1 "*Reset* There are two ways to reset the Router's factory defaults. Either press and hold the Reset Button for approximately five seconds, or restore the defaults from Administration > Factory Defaults in the Router's web-based utility. Page 2 "The Linksys default password is admin."
So how secure was yours after changing it? How strong was the password?
How long is the WPA shared key or WEP passphrase? Are they *strong* keys and not some easily guessed (easily dictionary attacked)?
Did you enable MAC filtering and add the MAC addresses for just your intranet hosts so only they can connect to the router?
Settings in the router are retained by using NVRAM (non-volatile random accessed memory) when power is off. Could be the flash memory is going bad and isn't retaining the settings. However, since the flash memory is inside the microprocessor (e.g., Atmega88), it means the unit is kaput. Cooling is by convection only (no fans inside, just holes in the case). If the ventilation holes get blocked then the parts inside overheat. Once the unit goes flaky, dusting out the holes and inside won't help. Could be someone (kid?) installed DD-WRT and then reinstalled the factory or update firmware without first clearing the NVRAM. Reinstalling the latest firmware might fix it (but then if the reset was caused by flashing in new firmware then you already have it).
After entering strong keys/passwords for all the settings (to avoid hacking), you'll have to watch the unit to see if it screws up again. Could be it's getting flaky in its old age. So far with the routers that have died for me, they always exhibit some flakiness in operation before a catastrophic failure.
If they can get to the admin web pages, they can reset it to defaults.
However, that's probably not what happened. Some (not all) WRT54G v5 and v6 routers are junk.
They will hang, reboot spontaneously, reset themselves, or do other disgusting things. Installing DD-WRT sometimes cures the problems, but not always. Oddly, only some WRT54G v5 and v6 routers are like this. Some actually work quite well.
I'm constantly seeing various routers reset to defaults for no obvious reason. It's not hackers. It's usually AC power glitches. Give the power plug the right waveform, and the router thinks the reset button has been depressed. I had this problem on a different product that I worked on. The original design had the reset pin on the CPU set to normally high and using level triggering. If the DC power went down slowly or erratically, it will look like the reset pin was grounded, thus causing a reset. It was solved by setting the line to normally low, using the reset button to pull up the line. The firmware guys also added additional debouncing to the reset pin. We were tempted to try edge triggering, but ran out of time.
Hi Jeff, I know you're one of (if not the) most respected guy on this forum so I do appreciate your advice. I'm in the Santa Cruz mountains (like you) and we do get glitches in the power a lot. Seems to go down once a month sometimes, and other times it lasts for six months before the generator kicks in.
So, maybe that's what happened.
But, now it's even worse. With the router reset to defaults, I had no problem logging in. I decided to update the firmware, just in case, using the file FW_WRT54Gv5v6_1.02.8.001_US_20091005.bin downloaded from the Linksys site for the v5 that I have.
This process went on for hours ... from about 11:00 to about 1:30 when I finally gave up and pulled the plug. (BTW, how long 'should' a firmware upgrade take anyway?).
Here's a picture of what showed for hours (the lines were moving and repeating themselves over and over and over again):
Then, after rebooting and resetting a few times, here's what then showed up:
Now I can't get anything to work on the Linksys router. No connection.
Two questions:
Q1: How long should it take for firmware to install itself? (I gave up after almost 3 hours)
Q2: Should the power light be constantly blinking or should it be steady? (Mine is blinking)
I've read much of what Jeff L. has said time and time again, so ...
a) I don't bother hiding the SSID
b) I don't bother with MAC address filtering
c) I use a non-dictionary SSID & passphrase
Of course, if I have a keylogger trojan on the network, that will negate everything ... or it may have been a glitch in the power that reset the router to defaults. I'm surprised - because it never happened before and I've had the router for years ... but ... either way ...
My problem now is that the router is (apparently) bricked.
Q: Does anyone know if the router power light should be flashing or solid?
Q: How long 'does' it take to do a firmware upgrade?
That's fairly typical for a low end consumer router. I have a home made power line logger running at my palatical office looking for power line glitches. It's fairly crude and only catches the big glitches. We've had two major power glitches in the area during the last week. I've been getting calls for dealing with hung routers, modems, and computahs all week. It sometimes takes several days for the effects of the glitch to show up. All that needs to happen is for the glitch to trip one bit in RAM. No problem until the device needs to use that bit. Then, it goes nuts. ECC RAM is not used on commodity routers.
Highly likely. I can see a wireless attack in a crowded metro area, but not in the sparsely populated hills. Attacks from the internet are possible, but unless the router has some built in vulnerabilities, is grossly misconfigured, or is sensitive to malformed packets, it's not going to happen. Just in case, try:
It's old and incomplete, but I'm still finding modern routers that fail some of the exploit tests.
The update should take about 60 seconds plus reboot time. Something went wrong. Hopefully, you didn't try to do the upgrade via a wireless connection. That's usually a guaranteed disaster.
Checking the web site, you have the correct version:
No checksum, so I have no way to verify if it was correctly downloaded. You might want to try another download just to be sure.
It's bricked, but probably not fatal.
About 60 seconds plus a reboot.
Nope. That means there's a checksum error in the firmware.
I would normally consider this a great opportunity to purchase a new router and get rid of the v5 abomination. However, if you want to raise the dead, try this simple test:
Power OFF the router.
Temporarily set your computah to a static IP address of
Start a continuous ping to 192.168.1.1
For Windoze, that's
   ping -t 192.168.1.1
Don't worry if you see errors at this point.
If you don't have TFTP:
   IP=192.168.1.1
   no password - leave blank
   select the firmware
   set retries to 99
Apply power to the router. You should see proper returns from the pings after about 8 seconds. The returns will revert to errors after about 5 more seconds. Try to record the times. You'll need them.
If you get proper returns in the previous step, there is hope.
Rename the firmware to "code.bin". This might also be a good time to try loading the mini version of DD-WRT.
Under Windoze, type the following onto the command line (in a cmd window):
   tftp -i 192.168.1.1 PUT code.bin code.bin
Do not hit enter quite yet. Do not hit enter quite yet. Do not hit enter quite yet. Do not hit enter quite yet. Got that? If you're using tftp book, get ready to hit the start button.
Apply power to router and start counting seconds. The idea is to start the TFTP program in the middle of when the pings were correctly returned. You may have to do this several times to get it right.
When you hit enter, nothing should happen until code.bin is properly uploaded. You'll get a message about ok to reboot (it varies with the firmware). Ignore it and do nothing for at least 5 minutes. Go get some coffee and keep your fingers off the keyboard. After 5 mins, pull the power to the router, wait for it to boot, and see if you can get to the management page at 192.168.1.1.
If that works, don't forget to change the static IP address of the computah back to DHCP. If it doesn't work, try again, or just get a better router.
I found one situation where MAC filtering was needed. A customer was using about 10 assorted IBM Thinkpads of varying vintage. Some were sufficiently old that they only supported WEP. There was also a wi-fi range extender (repeater) that would only pass WEP. However, the customer was not comfortable with using easily crackable WEP. So, I added MAC address filtering to the security obstacle course. It really wasn't necessary because they live in the deep dark forest and know all the neighbors. Still, it made him feel better.
Sorta. Give me a few minutes with one of the client computers and I'll extract a usable portable hash key. Much easier than over the air pass phrase cracking.
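On the point above that the firmware download comes with no published checksum: an added example, not part of the original thread, that compares two independent downloads of the same image and reports whether they match, whether one is a truncated copy, or where they first differ. The function names are hypothetical, and the two paths are whatever names the downloads were saved under.

```python
import hashlib
import sys

def sha256_file(path, chunk=1 << 16):
    """Return (hex digest, size in bytes) without loading the whole image."""
    digest, size = hashlib.sha256(), 0
    with open(path, "rb") as fh:
        while block := fh.read(chunk):
            digest.update(block)
            size += len(block)
    return digest.hexdigest(), size

def first_difference(path_a, path_b, chunk=1 << 16):
    """Offset of the first byte where the files diverge, or None if identical."""
    offset = 0
    with open(path_a, "rb") as fa, open(path_b, "rb") as fb:
        while True:
            a, b = fa.read(chunk), fb.read(chunk)
            if a != b:
                common = min(len(a), len(b))
                for i in range(common):
                    if a[i] != b[i]:
                        return offset + i
                return offset + common  # the shorter file ended here
            if not a:
                return None
            offset += len(a)

def compare_downloads(path_a, path_b):
    """Classify two downloads: ('match', digest), ('truncated', offset) or ('corrupt', offset)."""
    (hash_a, size_a), (hash_b, size_b) = sha256_file(path_a), sha256_file(path_b)
    if hash_a == hash_b:
        return "match", hash_a
    where = first_difference(path_a, path_b)
    if size_a != size_b and where == min(size_a, size_b):
        return "truncated", where  # shorter file is a clean prefix of the longer one
    return "corrupt", where

if __name__ == "__main__":
    print(compare_downloads(sys.argv[1], sys.argv[2]))
```

A match only shows that both transfers delivered the same bytes; without a vendor-published digest it says nothing about whether those bytes are what the vendor built.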
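The timed `tftp -i ... PUT` step above, written out as an added example that is not from the original thread: a minimal RFC 1350 write client that re-sends the write request once a second, doing the job of the "set retries to 99" setting so the request keeps going out until the loader's short listening window opens. The function names are hypothetical; the address and the `code.bin` name are the ones given in the steps.

```python
import socket
import struct

OP_WRQ, OP_DATA, OP_ACK, OP_ERROR = 2, 3, 4, 5
BLOCK = 512  # RFC 1350 block size

def wrq_packet(remote_name):
    # "octet" is the binary mode that `tftp -i` selects: no netascii translation
    return struct.pack("!H", OP_WRQ) + remote_name.encode("ascii") + b"\0octet\0"

def data_packets(image):
    """Yield (block_no, packet). A block shorter than 512 bytes ends the transfer,
    so an image that is an exact multiple of 512 gets an empty final block."""
    for n, off in enumerate(range(0, len(image) + 1, BLOCK), start=1):
        yield n & 0xFFFF, struct.pack("!HH", OP_DATA, n & 0xFFFF) + image[off:off + BLOCK]

def acked_block(reply):
    """Return the block number an ACK confirms, or None for anything unusable."""
    if len(reply) < 4:
        return None
    opcode, value = struct.unpack("!HH", reply[:4])
    if opcode == OP_ERROR:
        raise OSError("TFTP error %d: %r" % (value, reply[4:].rstrip(b"\0")))
    return value if opcode == OP_ACK else None

def _send_until_acked(sock, packet, dest, block_no, retries):
    for _ in range(retries):
        sock.sendto(packet, dest)
        try:
            reply, peer = sock.recvfrom(516)
        except socket.timeout:
            continue  # loader not listening yet, or a lost packet: send again
        # Only accept replies from the router's address; ignore stale ACKs
        if peer[0] == dest[0] and acked_block(reply) == block_no:
            return peer  # ACK 0 may come from a new transfer port, not 69
    raise TimeoutError("no ACK for block %d after %d tries" % (block_no, retries))

def tftp_put(host, image, remote_name="code.bin", timeout=1.0, retries=99):
    """Upload image (bytes) to host (an IP address); returns DATA blocks sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        peer = _send_until_acked(sock, wrq_packet(remote_name), (host, 69), 0, retries)
        sent = 0
        for block_no, packet in data_packets(image):
            _send_until_acked(sock, packet, peer, block_no, retries)
            sent += 1
        return sent

if __name__ == "__main__":
    with open("code.bin", "rb") as fh:
        print(tftp_put("192.168.1.1", fh.read()), "blocks sent")
```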
Whew! The version 5 Linksys WRT54G is back in business!
After unplugging everything but power, I did the 30/30/30 procedure which was to hold the button for the entire 90 seconds - the first 30 while the unit is powered - the second 30 while the power cord is removed - and the third 30 seconds while the power is back on. Then I let go of the reset button.
Following Jeff's hint, I again downloaded the same file I had downloaded before - overwriting the old file for my WRT54G version 5 router:
I then pinged 192.168.1.1 and this worked (much to my surprise) even though the power light was still blinking and no other light was on (not even the "CiscoSystems" orange light).
I opened up Firefox and went to 192.168.1.1 and was surprised to see: Management Mode Firmware Upgrade
So, I hit the "Browse" button and then the "Apply" button and ... lo and behold, after about 2 minutes and much flashing of the LAN light on the router, the web page changed to "Upgrade Success".
I was worried because the power light still blinked for about two minutes or so, but then it settled down, and now is a solid green!
I was able to log into the router at 192.168.1.1 and immediately noticed I was at version 1.02.8 (plus the blue color changed in tone).
Thanks for all your help! I've disabled wireless access to the router just in case it 'was' an intruder. Also I noticed this setting by default: Wireless->Advanced Wireless Settings->Secure Easy Setup->Enable
Googling for "Linksys Secure Easy Setup" I find PC Magazine loves the feature ...
I also find a 1/21/2012 Cisco security vulnerability bulletin:
It's also described by Cert:
Note VU#723755 WiFi Protected Setup (WPS) PIN brute force vulnerability
So, I disabled the "Secure Easy Setup" and the orange Cisco light went out!
I wasn't sure if this flaw was related to WPA2/PSK but apparently it is. According to Wikipedia
"The flaw allows a remote attacker to recover the WPS PIN and, with it, the network's WPA/WPA2 pre-shared key in a few hours".
UPDATE: Apparently my Linksys WRT54G v5 router 'can' be reset by an intruder and/or by a glitch in the power line. Drat!
To make it harder for the 'next' intruder, I realized belatedly we should all turn OFF the Linksys/Cisco/ "Secure Easy Setup" feature!
Beware, it's not only Linksys that is affected by the SES vulnerability.
According to CERT, these companies are affected by the vulnerability:
Belkin, Inc. Affected - 10 May 2012
Buffalo Inc Affected - 10 May 2012
Cisco Systems, Inc. Affected - 10 May 2012
D-Link Systems, Inc. Affected 05 Dec 2011 10 May 2012
Linksys/Cisco Affected 05 Dec 2011 10 May 2012
Netgear, Inc. Affected 05 Dec 2011 10 May 2012
Technicolor Affected - 10 May 2012
TP-Link Affected - 10 May 2012
The CERT advisory is:
Here is a pictorial look at what I did AFTER my router was bricked:
I ran the 30/30/30 procedure which left the power light blinking but allowed me to ping the router. This was a good sign.
In a browser, I went to 192.168.1.1 and was happy to see the Management Mode Firmware Upgrade page. I downloaded a 'new' Firmware upgrade and browsed to it and hit the "apply" button.
After only a couple of minutes, I saw the Upgrade Success notification in the browser:
Logging into 192.168.1.1, I immediately noticed a different shade of blue and that the firmware had been updated to version 1.02.8.
In my googling, I had found the CERT vulnerability so I disabled Wireless -> Advanced Wireless Settings -> Secure Easy Setup -> Disabled
Hopefully, with a new non-dictionary SSID, non-dictionary password, a rather long WPA2-PSK/AES key, & with remote management and wireless web access disabled, I'm a bit more secure from outside hacking (if that's what had happened).
I didn't bother hiding the SSID or filtering the MAC address based on advice previously provided in this forum.
Minor question: Q: Does setting the administrator access to https buy me any security over http?
No. All that does is prevent anyone from sniffing the wireless traffic and extracting your admin password and WPA2 key if they were able to capture a WPA2 setup session.
Congrats. What the 30/30/30 did was wipe the firmware completely leaving only the TFTP loader and in your case, the initial firmware loader. I forgot about that. It doesn't appear in all models.
Maybe, but I don't think so. I've always assumed that using WPS requires that the button on the router be pressed in order to start the WPS session. I can't currently determine if it's really required, or if WPS is running all the time. I'll check later (time permitting).
"Further, some access points don't provide an option to disable WPS or don't actually disable WPS when the owner tells it to." Groan...
Linksys has only fixed the WPS vulnerability problem on newer models. I don't expect a fix for the WRT54G.
That's from Jan 27, 2012. Since then there have been fixes for E1200 v2, E1500, E3200, and E4200 v1. Note that the WRT54G is not listed, probably because it's not a currently selling product. If you must use WPS/SES/AOSS/EZ-SETUP, I suggest you get an alternative firmware, such as DD-WRT.
11,000 attempts works out to 9 hrs maximum. When I tried Reaver, I was able to recover the PIN in about 6 hrs at about 1.5 seconds per attempt. I only tried it once:
It generated considerable wireless traffic, which was easily detected. More: