yes sir

> You mean the Node is doing the WPS procedure all the time?
> Sent from my ASUS_Z012DA using Tapatalk
exactamundo yes
> yes sir
Strangely. Will check.

> yes sir
How do you clarify that the WPS procedure is always proceeding?
> OK, you are right in the sense that one is a function and one is a security issue, but:
> KRACK vulnerability = ability to sniff packets on a single client, and we agree it was fixed
> WPS vulnerability = ability to sniff the entire network, NOT FIXED and left ON on the node side
> IN MY mind these are both security issues
This is exactly the issue here. I apologize that I even brought anything other than WPS into this, as it seems to have confused the matter. Let's all forget about KRACK and just focus on WPS.
The problem is WPS is on for all nodes regardless of whether it is off at the router or not. That is a problem, as WPS being on is a known security risk. Pretty much everyone under the sun suggests turning WPS off for this very reason, and most security experts would question why it still even exists as a standard.
Bottom line: we need to be able to turn off WPS on our nodes to close this security gap in the existing AiMesh setup/firmware. I would like @arthurlien to confirm that this will be looked at and worked on and eventually patched, as leaving it open is a vulnerability, and it is not something we, as end users, can currently close (at least not from the GUI/settings for the router).

> Bottom line: we need to be able to turn off WPS on our nodes to close this security gap in the existing AiMesh setup/firmware.
One question for WPS ON: how do you know that WPS is ON? UI, or capturing the packets with WiFi sniffer tools?
> One question for WPS ON: how do you know that WPS is ON? UI, or capturing the packets with WiFi sniffer tools?
> Sent from my ASUS_Z012DA using Tapatalk
I use the WiFiAnalyzer app on my phone.
> One question for WPS ON: how do you know that WPS is ON? UI, or capturing the packets with WiFi sniffer tools?
> Sent from my ASUS_Z012DA using Tapatalk
This is my WiFi analyzer. It clearly shows WPS enabled on the 2.4 GHz band for the node. I have it disabled on both bands in the router. Additionally, @dabears has said he is seeing the same, and has successfully been able to connect to WPS on his node, despite WPS being disabled on the router.
> I tried the suggestion of logging in to my node and entering
> nvram set wps_enable=0
> nvram commit
> It worked for my 5G band (RT-AC68P) but it is still on for 2.4 GHz. Is there another nvram setting? I ran nvram show | grep wps and got dozens of wps settings, but I've no clue which to try.
> BTW, will this persist over a node (or router) reboot? I can reboot my network till this evening to experiment.
> Update: Oops, it seems quad verified 2.4G as our posts crossed.
There is at least one more. I haven't had time to really look at it, but I would suspect one property per band, since you can turn WPS on/off per band. Try nvram show | grep wps_enable; it will limit the results more.
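Narrowing the dozens of `nvram show | grep wps` hits down to the entries that actually switch WPS, and checking every radio rather than just one, is what the exchange above is groping for. The script below is an added example, not code from the thread or from Asus: it parses a copied `nvram show` dump (for instance `ssh admin@node nvram show > node.txt`, username assumed) and prints the `nvram set` lines to paste back on the node. Only `wps_enable` is confirmed by the posts; `wps_enable_x` and the per-radio `wl<N>_wps_mode=enabled|disabled` names are assumptions about Asuswrt, so compare them with your own `nvram show | grep wps` output before applying anything. The dump at the bottom is constructed to mirror the poster's situation (5 GHz off, 2.4 GHz still on).

```python
"""Audit an Asuswrt `nvram show` dump for WPS switches that are still on, per radio.

Added example, not from the thread or Asus.  Only `wps_enable` is confirmed by
the thread; `wps_enable_x` and `wl<N>_wps_mode` are assumed names, check them
against `nvram show | grep wps` on your own node first.
"""
import re
import sys

# Keys treated as WPS on/off switches.  Global form: wps_enable / wps_enable_x
# (1 = on).  Per-radio form (assumed): wl0_wps_mode, wl1_wps_mode, ... with the
# value "enabled" or "disabled".  On the usual Asuswrt numbering wl0 is 2.4 GHz.
GLOBAL_SWITCH = re.compile(r"^wps_enable(_x)?$")
RADIO_SWITCH = re.compile(r"^wl(?P<radio>\d+)_wps_mode$")


def parse_dump(text):
    """Turn `nvram show` output (key=value lines) into a dict, skipping status lines."""
    settings = {}
    for line in text.splitlines():
        if "=" not in line:          # e.g. the 'size: ... bytes' line nvram prints
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def wps_switches_on(settings):
    """Return {key: value} for every switch whose value leaves WPS on."""
    on = {}
    for key, value in settings.items():
        if GLOBAL_SWITCH.match(key) and value == "1":
            on[key] = value
        elif RADIO_SWITCH.match(key) and value.lower() == "enabled":
            on[key] = value
    return on


def radios_with_wps(settings):
    """Radio indexes (0, 1, ...) whose per-radio switch is still on."""
    return sorted(int(RADIO_SWITCH.match(k)["radio"])
                  for k in wps_switches_on(settings) if RADIO_SWITCH.match(k))


def disable_commands(on):
    """Shell lines to paste on the node that turn the listed switches off."""
    cmds = []
    for key in sorted(on):
        new_value = "disabled" if RADIO_SWITCH.match(key) else "0"
        cmds.append(f"nvram set {key}={new_value}")
    if cmds:
        cmds.append("nvram commit")
    return cmds


# Constructed sample dump (not a real capture): global switch already 0, second
# radio off, first radio (2.4 GHz under the usual numbering) still enabled.
SAMPLE_DUMP = """size: 60000 bytes (5536 left)
wps_enable=0
wps_enable_x=1
wl0_ssid=AiMesh-Home
wl0_wps_mode=enabled
wl1_wps_mode=disabled
wps_device_name=RT-AC68P
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DUMP
    still_on = wps_switches_on(parse_dump(text))
    if not still_on:
        print("no WPS switch is on in this dump")
    else:
        for key, value in sorted(still_on.items()):
            print(f"still on: {key}={value}")
        print("\n".join(disable_commands(still_on)))
```

After running the emitted lines and `nvram commit`, take a fresh dump and audit it again, and repeat after the next reboot: whether a node keeps a hand-set value across a reboot or an AiMesh configuration push is exactly the open question in the post above, so the audit, not the commit, is the proof.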
> This is my WiFi analyzer. It clearly shows WPS enabled on the 2.4 GHz band for the node. I have it disabled on both bands in the router. Additionally, @dabears has said he is seeing the same, and has successfully been able to connect to WPS on his node, despite WPS being disabled on the router.
> To be clear...
> I want to ensure WPS is shut off for all bands on all nodes/routers.
> - WPS is disabled for both bands on my router.
> - WPS is disabled for my node's 5 GHz band.
> - WPS is active for my node's 2.4 GHz band.
Could you tell me the app name?
> Could you tell me the app name?
> Sent from my ASUS_Z012DA using Tapatalk
https://play.google.com/store/apps/details?id=com.farproc.wifi.analyzer
> There's a difference between "WPS is on/active" and "WPS is supported".
> AFAIK, the end user has to manually press the WPS button for WPS to start accepting new clients, during a limited time period.
> Are you able to connect over WPS without pressing the button on your router? If not, then you are not at risk.
> A lot of the security concerns about WPS are based on old, vulnerable implementations. Modern WPS implementations are not as insecure any longer.
You're obviously far more of an expert than I, but I've never known the insecurity of WPS to only be a threat if the WPS was open/the button was pressed. If that was the case, the only way to exploit it would be to have physical access to the router (which in most cases significantly reduces the risk). My (weak) understanding is that if WPS is enabled, it can be brute forced (and possibly other methods) to expose the wifi password.
> There's a difference between "WPS is on/active" and "WPS is supported".
> AFAIK, the end user has to manually press the WPS button for WPS to start accepting new clients, during a limited time period.
> Are you able to connect over WPS without pressing the button on your router? If not, then you are not at risk.
> A lot of the security concerns about WPS are based on old, vulnerable implementations. Modern WPS implementations are not as insecure any longer.
Good to know. I've never researched this WPS "issue". But I hardly ever use WPS. Only saves a few seconds. So I'll just leave it off for now.
> It depends on the implementation. Some devices indeed do accept WPS connection attempts all the time, without requiring the press of the WPS button, and without implementing any brute-force protection either to protect PIN-based connection.
I'd assume you're correct (for multiple reasons), but it would be nice to either get a confirmation from @arthurlien or to just close it up. The latter would be preferred, because if I set it to off, it should be off on all the nodes. Period. There shouldn't be a need to guess the actual status or to have to manually crawl into and tweak the settings.

> I haven't looked at it in years, but from what I remember, Asuswrt can be told to allow either button-based WPS or PIN-based WPS, with the latter having some brute-force protection measures in place (at least, the source code comments do contain extended notes relative to brute-force protection). Ultimately though, wps_monitor is closed source, so only Broadcom would know for sure how safe (or not) their implementation is.
All that said, since I've never used WPS for anything and only really know about it in concept, it would appear Asus is PIN based, as I see the attached in my GUI. Am I correct in saying that, based on your analysis, there is some protection built in (though how much is unclear)?
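The "supported" versus "active" distinction, and the PIN versus push-button question, can both be read straight out of a beacon, which is also all a scanner app like WiFiAnalyzer has to go on. The decoder below is an added example, not code from the thread, from WiFiAnalyzer or from Asus, and it goes a little beyond the posts by decoding the whole element rather than just flagging its presence. Layout follows the Wi-Fi Simple Configuration specification: a vendor-specific IE (tag 0xDD) carrying OUI 00:50:F2 with type 0x04 marks the network as WPS-capable; the Selected Registrar attribute is set only while a push-button or PIN session is open; Device Password ID says which of the two; and AP Setup Locked is the flag an AP raises once it stops accepting PIN attempts, the brute-force protection referred to above. The three beacons are constructed by hand, not captured from a node.

```python
"""Decode the WPS (WSC) information element from 802.11 beacon tagged parameters.

Added example, not from the thread, WiFiAnalyzer or Asus.  Attribute IDs and
layouts are those of the Wi-Fi Simple Configuration spec; sample beacons are
constructed, not captured.
"""
import struct

WSC_OUI_TYPE = b"\x00\x50\xf2\x04"   # vendor-specific IE payload: OUI 00:50:F2, type 4 = WSC

ATTR_VERSION = 0x104A
ATTR_WPS_STATE = 0x1044              # 1 = not configured, 2 = configured
ATTR_SELECTED_REGISTRAR = 0x1041     # 1 only while a registrar session is open
ATTR_DEVICE_PASSWORD_ID = 0x1012     # 0x0000 = PIN (default), 0x0004 = push button
ATTR_AP_SETUP_LOCKED = 0x1057        # 1 = AP refuses further PIN attempts
ATTR_SEL_REG_CONFIG_METHODS = 0x1053
ATTR_CONFIG_METHODS = 0x1008

CONFIG_METHOD_BITS = {0x0004: "label", 0x0008: "display",
                      0x0080: "push_button", 0x0100: "keypad"}


def iter_ies(tagged):
    """Yield (tag, value) for each 802.11 IE (1-byte tag, 1-byte length, value)."""
    off = 0
    while off + 2 <= len(tagged):
        tag, length = tagged[off], tagged[off + 1]
        value = tagged[off + 2:off + 2 + length]
        if len(value) < length:
            raise ValueError("truncated IE at offset %d" % off)
        yield tag, value
        off += 2 + length


def parse_wsc_attrs(body):
    """Parse WSC TLVs (big-endian 2-byte type, 2-byte length, value) into {type: value}."""
    attrs, off = {}, 0
    while off + 4 <= len(body):
        atype, alen = struct.unpack(">HH", body[off:off + 4])
        value = body[off + 4:off + 4 + alen]
        if len(value) < alen:
            raise ValueError("truncated WSC attribute 0x%04x" % atype)
        attrs[atype] = value
        off += 4 + alen
    return attrs


def wps_status(tagged):
    """Summarise what the beacon advertises about WPS, the way a scanner app would."""
    attrs = None
    for tag, value in iter_ies(tagged):
        if tag == 0xDD and value.startswith(WSC_OUI_TYPE):
            attrs = parse_wsc_attrs(value[len(WSC_OUI_TYPE):])
            break
    if attrs is None:
        return {"supported": False}          # no WSC IE: WPS not advertised at all

    def u8(atype):
        return attrs[atype][0] if atype in attrs else None

    def u16(atype):
        return struct.unpack(">H", attrs[atype])[0] if atype in attrs else None

    methods = u16(ATTR_CONFIG_METHODS) or 0
    return {
        "supported": True,                                   # what WiFiAnalyzer shows as "WPS"
        "configured": u8(ATTR_WPS_STATE) == 2,
        "active": u8(ATTR_SELECTED_REGISTRAR) == 1,          # accepting enrollees right now
        "push_button_session": u16(ATTR_DEVICE_PASSWORD_ID) == 0x0004,
        "ap_setup_locked": u8(ATTR_AP_SETUP_LOCKED) == 1,    # PIN lockout engaged
        "config_methods": sorted(n for b, n in CONFIG_METHOD_BITS.items() if methods & b),
    }


def _attr(atype, value):
    return struct.pack(">HH", atype, len(value)) + value


def _wsc_ie(*attrs):
    body = WSC_OUI_TYPE + b"".join(attrs)
    return bytes([0xDD, len(body)]) + body


# Constructed tagged-parameter blobs: SSID + supported rates + optional WSC IE.
SSID_IE = bytes([0x00, 4]) + b"mesh"
RATES_IE = bytes([0x01, 1, 0x82])
COMMON = [_attr(ATTR_VERSION, b"\x10"), _attr(ATTR_WPS_STATE, b"\x02"),
          _attr(ATTR_CONFIG_METHODS, struct.pack(">H", 0x0080 | 0x0100))]

# A node that merely advertises WPS support: "supported", not "active".
BEACON_WPS_IDLE = SSID_IE + RATES_IE + _wsc_ie(*COMMON)
# The same node while its push-button window is open.
BEACON_WPS_PBC = SSID_IE + RATES_IE + _wsc_ie(
    *COMMON,
    _attr(ATTR_SELECTED_REGISTRAR, b"\x01"),
    _attr(ATTR_DEVICE_PASSWORD_ID, struct.pack(">H", 0x0004)),
    _attr(ATTR_SEL_REG_CONFIG_METHODS, struct.pack(">H", 0x0080)),
)
# A router with WPS switched off: no WSC IE at all.
BEACON_NO_WPS = SSID_IE + RATES_IE

if __name__ == "__main__":
    for name, blob in [("no WPS", BEACON_NO_WPS), ("WPS idle", BEACON_WPS_IDLE),
                       ("WPS PBC window", BEACON_WPS_PBC)]:
        print(name, wps_status(blob))
```

To run it on a real beacon, pass the tagged parameters of the frame body (everything after the 12 fixed bytes of timestamp, beacon interval and capability) from a monitor-mode capture. A node that WiFiAnalyzer marks as "WPS" will come back as supported but not active; what the beacon cannot tell you is whether the node still answers PIN-based registration requests when no session is open, which is the implementation-dependent behaviour discussed above and has to be tested against the node itself.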
> I agree that if possible, WPS should simply be kept disabled for best security. It depends however on whether AiMesh relies on the WPS mechanism for its own use, something only Asus's engineers would know (and they might not be willing to share too much information there, to protect their IP).
> Note that this is currently the Lunar New Year holiday in Taiwan, so you might not get an answer for a while.
Well, @arthurlien has not stated that it is necessary, so unless they were hiding this fact, then I assume it's not actually necessary for the mesh to work. If it *is* necessary, they really shouldn't hide that fact because a) apparently even a dummy like myself can quickly tell it's on, b) it is a security threat that people should be fully aware of, and c) it goes completely counter to the manual user settings (i.e., it doesn't give the behavior a user would expect, thus looks like a bug).