Your router’s security may not be as secure as you think it is

I read a report from Sophos that there is a fairly critical security flaw in many consumer wireless routers. I’ve gone on before about how you should use the strongest encryption method available for your equipment to use (WPA2 if all your stuff can handle it). However, while these routers support that, they also have a feature called WPS (for Wi-Fi Protected Setup) which makes it easy for you to set this up by either pressing a button or entering a PIN on either the device connecting to the network or the router.

Using the PIN method is potentially risky if all you have to do is enter the PIN on your computer or other device. It seems the authentication method for the pin results in a mere 11,000 options remaining which can be brute-forced in less than two days.

When I setup a new router, I’ve always gone for the manual approach and determine a wireless network name (SSID) and key which the clients can remember or have easily available. I don’t even install the software which came with the router but instead go to its web-based administration. I’ll turn off WPS so that it’s not accidentally used (the first and only time I tried using WPS, it scrambled what I’d previously set to something random for both SSID and key).

This falls in line with how security decreases as convenience increases. I advise to disable WPS and do it by hand.

Comments are closed.