Serious flaw in Linksys wireless AP password security

Type securityvulns
Reporter Securityvulns
Modified 2005-08-18T00:00:00


It appears that firmware version 4.50.6 for the Linksys WRT54GS (hardware version 1) wireless router allows wireless clients to connect and use the network without actually authenticating. With WPA Personal/TKIP authentication enabled, the unit allows both clients using encryption with the correct settings and key, and clients not using any encryption. It disallows clients attempting to use encryption with the wrong settings and/or key.

In other words, even if you think you've secured your wireless network from unauthorized access, anyone can access it. It actually shows up as having no password security on a Macstumbler scan, which is how I noticed the problem. I verified that anyone can access the network without needing to know the key.

I did not check security modes other than WPA/TKIP. Other modes may have different behavior. Changing the "Authentication Type" setting had no effect on this problem. I believe it should be set to "Shared Key", but the setting used does not appear to matter.

I only verified the problem on firmware 4.50.6. It is unknown if other firmware versions exhibit the problem. However, at least one older firmware does not exhibit the problem, as my router functioned correctly until I updated to 4.50.6.

The problem appears to be fixed in version 4.70.6. No expliclit notice of this problem or the fix appears in the release notes for version 4.70.6. Strangely, the "Authentication Type" must be set to "Auto" for the unit to function properly. Should it be set to "Shared Key", which one might expect to be the correct value, the wireless functionality appears to be entirely disabled.

It is unknown if this problem is seen with other hardware versions, or with other models. I suspect it may, given the similarity between many of the Linksys models and their firmware.

-- Steve Scherf