Author Topic: Physical security for wireless networking equipment  (Read 5377 times)

Offline Scratch.HTF (Topic starter)

  • Regular Contributor
  • *
  • Posts: 115
  • Country: au
Physical security for wireless networking equipment
« on: May 16, 2020, 01:35:02 am »
I have demonstrated (and contributed on Wikipedia) that anyone with physical access to a wireless router can gain access and/or obtain a wireless passphrase without special tools (Windows: Show characters) by pressing the Wi-Fi Protected Setup button and/or using preset security information on the unit which can include the Wi-Fi Protected Setup PIN number - once someone gets hold of this PIN number, there is no going back if it cannot be changed and/or disabled.

Even though a law in Germany requires wireless routers to have wireless security enabled out of the box if it does not manually require enabling of wireless networking functionality, the law does not (as far as I know) address physical security with respect to provision of information on physical security with respect to Wi-Fi Protected Setup and preset security information printed on the unit.

Physical security with respect to Wi-Fi Protected Setup and/or preset security information printed on the unit has made it to a number of tech publications, but I will enjoy true success when governments publicly acknowledge this security issue.
If it runs on Linux, there is some hackability in it.
 

Offline I wanted a rude username

  • Frequent Contributor
  • **
  • Posts: 627
  • Country: au
  • ... but this username is also acceptable.
Re: Physical security for wireless networking equipment
« Reply #1 on: May 16, 2020, 04:40:24 am »
Physical access == game over for security.

This has always been true in IT, and modern devices uphold this proud tradition, honouring it in new and creative ways. A recent example is the discovery that some network-connected security cameras, as soon as you plug a USB key into them, immediately start saving their video onto the key so you can retrieve it on your second visit.  ;D
 
The following users thanked this post: Ian.M, RoGeorge, analogueAdder

Offline analogueAdder

  • Contributor
  • Posts: 10
  • Country: co
Re: Physical security for wireless networking equipment
« Reply #2 on: May 19, 2020, 02:52:39 am »
It's worth adding that WPS pins can be bruteforced easily and that some router manufacturers generate the default pin and WPA passphrase from the MAC address. Additionally, the firmware of those boxes is often full of careless vulnerabilities...

In other words, if you want security you have to disable WPS and change the WiFi password. And install a third party firmware like OpenWRT if possible. (And disabling the web interface as well.)

However, none of this will protect you against an attacker with physical access. In that case it's indeed game over... :horse:
 
The following users thanked this post: I wanted a rude username

Offline Syntax Error

  • Frequent Contributor
  • **
  • Posts: 584
  • Country: gb
Re: Physical security for wireless networking equipment
« Reply #3 on: May 22, 2020, 11:54:30 pm »
Do not forget the other end of an enterprise wireless access point, the wireless/link aggregation switch. This is often co-located with the other switches/routers, so lock it away in a steel box in the security room and disable all but physical wired console access. A wifi client sat in a store cafe should NOT be able to log into the link aggregation server at their gateway I.P. address, but it can happen.
« Last Edit: May 23, 2020, 12:06:00 am by Syntax Error »
 

Offline james_s

  • Super Contributor
  • ***
  • Posts: 21611
  • Country: us
Re: Physical security for wireless networking equipment
« Reply #4 on: May 23, 2020, 04:17:59 am »
Nothing really new here. If you have physical access to the device then all bets are off, there is always a way to extract data from it or break into it. Fortunately it's relatively easy to secure the device in most cases, certainly for home routers put it inside your house and the only people who can access it without breaking into your house are the people who are authorized to be there. If you are really paranoid you can lock it in a cabinet.
 

Online RoGeorge

  • Super Contributor
  • ***
  • Posts: 6202
  • Country: ro
Re: Physical security for wireless networking equipment
« Reply #5 on: September 23, 2020, 10:43:41 am »
The whole computer security concept is about when the attacker does NOT have physical access to the hardware.

If the attacker has physical access to the machine, there's nothing one can do to protect the data.

Offline tszaboo

  • Super Contributor
  • ***
  • Posts: 7374
  • Country: nl
  • Current job: ATEX product design
Re: Physical security for wireless networking equipment
« Reply #6 on: September 23, 2020, 02:31:58 pm »
A guy with a halberd. And trained dogs.
 

Online RoGeorge

  • Super Contributor
  • ***
  • Posts: 6202
  • Country: ro
Re: Physical security for wireless networking equipment
« Reply #7 on: September 23, 2020, 05:31:06 pm »
A black vault with voice recognition, lady guard, retinal scanner, double electronic key card, sound sensors, temperature increase sensors, lasers and floor pressure sensors are known to be not very effective:





 ;D

Offline iteratee

  • Contributor
  • Posts: 41
  • Country: us
  • Computer Engineer
Re: Physical security for wireless networking equipment
« Reply #8 on: September 27, 2020, 04:53:43 am »
If physical access is a non-barrier then you have no problem - just use your physical access to hack the device and remove the WPS functionality.

Oh wait, you can't, because the physical access thing is a fantasy and rendering a device unhackable for all practical purposes is all too easy. Physical access is only a non-barrier to those with unlimited resources (i.e. not you).
 

Offline I wanted a rude username

  • Frequent Contributor
  • **
  • Posts: 627
  • Country: au
  • ... but this username is also acceptable.
Re: Physical security for wireless networking equipment
« Reply #9 on: September 27, 2020, 05:07:31 am »
If you wish to contribute to the discussion, first formulate a cogent argument which actually addresses the point instead of attacking the straw man of your hallucinations.
 

Offline iteratee

  • Contributor
  • Posts: 41
  • Country: us
  • Computer Engineer
Re: Physical security for wireless networking equipment
« Reply #10 on: September 27, 2020, 05:41:58 am »
Quote from I wanted a rude username: "If you wish to contribute to the discussion, first formulate a cogent argument which actually addresses the point instead of attacking the straw man of your hallucinations."
I'm not arguing with OP. I'm perhaps arguing with comments that themselves miss the point... this seems more of a variation on usual issues with router default passwords than a physical security thing.
 

Offline NiHaoMike

  • Super Contributor
  • ***
  • Posts: 9015
  • Country: us
  • "Don't turn it on - Take it apart!"
    • Facebook Page
Re: Physical security for wireless networking equipment
« Reply #11 on: September 30, 2020, 04:08:56 am »
Flash a third party firmware that simply doesn't have the insecure WPS "feature". Then cut the trace to the reset button to make it more difficult to reset it to default settings without someone noticing.

As for countermeasures against physical hacking, while it is true that there's not a way to make it completely impossible, it often is possible to increase the difficulty to the point where the effort needed would exceed the value obtained by the attack. For some ideas, take a look at how credit card readers resist physical hacking, although that's almost certainly overkill for a wireless router.
Cryptocurrency has taught me to love math and at the same time be baffled by it.

Cryptocurrency lesson 0: Altcoins and Bitcoin are not the same thing.
 
The following users thanked this post: I wanted a rude username

Offline Halcyon

  • Global Moderator
  • *****
  • Posts: 5679
  • Country: au
Re: Physical security for wireless networking equipment
« Reply #12 on: October 11, 2020, 09:52:43 pm »
Firstly, if you're using a router with WPS, disable it immediately. It's awful in terms of security (even if you don't have physical access to the device). Secondly, use a strong password for your wireless network. Ideally, use properly configured 802.1X authentication, but that's going beyond the scope and knowledge level of most home users.

If you're that worried, put all wireless devices on a separate VLAN and lock it down, that way if access is gained to the network, the attack surface is reduced.
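
The advice in this thread to disable WPS and use a strong passphrase can be checked mechanically on access points that run hostapd (as OpenWrt does). The following is an added example, not part of any post above: it audits hostapd.conf text per BSS for enabled WPS, a static AP PIN, label or push-button methods, and a short passphrase. The sample configuration is constructed and the 16-character threshold is an assumed local policy.

```python
# Added example: audit hostapd.conf text for WPS exposure and short passphrases.
# SAMPLE_CONF is constructed for illustration, not taken from a real device.
SAMPLE_CONF = """\
interface=wlan0
ssid=HomeNet
wpa=2
wpa_passphrase=correct horse battery staple
wps_state=2
ap_pin=12345670
config_methods=label push_button
bss=wlan0_1
ssid=Guest
wpa=2
wpa_passphrase=guest123
wps_state=0
"""

MIN_PASSPHRASE_LEN = 16  # assumption: local policy threshold, not from the thread


def parse_bss_sections(text):
    """Split hostapd.conf text into one dict per BSS (interface=/bss= start one)."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key in ("interface", "bss"):
            sections.append({"_bss": value})
            continue
        if not sections:  # settings that appear before any interface= line
            sections.append({"_bss": "(unnamed)"})
        sections[-1][key] = value
    return sections


def audit(text):
    """Return (bss, finding) tuples; hostapd treats a missing wps_state as 0 (off)."""
    findings = []
    for bss in parse_bss_sections(text):
        name = bss["_bss"]
        if bss.get("wps_state", "0") != "0":
            findings.append((name, "wps-enabled"))
            if "ap_pin" in bss:  # fixed PIN: stays valid until the config changes
                findings.append((name, "wps-static-ap-pin"))
            methods = bss.get("config_methods", "").split()
            if "label" in methods:  # PIN printed on the unit
                findings.append((name, "wps-label-pin"))
            if {"push_button", "physical_push_button"} & set(methods):
                findings.append((name, "wps-push-button"))
        passphrase = bss.get("wpa_passphrase")
        if passphrase is not None and len(passphrase) < MIN_PASSPHRASE_LEN:
            findings.append((name, "short-passphrase"))
    return findings
```

An empty result from `audit()` means no BSS in the file has WPS enabled or a passphrase under the threshold; it says nothing about the physical reset button or the vendor's web interface.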
 

Offline vk6zgo

  • Super Contributor
  • ***
  • Posts: 7586
  • Country: au
Re: Physical security for wireless networking equipment
« Reply #13 on: October 12, 2020, 01:21:21 am »
Have several small, yappy dogs--------& one very big quiet one! ;D
 

