Bill : Still letting me on after a reboot, SSID change, wireless MAC change.

See picture.

]]> http://www.dslreports.com/forum/remark,14148214 Tue, 16 Aug 2005 17:25:59 EDT Re: Ouch! Security problem in linksys routers http://www.dslreports.com/forum/remark,14147917 funchords :

said by Bill

:

I should have been more specific; I cloned the wireless APs MAC address, not the wireless card. That should make a difference, right?

It will only make a difference one way.

WPA authenticates both sides: STA auth's the AP, AP auth's the STA

If I were you, I'd repeat your previous steps, but power-cycle the router and reboot the laptop after that point I mentioned above. That way any prior auths or lockouts are forgotten.
--
Robb Topolski ;) http://www.funchords.com/ :D Hillsboro, Oregon USA
Dear Anonymous, Thank you!!! Thank you!!!]]> http://www.dslreports.com/forum/remark,14147917 Tue, 16 Aug 2005 16:44:11 EDT Re: Ouch! Security problem in linksys routers http://www.dslreports.com/forum/remark,14147884 Bill : I should have been more specific; I cloned the wireless APs MAC address, not the wireless card. That should make a difference, right?

I can try it with my Linux laptop and see what happens.
--
Folding Monitor
Network Status
Weather Stats]]> http://www.dslreports.com/forum/remark,14147884 Tue, 16 Aug 2005 16:39:13 EDT Re: Ouch! Security problem in linksys routers http://www.dslreports.com/forum/remark,14147669 funchords :

said by Bill

:

•I set my wireless card to "Disabled" for security settings

"Greg Z" mentioned this above --

Just changing the SSID and Wireless NIC MAC address will not do it. The machine that is being used still remembers the MAC address of the device that you are connecting to.

...and I just want to back him up on this fact...

If you started with an EAP protocol, then switched the card to disabled, the EAPOL authenitcation service continues to run -- perhaps stupidly, but it does.

And as long as that MAC address is out there, it will enforce its last instructions.

I agree -- we need to test this with a reboot after the above step mentioned in »Re: Ouch! Security problem in linksys routers
--
Robb Topolski ;) http://www.funchords.com/ :D Hillsboro, Oregon USA
Dear Anonymous, Thank you!!! Thank you!!!]]> http://www.dslreports.com/forum/remark,14147669 Tue, 16 Aug 2005 16:09:47 EDT Re: Ouch! Security problem in linksys routers http://www.dslreports.com/forum/remark,14147526 justageek : Ask SW Bill and you shall receive

I can't recreate the issue on the G...
using 4.00.7 = No issue
using 4.20.6 = No issue

Dare I speculate that this bug is confined to the GS routers or am I just not testing things right??

Equipment Tested
1 Dell C600
1 Linksys WPC54G version 2 with no firmware updates and standard Linksys drivers
1 Linksys WRT54G version 3

1.) Flashy Flashy to 4.20.6
2.) Run Netstumbler
3.) Found other networks, mine was "missing".
4.) Flashy Flashy to 4.00.7
5>) See step 2
6.) See step 3
7.) Flashy Flashy to 4.20.6
8.) Router cranky at first, but works fine now.

Laptop is a unit that I took out of work and has never been wireless.
XP installed on it from ground zero (No slipstreamed SP2)
After I got all the fun fun stuff on it (at the office), I popped in the NIC and gave it the drivers.

Maybe I have a sooper router???]]> http://www.dslreports.com/forum/remark,14147526 Tue, 16 Aug 2005 15:50:48 EDT Re: Ouch! Security problem in linksys routers http://www.dslreports.com/forum/remark,14147518 Greg_Z : Just changing the SSID and Wireless NIC MAC address will not do it. The machine that is being used still remembers the MAC address of the device that you are connecting to. You really have to use something like Knoppix or another machine in order to see if there is a vulnerbility out there.
--
One man's customer loyalty is another man's misguided arrogance.]]> http://www.dslreports.com/forum/remark,14147518 Tue, 16 Aug 2005 15:49:40 EDT Re: Ouch! Security problem in linksys routers http://www.dslreports.com/forum/remark,14147472 Bill : I only have one machine with wireless.

I changed the SSID and wireless MAC address on the router prior to connect to it with my laptop, so that should make it like the computer has never seen it before, hopefully.

If anyone else has a WRT54GSv1, or even a regular WRT54G, I'd be interested in seeing what results you get.
--
Folding Monitor
Network Status
Weather Stats]]> http://www.dslreports.com/forum/remark,14147472 Tue, 16 Aug 2005 15:42:55 EDT Re: Ouch! Security problem in linksys routers http://www.dslreports.com/forum/remark,14147412 Greg_Z : What gets me is that you are reproducing the error on a machine that has already been connected to the router that is supposedly connected prior to the upgrade.

