News Wi-Fi Alliance launches EasyMesh certification

It depends on the onboarding process. Flipping through the spec, to onboard a new mesh AP it needs to authenticate with only one existing mesh AP, and can use WPS push-button to do so.

Once onboarded, it can then link with any other AP in the mesh, authenticate other APs, etc at will without. In effect one physical access is all that's needed to PWN your network forever with an arbitrary number of 'rogue APs', and having an outdoor AP with WPS is an instant PWN. Moreover, because the auth occurs before the Controller is informed, you could potentially onboard your rogue AP beforehand, and the first notification that the target receives (if they're even monitoring the controller anyway) is that a rogue AP is already on the network.

 

"I don't need to buy an outdoor AP, I can just tape a regular AP up in a tupperware box and it'll be waterproof!". Throw in "put DD-WRT on it!" for extra effect.

 

Man, why in Primus' name would you have a functional WPS button, full-stop? Even ignoring the "WPS PIN can be brute-forced trivially" exploit(which I ASSUME can actually be disabled nowadays), it just makes it too easy to take over a secure network.
Normally, I figure that if you need physical access, it can't be stopped, but in this case you need it for all of two seconds. Or just need to wait until someone with a valid use case pushes the button and then push your own.

WPS is the worst kind of security, even ignoring the blatant mistakes in the WPS PIN specification. ARGUABLY it is useful for home users that only need enough security to stop casual harassment, but I am of the opinion that trivially weak security is actually worse than no security at all.


Also, "for values of million and one below 255" is the best thing I read all day.