zerodegrekelvin
Regular Contributor
Dear ASUS RT-AC87 fans,
I saw a lot of traction for this router in this forum, so I am posting my findings here and at https://t.co/WtpeI4zLzE
I found a flaw in the WPS implementation of the ASUS RT-AC87U 802.11ac Wave 2 router about a month ago, and I reported the problem to ASUS and Quantenna. You can look at my finding in a poorly made YouTube video at https://t.co/WtpeI4zLzE that demonstrates how WPA2 is compromised via the WPS PIN.
Using the reaver tool, you can crack the WPA2 key with the first WPS PIN reaver sends to the router, i.e. PIN 12345670.
It is very easy to crack: just change any preshared key, apply the change and run reaver; it will succeed on the first attempt, as reaver uses PIN 12345670 as the first PIN!!
So every time you change the key, you are vulnerable!
I often run basic audits on commercial Wi-Fi devices on my own initiative, and it is also a fun learning experience. I found that, using the tool 'reaver' to brute force the WPS PIN, the ASUS AC87 gives away the WPA2-PSK key on the first attempt, when 'reaver' sends the PIN '12345670'.
I found that if you just change the WPA2-PSK key, as you would when configuring the router for the first time, the PIN '12345670' works all the time. This is a nightmare case because this is what a typical user would do: every time you change the key and run reaver right after, it seems the router authenticates '12345670' instead of the "hard coded configured" WPS PIN in the router.
Unfortunately, the first PIN sent by reaver to brute force the WPS PIN is '12345670'!
If you reboot or power cycle the router then you are safe: the router will use only the "hard coded WPS PIN", which is not '12345670', and will lock WPS after 3 attempts, which is what all vendors do to mitigate the WPS PIN attack.
On the ASUS AC87 the 2.4 GHz radio is OK regarding WPS mitigation, that is, after 3 attempts WPS is locked until reboot.
The ASUS RT-AC87U uses 2 chipset vendors; it is the 5 GHz radio that has the bug. The FCC ID of the router is MSQ-RTAC87U; you guys can figure out who is who in the FCC report.
I have upgraded the ASUS firmware to the latest version, dated April 23, 2015, 3.0.0.4.378_5134, and the problem persists.
Last Friday, April 24, 2015, ASUS gave me a private firmware that fixed the WPS issue; however, that fix is not yet available to the public. I don't know what ASUS is waiting for to put that firmware on their support site.
During the past month, I tried to raise awareness of this bug by first publishing on LinkedIn, Twitter and YouTube; I even alerted the CERT. Only last week did some manager from ASUS respond to my bug. So far so good, as they gave me a fix, but not you, so ask them about this bug.
So please, if you can reproduce this bug, add your comments.
@zerodegrekelvin
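The WPS PIN arithmetic behind the attack described in the post above, as an added example that is not part of the original post and is not ASUS, Quantenna or reaver code. It shows why reaver's first candidate, 12345670, is a checksum-valid WPS PIN, why the split brute force needs at most 10^4 + 10^3 attempts, and how a 3-attempt lockout stops it. `SimulatedAP` is a constructed toy model of the two states the post reports (12345670 accepted right after "Apply" until reboot; only the configured PIN accepted, with lockout, after reboot); the flag `stale_default_active`, the PIN 87654325 and the PSK string are assumptions made for the example, not anything observed in the router's firmware.

```python
"""WPS PIN checksum, reaver-style split brute force, and a toy registrar model."""

REAVER_FIRST_PIN = "12345670"  # the first PIN reaver tries, per the post


def wps_checksum(first7: int) -> int:
    """Checksum digit for a 7-digit PIN body (WSC spec: weights 3,1,3,1,3,1,3)."""
    accum = 0
    for i, digit in enumerate(f"{first7:07d}"):
        accum += (3 if i % 2 == 0 else 1) * int(digit)
    return (10 - accum % 10) % 10


def is_valid_pin(pin: str) -> bool:
    """True if the 8-digit PIN ends in the correct checksum digit."""
    return len(pin) == 8 and pin.isdigit() and int(pin[7]) == wps_checksum(int(pin[:7]))


class SimulatedAP:
    """Toy WPS registrar (constructed for this example, not router firmware).

    `configured_pin` is the 'hard coded' PIN.  `stale_default_active` models the
    reported post-'Apply' state in which 12345670 is also accepted until reboot.
    `max_failures=None` disables lockout so the full search length can be shown.
    """

    def __init__(self, configured_pin: str, psk: str, max_failures=3):
        assert is_valid_pin(configured_pin)
        self.configured_pin, self.psk, self.max_failures = configured_pin, psk, max_failures
        self.failures = 0
        self.stale_default_active = False

    def apply_psk_change(self, new_psk: str) -> None:
        self.psk = new_psk
        self.stale_default_active = True  # modelled bug: default PIN now accepted

    def reboot(self) -> None:
        self.failures = 0
        self.stale_default_active = False  # modelled fix-by-reboot from the post

    def try_pin(self, pin: str):
        """Return ('locked'|'M4'|'M6'|'ok', psk_or_None) like a WPS exchange."""
        if self.max_failures is not None and self.failures >= self.max_failures:
            return "locked", None
        accepted = {self.configured_pin}
        if self.stale_default_active:
            accepted.add(REAVER_FIRST_PIN)
        if not any(pin[:4] == a[:4] for a in accepted):
            self.failures += 1
            return "M4", None  # first half wrong (NACK after M4)
        if pin in accepted:
            return "ok", self.psk  # M7 leaks the WPA2-PSK
        self.failures += 1
        return "M6", None  # first half right, second half wrong (NACK after M6)


def reaver_attack(ap: SimulatedAP):
    """Split brute force: 10^4 first halves, then 10^3 second halves + checksum.

    Returns (pin, attempts) on success or (None, attempts) if locked/exhausted.
    """
    attempts = 0
    first_halves = ["1234"] + [f"{i:04d}" for i in range(10000) if i != 1234]
    found = None
    for fh in first_halves:
        tail = "567" if fh == "1234" else "000"  # "1234"+"567"+chk == 12345670
        pin = fh + tail + str(wps_checksum(int(fh + tail)))
        attempts += 1
        status, psk = ap.try_pin(pin)
        if status == "ok":
            return pin, attempts
        if status == "locked":
            return None, attempts
        if status == "M6":
            found = fh
            break
    if found is None:
        return None, attempts
    for j in range(1000):
        body = found + f"{j:03d}"
        pin = body + str(wps_checksum(int(body)))
        attempts += 1
        status, psk = ap.try_pin(pin)
        if status == "ok":
            return pin, attempts
        if status == "locked":
            return None, attempts
    return None, attempts


if __name__ == "__main__":
    ap = SimulatedAP("87654325", "old-psk")       # assumed PIN and PSK
    ap.apply_psk_change("new-psk")                 # the post's 'Apply' step
    print("after Apply:", reaver_attack(ap))       # succeeds on attempt 1
    ap.reboot()
    print("after reboot:", reaver_attack(ap))      # locked after 3 failures
```

The first scenario reproduces the post's observation (the first PIN wins), the second shows the lockout that the post says the rebooted router and the 2.4 GHz radio apply; constructing the AP with `max_failures=None` shows how many attempts the split search would need against a registrar with no lockout at all.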