D-Link Forums
Announcements => Security Advisories => Topic started by: brunoaduarte on April 26, 2018, 09:29:03 PM
-
The security issue that was fixed on v1.09 (DAP-1520_REVA_FIRMWARE_PATCH_1.09.B01_BETA04) was not included on the latest KRACK patched firmware v1.10 (DAP-1520_REVA_FIRMWARE_PATCH_v1.10B04_BETA).
Firmware: v1.09.B01 [BETA04] Hardware: A1 Date: 2016/08/01
Note: None
Problems Resolved:
Fixed Security vulnerability listed below:
Added the ability to enable/disable PIN WPS - Discovered by: Cedric Conti - Reported by: Tommi Vänninen tommi@vanninen.orgi
WPS PIN is disabled by default
That was an important fix, because this device is vulnerable to WPS attacks (Pixie Dust method).
Can you please include it in the release version of 1.10?
Thanks
-
Newer version firmware almost always has all the fixes/features of all the previous versions (i.e. v1.10 will have 1.09 and all older).
Were you told it does not have the fix?
-
v1.09 has enable/disable WPS PIN and PBC on the Extended Wifi page, and WPS PIN was disabled by default.
On v1.10 the options are gone, and WPS PIN is ENABLED by default...
(https://i.imgur.com/mqtjZKR.png)
(https://i.imgur.com/JYuYV3N.png)
-
Ok I will send this to D-Link techs to investigate. Thanks for the information.
-
Ok thanks, I updated the previous post with images from the configuration page.
-
What did you use to scan if the WPS-PIN was enabled?
Make sure you factory reset after updating to 1.10.
-
There's a tool for Linux that shows the WPS status of the scanned router.
Here's the v1.09 scan:
(https://i.imgur.com/mahagdO.png)
As you can see, WPS is LOCKED.
Here's the v1.10 scan:
(https://i.imgur.com/HTfAJd5.png)
WPS wide open
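
The two scans above compare the WPS state the access point advertises before and after the firmware update. The following is an added example, not part of the original post and not the code of any scanning tool: it reads that state from a frame's tagged parameters by parsing the WPS vendor information element (OUI 00:50:F2, type 4) and reporting the AP Setup Locked attribute and whether PIN-based config methods are advertised. The function names and sample bytes are constructed for illustration.

```python
import struct

WPS_VENDOR = bytes.fromhex("0050f204")  # OUI 00:50:F2, type 4 = WPS
STATE, LOCKED, CONFIG_METHODS = 0x1044, 0x1057, 0x1008  # WPS attribute IDs
PIN_BITS = 0x0004 | 0x0008 | 0x0100     # Label, Display, Keypad

def find_wps_ie(ies: bytes):
    """Walk the tagged parameters; return the WPS vendor IE payload or None."""
    pos = 0
    while pos + 2 <= len(ies):
        tag, length = ies[pos], ies[pos + 1]
        body = ies[pos + 2:pos + 2 + length]
        if len(body) < length:
            raise ValueError("truncated information element")
        if tag == 0xDD and body[:4] == WPS_VENDOR:
            return body[4:]
        pos += 2 + length
    return None

def parse_attrs(data: bytes) -> dict:
    """WPS attributes are TLVs with big-endian 16-bit type and length."""
    attrs, pos = {}, 0
    while pos + 4 <= len(data):
        atype, alen = struct.unpack_from(">HH", data, pos)
        value = data[pos + 4:pos + 4 + alen]
        if len(value) < alen:
            raise ValueError("truncated WPS attribute")
        attrs[atype] = value
        pos += 4 + alen
    return attrs

def wps_status(ies: bytes) -> dict:
    wps = find_wps_ie(ies)
    if wps is None:
        return {"wps": False, "locked": None, "pin_methods": None}
    a = parse_attrs(wps)
    cm = a.get(CONFIG_METHODS)  # optional; None means "not advertised in this frame"
    return {"wps": True,
            "locked": a.get(LOCKED, b"")[:1] == b"\x01",
            "pin_methods": bool(int.from_bytes(cm, "big") & PIN_BITS) if cm else None}

# Constructed sample IEs (not captured from a DAP-1520).
def _ie(tag, body): return bytes([tag, len(body)]) + body
def _attr(t, v): return struct.pack(">HH", t, len(v)) + v
SSID = _ie(0, b"lab-ap")
SAMPLE_LOCKED = SSID + _ie(0xDD, WPS_VENDOR + _attr(STATE, b"\x02") + _attr(LOCKED, b"\x01"))
SAMPLE_OPEN = SSID + _ie(0xDD, WPS_VENDOR + _attr(STATE, b"\x02") + _attr(CONFIG_METHODS, b"\x00\x84"))
SAMPLE_NO_WPS = SSID
```

Running `wps_status` on the same access point before and after a firmware update shows whether the advertised WPS state regressed, independent of what the configuration page displays.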
-
The tech let me know he finished testing. He will send this info to headquarters for the developers. Thanks again for posting this. I will post any new firmware here when released.