WPS Flaw Vulnerable Devices - Master

Device Name
Manufacturer
Type (Router/ AP /Bridge...)
Firmware-Version
WPS enabled by default?
WPS can be Average time for penetration disabled (and it Vulnerable (yes/no) Tool (Version) *without* providing the PIN stays off!)
MI424-WR Rev.E
Actiontec
Router
20.19.8
No
No
None
n/a
Comments/Notes This is the type of router that is used for Verizon FIOS and it appears to me at least that despite there being a button for WPS on the outside of the box, Actiontec says in the user manual: "Although the WPS button is included on the FiOS Router, WPS functionality will not be WPS "functionality" enabled until a future firmware release. The button is included so that WPS can be is not enabled activated at a later date without having to physically change the FiOS Router. The GUI currently does not include the WPS option." 00:1F:90
tested by
PIN
This database is intended as an educational resource for users interested in IT-Security. I did not find the vulnerability, that honor goes to Stefan Viehbck and Craig Heffner.
ajdowns
I did a quick check. Seems to be vulnerable. WLAN 1421 Alice/Hansenet Wlan Router 1.0.16 No Yes Reaver Yes But with some kind of rate limit maybe. Every second try fails.
AirPort Extreme
Apple
Router
7.5.2
No
No
n/a
n/a
Yes, see comments
Apple seems to use the internal PIN Method, not external PIN.
60:33:4B
jagermo
Vodafone Easybox 602
Arcadyan
Router/Modem
20.02.022
Yes
No
Reaver 1.3
Yes The Router brings a Message after 10 failed logins: Warnung: Bedingt durch zu viele Fehlversuche, nimmt ihre EasyBox keine WPS PIN Registrierung von externen Teilnehmern mehr entgegen. Bitte setzten diesen WPS PIN durch einem neue zu generierenden WPS PIN Code wieder zuruck. Translation: Device locks after ten wrong attempts, user needs to create a new WPS PIN code
0:23:08
Do we have more information about this? WPS PIN is enabled, but device is not vulnerable? Why?
Vodafone EasyBox 802 Speedport W 504V Typ A
Arcadyan Arcadyan
Router/Modem Router unkown
4/20/0207 Yes Yes
Maybe Yes
Reaver 1.3, WPScrack Reaver 1.4 r122 1 sek
Yes yes
0:26:04 00:1D:19 12345670
i think there is an interesting thing between easyboxes and speedport AP's some esyboxe's use a standard key begins with spXXXXXXXXXXXXX with a 13 char length numeric key! (also some speedport aps use such a key but there is a nice script to get them with the hexdecimal mac of the target ap! [wardiving wiki!!!] that will work for a lot of speedport models ... ) Arcadyan Technology Corporation ASUS [user reports untested, so his 3sec value here removed] 1176 seconds 2 seconds per attempt/3.5 hours to crack 10min yes (not testet maybe its already ative after switching to off!) Yes
EasyBox 803 RT-N16
Router Router
30.05.211 (01.07.2011-10:36:41) 1.0.2.3
Yes Yes
Yes Yes
Reaver 1.3 Reaver 1.3
Have nice day CriticalCore
00:15:AF bc:ae:c5
CriticalCore
RT-N10 N13U v1&v2
ASUS ASUS
Router Router
1.0.0.8
Yes 2/1/2012 No
Yes No
Yes Yes ASUS N13U uses only PBC WPS configuration method . WPS is switched off automatically after two minutes . Tested on ASUS N13U v1 and v2 using latest firmwares I found this list at work and thought I can provide you with some information of my router. I filled out the parts I know and will check the clear field this evening: - Is your device vulnerable against the WPS attack? * - Wich tool did you use? * - How long did it take you? 00:24:FE You have to activate WPS manually. I's deactivated after every successful wps connection and after 2 minutes. =>Not vulnerable because of very short time limit.
Reece Arnott hA1d3R
Fritz!box 7390 Fritz!Box 7240
AVM AVM
Router Router
84.05.05 73.05.05
No No
No No
will follow soon will follow soon wpscrack, Reaver 1.2 uncrackable
Yes yes
FireFly
Hi Firefly, thanks - to fill in the missing informations, just re-do the form.
FritzBox7390
AVM
Router
ALL
No
No
Reaver 1.3
uncrackable
Yes
f.reddy
Fritz!Box WLAN 3370 n150 F9K1001v1 F6D6230-4 v1000
AVM Belkin Belkin Belkin
Router / Modem Router Router Router
103.05.07 Unknown F9K1001_WW_1.00.08 1.00.19 (Apr 22 2010)
No yes Yes Yes
No yes Yes Yes
N/A Reaver 1.2 Reaver 1.3 Reaver 1.3
