Discussion in 'Article Discussion' started by bit-tech, 15 May 2018.
MiTM attack anyone?
That's not really an issue with a mesh network. Especially the types of networks EasyMesh is targeting: they're not true meshes, where any device can communicate through any other device, but a pseudo-mesh involving only the access points themselves (i.e. each access point can communicate through any other access point, but the individual clients still need to communicate directly with their nearest access point.)
It depends on the onboarding process. Flipping through the spec, to onboard a new mesh AP it needs to authenticate with only one existing mesh AP, and can use WPS push-button to do so.
Once onboarded, it can then link with any other AP in the mesh, authenticate other APs, etc. at will without. In effect one physical access is all that's needed to PWN your network forever with an arbitrary number of 'rogue APs', and having an outdoor AP with WPS is an instant PWN. Moreover, because the auth occurs before the Controller is informed, you could potentially onboard your rogue AP beforehand, and the first notification that the target receives (if they're even monitoring the controller anyway) is that a rogue AP is already on the network.
Why in the name of Eris would anyone have an access point with a functional WPS button outdoors where anybody could press it? That wouldn't just be a problem for a mesh network, that'd be a problem for a traditional non-mesh network: I could instantly connect my phone, my laptop, or my £20 Wi-Fi "Range Extender" and then have a million and one (for values of "million and one" below 255) arbitrary devices behind it.
"I don't need to buy an outdoor AP, I can just tape a regular AP up in a tupperware box and it'll be waterproof!". Throw in "put DD-WRT on it!" for extra effect.
That sounds like a problem that will solve itself come first rainfall, as anyone with that thought process ain't going to know what a drip loop is.
Man, why in Primus' name would you have a functional WPS button, full-stop? Even ignoring the "WPS PIN can be brute-forced trivially" exploit (which I ASSUME can actually be disabled nowadays), it just makes it too easy to take over a secure network.
Normally, I figure that if you need physical access, it can't be stopped, but in this case you need it for all of two seconds. Or just need to wait until someone with a valid use case pushes the button and then push your own.
WPS is the worst kind of security, even ignoring the blatant mistakes in the WPS PIN specification. ARGUABLY it is useful for home users that only need enough security to stop casual harassment, but I am of the opinion that trivially weak security is actually worse than no security at all.
Also, "for values of million and one below 255" is the best thing I read all day.
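The "blatant mistakes in the WPS PIN specification" mentioned above are two design flaws: the 8th digit of the PIN is a checksum of the first seven, and the registrar (the AP side) verifies the PIN in two halves and answers with an EAP-NACK at a different point of the exchange (after M4 for a wrong first half, after M6 for a wrong second half). Together they cut the search from ten million valid PINs to at most 11,000 guesses. The following is an added illustration, not code from the thread, the bit-tech article or any product: a simulated registrar that exposes that half-PIN oracle, the checksum algorithm from the WPS specification, and the split-half search an attacker runs against it. The `Registrar` class and the message-name strings are constructed for the example; the secret PIN `12345670` is a made-up test value.

```python
"""Why the WPS PIN registration exchange is trivially brute-forced.

Constructed example: a model of the registrar's M4/M6 NACK behaviour and
the split-half search it enables. Not real protocol code, not tied to any
vendor's firmware.
"""


def wps_checksum_digit(first7: int) -> int:
    """Checksum (8th) digit for a 7-digit WPS PIN prefix, per the WPS spec.

    Digits are weighted 3,1,3,1,3,1,3 from the first to the seventh; the
    checksum makes the weighted sum a multiple of 10.
    """
    accum = 0
    while first7:
        accum += 3 * (first7 % 10)
        first7 //= 10
        accum += first7 % 10
        first7 //= 10
    return (10 - accum % 10) % 10


def is_valid_pin(pin: str) -> bool:
    """True if `pin` is 8 digits and its last digit is the correct checksum."""
    return (
        len(pin) == 8
        and pin.isdigit()
        and int(pin[7]) == wps_checksum_digit(int(pin[:7]))
    )


class Registrar:
    """Simulated AP-side registrar (constructed for this example).

    Leaks which half of the PIN was wrong through the point at which it
    NACKs, which is exactly the oracle the real protocol exposes.
    """

    def __init__(self, secret_pin: str):
        assert is_valid_pin(secret_pin), "registrar PIN must carry a valid checksum"
        self.secret = secret_pin
        self.attempts = 0  # how many full protocol runs the attacker needed

    def try_pin(self, pin: str) -> str:
        self.attempts += 1
        if pin[:4] != self.secret[:4]:
            return "NACK after M4"  # first half wrong
        if pin[4:] != self.secret[4:]:
            return "NACK after M6"  # first half right, second half wrong
        return "M7"  # success; a real registrar would now hand over the WPA PSK


def recover_pin(reg: Registrar) -> str:
    """Split-half search: <= 10,000 guesses for the first half, <= 1,000 for the second."""
    # Phase 1: the second half is irrelevant until the first half is right.
    for fh in range(10_000):
        if reg.try_pin(f"{fh:04d}0000") != "NACK after M4":
            break
    else:
        raise RuntimeError("no first half matched")
    # Phase 2: only three digits are free; the eighth is a checksum we compute.
    for sh in range(1_000):
        first7 = fh * 1000 + sh
        pin = f"{first7:07d}{wps_checksum_digit(first7)}"
        if reg.try_pin(pin) == "M7":
            return pin
    raise RuntimeError("no second half matched")


def search_space():
    """(number of valid 8-digit PINs, worst-case guesses with the half oracle)."""
    return 10**7, 10**4 + 10**3


if __name__ == "__main__":
    reg = Registrar("12345670")  # made-up test PIN with a valid checksum
    print(recover_pin(reg), "recovered in", reg.attempts, "attempts")
    print("valid PINs vs worst-case guesses:", search_space())
```

The attempt count is what makes the attack practical: a real AP that does not rate-limit or lock out after failures can be walked through all 11,000 candidates in hours, which is why disabling WPS entirely, as the posters above do, is the only reliable fix.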
True, dat. I disable it as standard on my routers, always have.