The Norman Transcript

February 9, 2014

How hackable is your wireless network router?


The Norman Transcript

NORMAN — Most everyone these days uses some sort of wireless network to distribute an Internet connection around their house or business to multiple devices. Most people also know they should password-protect their wireless network to keep away unwanted guests.

But, what if there is something wrong with the wireless router, itself? What if it is flawed in a way that all the passwords in the world won’t protect?

In early December 2011, reports began to surface about a fundamental flaw that had been revealed in some of the most commonly used wireless routers found in millions of homes and businesses around the world.

This flaw, called Wi-Fi Protected Setup (WPS), allows any bad guy with a semi-fast computer and half an ounce of brains to hack right into a wireless network, steal its password, sign right in and set up shop.

Not all wireless routers have the problem, and some can actually be fixed. For some, the fix simply involves changing a setting in the routers’ internal configuration.

Some can be fixed by downloading and installing new “firmware,” available from the manufacturer, a process akin to installing a new operating system. Some can be fixed by installing firmware made by independent, third-party programmers.

In all cases, the “fix” results in some way of turning off the flawed WPS capability.

WPS was originally designed as an easy way for technically challenged folks to set up their own “secure” wireless network.

Instead of having to fiddle about with obscure things called WPA2-PSK AES, Joe Sixpack could just push a button, type in a four-digit PIN code from the sticker on the bottom of the router and, suddenly, easily, “with the push of a button,” his wireless network was secure. Except, it wasn’t.

It wasn’t until the WPS flaw was fully revealed by a humble researcher named Stefan Viehboch that the major wireless router manufacturers had their “Oh, no. Duh!” moment and realized that protecting a secure wireless network with a four-digit PIN number is like protecting Fort Knox with a trillion-dollar vault door on the front but a two-dollar padlock on the back.

By then, though, it was too late, as countless millions of the defective routers had already been sold and were (and still are) in use.

The flaw affects wireless routers from such esteemed brands as D-Link, Netgear, Cisco, Linksys, Belkin and many others. The problem is so bad that US-CERT, the U.S. Computer Emergency Response Team, a division of the Homeland Security Department, issued a mostly ignored alert around Christmas 2011 that users of affected routers needed to take the problem seriously.

So, here we are, over a year later, and I am still coming across defective wireless routers that have not been fixed or replaced. I was confronted with one today, a dangerously insecure but otherwise functional Cisco Linksys router that could not be upgraded or repaired to turn off the WPS flaw.

When told about it, the owner replied, “Well, I’ve been using it all this time and never had a problem until now.” What they meant to say was, “Well, I’ve been getting away with it all this time, up until now.”

To find out if your wireless router needs to be upgraded, repaired or replaced, go to Google and search for “WPS Flaw Vulnerable Devices.” Somewhere on your router, a model number is listed, usually on a sticker on the bottom. Compare your model with the Google Docs list your search uncovers and take appropriate action.

Dave Moore has been performing computer consulting, repairs, security and networking in Oklahoma since 1984. He also teaches computer safety workshops. He can be reached at 919-9901 or the site davemoorecomputers.com.

Breaking news, severe weather alerts, AMBER alerts, sports scores from The Norman Transcript are available as text messages right to your phone or mobile device. You decide which type of alerts you want to receive. Find out more or to signup, click here.