N/A 12.5 hours 7765 seconds 20 min
Yes yes Yes yes
I think all current AVM devices are save as WPS with pin isn't activated on default.
No lockout, no delay needed.
0:23:15
F9K1001v1 (N150)
Belkin
Router
1.0.08
Yes
Yes
Reaver 1.3
41 minutes, 12 seconds
Yes
The F9K1001v1 is the same as the Belkin N150. I got lucky on the speed, the first 4 digits were found at 3.06% completion. 08:86:3B
Nick
21250491
F7D1301 v1 F7D2301 v1 F9K1105 v1 F9K1001 v1
Belkin Belkin Belkin Belkin
Router Router router Router
1.00.22 1.00.16 (Jul 2 2010 14:36:56) 1.00.03 (Jul 4 2011) 1.00.08
Yes Yes Yes Yes
Maybe Yes Yes Yes
none Reaver 1.3 Reaver 1.3 Reaver 1.2 1.9 Hours 3hours 11.2 Hours
yes Yes yes Yes
didn't bother to test, but i assume it's vulnerable judging by the other Belkin routers that come with WPS enabled
94:44:52 beej 94:44:52 93645348
8302441
Only vulnerable when WPS is enabled. Even though I had my attack laptop in the same room as my router, it still took 14 hours to find the PIN. 7800n BiPAC 7404VGPX Billion Billion Router AP 1.06d 6.23 No Yes Maybe Yes Reaver 1.3 reaver 1.3 Reaver via Backtrack 14 hours 3hours Yes no Disabling WPS is completely effective. 00:04:ED
WZR-HP-G300NH
Buffalo
Router
Unknown
Yes
Maybe
Within 1 hour
Yes
With WPS turned off reaver did nothing. With WPS on reaver is looking for the pin. This routers was bought and being used in Japan. WPS is enabled by default and I cannot turn it off. However, Reaver reports that the state is locked at first try. Beacon packets sometimes show WPS (and thus appear in walsh), and other time WPS is not in beacon packets and thus is not reported by walsh. So far I am unable to break wps with reaver even using the known PIN. I've never actually tested to see if wps even works properly in the first place however.
WZR-HP-AG300H
Buffalo
Access Piont
dd-wrt v24SP2-multi build 15940
Yes
No
reaver 1.4
No but it starts locked
Device Name
Manufacturer
Firmware-Version
Comments/Notes WPS LED blinking continuously during attack. Vulnerable with latest firmware, no way to disable WPS -> epic fail! Anonymous user 9308: I've also noticed that across 2 different linksys devices (don't have them on me now) the default WPS pin of 12345670 was the result of 2.5 and 6 hours cracking
tested by
PIN
Linksys E4200 v1
Cisco
Router
1.0.03 (Build 14)
yes
yes
Reaver 1.2
1 second / attempt, no antiflooding / blocking / delay
no
Valet M10
Cisco
Router
2.0.01
Yes
Yes
Reaver 1.2
5 hours
NO
A newer firmware is available (2.0.03), but the changes were fairly trivial according to the release notes.
Feedback by security@cisco.com "Issue has been identified and being worked on by product engineering. There is no ETA of a firmware release. Please continue to check support web page for the E4200v1. If you have E4200v2 you can use the auto firmware update to see if there is a new firmware update." With 1.3, use the --ignore-locks option. With r58 and over, use --lock-delay 60. The router has a 60 seconds cycle with 3 PINs. I was lucky it went as fast, it could've taken a lot longer.
Linksys E4200
Cisco
Router
1.0.0.3
Yes
Yes
Reaver Reaver 1.3 & r58 none
4h
NO
Linksys E3200 v1 WRVS4400N
Cisco Cisco
Router Router
1.0.02
Yes 1/1/2013 No
Yes No
24h
No not available
58:6D:8F
Socapex
UC320W
Cisco
Unified Communications
Current Version
yes
yes
Reported by Cisco: http://tools.cisco. com/security/center/content/CiscoSecurityResponse/cisco-sr-20120111-wps
Cisco
WAP4410N
Cisco
Access Point
Current Version
Yes
Yes
Cisco
RV110W
Cisco
Router
Current Version
Yes
Yes
Cisco
RV120W
Cisco
Router
Current Version
Yes
Yes
Cisco
SRP521W
Cisco
Router
Current Version
Yes
Yes
Cisco
SRP526W
Cisco
Router
Current Version
Yes
Yes
Cisco
SRP527W
Cisco
Router
Current Version
Yes
Yes
Cisco
SRP541W
Cisco
Router
Current Version
Yes
Yes
Cisco
Device Name
Manufacturer
Firmware-Version
Comments/Notes
tested by
PIN
SRP546W
Cisco
Router
Current Version
Yes
Yes
Cisco
SRP547W
Cisco
Router
Current Version
Yes
Yes
Cisco
WRP400
Cisco
Router
Current Version
Yes
Yes
Cisco
Linksys E1000
Cisco
Router
2.1.00 build 7Sep 21, 2010
Yes
Yes
Reaver 1.4
7/6/2012 No
