Security Advisory : WPS Router Pincode Exploit


Security Advisory : WPS Router Pincode Exploit

WPS is a facility used by WiFi devices to make pairing easier, instead of having to manually enter long WPA keys. WPS uses either a physical button on the router/device or by entering a pincode on either the router or the device (laptop/phone etc.).

In December 2011, a flaw was discovered in the WPS protocol affecting the 'router pincode' method. This vulnerability, known by reference VU#723755. As this vulnerability is part of the WPS specification, any device supporting 'WPS pincode' could be affected. The vulnerability is only in the router (or access point) pincode method - client pincode, or physical button WPS is not affected and can continue to be used.

Products Affected

The vulnerable WPS Router Pincode method has never been supported by any DrayTek products running DrayOS (which is most products sold including Vigor 2820, 2830, 2920, 2925, 2860, 3200 series). Those products are therefore not at risk from this vulnerability. DrayTek products running Linux which did support WPS router pincode are shown below.

The WPS Router Pincode feature was removed in the firmware versions shown below (and later firmware). You should upgrade to that firmware version (or later). Alternatively, you can disable WPS in the Web Interface, but using the latest firmware is always recommended:

  • VigorFly 200 (Not sold in the UK)
  • VigorFly 210 (Not sold in the UK)
  • Vigor 2130 Series - Firmware or later
  • Vigor 2750 Series - Firmware or later
  • Vigor AP-700 v1 - Firmware 1.1.5 or later
  • Vigor AP-700 v2 - Firmware 1.0.3 or later
  • Vigor AP-800 - Firmware or later

All products launched after 2013 never supported WPS Router/AP Pincode and therefore do not need a specific firmware or upgrade (but we always recommend using latest firmware anyway).

How do I check if an older AP has AP Pin disabled?

If you have an AP-700 or one of the other products listed above running old firmware, you can check if the product supports an AP PINcode (the vulnerable method) by looking the WPS menu: If it has a AP / router pin listed in the WPS setup menu then it supports the 'AP Pincode' method, allowing entering of the AP PINcode on the WiFi client's WPS setup page.

WPS Menu

Products from other vendors

This vulnerability is within the WPS protocol itself and is not particular to a specific vendor (manufacturer). You should therefore check any other products you have with their respective vendor and take action as appropriate if the device supports WPS.

External Links

Disclaimer : Please check this web page again for any new/updated information. You are advised to always keep your product's firmware or software up-to-date and keep in touch with your vendors to be advised of any new vulnerabilities (for example by subscribing to mailing lists). The information is this web page is provided in good faith based on the the information available to us at the current time, following an appropriate assessment but without acceptance of liability in the case of new, developing or existing threats or unlawful activity against your system. Any suggestions given above are provided as general information but should not be considered a thorough or specific assessment of your own individual security risks and you should take formal advice from a security expert to assess your specific security needs. As with any advisory, the suggested advice forms part of your own security planning and protocols.