Yesterday, while waiting for a dentist, I took out my phone, turned on the Wi-Fi and poked around. What I found was depressing.
First, let me not gloss over the initial step, turning on the Wi-Fi. Good Defensive Computing demands that Wi-Fi be off when not in use. If there was anything I learned last summer attending the BSides and DEF CON conferences, it was to turn off Wi-Fi when your not using it. Trust me on this.
The phone saw two networks, one private and one for guests. The guest network was password protected, the only mistake not made by whoever set things up. As for the mistakes they did make:
1. WPS was enabled on each wireless network.
WPS (Wireless Protected Setup) is a security disaster, something that first came to light at the end of 2011. Enabling WPS is the virtual equivalent of putting a “Hack Me” sign on a wireless network.
2. The networks did not require WPA2-AES.
When it comes to over-the-air encryption, there is only one right answer: WPA2-AES (a.k.a. WPA2-CCMP). WPA should not be allowed. TKIP should not be allowed.
3. Guest users were not isolated from each other.
I was able to run a couple LAN scanning apps and see other devices on to the network, which opens us up to all sorts of attacks.
The very next day, there were reports of new critical bugs in Android that let a malicious device sharing the same network totally take over a vulnerable device. And, considering the way Android bug fixes never get distributed, almost every Android device with a Broadcom chip is vulnerable.
This particular flaw lets a bad guy hack into a vulnerable device without the victim doing anything. No malicious links or fake domains are needed, all that is necessary is for the bad guy to share a Wi-Fi network with the victim — and for the router not to employ isolation.
This is just the latest in a long line of bad things that an attacker might do to another device on the same network. There is no excuse for letting guest users see each other.
Whoever set this up might argue that the router firmware doesn’t offer this level of isolation, but that’s a bad excuse, since many routers do offer it, even cheap consumer models (see screenshots of TP-LINK and TRENDnet).
4. Guest users can logon to the router.
At this point, I’m thinking a 12-year-old child could have setup better security.
No guest user should ever be able to logon to the router. More to the point, guest users should never even see a router logon prompt. As shown below, I did see one and was able to try my luck at logging in.
You don’t have to be a hacker to learn the IP address of the router you are connected to. My instructions for doing so are the most popular blog I’ve written.
5. No user ID was needed to login to the router, just a password.
As you can see in the screen shot above, the user ID for logging in to the router was pre-filled in. All I needed to supply was the password.
6. Using the most common router userid
Using “admin” as a router user ID is akin to using “password” as your password. It is the first, if not the only thing, an attacker would try.
Here too, whoever set this up may gripe that the router only supports the “admin” user. Again, I would reply to use another router.
Guest user isolation and support for multiple user IDs, are but two of dozens of features that make one router more secure than another. There is a long checklist of router security features on my RouterSecurity.org site.
7. After entering a bunch of wrong passwords, I was not blocked.
Any secure device should lock out users after a certain number of invalid passwords. Even the fairly low end D-Link DIR860L adds a CAPTCHA to its logon page after a dozen wrong passwords.
This is so disappointing, but since a license isn’t needed to setup a Wi-Fi network, not that surprising. Instead of paying a charlatan, the dentist would have been better off with a 12-year-old child configuring things.
The classic Defensive Computing response to public Wi-Fi is a VPN. But, even with a VPN in my pocket, I am hesitant to use any public Wi-Fi network, WPA2 or no WPA2. There is always a vulnerability window between getting on-line and the VPN kicking in.
To minimize this window, look for VPN software that will automatically connect.
- – –
Update Feb. 5, 2016. Twitter user @WiFivomFranMan reminds me to point out that password protected public Wi-Fi networks, such as this one at a dental office, should have their password rotated periodically. If a qualified attacker learns the password, they can do bad things to others on the network.