Took aound 6.7hrs to recover the WPS Pin As stated by Cisco for firmware 1.0.03: - Added Enabled/Disabled feature for Wi-Fi Protected Setup in the web configuration - Added WPS lockdown feature Not true, still works great :) There is no new WPS lockdown, still 60s/3 pins. Anyone else can confirm this?
C0:C1:C0
aBs0lut3z33r0
Lynksis E3200 v1
Cisco
Router
1.0.03
Yes
Yes
Reaver 1.4
No
58:6D:8F
Socapex
WRT320N
Cisco Linksys
Router
unknown
Yes
Maybe
Reaver 1.4
n/a
unknown
Reaver constantly outputs 'WPS transaction failed (code: 0x2)', indicating an "Unexpected timeout or EAP failure".
WRT610N DIR-825 DIR-615
Cisco-Linksys D-Link D-Link
Router Router Router
2.00.01.15 2.02EU
Yes Yes 4,1 Yes
Yes Yes Yes
Reaver 1.4 reaver Reaver-1.1
24 hours 5h ca. 1h 45min
Not Sure Yes Yes
Chaos 00:18:e7:fb
12215676
DIR-855
D-Link
Router
1.23EU
Yes
Maybe
DIR-655 vB1
D-Link
Router
2.00NA
Yes
Maybe
Reaver 1.3 Wifi Analyzer (Android) v3. 0.2
user reported 5 minute timeout on failed registration, unknown inducement threshold
yes Can be usergenerated
Yes yes - can be completely deabled yes
5C:D9:98
DIR-300 (HV - B1) DIR-300
D-Link D-Link
Router Router
"2.05"
5/2/2012 Yes Yes
Yes Yes
4 Days 4 Days
Nsol Nsol
Device ships with WPS enabled; I normally keep disabled; older 1.22b5 firmware since more stable. Allows you to specify a different WPS PIN; When enabled took approx 4.5 hrs to recover WPS pin and WPA2 password; Router constantly re-boots (approx every 30-50 PIN attempts) during this period and was also subjected to a denial of service. Reaver continues to try pins when router recovers using -L option. Can adjust Reaver timing settings for better results. Reaver 1.3 on BackTrack 5R1. Reaver thinks router is rate limiting (it is actually crashing); restarting Reaver or using -L allowed Reaver to continue checking pins almost immediately or as soon as the router rebooted itself.
DIR-655 A3
D-Link
Router
1.22b5
Yes
Yes
Reaver 1.3
4.5hrs
Yes
DIR-300
D-Link
Router
Current
Yes
Yes
yes
tested and reported by D-Link directly
D-Link
DIR-457
D-Link
Router
Current
Yes
Yes
Yes
D-Link
DIR-501
D-Link
Router
Current
D-Link
DIR-600
D-Link
Router
Current
Yes
Yes
Yes
D-Link
Device Name
Manufacturer
Firmware-Version
Comments/Notes
tested by
PIN
DIR-615 Rev D+ H
D-Link
Router
Current
Yes
Yes
Yes
D-Link
DIR-615 Rev. B
D-Link
Router
Current
Yes
Yes
yes
D-Link
DIR-635 Rev B
D-Link
Router
Current
Yes
Yes
yes
D-Link
DIR-645
D-Link
Router
Current
Yes
Yes
Yes
D-Link
DIR-652
D-Link
Router
Current
Yes
Yes
yes
D-Link
DIR-655
D-Link
Router
Current
Yes
Yes
Yes
D-Link
DIR-657
D-Link
Router
Current
Yes
Yes
Yes
D-Link
DIR-815
D-Link
Router
Current
Yes
Yes
yes
D-Link
DIR-852
D-Link
Router
Current
Yes
Yes
yes
D-Link
DIR-855
D-Link
Router
Current
Yes
Yes
yes
D-Link
DAP-1360
D-Link
Access Point
Current
Yes
Yes
yes
D-Link
DAP-1522
D-Link
Access Point
Current
Yes
Yes
yes
D-Link
DIR-625
D-Link
Router
3,04 Yes
Yes
Reaver 1.4
4 hours
Yes
Hardware version (very relevant for some D-Link devices): C2 This is the first device that I've successfully recovered the PIN from!
00:1E:58
DIR-615
D-Link
Router
2,23 Yes
No
Reaver 1.3
n/a
Yes
Hardware version B2. This device appears to enter a WPS "blocked" state after approximately 60 failed PIN attempts (consistently around 0.60% progress in Reaver). It does not unblock until a system reboot.
DIR-628
DLink
Router/access point
11/1/2012 Yes
Yes
reaver 1.3
Didn't let it run
yes
I didn't bother letting reaver run until it cracked the PIN -- I just wanted to confirm that it was vulnerable, and that turning off WPS fixed it. Walsh listed it as vulnerable before turning off WPS, but not after.
DWA125 with Ralink2870 / 3070
Dlink
USB
1 No
No
Reaver 1.4
i don't know
DWA125 with Ralink2870 / 3070
Dlink
USB
1 No
No
Reaver 1.4
i don't know
3G-6200nL ECB9500 EchoLife HG521 BtHomeHiub3
Edimax Engenius Huawei Huawei
Router Wireless Gigabit Client Bridge Router Router/ADSL
1.06b
No 02.02.2009 Yes 1,02 yes Yes
No Yes yes Yes
N/A Reaver 1.3 > Reaver 1.1 Reaver 1.3
N/A 4 hours 5-6 hours 50 minutes
Yes Yes yes Unknown
Router has a Push Button to Enable WPS More information about this can be found here: http://www.virtualistic.nl/archives/691 TalkTalk ISP UK Unknown virtualistic.nl
