[Gino Cerullo]

According to this article on Lifehacker all routers that include the new Wi-Fi Protected Setup (WPS) are vulnerable to attack. Wi-Fi Protected Setup, or WPS, is a new feature of some Wi-Fi routers to make adding devices to your network easier. Unfortunately it also makes your network vulnerable attack with an ease not seen since the days of WEP security.

If you own a wireless router that includes Wi-Fi Protected Setup (WPS) check its settings to see if you can disable it. If not, then keep an eye on the manufacturers web site for a firmware update that will hopefully address this problem.

 

[Jake]

In a phone conversation, Craig Heffner said that the inability to shut this vulnerability down is widespread. He and others have found it to occur with every Linksys and Cisco Valet wireless access point they've tested. "On all of the Linksys routers, you cannot manually disable WPS," he said. While the Web interface has a radio button that allegedly turns off WPS configuration, "it's still on and still vulnerable.

This could be interesting. Are companies going to rewrite their firmware to handle this? I am doubtful.

 

[hugh]

If you own a wireless router that includes Wi-Fi Protected Setup (WPS) check its settings to see if you can disable it

I have always been suspicious of this feature. I have two NetGear Routers 3500 and 3700 which let you shut down this feature. It seems most (such as D-LInk) do not.

From a NetGear statement this week

Today, NETGEAR routers go beyond the requirements of the WiFi Alliance WPS standard to deter such attacks. NETGEAR routers are the only ones mentioned in this article to have implemented a 'lock-down' feature, which locks down WPS PIN on the router after a number of failed attempts to connect using the PIN method. This hampers the brute force attack, but it doesn't completely eliminate the possibility of a brute force attack. Therefore NETGEAR recommends that customers manually turn off the WPS-PIN feature on their routers by following the simple steps posted below and on NETGEAR's support site. NETGEAR is one of the few networking vendors to have the capability to manually turn off WPS-PIN (WPS Push Button will still work), thus eliminating the possibility of the brute force attack mentioned in the article.

http://support.netgear.com/app/answers/detail/a_id/19824
To disable the Router PIN method:
1. Login to the router GUI by typing www.routerlogin.net on an Internet browser's address bar. Note: Default logins are: Username = admin, Password = password.
2. Go to Advanced Setup menu and select Wireless Settings.
3. Under WPS settings, put a check mark on Disable Router's PIN box.
4. Hit Apply button to save settings.