What are the dangers of running a wireless router with no encryption?

3

1

I have an Airport Extreme and I've been having trouble running with WPA2 encryption. It intermittently loses the connection to the router. I turned encryption off and the problem seems to have gone away. I used to run with an open network all the time, and never really worried about it because I'm on a VPN most of the time. However, my new roommates aren't so keen on the idea. They're worried that it might be possible to connect to the same router and gain access to whatever they're working on. Would doing something like running under promiscuous mode give an attacker this kind of access, or do they have nothing to worry about?

Update: How much would MAC-address checking give me?

Bob Aman

Posted 2009-10-26T04:00:59.573

Reputation: 152

Are you sure you don't have a bad router or wireless NIC? WPA2 should not drop your connection. If it is, it could be your router's CPU is overheating because it's bad. – churnd – 2009-10-26T10:47:14.260

I'm quite sure. It's an issue of nasty signal-to-noise ratio. Too many walls. The problem doesn't happen when I'm closer to the router, but the location isn't something I can change without drilling holes in the wall, and I can't move my room someplace else. Current plan is to extend the network with an Airport Express and see if that helps. – Bob Aman – 2009-10-26T22:55:24.053
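To make concrete what someone listening on the same channel does and does not get from an open network versus an encrypted one, here is an added example (not part of the original thread) that decodes two constructed 802.11 data frames. The frames, MAC addresses and the HTTP text are all constructed for the demo; the parser handles only the three-address data-frame layout with LLC/SNAP encapsulation and rejects QoS and 4-address frames rather than mis-parsing them.

```python
import struct

PROTECTED_FLAG = 0x40   # frame-control flags byte, "Protected Frame" bit
TYPE_DATA = 2           # frame-control type field value for data frames
SNAP_HEADER = b"\xaa\xaa\x03\x00\x00\x00"  # LLC/SNAP prefix that precedes the EtherType


def mac_str(raw):
    return ":".join("%02x" % b for b in raw)


def parse_data_frame(frame):
    """Decode a three-address 802.11 data frame into what a passive observer can read.

    Returns the addresses, whether the body is protected, and the upper-layer
    payload (None when protected). Written for this example; QoS and
    4-address (WDS) frames raise instead of being mis-parsed.
    """
    if len(frame) < 24:
        raise ValueError("frame too short for a data header")
    fc0, fc1 = frame[0], frame[1]
    if (fc0 >> 2) & 0x3 != TYPE_DATA:
        raise ValueError("not a data frame")
    if (fc0 >> 4) & 0x8:
        raise ValueError("QoS data frames (2 extra header bytes) not handled")
    to_ds, from_ds = bool(fc1 & 0x01), bool(fc1 & 0x02)
    if to_ds and from_ds:
        raise ValueError("4-address frames not handled")
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    # Which address is which depends on the To/From DS bits (802.11 address table).
    if to_ds:
        bssid, src, dst = a1, a2, a3
    elif from_ds:
        dst, bssid, src = a1, a2, a3
    else:
        dst, src, bssid = a1, a2, a3
    body = frame[24:]
    protected = bool(fc1 & PROTECTED_FLAG)
    info = {"src": mac_str(src), "dst": mac_str(dst), "bssid": mac_str(bssid),
            "protected": protected, "body_len": len(body),
            "ethertype": None, "payload": None}
    if protected:
        # Body is an IV/key-id header, ciphertext and an integrity value; without
        # the key the observer learns only the addresses and the size.
        return info
    if body.startswith(SNAP_HEADER) and len(body) >= 8:
        info["ethertype"] = struct.unpack("!H", body[6:8])[0]
        info["payload"] = body[8:]
    else:
        info["payload"] = body   # unrecognised encapsulation, but still cleartext
    return info


def build_frame(flags, bssid, src, dst, body):
    """Assemble a constructed data frame (ToDS=1, subtype 0) for the demo."""
    fc = bytes([0x08, 0x01 | flags])        # type=data, subtype=0; flags: ToDS (+ extras)
    return fc + b"\x00\x00" + bssid + src + dst + b"\x10\x00" + body


# Constructed addresses: the AP, a roommate's laptop and the router's LAN side.
BSSID = bytes.fromhex("0011223344ff")
ROOMMATE = bytes.fromhex("001b63aabbcc")
GATEWAY = bytes.fromhex("0011223344fe")

# Open network: the packet sits in the clear after the SNAP header. A real
# frame would carry IP and TCP headers before the HTTP text; a bare request
# line stands in for them here.
OPEN_FRAME = build_frame(0x00, BSSID, ROOMMATE, GATEWAY,
                         SNAP_HEADER + b"\x08\x00" + b"GET /index.html HTTP/1.1\r\n")

# Same conversation on a WPA2 network: an 8-byte CCMP header then ciphertext.
# The bytes below are a constructed stand-in, not real CCMP output.
PROTECTED_FRAME = build_frame(PROTECTED_FLAG, BSSID, ROOMMATE, GATEWAY,
                              bytes.fromhex("0100200000000000"
                                            "42ccd11e9a7f03b8e5a0c34d5566778899aabbccddeeff"))


def summarize(frame):
    info = parse_data_frame(frame)
    if info["protected"]:
        return "%s -> %s: %d encrypted body bytes (addresses still visible)" % (
            info["src"], info["dst"], info["body_len"])
    return "%s -> %s: cleartext %r" % (info["src"], info["dst"], info["payload"])


if __name__ == "__main__":
    print(summarize(OPEN_FRAME))
    print(summarize(PROTECTED_FRAME))
```

Two things follow from the decode. On the open network the roommates' traffic is readable by anyone in range unless the application itself encrypts it (which is what the VPN does for Bob's own traffic, not theirs). And the source, destination and BSSID addresses are readable in both cases, which is why a MAC-address allowlist hides nothing from an observer.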

Answers

6

Though I don't personally agree that WEP is no security, it's better than nothing. We can agree that it's easily hacked, but I don't believe that there are WEP cracking gremlins running up and down the street hacking WEP encrypted APs (if there are, I demand pics!). Will it stop the average person from mistakenly connecting to your AP? Yes. Is it a good form of encrypting your data over the wire? No. WEP just uses a single key and XORs your data with it... it may be easily hacked but it's better than nothing. WEP is like going to a joust with just your clothes on; it may not help but it's better than going there naked.

Having NO SECURITY is like leaving your front door open. Izzy made some good points. And to expand on MITM attacks, assuming there are gremlins who really want to mess with you, they can change DNS servers to their servers. This means that when you go to chase.com you will query their DNS server, which will take you to a fake site. SSL won't even be able to protect you in this case either, because the attacker's chase.com won't have a certificate to present. The average person won't ever notice this.

If you don't want to use ANY encryption, then MAC address checking would be the best bet. I would personally try WPA and see if that is any better. Again, your data will be sent in the clear over the air if you just use MAC address checking, which any of the gremlins can possibly sniff.

Now the other question is really location. Are you in the middle of nowhere with the nearest neighbor miles away? I would say it would be safe to run without any protection. If you live in downtown Chicago and you can touch your neighbor's house by just reaching outside your window, I would highly recommend that you use WPA2 or get a new router.

Natalie Adams

Posted 2009-10-26T04:00:59.573

Reputation: 2 071

How would someone swap my DNS? My router has the DNS servers I want to use hard-coded. (OpenDNS) – Bob Aman – 2009-10-26T22:46:45.960

This is downtown Mountain View. I can see about 6-8 other wireless networks from my room. I really don't want to be running an open router unless everything else is impractical. – Bob Aman – 2009-10-26T22:53:41.920

@Bob - You just answered your own question. If you can change it, so can an attacker. Even if you have the admin panel password protected, there are ways to brute force and eventually get it if you don't use WEP, WPA, or MAC filtering.

Now, if you put the DNS servers on your desktop, that is a different story and a lot harder for an attacker to change, as it is no longer just a web interface. – Natalie Adams – 2009-10-28T02:12:47.167

It's an Airport Extreme... so no web interface. But you're right, it would still be vulnerable to exploit if someone reverse engineered the protocol that the Airport Utility uses to talk to the router. In any case, the problem was solved by moving the router closer. Now WPA2 isn't failing anymore, so we're back to using that. – Bob Aman – 2009-11-09T22:04:09.553
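Natalie's DNS point and Bob's hard-coded OpenDNS setup suggest a check a client can run on its own side: whatever the router has configured, the client only sees what the DHCP server it accepted handed out. The following is an added example, not code from the thread, that parses a dhclient-style lease and flags a lease issued by something other than the router, a wrong gateway, or a resolver that is not one of the intended ones. The lease text and the router address 192.168.1.1 are constructed; the two expected resolver addresses are OpenDNS's public resolvers, assumed here to be the owner's choice.

```python
import ipaddress
import re

# The resolvers the owner intends clients to use (OpenDNS's public resolvers,
# assumed to match Bob's setup); substitute your own set.
EXPECTED_RESOLVERS = {"208.67.222.222", "208.67.220.220"}
# Constructed LAN address of the legitimate router.
EXPECTED_GATEWAY = "192.168.1.1"

# Constructed dhclient-style lease, as written after accepting whichever DHCP
# server answered first. Here another host on the LAN (192.168.1.77) issued
# the lease and listed itself as the first resolver.
SAMPLE_LEASE = """\
lease {
  interface "wlan0";
  fixed-address 192.168.1.23;
  option subnet-mask 255.255.255.0;
  option routers 192.168.1.1;
  option domain-name-servers 192.168.1.77, 208.67.222.222;
  option dhcp-server-identifier 192.168.1.77;
}
"""


def parse_lease(text):
    """Extract the gateway, resolver list and DHCP server identity from a lease block."""
    def option(name):
        m = re.search(r"option %s ([^;]+);" % re.escape(name), text)
        return [v.strip() for v in m.group(1).split(",")] if m else []
    return {
        "routers": option("routers"),
        "resolvers": option("domain-name-servers"),
        "dhcp_server": option("dhcp-server-identifier"),
    }


def audit_lease(lease, expected_resolvers, expected_gateway):
    """Return (field, address, reason) findings; an empty list means the lease looks as intended."""
    findings = []
    for server in lease["dhcp_server"]:
        if server != expected_gateway:
            findings.append(("dhcp-server", server, "lease was issued by a host other than the router"))
    for gw in lease["routers"]:
        if gw != expected_gateway:
            findings.append(("router", gw, "default gateway is not the router"))
    for addr in lease["resolvers"]:
        if addr in expected_resolvers:
            continue
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append(("resolver", addr, "not a valid IP address"))
            continue
        if addr == expected_gateway:
            # The router forwarding DNS is normal, but then its own upstream
            # setting is what an attacker would change; check it on the router.
            reason = "resolver is the router itself; verify its upstream DNS setting"
        elif ip.is_private:
            reason = "resolver is another host on the LAN"
        else:
            reason = "unexpected public resolver"
        findings.append(("resolver", addr, reason))
    return findings


if __name__ == "__main__":
    for field, addr, reason in audit_lease(parse_lease(SAMPLE_LEASE),
                                           EXPECTED_RESOLVERS, EXPECTED_GATEWAY):
        print("%-12s %-16s %s" % (field, addr, reason))
```

The check only covers what reaches the client. If the router hands itself out as the resolver, as most home routers do, the upstream setting that Natalie describes being swapped lives on the router and has to be compared there.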

2

A link post about Wi-Fi security: in the beginning of the "Security Now" podcast series they discussed this topic (and it is quite a good intro even though it's from 2005).

The episodes I am thinking about are

  • Episode #10 Open Wireless Access Points
  • Episode #11 Bad WiFi Security (WEP and MAC address filtering)
  • Episode #13 Unbreakable WiFi Security

Update: MAC-address filtering is pointless since it is false security; better to stay open and know the problems than to think you are safe when you are not...

Johan

Posted 2009-10-26T04:00:59.573

Reputation: 4 827

There are full transcripts for all episodes if you feel that you don't have the time to listen and just want to skim. – Doug Harris – 2009-10-26T16:09:41.177

1

If you use nothing (or WEP - same thing) you are open to other people connecting to your network, browsing your machine shares, and worse. It's a very real possibility that someone will use your connection to engage in illegal activities. To the outside world (read: the police) it's you that broke the law until you can prove otherwise. Downloading pirated materials, child porn etc.

It's also possible for man-in-the-middle attacks to be initiated this way.

Izzy

Posted 2009-10-26T04:00:59.573

Reputation: 166

Could you explain exactly how a man-in-the-middle attack could be performed on an open wireless router? – Bob Aman – 2009-10-26T04:18:00.927

Nathan outlined a classic example – Izzy – 2009-10-26T05:22:59.453

If you live in a civilised country the police have to prove who has done the crime, not who owned the internet connection... – Johan – 2009-10-26T05:32:01.480

You still have to deal with the cops stomping through your house, possibly confiscating your equipment, etc. – Kurt – 2009-10-26T06:11:29.980

1

Ettercap, SSL Sniff, Driftnet pick one or all for your MITM attack: http://www.thoughtcrime.org/software/sslsniff/ http://www.ex-parrot.com/~chris/driftnet/ http://ettercap.sourceforge.net/

– Registered – 2009-10-26T07:25:26.320

0

WEP is uncrackable under these conditions:

If your pass-phrase is > 21 characters, whoever plans to crack your wireless AP or wireless router better have mad patient skills.

In the paper "Practical Attacks Against WEP & WPA" the authors emphasize at the beginning of the paper that the PSK key has to be "weak" in order for this to work, in addition to the fact that the clients must be using WPA+TKIP to associate to the AP or wireless router.

However, in 2003 Robert Moskowitz of ISCA Labs detailed the potential problems of deploying weak passwords/passphrases with WPA in his paper "Weakness in Passphrase Choice in WPA Interface," where Moskowitz points out that a short passphrase < 21 characters is susceptible to a dictionary attack.

Furthermore, I also thought that this was an interesting statement at the end of the paper "Practical attacks against WEP and WPA": "Our attack on TKIP in Section 5 shows that even WPA with a "strong" password is not 100% secure and can be attacked in a real world scenario."

So one would have to ask, how long was the password/passphrase they tested in their paper "Practical attacks against WEP and WPA."

And how long will it take to crack a passphrase that is greater than 21 characters, especially in Cynicalpsycho's case where the passphrase has a combination of alphanumeric characters+space+and other random symbols.

Maybe a lab is in order... never mind, it will never happen. I use WEP with a passphrase > 21 characters. Patiently waiting for someone to hack my AP/Router: never going to happen. Maybe I will be lucky and get hacked via my web browser or some zero-day vulnerability for one of my unpatched applications.

http://forums.remote-exploit.org/latest-public-release-backtrack4-beta/22280-wpa2-cracking-can-cracked-how.html

MAC filtering is silly if you want to secure your router; this could help in combination with other strong security measures. However, if you are thinking of just using this with your AP/Router open, this might be a bad idea.

https://web.archive.org/web/1/http://blogs.techrepublic%2ecom%2ecom/security/?p=395

Solution: regardless of whether you plan to filter your MACs or not, you can use WPA or WEP; just make sure you have a strong pass-phrase, not a password.

Get creative: http://www.iusmentis.com/security/passphrasefaq/strength/

Tools to test your newly created pass-phrase:

Video sucks; you can just Google Gerix Wifi Cracker on YouTube for a live demo. We went from typing commands to crack WEP/WPA to using scripts; now we are using GUI driven tools on Linux :-).

Or try this:

http://security-sh3ll.blogspot.com/2009/06/gerix-wifi-cracker.html

Only requirement: Gerix runs on Linux or Windows if you are into virtualization and whatnot.

Happy testing people, and stay secure...

Registered

Posted 2009-10-26T04:00:59.573

Reputation: 261

A "pass-phrase is > 21 characters" is only possible with 256-bit WEP which is not standard and only supported by some vendors. – Dave Webb – 2009-10-26T07:17:10.720

Dave Webb, a Linksys router is standard, go to Wal-Mart and you will find one, I am not talking about CISCO routers. – Registered – 2009-10-26T07:20:43.617

My setup, I have a standard Linksys WRTG54GS, don't even ask about my WRT54G with DD-WRT. – Registered – 2009-10-26T07:22:56.327

WEP is completely compromised. If there is a user connected to the AP and the attacker knows how to inject, breaking WEP only takes 5 minutes. – OliverS – 2009-10-26T07:30:31.163

Whether the user is connected or not does not really matter, buddy. Do you guys just talk or test? 'Cause I test... everything in my lab. – Registered – 2009-10-26T09:48:18.140

"Uncrackable" isn't a word I like. I +1'd you because I thought the -1 was unfair, but very little outside the quantum cryptography realm is "uncrackable", merely "uncrackable within a useful timeframe". – Bob Aman – 2009-10-26T22:51:18.867

0

MAC-address checking will give some additional protection, proof against most people, but not against professionals using MAC spoofing.

See for example:
How to Change or Spoof MAC Address in Windows XP, Vista, Server 2003/2008, Mac OS X, Unix and Linux

However, I believe that in the event you are MAC spoofed, you'll probably notice some weird behavior when the hacker and you are both online at the same time.

Conclusion: It adds to your protection and is easy to configure, which is good, but is no barrier to a professional with the right tools.

harrymc

Posted 2009-10-26T04:00:59.573

Reputation: 306 093
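harrymc's remark that you would "probably notice some weird behavior" when a spoofed MAC and the real device are online together can be turned into a simple log check. The following is an added example, not code from the thread, that reads a constructed association log (hostapd-like lines; whether an Airport Extreme exports anything similar is an assumption) and flags the symptoms of two devices sharing one MAC: an association arriving while that MAC is already associated, one MAC presenting more than one hostname, a disassociation with no matching association, and any association from a MAC outside the allowlist. The log lines, MAC addresses and hostnames are all constructed.

```python
import re
from collections import defaultdict

# Constructed allowlist, as one would enter into the router's MAC filter.
ALLOWED_MACS = {"00:1b:63:aa:bb:cc", "00:23:12:dd:ee:ff"}

# Constructed association log. The third line shows a second device
# presenting Bob's MAC while his laptop is still associated.
SAMPLE_LOG = """\
2009-10-26T22:10:03 STA 00:1b:63:aa:bb:cc associated host=bobs-macbook
2009-10-26T22:11:40 STA 00:23:12:dd:ee:ff associated host=roommate-pc
2009-10-26T22:15:12 STA 00:1b:63:aa:bb:cc associated host=ubuntu
2009-10-26T22:30:00 STA 00:23:12:dd:ee:ff disassociated
2009-10-26T22:31:05 STA 00:1b:63:aa:bb:cc disassociated
2009-10-26T22:31:06 STA 00:1b:63:aa:bb:cc disassociated
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) STA (?P<mac>[0-9A-Fa-f:]{17}) (?P<event>associated|disassociated)"
    r"(?: host=(?P<host>\S+))?$")


def parse_log(text):
    """Yield (timestamp, mac, event, hostname-or-None) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("ts"), m.group("mac").lower(), m.group("event"), m.group("host")


def find_anomalies(events, allowed):
    """Flag the symptoms of two devices sharing one MAC, plus allowlist violations."""
    findings = []
    active = {}                    # mac -> hostname of the current association
    hostnames = defaultdict(set)   # mac -> every hostname it has presented
    for ts, mac, event, host in events:
        if event == "associated":
            if mac not in allowed:
                findings.append((ts, mac, "MAC outside the allowlist associated"))
            if mac in active:
                # A real AP drops the old session here, so this also fires on a
                # plain reconnect; the hostname check below is the stronger signal.
                findings.append((ts, mac, "second association while already associated"))
            if host:
                hostnames[mac].add(host)
                if len(hostnames[mac]) > 1:
                    findings.append((ts, mac, "MAC presented more than one hostname: "
                                     + ", ".join(sorted(hostnames[mac]))))
            active[mac] = host
        else:
            if mac not in active:
                findings.append((ts, mac, "disassociation without a matching association"))
            active.pop(mac, None)
    return findings


if __name__ == "__main__":
    for ts, mac, reason in find_anomalies(parse_log(SAMPLE_LOG), ALLOWED_MACS):
        print(ts, mac, reason)
```

The overlap check is a hint rather than proof: the intermittent drops Bob describes in the question produce re-associations that look the same if the AP never logged the disconnect. A MAC that shows up under two different hostnames, or an association from a MAC that is not on the list at all, is the clearer sign that the filter is not doing what it is assumed to do.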