Can you verify, that push button is the only method they are using?
Unknown
E3000
Linksys
Router
1.0.04
Yes
Maybe - see Comments
Reaver 1.3
24h
Yes
WPS lockdown after 20 attemps (power cycle needed). Testet with reaver -p "PIN" ->got WPA Key. =>not vurlnerable because of automatic lockdown.
58:6D:8F:0A
f.reddy
more information about this router and the WPS-DoS: http://www.reddit. 69382161 com/r/netsec/comments/nzvys/wps_brute_force_i_started_public_google_doc_so_we/c3domfn
Device Name
Manufacturer
Firmware-Version
Comments/Notes
tested by
PIN
WRT350N
Linksys
Router
2.0.3 i think (newest!)
Yes
Maybe - see Comments
Reaver 1.3
Yes
Reaver gives thousands of errormessages when I try to crack this type of AP. Tried several parameters... Strange WPS implementation!?!?
00:1D:7E:AD
f.reddy
66026402
E2500
Linksys
Router
1.0.02
Yes
Maybe
Reaver 1.3
I stopped Reaver after 16 hrs with no success. See comments
No
I left Reaver running overnight, it was stuck in an error the next day after 16 hours. It kept trying to attempt to send a PIN, but every time it would return the error "[!] WARNING: Receive timeout occurred". The WPS LED on the back of the router is normally solid green; it starts to flash on and off during the attack, and when this error is hit the LED turns off and stays off. The only way to fix this is to unplug the router and plug it back in. I was only able to retrieve the pin after resetting the router a few times by unplugging/replugging it and restarting Reaver from where it left off. 58:6D:8F
Nick
WRT120N WRT160Nv2
Linksys Linksys
Router Router
v1.0.01 2.0.03
Yes Yes
Yes Yes
Reaver 1.3 Reaver
4h 5 hours
no no
had to restart the router after 29%, because reaver stuck at the same pin and received timeouts
00:25:9C
E1000
Linksys
Router
unknown
Yes
Yes
Reaver 1.3
7h
No
2 seconds/attempt - I let it run all night, had a few hiccups (timeout warnings), but psk was eventually found. c0:c1:c0
E1200 E4200
Linksys Linksys
Router Router
1.0.02 build 5 1.0.02 build 13 May 24, 2011
Yes No
Yes Yes
Reaver 1.4 Reaver v1.3
5 hrs, 20 mins 4 hours
No No, it doesn't appear to be
2 secs/attempt; Never locked up EVER!
58:6D:8F 58:6D:8F
Molito txag 47158382
WRT54G2
Linksys / Cisco
Router
unknown
Yes
Yes
Reaver
6 hours
Yes, but not sure if This information ist from this Arstechnica article http://arst.ch/s0i - filled in by jagermo - but it stays off it seems that Linksys does not have a standard-pin
Sean Gallagher
8699183
E4200 WRT350Nv2.1
Linksys / Cisco Linksys / Cisco
Router Router
unknown 2.00.20
Yes Yes
Yes Maybe
Reaver 1.3 with PINOption Reaver 1.4
WAG160Nv2 WRT100
Linksys by Cisco Linksys-Cisco
ADSL Modem Router, Wifi AP Router
2.0.0.20 1.0.05
Yes Yes
Yes Yes
5.5 Hrs 76 minutes
Confirmed that PIN-Method stays switched on, even if you turn WPS off in the No, see comments management interface. This is really a problem. Starts testing PINs and after 2 attempts I supose it lock you out. No Testet with reaver -p "PIN" ->got WPA Key. It took about 1.5 seconds per attempt when the router was not doing any activity, took around 5 hrs for the first half of PIN and few mins for rest. The Linksys WAG160Nv2 router doesn't have any lock down and no option to disable WPS either. The Router didn't crash No. Though the and the PIN was cracked on first attempt, though the mon0 interface on BT5r1 crashed. router's web portal The Reaver was started again with earlier instance. has an option to not choose WPS, it When the router was active with couple of wired and wireless users with LAN and Internet still remains active. activity, it took about 40 seconds per attempt. cracked PIN was not the same as the PIN displayed in the router's security settings. looks No like pin can be customized but there is also a default PIN hard coded into the router. 00:1D:7E cracked PIN was not the same as the PIN displayed in the router's security settings. looks like pin can be customized but there is also a default PIN hard coded into the router. 00:1D:7E n/a
jagermo Inakiuy
@_Niranjan
WRT100 NP800n
Linksys-Cisco Netcomm
Router Wireless Router
1.0.05 1.0.14
Yes Yes
Yes Yes
76 minutes 10 hours
No yes
ISP rep
CG3100
Netgear
Cable Modem (with built in Gateway/AP)
3.9.21.9.mp1.V0028
No
No
Reaver 1.2
Yes
This device has support for WPS, turned off by default, and only through the Push-Button and Registrar PIN method (i.e. enter the Wireless Adapters PIN at the AP side, as opposed to enter the APs PIN at the Wireless Adapter side)
c4:3d:c7
Device Name
Manufacturer
Firmware-Version
CG3100D
NETGEAR
Cable/router
unknown
Yes
Yes
reaver svn rev. 52 5 hours
yes
Comments/Notes Is a router provided by very popular ISP, at least in my country. Was tested with options: -r 5 -x 30 -w Signal was about -60 Sometimes reaver enters in a loop and tries the same PIN 10 or 15 times, but luckly continues as normal after these 10-15 tries. Router has a timeout built in afet approx 20 attempts; using default delay (315 secs) will allow resume - but does significantly slow down the number of attempts/sec. Device locks after WPS Flodding, if you wait for like half an hour and use Reaver 1.3, you can resume the attack. Returns PIN, but WPA2-Passphrase is gibberish
tested by
PIN
gorilla.maguila@gmail. com
DGND3700 WNDR3700
Netgear Netgear
Modem/Router Router
V1.0.0.12_1.0.12 1.0.7.98
Yes yes
Yes yes, but.... see comments
Yes
20:4E:7F
I'm seeing something similar on the WNDR3700
DGN1000B MBRN3000 WNDR3700
Netgear NetGear Netgear
Router Router (ADSL + 3G) Router
1.00.45 1.0.0.43_2.0.11WW V1.0.7.98
No Yes Yes
Maybe Yes Yes
WPScrack Reaver 1.3 Reaver 1.3 3h 9hrs
is deactivated by default yes yes
WPS is only enabled for approx. 2 min when you use push 'n' connect to connect a new device to WLAN. dankwardo
DGN1000B WNDR3700
Netgear NETGEAR
Router Router
1.1.00.43 v1.0.4.68
Yes Yes
Maybe Yes
reaver 1.2 Reaver 1.3
est. 24h
No (there is a checkbox, but it's disabled) unkown
I haven't got any WPS client, but reaver started guessing PINs so I assume that WPS is enabled by default. Anyway after 12 PINs there seems to be a rate limit with a timeout greater than 315 seconds. So I think it is possible to get the PIN but it would take much longer than 10 hours. First test, with WPS PIN enabled: router was responding to PIN requests. Reaver was cycling through attempted PINs. I only attempted to attack the router for a few minutes, but it appeared Reaver would have found the PIN eventually. Second test, with WPS PIN disabled: router responded to PIN requests with a lock immediately. I allowed reaver to run for 2 hours and the lock never terminated. It appears the WPS PIN disable feature works as intented. I would prefer that Netgear would allow WPS to be disabled completely. WPS always has been a weaking of the wireless security to ease connections. I'm looking forward to DDWRT becoming available for my router.
00:26:F2 Nsol
WNDR3700v3
Netgear
Router
V1.0.0.18_1.0.14
Yes
Maybe
Reaver 1.3
PIN can be disabled, but WPS cannot be switched off completely
CGD24G
Netgear
Cable Modem Router
unknown
Yes
Yes
Reaver 1.3
12 Hours
No
Router supplied by very large ISP in my country for all cable users.
WGR614v8
Netgear
Router
1.1.11_6.0.36
Yes
Yes
Reaver 1.3
1 day
Yes, PIN can be locked out but WPS remains on
Factory/stock firmware 1.1.11_6.0.36 has a bug that revealed PSK after Reaver had obtained only the first 4 digits of the PIN. The router accepted PIN 16075672, but the correct PIN is actually 16078710.
16078710
WGR614v8
Netgear
Router
1.2.10_21.0.52
Yes
Maybe
Reaver 1.3
1 day
Yes, PIN can be locked out but WPS remains on
Router locks down WPS PIN for ~5min after around 30 attempts, but only while Reaver was cycling the first four digits. Once the first four correct digits were found, the router did not lock down at all while reaver was cycling the last three digits.
WNR1000 (N150) WNR3500L
Netgear Netgear
Router Router
unknown V1.2.2.44_35.0.53NA
Yes Yes
Maybe Yes
n/a 18hrs
Yes Yes
"version 3" of this device. This device is vulnerable to a DoS condition, but seemingly not PIN disclosure. The router stopped providing connectivity to all clients after approximately two hours of testing, and service was not restored until the system was rebooted. 20:4e:7f blue team consulting
WNR3500v2 (N300) Netgear WNR200V2 Netgear
Router Router
V1.2.2.28_25.0.85 v2
Yes Yes
Probably Yes
Reaver v4.0
24 hours
Yes yes
Not yet tested, but siblings being vulnerable suggests exploitable over longer periods of time. To be tested soon. 90889301
Device Name WNDR3700v1
Manufacturer NetGear
Type (Router/ AP /Bridge...) Router
Firmware-Version 1.0.16.98 - BETA
WPS enabled by default? No
WPS can be Average time for penetration disabled (and it Vulnerable (yes/no) Tool (Version) *without* providing the PIN stays off!) deactivated by No Reaver 1.4 default
Comments/Notes WPS is LOCKED by default with this firmware confirmed with WASH 2.1.00.52 is a beta firmware that Netgear have not officially released. It allows the WPS Pin to be disabled - the 2.1.00.48 (latest available) firmware will not save the disabled setting. Even with the pin disabled the exploit will return the PIN and WPA password.
tested by grik
PIN
DGND3300v2
Netgear
ADSL Router
2.1.00.52
Yes
Yes
reaver
under 3 hours
No
WNR1000 (N150)
Netgear
Router
V1.0.2.28_52.0.60NA
Yes
WNR3500V2
Netgear
Router
V1.2.2.28_25.0.85
Yes
WNR3500V2
Netgear
Router
V1.2.2.28_25.0.85
Yes
Maybe Yes (though does slow down attack considerably) Yes (though does slow down attack considerably)
Reaver 1.4
< 1 Day
Yes
Both 2.1.00.48 and 2.1.00.52 firmwares are exploitable. The PIN was a high number, so the attack would take some time due to the brute force method. If you run reaver with no/little delay, the AP would lock you out for quite some time. Using the "-d 7" argument, I was able to try pins continuously without being locked out. A suggestion would be to start at given PIN ranges, for either/both of the first 4 and last 4 digits. See http://support.netgear.com/app/answers/detail/a_id/19824 for Netgear's response and recommendation about this. See http://support.netgear.com/app/answers/detail/a_id/19824 for Netgear's response and recommendation about this.
@RiseKB
7097xxxx
n/a
n/a
Yes
n/a
n/a
Yes
F@st 3504
Sagem
Router
Bbox firmware - 8.4.M.O (not sure)
Yes
Yes
Reaver 1.3
More than 5h
Unknown
SX763 Sitecom 300N WL363
Siemens Gigaset Sitecom
Router/Modem Router/Modem
4.3.52.21.07 2.00.01
Yes Yes
Yes Yes
45 minutes 2~3 hours
Yes Yes No (A 2-MinuteInterval Button is used)
It was crawling slowly for 40 mins until it jumped from ~5% to 91% and then to 100% in a minute or two.
0:21:04 neuromancer
Speedport w720v
T-Online
Router
1.61.000
No
No
Reaver 1.1
00-1D-19
Speedport W 723V TG784n TG784
T-Online Thomon Thomson
Router Router Router
1.00.080 8.4.H.F 8.4.2.Q
Yes Yes Yes
Yes Yes Yes
Reaver r65 Reaver 1.4 Reaver 1.3
2-3 hours 3 days? (needs more testing) 15 hours
yes Yes (Please correct This) unkown
Wireless Chipset: Atheros AR5001X+
Driver: ath5k
84:A8:E4 Snayler
Please correct last comment, WPS can be disabled on ALL thomson routers by telnet. Guide to do so here: http://npr.me.uk/telnet.html Used reaver 1.3. Crucial to use the flags -E -L and adjust the timeout (-t) to be greater or equal than 2 seconds. Used Reaver 1.3. Took quite a few hours to break with many error messages like "receive timeout occurred" and "re-transmitting last message". The attack was slow like 430sec/attempt but the result was good. Couldn't find any settings to disable WPS... This router uses a firmware modded by the ISP so is no upgradable. Using JTAG its possible to turn off the WPS but needs some knowledge. The router uses a button to unlock the WPS feature by I run the attack without pressing it so its useless. I used this tags: -E -L -T 2 08:76:FF
TG782
Thomson
Modem/Router
8.2.2.5
Yes
Yes
Reaver 1.3
24h
Probably no
TG784n
Thomson
Router
8.4.H.F
Yes
Yes
Reaver 1.3
18hours
maybe
MG
TL-WR1043ND
TP-Link
Router
Yes
WPScrack
Video: http://vimeo.com/34402962 WPS-Service seems to lock down after 12 attempts, Restart required. If you crack the code in this time or if you add the key to the tool, it can be cracked
TL-WR2543ND
TP-Link
Router
3.13.6 Build 110923 Rel 53137n
Yes
Yes, see comment
Reaver 1.2
yes
f8:d1:11
@jagermo
TL-WR1043N
TP-Link
Router
3.12.2 Build 100820 Rel.41891n
Yes
Yes
Reaver 1.1
5h
Yes
Nice work guys...
F4:EC:38
Mannheim
26599625
TL-WR2543ND
TP-Link
Router
3.13.4 Build 110429 Rel.36959n
Yes
Yes
Reaver 1.3
