MI424-WR Rev.EActiontecRouter20.19.8NoNoNonen/aWPS "functionality"is not enabledcurrentlyThis is the type of router that is used for Verizon FIOS and it appears to me at least thatdespite there being a button for WPS on the outside of the box, Actiontec says in the user manual:"Although the WPS button is included on the FiOS Router, WPS functionality will not beenabled until a future firmware release. The button is included so that WPS can beactivated at a later date without having to physically change the FiOS Router. The GUIdoes not include the WPS option."00:1F:90ajdownsWLAN 1421Alice/HansenetWlan Router1.0.16NoYesReaverYesI did a quick check. Seems to be vulnerable. But with some kind of rate limit maybe. Every second try fails. AirPort ExtremeAppleRouter7.5.2NoNon/an/aYes, seecommentsApple seems to use the internal PIN Method, not external PIN.60:33:4BjagermoVodafone Easybox602ArcadyanRouter/Modem20.02.022YesNoReaver 1.3Yes0:23:08Do we have more information about this? WPS PIN is enabled, but device is not vulnerable? Why?Vodafone EasyBox802ArcadyanRouter/Modem4/20/0207YesMaybeReaver 1.3,WPScrackYesThe Router brings a Message after 10 failed logins:Warnung:Bedingt durch zu viele Fehlversuche, nimmt ihre EasyBox keine WPS PIN Registrierungvon externen Teilnehmern mehr entgegen. Bitte setzten diesen WPS PIN durch einem neue zu generierenden WPS PIN Code wieder zuruck.Translation: Device locks after ten wrong attempts, user needs to create a new WPS PINcode0:26:04Speedport W 504VTyp AArcadyanRouterunkownYesYesReaver 1.4r1221 sekyes00:1D:1912345670EasyBox 803 ArcadyanTechnologyCorporationRouter30.05.211 (01.07.2011-10:36:41)YesYesReaver 1.3[user reports untested, sohis 3sec value hereremoved]yes (not testetmaybe its alreadyative after switching to off!)i think there is an interesting thing between easyboxes and speedport AP'ssome esyboxe's use a standard key begins with spXXXXXXXXXXXXXwith a 13 char length numeric key! (also some speedport aps use such a key but there is anice script to get them with the hexdecimal mac of the target ap! [wardiving wiki!!!] that willwork for a lot of speedport models ... ) Have nice dayCriticalCore00:15:AFCriticalCoreRT-N16ASUSRouter220.127.116.11YesYesReaver 1.31176 secondsYesbc:ae:c5RT-N10ASUSRouter18.104.22.168YesYesReaver 1.32 seconds per attempt/3.5hours to crackYesReece ArnottN13U v1&v2ASUSRouter2/1/2012NoNoReaver 1.310minYes ASUS N13U uses only PBC WPS configuration method . WPS is switched off automatically after two minutes . Tested on ASUS N13U v1 and v2 using latest firmwareshA1d3RFritz!box 7390AVMRouter84.05.05NoNowill follow soonwill follow soonYesI found this list at work and thought I can provide you with some information of my router. I filled out the parts I know and will check the clear field this evening:- Is your device vulnerable against the WPS attack? *- Wich tool did you use? *- How long did it take you?FireFlyHi Firefly, thanks - to fill in the missing informations, just re-do the form.Fritz!Box 7240AVMRouter73.05.05NoNowpscrack,Reaver 1.2uncrackableyes00:24:FEFritzBox7390AVMRouterALLNoNoReaver 1.3uncrackableYesYou have to activate WPS manually. I's deactivated after every successful wps connectionand after 2 minutes. =>Not vulnerable because of very short time limit.f.reddyFritz!Box WLAN3370AVMRouter / Modem103.05.07NoNoN/AN/AYesI think all current AVM devices are save as WPS with pin isn't activated on default.n150BelkinRouterUnknownyesyesReaver 1.212.5 hoursyesF9K1001v1BelkinRouterF9K1001_WW_1.00.08YesYesReaver 1.37765 secondsYesF6D6230-4 v1000BelkinRouter1.00.19 (Apr 22 2010)YesYesReaver 1.320 minyesNo lockout, no delay needed.0:23:15F9K1001v1 (N150)BelkinRouter1.0.08YesYesReaver 1.341 minutes, 12 secondsYesThe F9K1001v1 is the same as the Belkin N150. I got lucky on the speed, the first 4 digitswere found at 3.06% completion.08:86:3BNick21250491F7D1301 v1BelkinRouter1.00.22YesMaybenoneyesdidn't bother to test, but i assume it's vulnerable judging by the other Belkin routers thatcome with WPS enabled94:44:52beejF7D2301 v1BelkinRouter1.00.16 (Jul 2 2010 14:36:56)YesYesReaver 1.31.9 HoursYes94:44:5293645348F9K1105 v1Belkinrouter1.00.03 (Jul 4 2011)YesYesReaver 1.33hoursyesF9K1001 v1BelkinRouter1.00.08YesYesReaver 1.211.2 HoursYes83024417800nBillionRouter1.06dNoMaybeReaver 1.314 hoursYesOnly vulnerable when WPS is enabled. Even though I had my attack laptop in the sameroom as my router, it still took 14 hours to find the PIN. Disabling WPS is completely effective.00:04:EDBiPAC 7404VGPXBillionAP6.23YesYesreaver 1.33hoursnoWZR-HP-G300NHBuffaloRouterUnknownYesMaybeReaver viaBacktrackWithin 1 hourYesWith WPS turned off reaver did nothing. With WPS on reaver is looking for the pin. Thisrouters was bought and being used in Japan.WZR-HP-AG300HBuffaloAccess Piontdd-wrt v24SP2-multi build 15940YesNoreaver 1.4No but it startslockedWPS is enabled by default and I cannot turn it off. However, Reaver reports that the stateis locked at first try. Beacon packets sometimes show WPS (and thus appear in walsh),and other time WPS is not in beacon packets and thus is not reported by walsh. So far I am unable to break wps with reaver even using the known PIN. I've never actuallytested to see if wps even works properly in the first place however.Device NameManufacturer Type (Router/ AP/Bridge...)Firmware-VersionWPS enabled by default?Vulnerable (yes/no)Tool (Version) Average time for penetration*without* providing the PINWPS can bedisabled (and itstays off!)Comments/Notes
tested byPINThis database is intended as an educational resource for users interested in IT-Security. I did not find thevulnerability, that honor goes to Stefan Viehböck and Craig Heffner.