What's new

ASUS RT-AC87U WPA2 key cracked in 2 seconds

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

zerodegrekelvin

Regular Contributor
Dear ASUS RT-AC87 fans,

I saw in this forum lots of traction for the router, so I post my findings here and at https://t.co/WtpeI4zLzE

I found a flaw in the WPS implementation of the ASUS RT-AC87U 802.11ac Wave2 router about a month ago, I reported the problem to ASUS and Quantenna. You can look at my finding in a poorly made Youtube at https://t.co/WtpeI4zLzE to demonstrate how the WPA2 is compromised by WPS pin.

Using reaver tool, you can crack the WPA2 key with the first WPS pin reaver sends to the router, i.e. pin 12345670.
Very easy to crack, just change any preshared key, Apply the change and go to reaver, it will succeed on the first attempt as reaver used pin 12345670 as the first pin!!

So everytime you change the key, you are vulnerable!

I often run basic audit on commercial wifi devices only by my own initiative, and it is also fun learning experience. I found by using the tool 'reaver' to brute force WPS pin, the ASUS AC87 gives away the WPA2-PSK key on the first attempt 'reaver' sends the pin of '12345670' .
I found if you just change the WPA2-PSK key like you would when you configure the first time the router, the pin '12345670' works all the time, this is a nightmare case because this is what a typical user would do, so every time you change the key and right after run reaver, it seems the router authenticate '12345670' instead of the "hard coded configured" WPS pin in the router.

Unfortunately, the first pin sends by reaver is '12345670' brute force the WPS pin!
If you reboot or power cycle the router then you are safe, the router would use only the "hard coded WPS pin" that is not '12345670', the router would lock WPS after 3 attempts, this is what all the vendors do to mitigate WPS pin attack.
On the ASUS AC87 radio2.4 is ok regarding WPS mitigation, that is after 3 attempts WPS is lock until reboot.

The ASUS RT-AC87U uses 2 chipset vendors, it is the 5Ghz radio that has the bug. FCCID of the router is MSQ-RTAC87U, you guy figure out who is who in the FCC report.

I have upgraded ASUS firmware to the latest version date April 23, 2015 3.0.0.4.378_5134 and problem persists.

Last Friday April 24,2015, ASUS gave me an private firmware that fixed the WPS issue, however that fix is not yet available for public, I don't know what ASUS is waiting after to put that firmware on their support site.

During the past month, I tried to raise the awareness of this bug by first publishing in Linkedin, Twitter and Youtube, I even alert the CERT, only last week some manager from ASUS responded to my bug, so far so good as they gave me a fixe but not to you, so ask them about this bug.

So please if you can reproduce this bug, add your comments.

@zerodegrekelvin
 
Anyone with access to a Netgear R7500 who could try the same test? They also use the same Quantenna chip as Asus, they use a slightly older SDK (unless it was updated since last time I checked, a few weeks ago). There's a good chance it has the same vulnerability.

Another "great" week for home router security it seems, with the TP-Link/DLink issue published yesterday.
 
I guess I'm from the old school (?) I've never used WPS and keep it disabled on my router.
Hopefully ASUS will fix this though with their next release.
 
So disable WPS? Welcome to 2005. :)

Thanks for reminding me why I don't use it. I made the decision a long time ago.
 
Are you referring to this?

That's the one.

I lost track of the number of security issues revealed in the past 2 years that were specific to home routers (that means excluding the Poodle/Shellshock/other generic issues that also affected some of them). DLink's backdoors, Asus's infosvr, and so on...
 
Nope! D-link issue is different, it is about remote execution of code.
The one I presented here is about WPA2 WPS vulnerability.

I think Tim meant the issue I was referring to in my reply.
 
I guess I'm from the old school (?) I've never used WPS and keep it disabled on my router.
Hopefully ASUS will fix this though with their next release.

Exactly! I am doing the same. The old school (I am 54) is always paranoid. And this is a point of discussion between me and my daughter. Even she is going to graduate Computer Science it seems to be that she don't care about. May be this is normal for the "Facebook generation" :)
 
I guess I'm from the old school (?) I've never used WPS and keep it disabled on my router.
Hopefully ASUS will fix this though with their next release.
Same here , from day one I stated WPS was not secure , I always turn it off .
 
Exactly! I am doing the same. The old school (I am 54) is always paranoid. And this is a point of discussion between me and my daughter. Even she is going to graduate Computer Science it seems to be that she don't care about. May be this is normal for the "Facebook generation" :)
The problem is you are old school :cool:, I am old school and totally against the stupidity of WPS, how ever we only represent a super small group of people "techies nerd", the rest of the population they just buy the router and use it as is, the worse thing is they don't even know what the :cool: WPS switch is used for!
 
The problem is you are old school :cool:, I am old school and totally against the stupidity of WPS, how ever we only represent a super small group of people "techies nerd", the rest of the population they just buy the router and use it as is, the worse thing is they don't even know what the :cool: WPS switch is used for!

Maybe the new generation is so well protected from paranoid techs like us that it doesn't even occur to them that this stuff can be set up poorly.
 
Can you
The problem is you are old school :cool:, I am old school and totally against the stupidity of WPS, how ever we only represent a super small group of people "techies nerd", the rest of the population they just buy the router and use it as is, the worse thing is they don't even know what the :cool: WPS switch is used for!

Can you please link the fixed firmware so we all can be protected?

CC
 
So disable WPS? Welcome to 2005. :)

Thanks for reminding me why I don't use it. I made the decision a long time ago.
Problem with that is if I turn WPS off it keeps enabled on 5Ghz band...

Replied through TapaTalk
 
That's the bigger challenge - WPS is a security concern, and the last time that Reaver showed up, it was one, limited code-sets, and two, many devices didn't actually turn it off which left the hole open.

Friends don't let friends use WPS.

the OP isn't breaking WPA2/PSK, he's breaking a weak WPS implementation...
 
That's the one.

I lost track of the number of security issues revealed in the past 2 years that were specific to home routers (that means excluding the Poodle/Shellshock/other generic issues that also affected some of them). DLink's backdoors, Asus's infosvr, and so on...

and people give me hell for railing against having embedded web servers and other services on what should be a bullwark of security in a SOHO network.

D-Link folks might not like this - this is what happens when a determined Firmware Engineer starts stepping thru code...

http://www.devttys0.com/2015/04/hacking-the-d-link-dir-890l/

sfx
 
Can you


Can you please link the fixed firmware so we all can be protected?

CC
Hi CC!
I prefer you get the firmware from ASUS officially from their support site. I already told them the beta they gave me fixed the bug. You bug them, after all it is their bug. It feels more legit and fair that way for everybody, the customers and the vendor.
 
That's the bigger challenge - WPS is a security concern, and the last time that Reaver showed up, it was one, limited code-sets, and two, many devices didn't actually turn it off which left the hole open.

Friends don't let friends use WPS.

the OP isn't breaking WPA2/PSK, he's breaking a weak WPS implementation...
:cool: but of course I am not breaking WPA2 key, I let that privilege to the NSA. Also there is another tool similar to reaver, it is 'bully', and I was lucky with the WPS pin, nonetheless I found the vulnerability.
 

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top