What's new

ASUS RT-AC87U WPA2 key cracked in 2 seconds

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

and people give me hell for railing against having embedded web servers and other services on what should be a bullwark of security in a SOHO network.

D-Link folks might not like this - this is what happens when a determined Firmware Engineer starts stepping thru code...

http://www.devttys0.com/2015/04/hacking-the-d-link-dir-890l/

sfx
Thanks for the link to devttys0, he wrote "binwalk" cool, I will give it a try, I use IDA :cool:
 
:cool: but of course I am not breaking WPA2 key, I let that privilege to the NSA. Also there is another tool similar to reaver, it is 'bully', and I was lucky with the WPS pin, nonetheless I found the vulnerability.

nice catch in any event... but everything is eventually vulnerable with a determined attacked - it's all about finding an edge to peel up. Security engineers do this all the time...

The true test - not running pre-canned scripts... Reaver is well known... find something truly exploitable that isn't something that is already known.

To the rest of the community - don't expose yourself uneededly, and assume that for everything you add to your AP/Router, there's likely a problem that can, and at some point, will expose anything connected to it directly, and perhaps the rest of your network...

sfx
 
So please if you can reproduce this bug, add your comments.

@zerodegrekelvin
Have you tested it with WPS OFF? I see reports in which you turn OFF WPS, you reboot the router and after reboot the WPS on 5Ghz is still ON. Can you check with Reaver if this is really the case? As it can be even a more serious issue if you can't fully turn OFF the WPS. I can't testing it currently as the system I am using just crash with reaver (wifi card driver issues).
 
Have you tested it with WPS OFF? I see reports in which you turn OFF WPS, you reboot the router and after reboot the WPS on 5Ghz is still ON. Can you check with Reaver if this is really the case? As it can be even a more serious issue if you can't fully turn OFF the WPS. I can't testing it currently as the system I am using just crash with reaver (wifi card driver issues).
@fax, very good question you ask, I like that.
I ran the test as per your request and you are not going to like what I found, basically turn OFF WPS turn it OFF alright, but if you reboot, WPS is back, WTF!! the web interface shows WPS is OFF but it is ON under the hood (you can look for its presence in beacon packet or thru 'Wash' tool).
And guess what, "the vulnerability of WPS to retrieve WPA2 key still remain".
It is nice that @fax you tried to check for WPS ON/OFF :cool: I am only your hands here.
 
Thanks a lot for checking this! I am afraid I can't do much about it. The only workaround I can suggest, waiting for ASUS fix, is to always remember to turn ON/OFF the WPS everytime you reboot the router. ;)
 
@zerodegrekelvin

Hi, thanks for testing this out. I have been complaining about this WPS issue for some time now. When i turn if off and reboot my router it's still "ON" when i use WiFi Analyzer. It shows that the WPS on 5Ghz band is still enable.
Maybe is time to let ASUS know about his issue since there are other here with same problem.
So the only workaround here is like @fax describing, turn it OFF and ON after every reboot.
 
Thanks a lot for checking this! I am afraid I can't do much about it. The only workaround I can suggest, waiting for ASUS fix, is to always remember to turn ON/OFF the WPS everytime you reboot the router. ;)
@fax, WPS is really OFF for radio2.4G even after reboot, the bug seems to be more of radio5G, not pointing finger at Quantenna here, simply bad integration of 2 different radio vendors.
I tested on both the latest build 5134 and beta build from ASUS.
 
thanks for sharing this problem. did they prohibit sharing the private firmware they sent you?
@satamusic , they did not specifically tell me to not sharing that beta firmware, however I feel as a professional engineer the firmware must come from ASUS.
You ping them to let them know I have the fix and you don't, let me ping ASUS on that matter to save you all the trouble with ASUS level-1 support.
 
@satamusic , they did not specifically tell me to not sharing that beta firmware, however I feel as a professional engineer the firmware must come from ASUS.
You ping them to let them know I have the fix and you don't, let me ping ASUS on that matter to save you all the trouble with ASUS level-1 support.
I got the response from ASUS Product Manager:
Dear Thanh,
Sorry that we haven't put official firmware on website till now, because we want to confirm other functions can work as normal. We'll release the official firmware after verifying.
Sure you can share this beta firmware to your friends for urgent use.
...
So here is the link for RT-AC87U_3.0.0.4b_378_0-g43bd0a4.trx
https://www.asuswebstorage.com/navigate/s/44F6DBE959C44CDEBD8014B0E5FC1E04Y

Cheers!
 
@fax, very good question you ask, I like that.
I ran the test as per your request and you are not going to like what I found, basically turn OFF WPS turn it OFF alright, but if you reboot, WPS is back, WTF!! the web interface shows WPS is OFF but it is ON under the hood (you can look for its presence in beacon packet or thru 'Wash' tool).
And guess what, "the vulnerability of WPS to retrieve WPA2 key still remain".
It is nice that @fax you tried to check for WPS ON/OFF :cool: I am only your hands here.
S0 to turn it off after reboot you have to go to wireless >5.0 and turn it on >off and hit apply ?
Does this apply to the AC 3200 as well ?
 
Make sure it's actually turned off - the only way one can really tell is to do a wirecap on the beacon frames - WPS is either there or not.. just because it's turned off in the GUI.. (or option not available due to hidden SSID)...
 
Look for this in the beacon...

wps.png
 
So... let's see now - Asus RT issues that I've seen over the past 4-6 weeks...

1) The weak WPS implementation that started this thread - this needs to be fixed
2) Looking over at the RT3200 and SmartConnect, looks like we have an issue here with WPA2/WPA key rotation - this needs to be fixed
3) There's another thread where Admin passwords over 16 chari will crash the GUI, wonder if this has been fixed yet, as this is a buffer-overflow issue with the www app.cgi, this should never/ever happen if someone it paying attention.

Seems like lots of development to deploy features, but a poor security mindset...
 
So... let's see now - Asus RT issues that I've seen over the past 4-6 weeks...

1) The weak WPS implementation that started this thread - this needs to be fixed
2) Looking over at the RT3200 and SmartConnect, looks like we have an issue here with WPA2/WPA key rotation - this needs to be fixed
3) There's another thread where Admin passwords over 16 chari will crash the GUI, wonder if this has been fixed yet, as this is a buffer-overflow issue with the www app.cgi, this should never/ever happen if someone it paying attention.

Seems like lots of development to deploy features, but a poor security mindset...
Yeah, I'm glad they stick with their devices and support them for a long time.
 
In the AC3200 if the SSID is hidden, WPS is not available.
Same for RT-AC87U.

But don't do this step 'disable WPS' follow by 'Hide SSID', the router will stop beaconing as radio is turn off? don't know why. Just do 'Hide SSID' and WPS is kind of OFF, you still see WPS but Locked. If reboot then WPS disappear completely from beacon.
 

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top