Wireless Security
Re: Bruce doesn't secure his wireless Jun 18 2008 11:41PM
Rob Fuller (jd mubix gmail com) (1 replies)
Re: Bruce doesn't secure his wireless Jun 19 2008 12:05AM
Blaine Fleming (groups digital-z com) (1 replies)
You got me with point #5. As for #3, I have a Buffalo model that can
not be upgraded without doing a physical power cycle or using a signed
firmware. I also have some early WRT54G models that even if you use a
bad firmware you can still tftp a working one during the 5 second
window. In addition, JTAG is an option on many devices. It's a hassle
to do but it's still cheaper than replacing the AP. I remember
installing hardware write switches in a device (Buffalo I think) for a
friend that was paranoid about someone changing the config on a WPA2
protected AP.

On the flip side, how many people have been in a location where they
connected to the first open access point they found? How do you know
that you are connecting to a legitimate AP and not a malicious
honeypot? People still do this in airports all the time. I appreciate
the people like Bruce that leave it open and allow others to use it. I
also hate it when people don't secure it because they are too lazy. In
fact, I'm using some random connection right now. If it weren't for my
VPN I wouldn't even consider it.


Rob Fuller wrote:
> Blaine,
> I completely agree with a number of your points, and I don't expect
> everyone to go out and set up WPA2 w/ Radius servers in their home.
> However, no matter who is in front of my house, I am not
> underestimating them. But I would personally be more worried that
> since my wireless was unsecured that I would be in the realm of "crime
> of convenience". Even providing WEP deters the passerby child porn
> surfer. So to get back on topic:
> 1. Yes, the logging might not be there but in the attacker mindset,
> I'm not going to take that chance. Attack surface area should be the
> #1 thought in the attacker's mind, save denial of service attacks.
> 2. I again call on the "don't underestimate them" adage.
> 3. What makes/models have this fail switch? I haven't run into any. As
> for the malicious malware, there is code out there that simply bricks
> APs. The WRT54G for example has googlable firmwares out there that
> will perma brick them.
> 4. I slightly disagree with you on the MAC filtering analogy. If joe
> blow hacker comes during the night and you are sleeping with your only
> wireless device (your laptop) turned off, they are not going to guess
> which MAC is 'authorized'.
> 5. Yes, I'm adding a point. Just to one up you... So... HA!
> mubix
> Blaine Fleming wrote:
>> What bubble? I'm well aware of the fact that devices have security
>> holes and nothing is truly that secure. But when it comes down to
>> it, how many times has your local coffee shop or other public access
>> point been shutdown because of someone being malicious? Yes it
>> happens but not that much. Attacking the nodes on the network will
>> provide more valuable information so unless the intent is to cause a
>> Denial of Service then they have done nothing of value. As for the
>> details:
>> 1. I assumed the attacker was connected as a normal client since the
>> message I was responding to says "...if I take my laptop, connect to
>> his network, type in (or do a host scan and look for a
>> dhcp server)..." If they can just "type in" then they
>> are attached to the network and have an IP. Since most APs are dumb
>> devices the only logging that will probably happen is showing the
>> hostname that asked for the IP or somewhere else in their clients list.
>> 2. Cheap devices have crappy security. No argument from me there.
>> However, based on the skill level of the attacker assumed in #1, they
>> probably won't bother with an attack other than trying the default
>> password (the method of access described in the message I
>> referenced). In addition, these devices have several security holes
>> on the WAN side but yet they are still considered secure enough.
>> 3. While several consumer APs support custom firmware, even more
>> don't or require physical access to the device such as a local power
>> cycle to bootstrap a new firmware. Restoring from a malicious
>> firmware can be difficult but still not impossible to recover from.
>> Most of the devices I've played with support a power on recovery mode
>> and that part of the bootloader cannot be upgraded or altered by the
>> firmware.
>> 4. Yes, I'm adding a point. Even with security enabled your data
>> may not be very well protected. WEP is easy to break. MAC address
>> filtering is like putting a lock on a window. WPA is currently
>> somewhat secure but the passwords people use are typically weak.
>> Phone numbers, addresses and dictionary words make it possible to
>> gain access in hours at most. I just demonstrated that to someone
>> that told me that nobody could ever gain access to their WPA
>> protected AP.
>> Security is relative and is only "best effort". You do what is best
>> for you and Bruce will do what is best for him. Personally, I'm more
>> concerned with the legal issues from someone using your connection
>> and doing bad things.
>> --Blaine
>> All things said in good humor. There's nothing wrong with a good
>> clean debate. ;-P
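Blaine's point #4 above says WPA pre-shared keys built from phone numbers, street addresses and dictionary words fall "in hours at most". The following Python check is an added example, not code from anyone in this thread: it screens a candidate passphrase for exactly those patterns before it is configured on an AP. The tiny word list, the 60-bit keyspace threshold and the phone/address pattern rules are the example's own assumptions; a real deployment would load a full dictionary and tune the threshold.

```python
"""Screen a WPA/WPA2 pre-shared key for the weak patterns named in the
thread: phone numbers, street addresses, dictionary words, short length.
Added example; the word list is a small constructed sample, not a real
dictionary, and the 60-bit threshold is an assumed policy value."""
import math
import re
import string
from typing import Optional

# Constructed sample word list standing in for a full dictionary.
SAMPLE_WORDS = {"password", "wireless", "network", "coffee", "buffalo",
                "linksys", "default", "secret", "summer", "home"}

MIN_BITS = 60  # assumed policy threshold for acceptable keyspace size


def looks_like_phone_number(psk: str) -> bool:
    """True if, with common separators removed, the key is 7-11 digits."""
    stripped = re.sub(r"[\s\-().+]", "", psk)
    return stripped.isdigit() and 7 <= len(stripped) <= 11


def looks_like_street_address(psk: str) -> bool:
    """True for a house number followed by one or more words, e.g. '123 Main Street'."""
    return re.fullmatch(r"\d{1,6}\s+[A-Za-z]+(\s+[A-Za-z]+)*", psk) is not None


def dictionary_hit(psk: str, words=SAMPLE_WORDS) -> Optional[str]:
    """Return the base word if the key is a dictionary word with only
    leading/trailing digits or symbols bolted on (e.g. 'coffee123')."""
    core = re.sub(r"[\d\W_]+$", "", psk.lower())
    core = re.sub(r"^[\d\W_]+", "", core)
    return core if core in words else None


def charset_bits(psk: str) -> float:
    """Upper bound on keyspace entropy: length * log2(character pool size)."""
    pool = 0
    if any(c.islower() for c in psk):
        pool += 26
    if any(c.isupper() for c in psk):
        pool += 26
    if any(c.isdigit() for c in psk):
        pool += 10
    if any(c in string.punctuation or c == " " for c in psk):
        pool += 33
    return len(psk) * math.log2(pool) if pool else 0.0


def assess_psk(psk: str) -> dict:
    """Collect every weakness found; an empty list means the key passed."""
    findings = []
    if not 8 <= len(psk) <= 63:
        findings.append("length outside the WPA-PSK range of 8-63 characters")
    if looks_like_phone_number(psk):
        findings.append("phone number")
    if looks_like_street_address(psk):
        findings.append("street address")
    word = dictionary_hit(psk)
    if word:
        findings.append(f"dictionary word '{word}' with trivial decoration")
    bits = charset_bits(psk)
    if bits < MIN_BITS:
        findings.append(f"only ~{bits:.0f} bits of keyspace")
    return {"weak": bool(findings), "findings": findings, "bits": round(bits, 1)}


if __name__ == "__main__":
    # Constructed sample keys covering each pattern the thread mentions.
    for candidate in ["5551234567", "123 Main Street", "coffee123",
                      "Tx7!qL9#vR2$wM4&bZ8p"]:
        print(candidate, "->", assess_psk(candidate))
```

The entropy figure is deliberately an upper bound: a pattern hit (phone, address, dictionary) is reported separately because a 15-character address scores well on raw keyspace yet sits in any wordlist an attacker would try first, which is the point Blaine makes.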

Re: Bruce doesn't secure his wireless Jun 19 2008 02:16AM
Peter (peter1512 gmail com)