12

I am planning to purchase a program that comes with an App that allows you to control the program via phone. The developer told me that the connection will be done via an extra WIFI box connecting to my computer. I plan to give this WIFI's password to friends and family.

Questions:

  1. Does this open my PC to attacks?

  2. My pc connects to the home network via cable. Does opening up a WIFI like this expose my home network to attacks?

  3. Is there a way to stop people from connecting to this WIFI network with devices other than a phone (I am mostly worried about infected laptops)

Shurmajee
user1296058

3 Answers

7

Mayank's answer had the most important part right: use WPA2 (not WEP and not no-password). However, I want to add some points.

  1. You should not use a "non-dictionary based word" for your AP "password", but instead use a multi-word passphrase. Don't reuse this passphrase for anything else (that you want to keep private) as you will be sharing this password (visiting friend needs to connect their laptop) and your devices will be storing this in a recoverable way. (And some devices will even by default store your wifi passwords in the cloud for you!) I suggest a passphrase as it's easier to tell someone "correct horse battery staple" (all lowercase, spaces between words), than "Capital T, lowercase r, zero, lowercase u-b, number four, lowercase d-o-r, ampersand, number three" and the passphrase has higher entropy (also see discussion here). Attacks on observed wifi handshakes can be done offline, so strong passphrases are needed.

  2. MAC address filtering is trivial to bypass and annoying to manage. MAC addresses are used for layer-2 (link level) addressing; so in wifi that's the radio signal between your router and any listening receiver. Even when you have an encrypted connection, the data is being encrypted, not the layer-2 packet headers. Hence, if a router is using MAC address filtering, it's quite easy to collect one packet sent from the router (to an allowed MAC address) and the attacker can then change their MAC address to clone the observed allowed MAC address. (Yes, two different computers using the same MAC address at the same time would cause problems, but you can wait until they no longer are using it.) Furthermore, MAC address filtering is annoying to manage, because you'll have to go into your router settings every time you add a new device to your network and copy the 12 hexadecimal digit MAC address (and bother with figuring out how to pull up a MAC address on every random wifi device). People who use MAC address filtering also get suckered into thinking it's very secure and then make weak choices for passphrase or think it's ok to use WEP or WPS or other vulnerabilities.

  3. Disabling SSID broadcast leads to a loss of features for no concrete gain in security. Your mobile devices will not be able to automatically connect to the wifi network. Your cell phone can't switch from 3G/4G radio to faster, less power-hungry wifi when you get home, unless you manually press buttons to switch to the unbroadcast network, or if the device is configured to frequently broadcast "I'm looking for SSID 'sdfasdfasdf'", which leaves you vulnerable to attackers with rogue access points that will reply "that's me". (Granted, with WPA2 they should not be able to complete the 4-way handshake with you; but depending on your device - it may allow a connection to the same SSID that's suddenly not WPA2.) Like MAC addresses, you can eavesdrop the SSID from observing other clients connecting to the non-broadcasting network even if WPA2 is enabled.

  4. Make sure WPS (Wifi Protected Setup) is disabled. Many routers come with WPS enabled by default, and this allows an attacker to break into your network in under 11000 guesses. (Granted, newer routers may have timeouts on consecutive attempts that may make this more difficult; but the standard suggests only a 60s timeout which only delays an attacker's attempts to break in by a couple days.)

As an aside, for a tad bit of extra security, I'd suggest changing your access point's SSID from the default (e.g., linksys / NETGEAR) to something uncommon. The access point is used as the salt of the PMK (pairwise master key) in WPA2-PSK before it goes through the HMAC, hence an attacker who has observed a four-way handshake and has attacked a similar network previously can potentially save themselves some time by storing the PMKs from various common passwords with the known salt (granted they'll still have to find the PMK that generates the PTK to match the observed 4-way handshake).

TL;DR - Use WPA2 with a strong passphrase, disable WPS on your router (and change your SSID to not be something super common). If you want you can use MAC address filtering or disable SSID broadcast, though any patient eavesdropper can easily bypass either protection.

dr jimbob
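Added example, not part of dr jimbob's answer: the WPA2-PSK key derivation behind the passphrase and SSID points above, showing that the same passphrase yields a different PMK under every SSID, and how average offline search time grows with passphrase length. The 2048-word list, the guess rate and the uncommon SSID are constructed assumptions, not values from the page.

```python
import hashlib
import math

def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-PSK pairwise master key: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds."""
    pw, salt = passphrase.encode("utf-8"), ssid.encode("utf-8")
    if not 8 <= len(pw) <= 63:
        raise ValueError("WPA2 passphrases are 8 to 63 characters long")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSIDs are 1 to 32 bytes long")
    return hashlib.pbkdf2_hmac("sha1", pw, salt, 4096, 32)

def table_covers(table_ssid: str, network_ssid: str, passphrase: str) -> bool:
    """Is a PMK precomputed for table_ssid still the right PMK on network_ssid?"""
    return wpa2_pmk(passphrase, table_ssid) == wpa2_pmk(passphrase, network_ssid)

def entropy_bits(picks: int, choices: int) -> float:
    """Entropy of `picks` independent, uniformly random selections."""
    return picks * math.log2(choices)

def offline_search_years(bits: float, guesses_per_second: float) -> float:
    """Average time to cover half of a 2**bits space at the given PMK rate."""
    seconds = (2 ** bits / 2) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)

ASSUMED_RATE = 1_000_000   # PMK guesses per second: an assumption, not a measurement
WORDLIST_SIZE = 2048       # assumed size of the list the words are drawn from

if __name__ == "__main__":
    phrase = "correct horse battery staple"
    # "constructed-uncommon-ssid" is a made-up SSID for illustration.
    for ssid in ("linksys", "NETGEAR", "constructed-uncommon-ssid"):
        print(f"{ssid:26} PMK={wpa2_pmk(phrase, ssid).hex()[:16]}...")
    print("table for 'linksys' reusable on uncommon SSID:",
          table_covers("linksys", "constructed-uncommon-ssid", phrase))
    for words in (4, 5, 6):
        bits = entropy_bits(words, WORDLIST_SIZE)
        years = offline_search_years(bits, ASSUMED_RATE)
        print(f"{words} random words: {bits:.0f} bits, ~{years:.3g} years on average")
```

The entropy figures only hold when the words are picked at random from the list; a phrase chosen by a person has less.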
5

Yes. Having an access point does make your home network vulnerable because ultimately the devices connecting to your PC through wifi will become a part of your home network (part of the same subnet). Some security measures to consider while configuring an access point are

  1. DO NOT use WEP (Wired Equivalent Privacy) - It can easily be hacked by a script kiddie. Use WPA2 (this is the best you will get out there) or WPA (WiFi Protected Access).
  2. Always change the default password for the AP. Use a non-dictionary based password.
  3. Enable MAC filtering: As you mentioned, you are going to connect to your AP using a limited number of devices (smartphones belonging to you and your family). This will restrict the network to only allow connections from the devices whose MAC address you have entered. (MAC addresses can be spoofed by a skilled person.)
  4. You may want to enable HTTPS for managing your access point, so that your usernames and passwords are not transmitted in clear text.
  5. You should also disable SSID broadcast (the AP sends broadcasts so that wireless stations searching for a network connection can discover it). You can manually connect to your wireless devices. This will protect you from wardriving to a certain extent but again it cannot prevent you from a sophisticated attack.

From the comment:

Can you please tell me if using a different subnet on the WIFI box helps?

Basically your phone app needs to communicate with the main app (installed on your PC). As far as I can understand you cannot keep them in different subnets. If they are in different subnets you will need a layer 3 device (router) to enable their communication.

I would recommend configuring your access point keeping in mind the above points and keep changing your passwords on a regular basis. People get lazy and they keep the same password for ages. And yes, share your password with trusted people only.

Shurmajee
  • Hi Mayank, I only have basic knowledge regarding subnets. Can you please tell me if using a different subnet on the WIFI box helps? The phone app is basically a remote control program, it does not need to access anything on my LAN and it will only communicate with the main program. However the main program itself does require access to some files on the network. – user1296058 Mar 26 '13 at 14:26
  • Here is a diagram of my setup for those confused by my wording. http://i.imgur.com/Q3B1yd0.jpg – user1296058 Mar 26 '13 at 15:16
  • 1
    A couple of things to note on this. MAC filtering can be useful as a protection for non-technical users, but it's trivial for a tech-savvy person to change the MAC address of a PC, so don't rely on it. Also on broadcasting it's worth noting that this is a security trade-off: if you turn off broadcasting, the clients will have to use directed probes to find the network, which can leave them more open to spoofing attacks. Also a lot of wardrivers will use something like kismet which can pick up non-broadcasting networks if there's any traffic on them. – Rory McCune Mar 27 '13 at 08:40
  • I agree with you on your main point of wifi security (use WPA2 with a strong password), but added some important clarifying points that I summarized as: Use WPA2 with a strong **passphrase**, **disable WPS** on your router (and change your SSID to not be something super common). If you want you can use MAC address filtering or disable SSID broadcast, though any patient eavesdropper can easily bypass either protection. – dr jimbob Mar 29 '13 at 18:57
3

Many of the risks have already been covered in the post by Mayank Sharma. I just want to add to this by saying that a wifi client's trust relationship with the access point is highly influenced by signal strength, i.e. the proximity between client and access point.

Such is the case when your laptop, with wifi enabled and set up to automatically connect (its default setting), is put near an open access point: it will always attempt to connect to that station.

You should always be vigilant about this behavior as in many cases it happens without any user interaction. The best way to prevent this is to configure your client to always connect only to a preferred access point (you can do that in the settings options). Something similar to what is given over here (notice the "Ask to join" check box).

George
Saladin