Michael Horowitz

Wi-Fi routers: Oldies are goodies

January 10, 2012 1:12 PM EST

If you haven't heard, the landscape for wireless router security has drastically changed.  

The most important things to know in the old days (two weeks ago) were fairly simple: chose WPA2 security in combination with AES or CCMP (two names for the same thing) and a long password.

Of course, there is more to configuring a router than just that, but these three things were the definition of safety. WPA2 is the third generation of Wi-Fi encryption/security and it has stood the test of time. It's safe.  

But, it turns out that a router is like a house with great locks on the front door, but a side window left open.

Routers are computers and do many things in addition to WPA2. One of these other things is a simplified setup method  for people unable to deal with logging in to the router and choosing WPA2, AES and password longer than 12 characters (router configuration for dummies, if you will).

This alternate configuration protocol, Wi-Fi Protected Setup (WPS), is broken. It was designed poorly. Bad guys can exploit the design flaws to learn the Wi-Fi network password, even if the router is using WPA2-AES with a long password. The bug is in WPS (the side window left open), not in WPA2 (the impossible to crack lock on the front door).

Needless to say, when this news broke, I went logged in to my ancient Linksys WRT54GL router to disable WPS. But I couldn't find it. The only thing that seemed like configuration-for-dummies was something called SES. But all the news stories spoke of WPS, not of SES.

Configuring SES on a Linksys WRT54GL router 

The documentation in the router says nothing about SES. Perhaps it was explained in hardcopy but the setup instructions that came with the router are long gone. So too is the CD that came with it. All I could come up with was that SES stood for Secure Easy Setup.  

One credible source of security information is the U.S. Computer Emergency Readiness Team (US-CERT). At the bottom of their Vulnerability Note describing the bug in WPS is a link for feedback. So, I asked whether SES was related to WPS.

Someone at CERT was kind enough to reply:

SES is a precursor to WPS.  It has the push-button configuration but not the external registrar PIN feature so it is not vulnerable to having a PIN brute forced remotely.

And thus the title of this blog posting. Older routers that do not support WPS at all are the safest ones available.

Go figure.

UPDATE:

Perhaps the worst aspect of the WPS security flaw is that on many routers, even when WPS appears to be disabled, it's not. Which routers really disable WPS and which do not? It's hard to know, which makes the lack of WPS support all the more appealing.

WPS was released in January 2007. Routers released earlier, probably don't support it. The Wi-Fi Alliance, the governing body for Wi-Fi, publishes a list of certified routers that includes the date of certification.

My router, the Linksys WRT54GL, is still being sold, new, at major retailers. It does not, however, support Wi-Fi N.