What bubble? I'm well aware of the fact that devices have security
holes and nothing is truly that secure. But when it comes down to it,
how many times has your local coffee shop or other public access point
been shutdown because of someone being malicious? Yes it happens but
not that much. Attacking the nodes on the network will provide more
valuable information so unless the intent is to cause a Denial of
Service then they have done nothing of value. As for the details:

1. I assumed the attacker was connected as a normal client since the
message I was responding to says "...if I take my laptop, connect to his
network, type in 192.168.1.1 (or do a host scan and look for a dhcp
server)..." If they can just "type in 192.168.1.1" then they are
attached to the network and have an IP. Since most AP's are dumb
devices the only logging that will probably happen is showing the
hostname that asked for the IP or somewhere else in their clients list.

2. Cheap devices has crappy security. No argument from me there.
However, based on the skill level of the attacker assumed in #1, they
probably won't bother with an attack other than trying the default
password (the method of access described in the message I referenced).
In addition, these devices have several security holes on the WAN side
but yet they are still considered secure enough.

3. While several consumer AP's support custom firmware, even more don't
or require physical access to the device such as a local power cycle to
bootstrap a new firmware. Restoring from a malicious firmware can be
difficult but still not impossible to recover from. Most of the devices
I've played with support a power on recovery mode and that part of the
bootloader can not be upgraded or altered by the firmware.

4. Yes, I'm adding a point. Even with security enabled your data may
not be very well protected. WEP is easy to break. MAC address
filtering is like putting a lock on a window. WPA is currently somewhat
secure but the passwords people use are typically weak. Phone numbers,
addresses and dictionary words make it possible to gain access in hours
at most. I just demonstrated that to someone that told me that nobody
could ever gain access to their WPA protected AP.

Security is relative and is only "best effort". You do what is best for
you and Bruce will do what is best for him. Personally, I'm more
concerned with the legal issues from someone using your connection and
doing bad things.

--Blaine
All things said in good humor. There's nothing wrong with a good clean
debate. ;-P

Rob Fuller wrote:
> Blaine,
> Not to burst your bubble a bit, but..
>
> 1. Because if you receive an IP that means you have been logged one
> more place. Now, most likely it is the router that gave you that
> IP, but it could be forwarding those logs or the DHCP server could
> be hosted on a completely different server. The best way is to sit
> and listen, watch the ARP traffic, after a short while you will
> get the idea of what IP addresses are out there and the range they
> are in. Statically assign yourself and IP and you are off to the
> races.
> 2. There are web app hacks that allow you to issue certain commands
> to a WAP without having authenticated. Just yesterday there was a
> password set hack found on the routers that Verizon FiOS uses
> regularly that allowed one to SET the Administrator password
> without authenticating and without typing in the "old password".
> Linksys routers have a number of these vulnerabilities. 3. See
> Jesse Michaels post: "Doesn't necessarily help if the attacker
> has flashed the device with malicious firmware."
>
> mubix

[ reply ]