brent saner on 24 Jun 2015 18:09:23 -0700


[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] Home wifi access point & router recommendation

I really with Google Inbox let you properly inline-reply.

http://www.howtogeek.com/176124/wi-fi-protected-setup-wps-is-insecure-heres-why-you-should-disable-it/ is a good introduction to the evils of WPS.

Pay close attention, though- some models give you an option to disable WPS, but *it does nothing*. Nada. Zilch. Exploits against the WPS spec still work fine.

And honestly, I wouldn't even trust the button method either- if someone (aherm.) happened to have a static station and a good card with an external antenna attached (say, an alfa awus036neh, and a directional 9 or 15dB antenna pointed at your AP....), they can push auth packets at your router till the cows come home. As soon as you press that little button, guess whose auth packets get there first? Hint: not who you want.

That's why I always, always flash with OpenWRT. And why I *always* pentest new wireless kit before putting it live on my network.

On that note, would anyone want a wifi pentesting preso or anything like that?


On Wed, Jun 24, 2015, 19:52 Rich Freeman <r-plug@thefreemanclan.net> wrote:
On Wed, Jun 24, 2015 at 5:31 PM, Michael Zaleski
<michael.zaleski@gmail.com> wrote:
> Yes, WPS is bad, even if the router does rate limiting,  UPnP is also not
> too safe.

Note that some routers let you turn off WPS, in which case having the
feature is harmless.  Also, if you can at least turn off the PIN side
of WPS then you're fine - the push-button part of WPS is secure, well,
aside from the window of opportunity it creates.  The problem is that
routers rarely let you have the one without the other, and if PIN mode
is enabled you are very unsafe.

Also, if your router isn't updated I'd be wary of heartbleed.  I
believe some routers use openssl for WPA2 key exchange, and this could
be vulnerable.  However, I've seen very little attention given to this
so I'm not certain about the risk here.

--
Rich
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug