News Wi-Fi Alliance launches EasyMesh certification

Discussion in 'Article Discussion' started by bit-tech, 15 May 2018 at 10:44.

  1. bit-tech

    bit-tech Supreme Overlord Staff Administrator

    Joined:
    12 Mar 2001
    Posts:
    989
    Likes Received:
    18
    Read more
     
  2. MLyons

    MLyons Half dev, Half doge. Staff Administrator Super Moderator Moderator

    Joined:
    3 Mar 2017
    Posts:
    1,556
    Likes Received:
    340
    MiTM attack anyone?
     
  3. Gareth Halfacree

    Gareth Halfacree WIIGII! Staff Administrator Super Moderator Moderator

    Joined:
    4 Dec 2007
    Posts:
    10,127
    Likes Received:
    615
    That's not really an issue with a mesh network. Especially the types of networks EasyMesh is targeting: they're not true meshes, where any device can communicate through any other device, but a pseudo-mesh involving only the access points themselves (i.e. each access point can communicate through any other access point, but the individual clients still need to communicate directly with their nearest access point.)
     
  4. edzieba

    edzieba Virtual Realist

    Joined:
    14 Jan 2009
    Posts:
    2,280
    Likes Received:
    100
    It depends on the onboarding process. Flipping through the spec, to onboard a new mesh AP it needs to authenticate with only one existing mesh AP, and can use WPS push-button to do so.
    Once onboarded, it can then link with any other AP in the mesh, authenticate other APs, etc at will without. In effect one physical access is all that's needed to PWN your network forever with an arbitrary number of 'rogue APs', and having an outdoor AP with WPS is an instant PWN. Moreover, because the auth occurs before the Controller is informed, you could potentially onboard your rogue AP beforehand, and the first notification that the target receives (if they're even monitoring the controller anyway) is that a rogue AP is already on the network.
     
    MLyons likes this.
  5. Gareth Halfacree

    Gareth Halfacree WIIGII! Staff Administrator Super Moderator Moderator

    Joined:
    4 Dec 2007
    Posts:
    10,127
    Likes Received:
    615
    Why in the name of Eris would anyone have an access point with a functional WPS button outdoors where anybody could press it? That wouldn't just be a problem for a mesh network, that'd be a problem for a traditional non-mesh network: I could instantly connect my phone, my laptop, or my £20 Wi-Fi "Range Extender" and then have a million and one (for values of "million and one" below 255) arbitrary devices behind it.
     
    jb0 and MLyons like this.
  6. edzieba

    edzieba Virtual Realist

    Joined:
    14 Jan 2009
    Posts:
    2,280
    Likes Received:
    100
    "I don't need to buy an outdoor AP, I can just tape a regular AP up in a tupperware box and it'll be waterproof!". Throw in "put DD-WRT on it!" for extra effect.
     
    MLyons likes this.
  7. Gareth Halfacree

    Gareth Halfacree WIIGII! Staff Administrator Super Moderator Moderator

    Joined:
    4 Dec 2007
    Posts:
    10,127
    Likes Received:
    615
    That sounds like a problem that will solve itself come first rainfall, as anyone with that thought process ain't going to know what a drip loop is.
     
  8. jb0

    jb0 Member

    Joined:
    8 Apr 2012
    Posts:
    255
    Likes Received:
    8
    Man, why in Primus' name would you have a functional WPS button, full-stop? Even ignoring the "WPS PIN can be brute-forced trivially" exploit (which I ASSUME can actually be disabled nowadays), it just makes it too easy to take over a secure network.
    Normally, I figure that if you need physical access, it can't be stopped, but in this case you need it for all of two seconds. Or just need to wait until someone with a valid use case pushes the button and then push your own.

    WPS is the worst kind of security, even ignoring the blatant mistakes in the WPS PIN specification. ARGUABLY it is useful for home users that only need enough security to stop casual harassment, but I am of the opinion that trivially weak security is actually worse than no security at all.


    Also, "for values of million and one below 255" is the best thing I read all day.
     
    MLyons likes this.
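
An added example, not part of the thread or of the EasyMesh specification: a log audit that flags the two situations edzieba and jb0 describe above, an AP joining the mesh that the owner never installed, and a second device slipping into someone else's push-button window. The event format, MAC addresses and the function name `audit_onboarding` are constructed for illustration; a real controller or AP will log differently.

```python
from datetime import datetime, timedelta

# WPS push-button sessions stay open for a 120-second "walk time".
PBC_WINDOW = timedelta(seconds=120)

# Constructed inventory of mesh APs the owner actually installed.
APPROVED_APS = {"02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"}

# Constructed events in a hypothetical format: (time, kind, AP MAC, via MAC).
# "press" = WPS button pushed on an AP; "onboard" = a new AP joined through it.
SAMPLE_EVENTS = [
    ("2018-05-15T10:00:00", "press",   "02:00:00:00:00:01", None),
    ("2018-05-15T10:00:20", "onboard", "02:00:00:00:00:02", "02:00:00:00:00:01"),
    ("2018-05-15T14:30:00", "press",   "02:00:00:00:00:02", None),
    ("2018-05-15T14:30:15", "onboard", "02:00:00:00:00:03", "02:00:00:00:00:02"),
    ("2018-05-15T14:30:40", "onboard", "02:00:00:00:00:99", "02:00:00:00:00:02"),
    ("2018-05-16T03:12:00", "onboard", "02:00:00:00:00:aa", "02:00:00:00:00:03"),
]

def audit_onboarding(events, approved=APPROVED_APS, window=PBC_WINDOW):
    """Return (mac, reason) findings for onboard events that need review."""
    findings = []
    presses = {}   # AP MAC -> time its button was last pressed
    joined = {}    # AP MAC -> MACs onboarded during its current window
    for stamp, kind, mac, via in sorted(events, key=lambda e: e[0]):
        when = datetime.fromisoformat(stamp)
        if kind == "press":
            presses[mac] = when
            joined[mac] = []
            continue
        if mac not in approved:
            findings.append((mac, "not in AP inventory"))
        opened = presses.get(via)
        if opened is None or when - opened > window:
            # Joined through an already-trusted AP with no button press logged.
            findings.append((mac, "no push-button window open on " + via))
            continue
        joined[via].append(mac)
        if len(joined[via]) > 1:
            findings.append((mac, "second device in one push-button window"))
    return findings

if __name__ == "__main__":
    for mac, reason in audit_onboarding(SAMPLE_EVENTS):
        print(mac, "-", reason)
```
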
  9. Gareth Halfacree

    Gareth Halfacree WIIGII! Staff Administrator Super Moderator Moderator

    Joined:
    4 Dec 2007
    Posts:
    10,127
    Likes Received:
    615
    True, dat. I disable it as standard on my routers, always have.
     