[ale] Strong home wireless router?
Solomon Peachy
pizza at shaftnet.org
Sun Jun 4 13:35:53 EDT 2023
On Sun, Jun 04, 2023 at 10:34:27AM -0400, DJPfulio--- via Ale wrote:
> A few years ago (perhaps 3?), a flaw in wifi was discovered that had
> been in the code since the beginning - over 20 yrs.
The original Wifi WEP "security" was abysmally bad, and was considered
completely broken 20 years ago, with the network keys capable of being
recovered in less than an hour of passive sniffing.
What was recently (2017) discovered ("KRACK") was a flaw in many
*implementations* of the WPA/WPA2 key exchange protocol. Unlike the
original WEP attacks, this one didn't allow for the key data to be
recovered, and instead relied on forcing one end of the exchange to
install what effectively amounted to a null key.
Another difference -- the underlying protocol itself was fine, and
implementations were easily (and rapidly) fixed.  Assuming the vendor
ever shipped an update, that is. (Yet another reason why you should be
using Free Software on your infrastructure & devices!)
> My CMMI training says, that if 1 bug is found, there's an 86%
> likelihood of another bug existing in the same software.
Pfft. If you assume anything other than 100% probability of eventually
finding a flaw, you're a fool. So you have to design your system
assuming it's going to need to be updated.
> If you want strong security, assume the protocols have bugs (known and
> unknown) and take necessary steps to mitigate those. 1 method is to
> use a full VPN. IPSec is the most secure VPN today.
Yeah, you have to layer stuff. FWIW, even with KRACK, if you used
encrypted network protocols, the worst the attacker could do is DOS you.
> If you just want to protect against the neighbor's kid and don't want
> to worry about more sophisticated attacks, that's fine, but that
> wouldn't count as "strong" in any book on security as a description
> for wifi security.
Again, "strong" is a relative definition. What's "strong" against a
neighbor's kid is effectively tissue paper for a state-sponsored agency,
and what's "strong" for said agency is most likely completely unusable
for a layperson.
> Where I've worked, we never trusted wifi without our corporate VPN,
> using 2FA, even on systems that we'd provisioned inside our buildings.
> This was the requirement by our data security team which wasn't
> exactly small for this F-10 company.
Meanwhile, at most places I've worked, internal corporate communications
emails were, more often than not, indistinguishable from phishing based
on the training said corporate policies required us to undergo. This
was particularly ironic given that phishing (and related
social-engineering stuff) remains the primary threat vector for internal
system compromise.
- Solomon
--
Solomon Peachy pizza at shaftnet dot org (email&xmpp)
@pizza:shaftnet dot org (matrix)
Dowling Park, FL speachy (libra.chat)