[Official Release] AiMesh Firmware v3.0.0.4.384.10007 for All Supported Products

[dabears]

yes sir

You mean the Node is doing wps procedure all the time?

我從使用 Tapatalk 的 ASUS_Z012DA 發送

exactamundo yes

 

[arthurlien]

yes sir

exactamundo yes

Strangely. Will check.

我從使用 Tapatalk 的 ASUS_Z012DA 發送

 

[arthurlien]

yes sir

exactamundo yes

How do you clarify the WPS procedure are always proceeding ?

我從使用 Tapatalk 的 ASUS_Z012DA 發送

 

[Quad80]

OK you are right in the sense one is a function and one is a security but:
Krack vulnerability= ability to sniff packets on a single client and we agree it was fixed
WPS vulnerability = ability to sniff entire network NOT FIXED and left ON on node side
IN MY mind these are both security issues

This is exactly the issue here. I apologize that I even brought anything other than WPS into this, as it seems to have confused the matter. Let's all forget about KRACK and just focus on WPS.

The problem is WPS is on for all nodes regardless if it is off at the router or not. That is a problem, as WPS being on is a known security risk. Pretty much everyone under the sun suggests turning WPS off for this very reason, and most security experts would question why it still even exists as a standard.

Bottom line: we need to be able to turn off WPS on our nodes to close this security gap in the existing AiMesh setup/firmware. I would like @arthurlien to confirm that this will be looked at and worked on and eventually patched, as leaving it open is a vulnerability, and it is not something we, as end users, can currently close (at least not from the GUI/settings for the router).

 

[arthurlien]

This is exactly the issue here. I apologize that I even brought anything other than WPS into this, as it seems to have confused the matter. Let's all forget about KRACK and just focus on WPS.

The problem is WPS is on for all nodes regardless if it is off at the router or not. That is a problem, as WPS being on is a known security risk. Pretty much everyone under the sun suggests turning WPS off for this very reason, and most security experts would question why it still even exists as a standard.

Bottom line: we need to be able to turn off WPS on our nodes to close this security gap in the existing AiMesh setup/firmware. I would like @arthurlien to confirm that this will be looked at and worked on and eventually patched, as leaving it open is a vulnerability, and it is not something we, as end users, can currently close (at least not from the GUI/settings for the router).

One question for WPS ON, how do you know that the WPS is ON? UI or capture the packet by WiFi sniffer tools?

我從使用 Tapatalk 的 ASUS_Z012DA 發送

 

[Ronald Schwerer]

One question for WPS ON, how do you know that the WPS is ON? UI or capture the packet by WiFi sniffer tools?

我從使用 Tapatalk 的 ASUS_Z012DA 發送

I use the WiFiAnalyzer app on my phone.

 

[Quad80]

One question for WPS ON, how do you know that the WPS is ON? UI or capture the packet by WiFi sniffer tools?

我從使用 Tapatalk 的 ASUS_Z012DA 發送

This is my wifi analyzer. It clearly shows WPS enabled on the 2.4 GHz band for the node. I have it disabled on both bands in the router. Additionally, @dabears has said he is seeing the same, and has successfully been able to connect to WPS on his node, despite WPS being disabled on the router.

To be clear...

• WPS is disabled for both bands on my router.
• WPS is disabled for my node's 5 GHz band.
• WPS is active for my node's 2.4 GHz band.

I want to ensure WPS is shut off for all bands on all nodes/routers.

 

[Ronald Schwerer]

I tried the suggestion of logging-in to my node and entering
nvram set wps_enable=0
nvram commit

It worked for my 5G band (RT-AC68P) but it is still on for 2.4Ghz. Is there another nvram setting? I ran nvram show | grep wps and got dozens of wps settings but I've no clue which to try.

BTW, will this persist over a node (or router) reboot? I can reboot my network till this evening to experiment.

Update: Ooopps - seems quad verified 2.4G as our posts crossed.

 

[RandomName23]

I tried the suggestion of logging-in to my node and entering
nvram set wps_enable=0
nvram commit

It worked for my 5G band (RT-AC68P) but it is still on for 2.4Ghz. Is there another nvram setting? I ran nvram show | grep wps and got dozens of wps settings but I've no clue which to try.

BTW, will this persist over a node (or router) reboot? I can reboot my network till this evening to experiment.

Update: Ooopps - seems quad verified 2.4G as our posts crossed.

There is at least one more. I haven't had time to really look at it but I would suspect one property per band since you can turn wps on/off per band. Try nvram show | grep wps_enable it will limit the results more.

wps_enable_x=0

 

[arthurlien]

This is my wifi analyzer. It clearly shows WPS enabled on the 2.4 GHz band for the node. I have it disabled on both bands in the router. Additionally, @dabears has said he is seeing the same, and has successfully been able to connect to WPS on his node, despite WPS being disabled on the router.

To be clear...

• WPS is disabled for both bands on my router.
• WPS is disabled for my node's 5 GHz band.
• WPS is active for my node's 2.4 GHz band.

I want to ensure WPS is shut off for all bands on all nodes/routers.

Could you tell me the APP name ?

我從使用 Tapatalk 的 ASUS_Z012DA 發送

 

[Quad80]

Could you tell me the APP name ?

我從使用 Tapatalk 的 ASUS_Z012DA 發送

https://play.google.com/store/apps/details?id=com.farproc.wifi.analyzer

It's a pretty popular WiFi scanner for Android.

 

[RMerlin]

I use the WiFiAnalyzer app on my phone.

There's a difference between "WPS is on/active", and "WPS is supported".

AFAIK, the end-user has to manually press the WPS button for WPS to start accepting new clients, during a limited time period.

Are you able to connect over WPS without pressing the button on your router? If not, then you are not at risk.

A lot of the security concern about WPS are based on old, vulnerable implementation. Modern WPS implementations are not as insecure any longer.

 

[Quad80]

There's a difference between "WPS is on/active", and "WPS is supported".

AFAIK, the end-user has to manually press the WPS button for WPS to start accepting new clients, during a limited time period.

Are you able to connect over WPS without pressing the button on your router? If not, then you are not at risk.

A lot of the security concern about WPS are based on old, vulnerable implementation. Modern WPS implementations are not as insecure any longer.

You're obviously far more of an expert than I, but I've never known the insecurity of WPS to only be a threat if the WPS was open/the button was pressed. If that was the case, the only way to exploit it would be to have physical access to the router (which in most cases significantly reduces the risk). My (weak) understanding is that if WPS is enabled, it can be brute forced (and possibly other methods) to expose the wifi password.

Example: https://null-byte.wonderhowto.com/how-to/hack-wifi-using-wps-pixie-dust-attack-0162671/

Nowhere does it mention that a button push needs to happen. In fact, it only states "The easiest way to find a target with WPS enabled is..." then goes on to state how to crack it. But all it says is that WPS needs to be enabled, which, as far as I can tell, it is on the node's 2.4 band. I've never seen WPS on my previous WiFi setups with it disabled in settings. This is the first time I've ever seen it displayed, and I should think that would be enough to exploit, based on the fact that physical access does not seem necessary.

These may not be the most practical attacks in the world, but they are vulnerabilities nonetheless, and should be closed accordingly.

All that said, I'm not even close to an expert on these things, so if I'm misunderstanding things, please send me straight.

 

[Ronald Schwerer]

There's a difference between "WPS is on/active", and "WPS is supported".

AFAIK, the end-user has to manually press the WPS button for WPS to start accepting new clients, during a limited time period.

Are you able to connect over WPS without pressing the button on your router? If not, then you are not at risk.

A lot of the security concern about WPS are based on old, vulnerable implementation. Modern WPS implementations are not as insecure any longer.

Good to know. I've never researched this WPS "issue". But I hardly ever use WPS. Only saves few seconds. So I'll just leave it off for now.

 

[RMerlin]

You're obviously far more of an expert than I, but I've never known the insecurity of WPS to only be a threat if the WPS was open/the button was pressed.

It depends on the implementation. Some devices indeed do accept WPS connection attempts all the time, without requiring the press of the WPS button, and without implementing any brute-force protection either to protect PIN-based connection.

I haven't looked at it in years, but from what I remember, Asuswrt can be told to allow either button-based WPS, or PIN-based WPS, with the latter having some brute-force protection measures in place (at least, the source code comments do contain extended notes relative to brute-force protection). Ultimately tho, wps_monitor is closed source, so only Broadcom would know for sure how safe (or not) their implementation is.