8h
yes
F4-EC-38
prslss
TD-W8950ND
TP-Link
Router,Bridge, Modem
1.2.9 build 110106 Rel.59540n
Yes
Yes
Reaver
30 Minutes
Yes.But Reaver still gets in.
Reaver got in in 30 minutes on a basic adapter with no injection,but it actually took LONGER when using an ALFA injection card...
00:0C:F1
TheDarkGlove96
30447028
TL-MR3420 WR841N TL-WR841ND WR841ND TL-WR841N
TP-LINK TP-Link TP-Link TP-Link TP-Link
Router Router Router Router Router
3.12.8 Build 110418 Rel.43954n 3.10.4 Build 100326 Rel.42446n 3.10.4 Build 100326 Rel.42446n 3.10.4 Build 100326 Rel.42446n 3.10.4 Build 100326 Rel.42446n
Yes Yes Yes Yes Yes
Yes Yes Yes Yes Yes
Reaver 1.4 Reaver Reaver Reaver Reaver
10 hours 3 Hours 3 Hours 3 Hours 3 Hours
yes Yes Yes Yes Yes
Just add the flag -L and whait :) Called QSS instead of WPS Called QSS instead of WPS Called QSS instead of WPS Called QSS instead of WPS
cenoura
TL-WR740N EVW3200
TP-LINK Ubee
Router Router/Modem
3.12.4 Build 100910 Rel.57694n unknown
Yes Yes
Yes Yes
3h 6-8 hours
Yes No
XWR100
Vizio
Router
1/1/2002 Yes
Maybe
Reaver 1.2
N/A
No, see notes
Called QSS instead of WPS Run reaver with option --no-nacks Router appears to lockdown and disable WPS after approximately 20 failed attempts. Power cycle reenables. Not sure if WPS will reenable automatically after some unknown time period. I waited a few hours and it did not reenable.
0:27:22
P-660W-T1 v3 ZyXEL Corporation Modem/Router TALKTALK-F03653 Router/Modem
V3.70(BRI.2) | 02/09/2011 Unknown
Yes Yes
Yes Yes
3hours (stopped at 31,75%) yes 1 hour yes
It was a slow attack, about 2 seconds/attempt The WPS feature could be easily deactivated and changed. TalkTalk ISP UK
50:67:F0
MG
20064525
Device Name
Manufacturer
Firmware-Version
Comments/Notes
tested by
PIN
Comments and background information start here
Relevant Links and additional information:
How to add a new device: Use this form:
Stefan Viehbck Research and WPScrack:
https://docs.google. com/spreadsheet/viewform? formkey=dFFRMlF1MjBybG5aSGFndHJFX2JMenc6MQ
http://sviehb.wordpress.com/2011/12/27/wi-fiprotected-setup-pin-brute-force-vulnerability/
Another Disclaimer: These entries are not verified - we simply don't have enough tests and devices (yet). So, please, don't base your PHD on it or anything...
to whomever posted the list about cisco devices. Thanks. I'll add them
Craig Heffner Blog Entry and Reaver:
Reddit-Link to discuss stuff:
http://www.tacnetsol. com/news/2011/12/28/cracking-wifi-protectedsetup-with-reaver.html
http://www.reddit. com/r/netsec/comments/nzvys/wps_brute_force_i_started_public_google_doc_so_we/
Theiver, fork of Reaver: http://code.google. com/p/theiver/
want to talk about this? Please do and use the hashtag #WPSDoc
Dan Kaminsky collects WPS-data in Berlin:
want to contact me? @jagermo on twitter or jagermo@hushmail.com
http://dankaminsky. com/2012/01/02/wps/
I've added a second sheet "Comments", that is free for all - if you want to chat or add suggestions, please do it there - keep in mind it might get vandalized.
Anonymous user 9308: I've also noticed that across 2 different linksys devices (don't have them on me now) the default WPS pin of 12345670 was the result of 2.5 and 6 hours cracking
By the way: you can also add devices, that can't be attacked by brute forcing wps.
WPS BRUTE FORCE THOUGHTS AND VIDEO
this document is licensed under CC-BY-3.0
http://www.simplywifi.co/blog/2012/1/1/wpsbrute-force-thoughts-and-video.html
ArsTechnica: Hands-on: hacking WiFi Protected setup with Reaver
http://arstechnica. com/business/news/2012/01/hands-on-hackingwifi-protected-setup-with-reaver.ars
Device Name
Manufacturer
Firmware-Version
Comments/Notes
tested by
PIN
SimplyWiFi: Is your Router running WPS (Video, demonstration of the Walsh-Tool)
http://www.simplywifi.co/blog/2012/1/4/is-mywireless-router-running-wps.html Reaver: Official Screencast
http://www.tacnetsol. com/news/2011/12/30/official-reaver-screencast. html
Disabling WPS on Wireless APs via Firmware Modification
http://blog.nullmethod.com/2012/01/disablingwps-on-wireless-aps-via.html Nice Writeup by Safegadget
http://www.safegadget. com/72/major-wirelessnetwork-vulnerability-wpsbug/

