0

I live in an apartment building that provides cable internet via an ethernet cable that reaches my place. I connect this cable to my WAN port and distribute it internally via wifi through my password-protected router.

Can computers on this WAN, in a regular network workflow (that is, without using any exploit) connect to devices connected to my LAN?

Also, if there are, what types of attacks can be done this way? (exploit or not)

sigmaxf

2 Answers

1

> I connect this cable to my WAN port and distribute it internally via wifi through my password-protected router.

Such a setup almost certainly means that your router is performing NAT, Network Address Translation. One advantage of NAT is that you must explicitly define rules that allow incoming traffic from the WAN to be able to access something on the LAN. Therefore,

> Can computers on this WAN, in a regular network workflow (that is, without using any exploit) connect to devices connected to my LAN?

By default the answer to this is no.

There is one minor case to consider - who owns the router? If you own the router, then you have full control over how it behaves. But if the ISP owns your router, then they may have access to your LAN. I've known people paranoid enough to put a SOHO router behind their ISP router to protect their LAN from the ISP.

> Also, if there are, what types of attacks can be done this way? (exploit or not)

You'll want to ensure that your admin interface is only available from the LAN, not the WAN. Most routers have a checkbox for this.

Other than that, exploits of the router are the biggest concern. Monitor the news in case something pops up; SANS NewsBites is a good semi-weekly wrap-up that often mentions things like router exploits becoming known.

gowenfawr
  • It's my router so I know there are no custom provider configurations to remotely access it. I'll make sure my admin interface is only available from LAN, thanks for the heads up – sigmaxf Aug 18 '21 at 22:06
1

It's hard to say without knowing the details of your network topology. Technically all tenants may be on the same wire but there are ways to segregate the traffic, for example VLANs at switch level. Even if isolation is properly enforced between participants, the person who manages the switch (if there is one) could still spy on the traffic. Managed switches also provide a mirroring (aka SPAN) function to copy traffic from one or several interfaces to a dedicated port.

I am not sure this is a real WAN, what you describe looks like a consumer-grade, shared LAN in reality. In that context your wifi router probably acts as a switch too. Maybe you could do with a firewall in order to filter access to your own part of the network.

Even assuming nothing has been done to segregate traffic flows, a malicious user will probably not be able to sniff all the traffic that goes through the wire, because the switch does not move packets to all ports (unlike a hub), but broadcast traffic will still be visible.

However, people can still probe your systems and attempt to gain unlawful access...

Just out of curiosity, look at your IP address configuration and your ARP table. That should give you an idea. Your neighbors may be registered in your ARP table and there may be some kind of signalling traffic already going on.

Kate
  • I'm not so worried about traffic monitoring as I use a VPN, my main concern is having a device in the WAN gaining access to my media center, or any shared folders computers in my network may have. – sigmaxf Aug 18 '21 at 22:04
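
The ARP-table check suggested in the second answer can be scripted. The following is an added example, not code from either answerer: it parses Linux `ip neigh show` output and lists neighbours on the uplink segment whose MAC address you do not recognise. The sample output, the interface address and the known MAC are constructed values, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample of Linux `ip neigh show` output, as a host plugged
# straight into the building's cable might see it (not real data).
SAMPLE_NEIGH = """\
10.20.0.1 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
10.20.0.23 dev eth0 lladdr 66:77:88:99:aa:bb STALE
10.20.0.40 dev eth0 FAILED
10.20.0.57 dev eth0 lladdr DE:AD:BE:EF:00:01 DELAY
fe80::1 dev eth0 lladdr 00:11:22:33:44:55 router REACHABLE
"""

def parse_neigh(text):
    """Return (ip, mac, state) for each neighbour entry that resolved to a MAC."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if "lladdr" not in tok:  # FAILED/INCOMPLETE entries carry no MAC
            continue
        mac = tok[tok.index("lladdr") + 1].lower()
        entries.append((ipaddress.ip_address(tok[0]), mac, tok[-1]))
    return entries

def review_segment(neigh_text, iface_cidr, known_macs):
    """Summarise who shares the layer-2 segment with the interface iface_cidr.

    known_macs: MACs you expect to see (your own devices, the gateway).
    """
    iface = ipaddress.ip_interface(iface_cidr)
    known = {m.lower() for m in known_macs}
    unknown = []
    for ip, mac, state in parse_neigh(neigh_text):
        same_subnet = ip.version == iface.version and ip in iface.network
        if same_subnet and mac not in known:
            unknown.append((str(ip), mac, state))
    return {
        # A private address on the uplink suggests the "WAN" is a private
        # network upstream of you (for example a LAN shared with other
        # tenants) rather than a public internet address.
        "uplink_is_private": iface.ip.is_private,
        "segment": str(iface.network),
        "unknown_neighbours": unknown,
    }

if __name__ == "__main__":
    # Interface address and known gateway MAC are assumed values for the sample.
    print(review_segment(SAMPLE_NEIGH, "10.20.0.112/24", ["00:11:22:33:44:55"]))
```

Run behind your own router, the same check only shows your own LAN devices; the neighbours of interest appear on whatever interface faces the building's cable.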