 

[dabears]

One question for WPS ON, how do you know that the WPS is ON? UI or capture the packet by WiFi sniffer tools?

我從使用 Tapatalk 的 ASUS_Z012DA 發送

This is why the issue needs to be addressed because most wont even know its on. Use pen test tools to test it for yourself or as @Quad80 said to use an app many of them on playstore will show all the security protocols including WPS that are being broadcast from any SSID , you might have to turn this feature on in the app on some.

 

[Quad80]

It depends on the implementation. Some devices indeed do accept WPS connection attempts all the time, without requiring the press of the WPS button, and without implementing any brute-force protection either to protect PIN-based connection.

I haven't looked at it in years, but from what I remember, Asuswrt can be told to allow either button-based WPS, or PIN-based WPS, with the latter having some brute-force protection measures in place (at least, the source code comments do contain extended notes relative to brute-force protection). Ultimately tho, wps_monitor is closed source, so only Broadcom would know for sure how safe (or not) their implementation is.

I'd assume you're correct (for multiple reasons), but it would be nice to either get a confirmation from @arthurlien or to just close it up. The latter would be preferred, because if I set it to off, it should be off on all the nodes. Period. There shouldn't be a need to guess the actual status or to have to manually crawl into and tweak the settings.

All that said, since I've never used WPS for anything and only really know about it in concept, it would appear Asus is PIN based as I see the attached in my GUI. Am I correct in saying that, based on your analysis, there is some protection built in (though how much is unclear)?

 

[RMerlin]

I'd assume you're correct (for multiple reasons), but it would be nice to either get a confirmation from @arthurlien or to just close it up. The latter would be preferred, because if I set it to off, it should be off on all the nodes. Period. There shouldn't be a need to guess the actual status or to have to manually crawl into and tweak the settings.

I agree that if possible, WPS should simply be kept disabled for best security. It depends however on whether AiMesh relies on the WPS mechanism for its own use - something only Asus's engineers would know (and they might not be willing to share too much information there, to protect their IP).

Note that this is currently the Lunar New Year holiday in Taiwan, so you might not get an answer for a while.

All that said, since I've never used WPS for anything and only really know about it in concept, it would appear Asus is PIN based as I see the attached in my GUI. Am I correct in saying that, based on your analysis, there is some protection built in (though how much is unclear)?

Once enabled, you get these additional options:

Based on the description there however, I'm unsure as to whether the Push Button method applies ONLY when you are initiating the connection from the router, or if it also includes initiating the connection from the client.

The only time I have ever used WPS personally were:

1) A customer had an el-cheapo wireless printer that didn't allow entering the WPA key - WPS was the only method supported
2) Another customer had lost his WPA2 key, and the laptop we had at hand didn't have an Ethernet connection. I used WPS to connect to his router, and then I was able to retrieve the WPA key.

How secure and how extensive are Asuswrt's security measure (and these might vary from model to model as well)? I must admit I wouldn't know for sure either.

 

[Quad80]

I agree that if possible, WPS should simply be kept disabled for best security. It depends however on whether AiMesh relies on the WPS mechanism for its own use - something only Asus's engineers would know (and they might not be willing to share too much information there, to protect their IP).

Note that this is currently the Lunar New Year holiday in Taiwan, so you might not get an answer for a while.

Well, @arthurlien has not stated that it is necessary, so unless they were hiding this fact, then I assume it's not actually necessary for the mesh to work. If it *is* necessary, they really shouldn't hide that fact because a) apparently even a dummy like myself can quickly tell it's on, b) it is a security threat that people should be fully aware of, and c) it goes completely counter to the manual user settings (i.e., it doesn't give the behavior a user would expect, thus looks like a bug).

Really, I can't think of any reason we can't have it closed up or, if it is required, confirmation of such a requirement from official sources. I guess we'll have to wait and see what @arthurlien has to say when he gets back from partying.

 

[RMerlin]

I must admit that my security views don't always align with Asus's own. For instance, their IFTTT/Alexa feature requires you to expose your router's webui to the WAN, something I have always been strongly against, due to Asuwrt's past track record in security issues tied to the httpd daemon. But marketing too often overrules engineering decisions I fear.

(and let's not add the security implications of IFTTT itself. TV ads causing Alexa devices to do stuff are another scary example...)