Monday, September 7, 2015

WPS on Buffalo APs with DD-WRT

I have a Buffalo 802.11n dual-band router (WZR-600DHP) that comes with a Buffalo-customized version of the DD-WRT firmware. It's worked pretty well for me for more than a year and a half, the exceptions being: 1) the 5 GHz range is so bad that it's basically useless. 2) by default, it advertises over Wi-Fi that WPS is available, even if WPS is disabled.

In case you don't know, WPS (which stands for Wi-Fi Protected Setup) is a technology that was designed to make it easier to connect to a Wi-Fi network. Unfortunately, it is very easy for someone to gain unauthorized access to a Wi-Fi network with WPS enabled due to a well-known vulnerability.

One of the DD-WRT developers (BrainSlayer) says the implementation of WPS in the Buffalo firmware is not susceptible to a brute-force PIN attack (aka the Reaver attack after the automated tool of the same name):
"we know the reaver attack and we immediately modified the code to solve that issue at the time reaver was coming out. no dd-wrt based product is affected by it"
That's sort of reassuring, although there's no documentation of which version of the firmware blocked the attack and which older versions of firmware are vulnerable. Furthermore, later research showed that it was possible to calculate the WPS PIN based on a single guess on certain implementations of WPS, though I don't know if Buffalo DD-WRT is affected by that issue.

Since I never use the WPS functionality anyway, I just went ahead and disabled it altogether.

To disable WPS in Buffalo DD-WRT:
  • Log into your router and go to Wireless > AOSS/WPS.
  • Under WPS, select the Disable radio buttons next to WPS Button and PIN Method.
  • Click the Apply Settings button at the bottom.
Here's the annoying thing: Even if you disable WPS, DD-WRT will persist in advertising to any interested Wi-Fi device that your network supports WPS. I might not be vulnerable to a WPS attack, but I'd rather not attract potential attackers to my network.

Fortunately, some smart people on the DD-WRT forums came up with a workaround:
  • Log into your router and go to Administration > Commands.
  • Under Startup, click the Edit button. Paste the following into the Commands field at the top:
/bin/sed s/wps_state\=1/wps_state\=0/g -i /tmp/ath0_hostap.conf
/bin/sed s/wps_state\=1/wps_state\=0/g -i /tmp/ath1_hostap.conf
/bin/ps | /bin/grep '[h]ostapd' | /usr/bin/awk -F" " {'print $1'} | /usr/bin/xargs /bin/kill -HUP 
  • Click the "Save Startup" button at the bottom.
  • Go to Administration > Management and click the "Reboot Router" button at the bottom.
Once your router is done rebooting, you should see that your SSIDs no longer appear to support WPS. w00t!

If it didn't work, try this version of the script instead:
/bin/sed s/wps_state\=2/wps_state\=0/g -i /tmp/ath0_hostap.conf
/bin/sed s/wps_state\=2/wps_state\=0/g -i /tmp/ath1_hostap.conf
/bin/ps | /bin/grep '[h]ostapd' | /usr/bin/awk -F" " {'print $1'} | /usr/bin/xargs /bin/kill -HUP
Note that because the script runs at startup, if you toggle your radios off and on, WPS will start showing up again. To make it go away, you'll either need to restart the router or run the commands manually:
  • Go to Administration > Commands.
  • Click the Edit button below the Startup field to copy the script into the Commands field.
  • Click the Run Commands button at the bottom.
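
An added example (not from the original post or the DD-WRT forum thread) that folds the two script variants above into one pass: it resets either non-zero wps_state value in every ath*_hostap.conf and reports how many files changed, so hostapd only needs a HUP when something was actually rewritten. The function names are hypothetical, the demo configs are constructed, and the value meanings in the comments come from hostapd's configuration documentation; on the router's startup script, use absolute tool paths as the post does.

```shell
#!/bin/sh
# Added example, not from the original post or the DD-WRT project.
# hostapd.conf wps_state: 0 = WPS disabled, 1 = enabled but unconfigured,
# 2 = enabled and configured. Either non-zero value gets advertised.

# Rewrite one config. Returns 0 if changed, 1 if nothing to change, 2 if missing.
disable_wps_in() {
    [ -f "$1" ] || return 2
    grep -q '^wps_state=[12]$' "$1" || return 1
    # Write back through the original file so its mode and owner are kept.
    sed 's/^wps_state=[12]$/wps_state=0/' "$1" > "$1.new" &&
        cat "$1.new" > "$1" && rm -f "$1.new"
}

# Rewrite every ath*_hostap.conf in a directory (default /tmp, as in the post)
# and print how many files were changed.
disable_wps_all() {
    dir=${1:-/tmp}
    changed=0
    for f in "$dir"/ath*_hostap.conf; do
        if disable_wps_in "$f"; then changed=$((changed + 1)); fi
    done
    echo "$changed"
}

# Make hostapd re-read its configs; same pipeline as the post's script.
# On the router: [ "$(disable_wps_all /tmp)" -gt 0 ] && reload_hostapd
reload_hostapd() {
    ps | grep '[h]ostapd' | awk '{print $1}' | xargs kill -HUP
}

# Constructed sample configs in a scratch directory (not real router files).
demo() {
    d=$(mktemp -d)
    printf 'interface=ath0\nwps_state=2\n' > "$d/ath0_hostap.conf"
    printf 'interface=ath1\nwps_state=1\n' > "$d/ath1_hostap.conf"
    printf 'interface=ath2\nwps_state=0\n' > "$d/ath2_hostap.conf"
    disable_wps_all "$d"    # first pass rewrites ath0 and ath1
    disable_wps_all "$d"    # second pass finds nothing left to change
    grep -h '^wps_state=' "$d"/ath*_hostap.conf | sort -u
    rm -rf "$d"
}
demo
```

Because the rewrite is idempotent, the same commands can be re-run from Administration > Commands after toggling the radios without side effects.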