In order to do a real world test, you have to use a machine that has never been connected via wifi to the router in order to see if there is a true claim in this possible security hole.
--
One man's customer loyalty is another man's misguided arrogance.]]> http://www.dslreports.com/forum/remark,14147412 Tue, 16 Aug 2005 15:33:33 EDT Re: Ouch! Security problem in linksys routers http://www.dslreports.com/forum/remark,14147046 Bill : Thanks Glen T

:)

Hopefully we'll get an answer in this thread, or via your email. At the least, Linksys has been notified of this problem and hopefully will fix it :)]]> http://www.dslreports.com/forum/remark,14147046 Tue, 16 Aug 2005 14:47:39 EDT Re: Ouch! Security problem in linksys routers http://www.dslreports.com/forum/remark,14146789 Glen T : I just had a 'live' chat with Linksys support, which wasn't very helpful. He sort-of confirmed that you might want to do a factory reset after flashing a new firmware version. He had no knowledge of what the configuation management tools were used for.

I've e-mailed my question to Linksys support, including a link to this topic. We'll see what they come back with. I've asked for a definitive statement on when you would use the Configuration Managment save/restore.]]> http://www.dslreports.com/forum/remark,14146789 Tue, 16 Aug 2005 14:14:21 EDT Re: Ouch! Security problem in linksys routers http://www.dslreports.com/forum/remark,14146510 funchords : With the D-Link DI-5xx/6xx/7xx routers, and the Netgear WGT/WGU-624, you generally cannot apply settings saved from a previous version to an upgraded version.

We have found a few exceptions to this rule, but we've also found that a higher rate of success is obtained my hand-entering these settings over restoring them from a file -- even under the same firmware version!
--
Robb Topolski ;) http://www.funchords.com/ :D Hillsboro, Oregon USA
Dear Anonymous, Thank you!!! Thank you!!!]]> http://www.dslreports.com/forum/remark,14146510 Tue, 16 Aug 2005 13:41:12 EDT Re: Ouch! Security problem in linksys routers http://www.dslreports.com/forum/remark,14146476 Glen T : I'm going to look into this a bit more -- will check with Linksys support. You would think that Save/Restore would be meant for exactly this kind of scenario. Also, it does not necessarily follow that restoring a saved firmware set is the same as flashing over top of an existing set without resetting.

I'll see what I can find out.]]> http://www.dslreports.com/forum/remark,14146476 Tue, 16 Aug 2005 13:37:39 EDT Re: Ouch! Security problem in linksys routers http://www.dslreports.com/forum/remark,14146403 Bill : Mine does have a "Backup" option, but I do not know if the settings can be transferred between different firmware versions.

It warns me about using it on different firmwares/models.

I'm not willing to test out "Restore" from a different firmware version because there is a possibility it could turn my router into a paperweight.

Also, I do not know if the "backup" from a previous firmware would do any good. If you upgrade the firmware, without a reset, wouldn't that essentially be doing the same thing as flashing, resetting, then using the backup file? We've already found out settings aren't successfully transferred from one to the other, so it seems like it would be the same.
--
Folding Monitor
Network Status
Weather Stats]]> http://www.dslreports.com/forum/remark,14146403 Tue, 16 Aug 2005 13:28:58 EDT Re: Ouch! Security problem in linksys routers http://www.dslreports.com/forum/remark,14146285 Glen T : Does this router not have the admin function to save/restore a configuration file, like the WRT54G has?

WRT54G config save/restore

]]> http://www.dslreports.com/forum/remark,14146285 Tue, 16 Aug 2005 13:10:07 EDT Re: Ouch! Security problem in linksys routers http://www.dslreports.com/forum/remark,14145667 Bill : I used the "Factory Defaults" option in the firmware upgrade menu (see attached image).

I prefer not to do a hard-reset. The only time I'll do a hard-reset (use the reset button) is if I can't get into the web config.

There's also a stand-alone "Factory Defaults" option inside most of the Linksys firmwares, which will allow you to restore all settings to "Factory Defaults", without upgrading your firmware.
--
Folding Monitor
Network Status
Weather Stats

]]> http://www.dslreports.com/forum/remark,14145667 Tue, 16 Aug 2005 11:44:46 EDT Re: Ouch! Security problem in linksys routers http://www.dslreports.com/forum/remark,14145603 WALL_E : When you say that it is necessary to restore factory defaults after upgrading the firmware, does that mean restoring defaults by pressing and holding the recessed button on the back of the router, or by restoring defaults through the router's web interface, or does that not make a difference? I have always restored the router by pressing and holding the button until the power light began to flash.

Thanks in advance.

I also believe that this is a pretty good bug, but as Linksys does highly recommend resetting after a firmware upgrade, it is not as big of an issue as I had originally thought. Perhaps in the future, Linksys can have their upgrade utility display a warning box after the firmware upgrade completes, which urges the user to reset the router, with several scolding warning messages if the user decides not to. Or they could even make the upgrade utility reset the router without asking after a firmware upgrade.]]> http://www.dslreports.com/forum/remark,14145603 Tue, 16 Aug 2005 11:36:46 EDT Re: Ouch! Security problem in linksys routers http://www.dslreports.com/forum/remark,14144905 avantare : I just purchased a WRT54G from CompUSA hw is v4 and the first thing I did was check the firmware. It's the latest.

Chuck
--
A computer is not a tool. When was the last time you had to do maintenance on your screwdriver?]]> http://www.dslreports.com/forum/remark,14144905 Tue, 16 Aug 2005 09:42:38 EDT Re: Ouch! Security problem in linksys routers http://www.dslreports.com/forum/remark,14144622 kpr92400 :

This is a good bug. Although it is security related, it's not likely going to be exploited.

Not likely that it's going to be exploited?!? Unless this particular firmware upgrade scenario is unlikely, it's going to happen, and it's going to get wardriven and exploited someday.

n.b. I just bought a WRT54G from newegg, and while it was hardware v4, it had some pretty ancient firmware on it...]]> http://www.dslreports.com/forum/remark,14144622 Tue, 16 Aug 2005 08:48:45 EDT Re: Ouch! Security problem in linksys routers http://www.dslreports.com/forum/remark,14143878 funchords :

said by Bill

:

It's definitely a problem, but I'm not sure if it can be addressed and fixed by Linksys or the third-party providers.

Obviously, people don't want to "Restore to Factory Defaults" because they'll loose their settings and have to re-enter them, but it may have to be done to prevent this security problem.

Yes, but OTOH, there's no guarantee that one firmware version is going to use the same keywords or values as the other.

Something like that is probably what's happening here. Between version x and y, something got flipped or skipped.

This is a good bug. Although it is security related, it's not likely going to be exploited.
--
Robb Topolski ;) http://www.funchords.com/ :D Hillsboro, Oregon USA
Dear Anonymous, Thank you!!! Thank you!!!]]> http://www.dslreports.com/forum/remark,14143878 Tue, 16 Aug 2005 02:18:34 EDT Re: Ouch! Security problem in linksys routers http://www.dslreports.com/forum/remark,14143781 Bill : It's definitely a problem, but I'm not sure if it can be addressed and fixed by Linksys or the third-party providers.

Obviously, people don't want to "Restore to Factory Defaults" because they'll loose their settings and have to re-enter them, but it may have to be done to prevent this security problem.
--
Folding Monitor
Network Status
Weather Stats]]> http://www.dslreports.com/forum/remark,14143781 Tue, 16 Aug 2005 01:49:48 EDT Re: Ouch! Security problem in linksys routers http://www.dslreports.com/forum/remark,14143639 dad123 : I always wondered if you restore factory defaults can you reapply your previously saved configuration file and not mess up the settings ?]]> http://www.dslreports.com/forum/remark,14143639 Tue, 16 Aug 2005 01:14:08 EDT Re: Ouch! Security problem in linksys routers http://www.dslreports.com/forum/remark,14143325 nwrickert : Thanks to the people who have been testing this, particularly Bill

and scherf

.

Even if this is a configuration/update issue, I see it as still a problem. But it isn't as serious a problem as it might have been.]]> http://www.dslreports.com/forum/remark,14143325 Tue, 16 Aug 2005 00:18:59 EDT Re: Ouch! Security problem in linksys routers http://www.dslreports.com/forum/remark,14143265 scherf : Good job reproducing this! I guess it actually is an issue with updating. I don't agree about WPA actually being disabled, though, because password validation is functioning. If your password is wrong, you can't connect. Also, my computer reports that it is connected with WPA. The bug is that WPA is "optional". :)

As for whether it is expected for this unit to keep config after updating, I'm not sure what the vendor advertises. But the unit does seem to keep config and report it exactly as it was before the update. But apparently what it reports doesn't necessarily match what's going on inside.]]> http://www.dslreports.com/forum/remark,14143265 Tue, 16 Aug 2005 00:08:55 EDT Re: Ouch! Security problem in linksys routers http://www.dslreports.com/forum/remark,14143054 Bill : Anyone else out there with a WRT54GSv1 able to get the same results as me?]]> http://www.dslreports.com/forum/remark,14143054 Mon, 15 Aug 2005 23:30:32 EDT Re: Ouch! Security problem in linksys routers http://www.dslreports.com/forum/remark,14142941 Bill : I don't know much about the internal workings of this router, but I do know they act weird when they aren't "Restoring" after updates. I am not sure why the web config is reporting inaccurate data.

