[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] Linksys Routers still Vulnerable to Wps vulnerability.
- To: "Zach C." <fxchip@xxxxxxxxx>
- Subject: Re: [Full-disclosure] Linksys Routers still Vulnerable to Wps vulnerability.
- From: Dan Kaminsky <dan@xxxxxxxxxxx>
- Date: Fri, 10 Feb 2012 14:41:37 -0500
According to the Reaver people, DD-WRT doesn't support WPS at all :)
On Fri, Feb 10, 2012 at 2:00 PM, Zach C. <fxchip@xxxxxxxxx> wrote:
> Solution: use DD-WRT? Or is that vulnerable too? (Or are there worse
> problems? :))
> On Feb 10, 2012 10:12 AM, "Dan Kaminsky" <dan@xxxxxxxxxxx> wrote:
>
>> "Fixing a vulnerability like this with all the bureoucratic, QA and legal
>> process wouldn't take no more than 2 weeks"
>>
>> If bureaucratic, QA, and legal issues emerge, you can't even get the
>> names of the people you need to speak to in less than 2 weeks, let alone
>> schedule a conference call. Fixing? Heh.
>>
>> Aside from rate limiting WPS, there isn't much of a fix, and you can't
>> turn it off either.
>>
>> Sent from my iPhone
>>
>> On Feb 10, 2012, at 2:40 AM, farthvader@xxxxxxx wrote:
>>
>> Don't buy Linksys Routers they are vulnerable to Wifi unProtected Setup
>> Pin registrar Brute force attack.
>> No patch or workaround exist at the making of this post.
>>
>> Vulnerable list and alleged patch availability:
>> source:http://www6.nohold.net/Cisco2/ukp.aspx?vw=1&articleid=25154
>>
>> E1000 To Be Disclosed (aka we don't have idea)
>> E1000 v2 To Be Disclosed
>> E1000 v2.1 To Be Disclosed
>> E1200 v1 early March
>> E1200 v2 early March
>> E1500 early March
>> E1550 mid March
>> E2000 To Be Disclosed
>> E2100L mid March
>> E2500 early March
>> E3000 To Be Disclosed
>> E3200 early March
>> E4200 v1 early March
>> E4200 v2 To Be Disclosed
>> M10 To Be Disclosed
>> M20 To Be Disclosed
>> M20 v2 To Be Disclosed
>> RE1000 early March
>> WAG120N To Be Disclosed
>> WAG160N To Be Disclosed
>> WAG160N v2 To Be Disclosed
>> WAG310G To Be Disclosed
>> WAG320N To Be Disclosed
>> WAG54G2 To Be Disclosed
>> WAP610N To Be Disclosed
>> WRT110 To Be Disclosed
>> WRT120N To Be Disclosed
>> WRT160N v1 To Be Disclosed
>> WRT160N v2 To Be Disclosed
>> WRT160N v3 To Be Disclosed
>> WRT160NL To Be Disclosed
>> WRT310N v1 To Be Disclosed
>> WRT310N v2 To Be Disclosed
>> WRT320N To Be Disclosed
>> WRT400N To Be Disclosed
>> WRT54G2 v1 To Be Disclosed
>> WRT54G2 v1.3 To Be Disclosed
>> WRT54G2 v1.5 To Be Disclosed
>> WRT54GS2 v1 To Be Disclosed
>> WRT610N v1 To Be Disclosed
>> WRT610N v2 To Be Disclosed
>> X2000 To Be Disclosed
>> X2000 v2 To Be Disclosed
>> X3000 To Be Disclosed
>>
>> The question is why a big company like Cisco/Linksys didn't release a
>> patch since almost 1 month and a half ?.
>>
>> Well i have circumstantial evidence that Cisco outsource some of their
>> Linksys firmware routers to other companies (Arcadyan for example.) in some
>> cases source code is only available through NDA's or not available at all.
>> That's why they are taking so long to release a fix to the WPS
>> vulnerability. Fixing a vulnerability like this with all the bureoucratic,
>> QA and legal process wouldn't take no more than 2 weeks. I found some GPL
>> violations by the way but this is beyond the scope of this message
>> (obfuscating firmware it's useless you now).
>>
>> I apologize if i offended someone but IT security it's serious business
>> specially if someone use your wifi to commit crimes.
>> This vulnerability contains public and very easy to use exploit code,
>> it's not a Denial of Service.
>>
>>
>> Farth Vader.
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/