<<< Date Index >>>     <<< Thread Index >>>

Serious flaw in Linksys wireless AP password security



It appears that firmware version 4.50.6 for the Linksys WRT54GS (hardware
version 1) wireless router allows wireless clients to connect and use the
network without actually authenticating. With WPA Personal/TKIP authentication
enabled, the unit allows both clients using encryption with the correct
settings and key, and clients not using any encryption. It disallows clients
attempting to use encryption with the wrong settings and/or key.

In other words, even if you think you've secured your wireless network from
unauthorized access, anyone can access it. It actually shows up as having no
password security on a Macstumbler scan, which is how I noticed the problem.
I verified that anyone can access the network without needing to know the key.

I did not check security modes other than WPA/TKIP. Other modes may have
different behavior. Changing the "Authentication Type" setting had no effect
on this problem. I believe it should be set to "Shared Key", but the setting
used does not appear to matter.

I only verified the problem on firmware 4.50.6. It is unknown if other
firmware versions exhibit the problem. However, at least one older firmware
does not exhibit the problem, as my router functioned correctly until I
updated to 4.50.6.

The problem appears to be fixed in version 4.70.6. No expliclit notice of
this problem or the fix appears in the release notes for version 4.70.6.
Strangely, the "Authentication Type" must be set to "Auto" for the unit to
function properly. Should it be set to "Shared Key", which one might expect
to be the correct value, the wireless functionality appears to be entirely
disabled.

It is unknown if this problem is seen with other hardware versions, or with
other models. I suspect it may, given the similarity between many of the
Linksys models and their firmware.


-- 
Steve Scherf
bugtraq@xxxxxxxxxxxx