As an update, I got the same results when flashing from DD-WRT to Linksys 4.50.6, without "Restoring". When I did the flash, with "Restoring", everything worked fine (no WPA problem).
--
Folding Monitor
Network Status
Weather Stats]]> http://www.dslreports.com/forum/remark,14142941 Mon, 15 Aug 2005 23:09:40 EDT Re: Ouch! Security problem in linksys routers http://www.dslreports.com/forum/remark,14142913 funchords : Is it expected that this router would retain its memory across firmware updates?

-- Robb (not a Linksys router user)]]> http://www.dslreports.com/forum/remark,14142913 Mon, 15 Aug 2005 23:06:19 EDT Re: Ouch! Security problem in linksys routers http://www.dslreports.com/forum/remark,14142758 Bill : Ok, I was able to recreate this problem. Here's what I did:

•Flash from Linksys 4.50.6 to DD-WRT.
•I looked in the web GUI after the flash and the WPA settings from my previous Linksys firmware were still in there.
•I set my wireless card to "Disabled" for security settings

I was able to connect right up (see attached image).

I'm guessing that even though the WRT54GS web config is reporting WPA is enabled, it's not really enabled.

One more reason to be sure to "Restore Factory Defaults" after firmware upgrades :D

Edit: Fixed picture

]]> http://www.dslreports.com/forum/remark,14142758 Mon, 15 Aug 2005 22:48:10 EDT Re: Ouch! Security problem in linksys routers http://www.dslreports.com/forum/remark,14142722 Kabanos :

said by Bill

:

...Maybe I'm doing something wrong?

Do not use the newest Firmware Version: 4.70.6; try it with the old one (Firmware Version: 4.50.6)
--
non nova, sed nove]]> http://www.dslreports.com/forum/remark,14142722 Mon, 15 Aug 2005 22:42:32 EDT Re: Ouch! Security problem in linksys routers http://www.dslreports.com/forum/remark,14142701 Bill : When you upgraded the firmware from the previous version, did you "Restore Factory Defaults" after the upgrade?

If you didn't it is possible it was in a "weird state".

I upgraded a few months ago from Alchemy to DD-WRT and since I didn't "Restore Factory Defaults" some settings would not take and I was getting random errors in the web GUI. It's like random garbage was stored in memory instead of the values I tried setting.

I will try flashing to DD-WRT, then back to Linksys, without restoring defaults and see what happens.

Thanks
Bill.
--
Folding Monitor
Network Status
Weather Stats]]> http://www.dslreports.com/forum/remark,14142701 Mon, 15 Aug 2005 22:39:54 EDT Re: Ouch! Security problem in linksys routers http://www.dslreports.com/forum/remark,14142662 anon : Hi, I'm the original poster to Bugtraq. I wouldn't be surprised if this was a hard one to reproduce. To recount what I did in the hopes that someone else will be able to make it happen: I set the AP to use WPA personal/TKIP with a very long and random password (generated with /dev/random). At the time I was using an older firmware, perhaps a year old. I don't recall what version. I was not getting great reception, so I installed two aftermarket directional antennas. Not a lot of improvement, but not surprising given that there are something like 10 networks in my neighborhood. So I upgraded the firmware in the hope that perhaps they improved some of the connectivity issues. I upgraded through the usual web browser interface without changing any settings before or after. It all seemed to work fine, and I ran with it for a month until a friend noted that my network seemed to be open. His Win XP box showed my net as open, and he connected without a password. I cranked up Macstumbler, and it showed the network as open as well, even though my 4 Macs are configured to use TKIP and were working just fine that way. The Linksys AP was definitely configured to use TKIP, no question, but the network still showed up as open in the scans I ran. The original post tells the rest of the details. I wonder if the firmware update process put the unit into a weird state or something?]]> http://www.dslreports.com/forum/remark,14142662 Mon, 15 Aug 2005 22:35:42 EDT Re: Ouch! Security problem in linksys routers http://www.dslreports.com/forum/remark,14142609 funchords : My read of the test cases are this:

•Router configured for WPA-PSK TKIP
•Client profile configured for same SSID, no encryption
REPORTED RESULT: Access granted
EXPECTED: Access denied

•Router configured for WPA-PSK TKIP
•Client not configured with a profile
REPORTED RESULT: Router is listed in a site survey as an AP with no encryption enabled
EXPECTED: Router is listed in a site survey with encryption
NOTE: Macstumbler was used by the original observer
--
Robb Topolski ;) http://www.funchords.com/ :D Hillsboro, Oregon USA
Dear Anonymous, Thank you!!! Thank you!!!]]> http://www.dslreports.com/forum/remark,14142609 Mon, 15 Aug 2005 22:27:41 EDT Re: Ouch! Security problem in linksys routers http://www.dslreports.com/forum/remark,14142536 Bill : I don't see it...

