ASUS RT-AC87U WPA2 key cracked in 2 seconds

And people give me hell for railing against having embedded web servers and other services on what should be a bulwark of security in a SOHO network.

D-Link folks might not like this - this is what happens when a determined Firmware Engineer starts stepping through code...

http://www.devttys0.com/2015/04/hacking-the-d-link-dir-890l/

sfx
Thanks for the link to devttys0; he wrote "binwalk", cool, I will give it a try. I use IDA :cool:
 
:cool: but of course I am not breaking the WPA2 key, I leave that privilege to the NSA. Also there is another tool similar to reaver, it is 'bully', and I was lucky with the WPS pin; nonetheless I found the vulnerability.

Nice catch in any event... but everything is eventually vulnerable to a determined attacker - it's all about finding an edge to peel up. Security engineers do this all the time...

The true test - not running pre-canned scripts... Reaver is well known... find something truly exploitable that isn't something that is already known.

To the rest of the community - don't expose yourself needlessly, and assume that for everything you add to your AP/Router, there's likely a problem that can, and at some point will, expose anything connected to it directly, and perhaps the rest of your network...

sfx
 
So please if you can reproduce this bug, add your comments.

@zerodegrekelvin
Have you tested it with WPS OFF? I see reports in which you turn OFF WPS, you reboot the router and after the reboot the WPS on 5GHz is still ON. Can you check with Reaver if this is really the case? It can be an even more serious issue if you can't fully turn OFF the WPS. I can't test it currently as the system I am using just crashes with reaver (wifi card driver issues).
 
@fax, very good question you ask, I like that.
I ran the test as per your request and you are not going to like what I found: basically turning OFF WPS turns it OFF all right, but if you reboot, WPS is back, WTF!! The web interface shows WPS is OFF but it is ON under the hood (you can look for its presence in the beacon packet or through the 'Wash' tool).
And guess what, "the vulnerability of WPS to retrieve the WPA2 key still remains".
It is nice that you, @fax, tried to check for WPS ON/OFF :cool: I am only your hands here.
 
Thanks a lot for checking this! I am afraid I can't do much about it. The only workaround I can suggest, while waiting for the ASUS fix, is to always remember to turn ON/OFF the WPS every time you reboot the router. ;)
 
@zerodegrekelvin

Hi, thanks for testing this out. I have been complaining about this WPS issue for some time now. When I turn it off and reboot my router it's still "ON" when I use WiFi Analyzer. It shows that the WPS on the 5GHz band is still enabled.
Maybe it is time to let ASUS know about this issue since there are others here with the same problem.
So the only workaround here is, as @fax describes, to turn it OFF and ON after every reboot.
 
@fax, WPS is really OFF for the 2.4G radio even after a reboot; the bug seems to be more on the 5G radio. Not pointing a finger at Quantenna here, simply bad integration of 2 different radio vendors.
I tested on both the latest build 5134 and beta build from ASUS.
 
Thanks for sharing this problem. Did they prohibit sharing the private firmware they sent you?
@satamusic, they did not specifically tell me not to share that beta firmware, however I feel as a professional engineer the firmware must come from ASUS.
You ping them to let them know I have the fix and you don't; let me ping ASUS on that matter to save you all the trouble with ASUS level-1 support.
 
I got the response from ASUS Product Manager:
Dear Thanh,
Sorry that we haven't put official firmware on website till now, because we want to confirm other functions can work as normal. We'll release the official firmware after verifying.
Sure you can share this beta firmware to your friends for urgent use.
...
So here is the link for RT-AC87U_3.0.0.4b_378_0-g43bd0a4.trx
https://www.asuswebstorage.com/navigate/s/44F6DBE959C44CDEBD8014B0E5FC1E04Y

Cheers!
 
So to turn it off after a reboot you have to go to wireless > 5.0, turn it on > off and hit apply?
Does this apply to the AC3200 as well?
 
Make sure it's actually turned off - the only way one can really tell is to do a wirecap on the beacon frames - WPS is either there or not, regardless of whether it's turned off in the GUI (or the option is not available due to a hidden SSID)...
 
Look for this in the beacon...

[attached image: wps.png]
 
So... let's see now - Asus RT issues that I've seen over the past 4-6 weeks...

1) The weak WPS implementation that started this thread - this needs to be fixed
2) Looking over at the RT3200 and SmartConnect, looks like we have an issue here with WPA2/WPA key rotation - this needs to be fixed
3) There's another thread where Admin passwords over 16 characters will crash the GUI; wonder if this has been fixed yet, as this is a buffer-overflow issue with the www app.cgi, and this should never/ever happen if someone is paying attention.

Seems like lots of development to deploy features, but a poor security mindset...
 
Yeah, I'm glad they stick with their devices and support them for a long time.
 
In the AC3200 if the SSID is hidden, WPS is not available.
Same for RT-AC87U.

But don't do the step 'disable WPS' followed by 'Hide SSID'; the router will stop beaconing as if the radio were turned off? Don't know why. Just do 'Hide SSID' and WPS is kind of OFF: you still see WPS in the beacon, but Locked. If you reboot, then WPS disappears completely from the beacon.
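Both the "look at the beacon frames" advice and the "WPS present but Locked" observation above come down to decoding the WPS vendor IE in a beacon. The following Python is an added example, not code from the thread or from ASUS: it parses a beacon body, finds the Wi-Fi Alliance WPS IE and reports the WPS State and AP Setup Locked attributes, so a defender can verify what the router really advertises after a reboot instead of trusting the GUI. The sample beacons, the SSID and the capability bits are constructed assumptions; the tag numbers and attribute IDs are from the 802.11 and WPS specifications.

```python
import struct

# Tag numbers and attribute IDs from the 802.11 and WPS specifications.
IE_VENDOR = 0xDD
WPS_HEADER = b"\x00\x50\xf2\x04"   # Wi-Fi Alliance OUI 00:50:F2, type 4 = WPS
ATTR_VERSION, ATTR_STATE, ATTR_LOCKED = 0x104A, 0x1044, 0x1057
BEACON_FIXED = 12                  # timestamp(8) + interval(2) + capability(2)

def parse_ies(body):
    """Split the tagged-parameter region of a beacon body into (tag, value) pairs."""
    ies, pos = [], BEACON_FIXED
    while pos + 2 <= len(body):
        tag, length = body[pos], body[pos + 1]
        value = body[pos + 2:pos + 2 + length]
        if len(value) != length:   # truncated frame: stop rather than misparse
            break
        ies.append((tag, value))
        pos += 2 + length
    return ies

def parse_wps_attrs(payload):
    """Decode the big-endian TLV attribute list inside a WPS vendor IE."""
    attrs, pos = {}, 0
    while pos + 4 <= len(payload):
        atype, alen = struct.unpack(">HH", payload[pos:pos + 4])
        attrs[atype] = payload[pos + 4:pos + 4 + alen]
        pos += 4 + alen
    return attrs

def wps_status(body):
    """Report whether a beacon advertises WPS and, if so, its state and lock flag."""
    for tag, value in parse_ies(body):
        if tag == IE_VENDOR and value.startswith(WPS_HEADER):
            attrs = parse_wps_attrs(value[len(WPS_HEADER):])
            state = attrs.get(ATTR_STATE, b"\x00")[0]
            return {"present": True,
                    "state": {1: "not configured", 2: "configured"}.get(state, "unknown"),
                    "locked": attrs.get(ATTR_LOCKED, b"\x00")[0] == 1}
    return {"present": False}

def constructed_beacon(wps=False, locked=False):
    """Minimal beacon body built for this example (constructed, not a real capture)."""
    ie = lambda tag, val: bytes([tag, len(val)]) + val
    attr = lambda atype, val: struct.pack(">HH", atype, len(val)) + val
    body = b"\x00" * 8 + struct.pack("<HH", 100, 0x0411)   # timestamp, interval, capability
    body += ie(0x00, b"ASUS_5G") + ie(0x01, b"\x8c\x12\x98\x24")  # SSID, supported rates
    if wps:   # version 1.0, state "configured", optional AP Setup Locked flag
        attrs = attr(ATTR_VERSION, b"\x10") + attr(ATTR_STATE, b"\x02")
        body += ie(IE_VENDOR, WPS_HEADER + attrs + (attr(ATTR_LOCKED, b"\x01") if locked else b""))
    return body
```

To run it against a real capture, feed `wps_status` the beacon frame body (everything after the 24-byte 802.11 header) exported from your sniffer; a "locked" result matches the Hide-SSID behaviour described above, while "present": False is the only state that means WPS is really gone.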
 