WPS Flaw Vulnerable Devices - Master

Uploaded by

Copyright:

Available Formats

WPS Flaw Vulnerable Devices - Master

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

WPS Flaw Vulnerable Devices - Master

Uploaded by

Copyright:

Available Formats

Device Name

Type (Router/ AP /Bridge...)

WPS enabled by default?

Yes, see comments

Vodafone Easybox 602

Vodafone EasyBox 802 Speedport W 504V Typ A

Router/Modem Router unkown

4/20/0207 Yes Yes

Reaver 1.3, WPScrack Reaver 1.4 r122 1 sek

0:26:04 00:1D:19 12345670

EasyBox 803 RT-N16

30.05.211 (01.07.2011-10:36:41) 1.0.2.3

Reaver 1.3 Reaver 1.3

Have nice day CriticalCore

RT-N10 N13U v1&v2

Reaver 1.3 Reaver 1.3

Reece Arnott hA1d3R

Fritz!box 7390 Fritz!Box 7240

Fritz!Box WLAN 3370 n150 F9K1001v1 F6D6230-4 v1000

AVM Belkin Belkin Belkin

Router / Modem Router Router Router

103.05.07 Unknown F9K1001_WW_1.00.08 1.00.19 (Apr 22 2010)

No yes Yes Yes

No yes Yes Yes

N/A Reaver 1.2 Reaver 1.3 Reaver 1.3

N/A 12.5 hours 7765 seconds 20 min

Yes yes Yes yes

No lockout, no delay needed.

F7D1301 v1 F7D2301 v1 F9K1105 v1 F9K1001 v1

Belkin Belkin Belkin Belkin

Router Router router Router

1.00.22 1.00.16 (Jul 2 2010 14:36:56) 1.00.03 (Jul 4 2011) 1.00.08

Yes Yes Yes Yes

Maybe Yes Yes Yes

yes Yes yes Yes

94:44:52 beej 94:44:52 93645348

dd-wrt v24SP2-multi build 15940

No but it starts locked

Type (Router/ AP /Bridge...)

WPS enabled by default?

1.0.03 (Build 14)

1 second / attempt, no antiflooding / blocking / delay

Reaver Reaver 1.3 & r58 none

Linksys E3200 v1 WRVS4400N

Reported by Cisco: http://tools.cisco. com/security/center/content/CiscoSecurityResponse/cisco-sr-20120111-wps

Reported by Cisco: http://tools.cisco. com/security/center/content/CiscoSecurityResponse/cisco-sr-20120111-wps

Reported by Cisco: http://tools.cisco. com/security/center/content/CiscoSecurityResponse/cisco-sr-20120111-wps

Reported by Cisco: http://tools.cisco. com/security/center/content/CiscoSecurityResponse/cisco-sr-20120111-wps

Reported by Cisco: http://tools.cisco. com/security/center/content/CiscoSecurityResponse/cisco-sr-20120111-wps

Reported by Cisco: http://tools.cisco. com/security/center/content/CiscoSecurityResponse/cisco-sr-20120111-wps

Reported by Cisco: http://tools.cisco. com/security/center/content/CiscoSecurityResponse/cisco-sr-20120111-wps

Reported by Cisco: http://tools.cisco. com/security/center/content/CiscoSecurityResponse/cisco-sr-20120111-wps

Type (Router/ AP /Bridge...)

WPS enabled by default?

Reported by Cisco: http://tools.cisco. com/security/center/content/CiscoSecurityResponse/cisco-sr-20120111-wps

Reported by Cisco: http://tools.cisco. com/security/center/content/CiscoSecurityResponse/cisco-sr-20120111-wps

Reported by Cisco: http://tools.cisco. com/security/center/content/CiscoSecurityResponse/cisco-sr-20120111-wps

2.1.00 build 7Sep 21, 2010

WRT610N DIR-825 DIR-615

Cisco-Linksys D-Link D-Link