Author Topic: Physical security for wireless networking equipment  (Read 341 times)

Offline Scratch.HTF

  • Regular Contributor
  • *
  • Posts: 77
  • Country: au
Physical security for wireless networking equipment
« on: May 16, 2020, 01:35:02 am »
I have demonstrated (and contributed on Wikipedia) that anyone with physical access to a wireless router can gain access and/or obtain a wireless passphrase without special tools (Windows: Show characters) by pressing the Wi-Fi Protected Setup button and/or using preset security information on the unit which can include the Wi-Fi Protected Setup PIN number - once someone gets hold of this PIN number, there is no going back if it cannot be changed and/or disabled.

Even though a law in Germany requires wireless routers to have wireless security enabled out of the box if it does not manually require enabling of wireless networking functionality, the law does not (as far as I know) address physical security with respect to provision of information on physical security with respect to Wi-Fi Protected Setup and preset security information printed on the unit.

Physical security with respect to Wi-Fi Protected Setup and/or preset security information printed on the unit has made it to a number of tech publications, but I will enjoy true success when governments publicly acknowledge this security issue.
If it runs on Linux, there is some hackability in it.
 

Offline I wanted a rude username

  • Frequent Contributor
  • **
  • Posts: 384
  • Country: au
  • ... but this username is also acceptable.
Re: Physical security for wireless networking equipment
« Reply #1 on: May 16, 2020, 04:40:24 am »
Physical access == game over for security.

This has always been true in IT, and modern devices uphold this proud tradition, honouring it in new and creative ways. A recent example is the discovery that some network-connected security cameras, as soon as you plug a USB key into them, immediately start saving their video onto the key so you can retrieve it on your second visit.  ;D
 
The following users thanked this post: Ian.M, analogueAdder

Offline analogueAdder

  • Contributor
  • Posts: 9
  • Country: 00
Re: Physical security for wireless networking equipment
« Reply #2 on: May 19, 2020, 02:52:39 am »
It's worth adding that WPS PINs can be brute-forced easily and that some router manufacturers generate the default PIN and WPA passphrase from the MAC address. Additionally, the firmware of those boxes is often full of careless vulnerabilities...

In other words, if you want security you have to disable WPS and change the WiFi password. And install a third party firmware like OpenWRT if possible. (And disable the web interface as well.)

However, none of this will protect you against an attacker with physical access. In that case it's indeed game over... :horse:
 
The following users thanked this post: I wanted a rude username
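
A configuration check for the points raised in the posts above (WPS left enabled, a PIN or button on the unit, an unchanged label passphrase), as an added example that is not part of the thread. It assumes the access point is configured through a hostapd.conf file; the function names, finding IDs and the sample configuration are constructed for illustration.

```python
# Added example: audit hostapd.conf text for WPS and label-passphrase exposure.
# parse_hostapd/audit and the finding IDs are hypothetical names.

def parse_hostapd(text):
    """Return {key: value} from hostapd.conf text; the last assignment wins."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf

def audit(text, label_passphrase=None):
    """Return (id, message) findings; label_passphrase is what is printed on the unit."""
    conf = parse_hostapd(text)
    findings = []
    if conf.get("wps_state", "0") != "0":  # hostapd default is 0 (WPS off)
        findings.append(("WPS_ENABLED", "wps_state=%s; set wps_state=0" % conf["wps_state"]))
        methods = conf.get("config_methods", "").split()
        if "label" in methods:
            findings.append(("WPS_LABEL_PIN", "PIN printed on the unit is accepted"))
        if any(m.endswith("push_button") for m in methods):
            findings.append(("WPS_PUSH_BUTTON", "anyone who can press the button can enrol"))
        if "ap_pin" in conf:
            findings.append(("WPS_STATIC_AP_PIN", "static ap_pin is configured"))
        if conf.get("ap_setup_locked", "0") != "1":
            findings.append(("WPS_AP_UNLOCKED", "ap_setup_locked is not 1"))
    if label_passphrase and conf.get("wpa_passphrase") == label_passphrase:
        findings.append(("DEFAULT_PASSPHRASE", "wpa_passphrase matches the label"))
    return findings

SAMPLE = """\
# constructed sample, not taken from a real device
ssid=ExampleAP
wpa=2
wpa_passphrase=label-pass-1234
wps_state=2
ap_pin=00000000
config_methods=label push_button
"""

if __name__ == "__main__":
    for finding_id, message in audit(SAMPLE, label_passphrase="label-pass-1234"):
        print(finding_id, "-", message)
```
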

Offline Syntax Error

  • Regular Contributor
  • *
  • Posts: 217
  • Country: england
  • <[[ facemask ]]>
Re: Physical security for wireless networking equipment
« Reply #3 on: May 22, 2020, 11:54:30 pm »
Do not forget the other end of an enterprise wireless access point, the wireless/link aggregation switch. This is often co-located with the other switches/routers, so lock it away in a steel box in the security room and disable all but physical wired console access. A wifi client sat in a store cafe should NOT be able to log into the link aggregation server at their gateway I.P. address, but it can happen.
« Last Edit: May 23, 2020, 12:06:00 am by Syntax Error »
 

Offline james_s

  • Super Contributor
  • ***
  • Posts: 11689
  • Country: us
Re: Physical security for wireless networking equipment
« Reply #4 on: May 23, 2020, 04:17:59 am »
Nothing really new here. If you have physical access to the device then all bets are off, there is always a way to extract data from it or break into it. Fortunately it's relatively easy to secure the device in most cases, certainly for home routers put it inside your house and the only people who can access it without breaking into your house are the people who are authorized to be there. If you are really paranoid you can lock it in a cabinet.
 