I tried setting up the wireless card with a blank WPA-PSK key. I tried setting the wireless card with no security.

Nothing.

Maybe I'm doing something wrong?]]> http://www.dslreports.com/forum/remark,14142536 Mon, 15 Aug 2005 22:17:49 EDT Re: Ouch! Security problem in linksys routers http://www.dslreports.com/forum/remark,14142251 seezar :

said by Bill

:

I gave it about 2 seconds of thought, then decided to do it :D

Downloading the Linksys stuff right now. Will report back..

{patiently sits by and awaits the results}]]> http://www.dslreports.com/forum/remark,14142251 Mon, 15 Aug 2005 21:38:49 EDT Re: Ouch! Security problem in linksys routers http://www.dslreports.com/forum/remark,14142245 funchords : Just to clarify, Sw Bill, it seems from reading the bugtraq report that the fw is allowing a blank key in the supplicant. A wrong key seems to be rejected.

Suggest you take a look at the report. The bugtraq poster also seemed to be confused as to what to expect from Auto mode.
--
Robb Topolski ;) http://www.funchords.com/ :D Hillsboro, Oregon USA
Dear Anonymous, Thank you!!! Thank you!!!]]> http://www.dslreports.com/forum/remark,14142245 Mon, 15 Aug 2005 21:38:10 EDT Re: Ouch! Security problem in linksys routers http://www.dslreports.com/forum/remark,14142235 Bill :

said by funchords

said by Bill

:

Are you guys gonna make me flash the Linksys firmware onto my WRT54GS to test this? ;):p

C'mon, you can't tell me you're not curious. ;)

I gave it about 2 seconds of thought, then decided to do it :D

Downloading the Linksys stuff right now. Will report back..
--
Folding Monitor
Network Status
Weather Stats]]> http://www.dslreports.com/forum/remark,14142235 Mon, 15 Aug 2005 21:35:55 EDT Re: Ouch! Security problem in linksys routers http://www.dslreports.com/forum/remark,14142232 funchords :

said by Bill

:

Are you guys gonna make me flash the Linksys firmware onto my WRT54GS to test this? ;):p

C'mon, you can't tell me you're not curious. ;)
--
Robb Topolski ;) http://www.funchords.com/ :D Hillsboro, Oregon USA
Dear Anonymous, Thank you!!! Thank you!!!]]> http://www.dslreports.com/forum/remark,14142232 Mon, 15 Aug 2005 21:35:20 EDT Re: Ouch! Security problem in linksys routers http://www.dslreports.com/forum/remark,14142221 Bill : Are you guys gonna make me flash the Linksys firmware onto my WRT54GS to test this? ;):p]]> http://www.dslreports.com/forum/remark,14142221 Mon, 15 Aug 2005 21:34:25 EDT Re: Ouch! Security problem in linksys routers http://www.dslreports.com/forum/remark,14142127 funchords : »msgs.securepoint.com/cgi-bin/get···164.html

I'd sure like to see this verified by a second party before we spread any alarm.]]> http://www.dslreports.com/forum/remark,14142127 Mon, 15 Aug 2005 21:22:01 EDT Re: Ouch! Security problem in linksys routers http://www.dslreports.com/forum/remark,14142006 Techless : A link ???]]> http://www.dslreports.com/forum/remark,14142006 Mon, 15 Aug 2005 21:06:13 EDT Ouch! Security problem in linksys routers http://www.dslreports.com/forum/remark,14141344 nwrickert : Quoting from a recent bugtraq message (from Steve Scherf):

Subject: Serious flaw in Linksys wireless AP password security

It appears that firmware version 4.50.6 for the Linksys WRT54GS (hardware version 1) wireless router allows wireless clients to connect and use the network without actually authenticating. With WPA Personal/TKIP authentication enabled, the unit allows both clients using encryption with the correct settings and key, and clients not using any encryption. It disallows clients attempting to use encryption with the wrong settings and/or key.]]> http://www.dslreports.com/forum/remark,14141344 Mon, 15 Aug 2005 19:39:08 EDT