Security Risks from WiFi

[Archive7]

I am just wondering if there are any security risks letting a neighbor connect to my WiFi broadband by giving him my connection key.
He is having problems with his current connection and asked if I can give him my key so that he can try to switch to mine when things get really bad for him.
We checked that my WiFi gets him only two bars out of five, which is not good enough I think still not bad for 20m distance and going through several walls.

 

[Archive-8]

I am just wondering if there are any security risks letting a neighbor connect to my WiFi broadband by giving him my connection key.
He is having problems with his current connection and asked if I can give him my key so that he can try to switch to mine when things get really bad for him.
We checked that my WiFi gets him only two bars out of five, which is not good enough I think still not bad for 20m distance and going through several walls.

He will be able to look around your network, unless you can set him up as a guest on your wifi.

My router will allow me to set guest accounts, it then gives them just the net, and not my internal network.

 

[Archive7]

He will be able to look around your network, unless you can set him up as a guest on your wifi.

My router will allow me to set guest accounts, it then gives them just the net, and not my internal network.

Thanks Chris. That's a good idea. What is your router model please?
I am not sure if my router has this option. I will check it.

 

[Archive-8]

Thanks Chris. That's a good idea. What is your router model please?
I am not sure if my router has this option. I will check it.

I have a tp-link D2 and my netgear D6200 both support guest accounts.

So do my wifi access points they are tp-link wa901nd.

 

[timo_w2s]

Yes, some routers do allow guests that use a different IP range and a different SSID and password which can be handy for things like this.

 

[archive10]

He will be able to look around your network, unless you can set him up as a guest on your wifi.

My router will allow me to set guest accounts, it then gives them just the net, and not my internal network.

Guest access is good, some up-market routers have a DMZ with completely separate IP network etc.
This works great for "normal" people, as it's a bit arcane to nose around beyond this.

BUT

WiFi is really not very secure in the first place.
Equipped with a laptop and the right software, a skilled hacker can get into almost any WiFi net these days, without violating any physical personal space.
It's not too difficult to latch onto the WiFi network, and once in, it's much easier to packet-sniff and wireshark around until you can attack individual computers and devices.
Especially the light-bulbs and thermostats are nasty, as recent news items have given evidence about.
Many have been hi-jacked and been used in botnets.

Which is not that bad, compared to much worse with key-loggers installed on computers and pads, and stealing log-in details, ransom-ware etc.

With a wired network, you need physical access to your house - which is a lot more difficult than driving by and picking up WiFi networks.

So it's really a matter of deciding to live with the risk, or to structure the network to have several perimeters (e.g. computers to do banking on living only wired connections not shared with WiFi). The latter is a bit more cumbersome and probably not for your average consumer.

I've tried a compromise - my network has an "inner courtyard" with the important computers in it, and an outer courtyard with the consumer devices + WiFi), and thirdly a guest zone for guest WiFi access (they normally just want internet).
This is implemented using the WiFi in the broadband router for guest access to internet, a dedicated firewall/router to separate outer courtyard and guest zone, and having a separate access point for the outer courtyard. The inner courtyard is behind another router, providing classical two-tier firewall configurations.

But of course this will by many be considered overkill.
Most consumers don't even reckognise the danger, though, so the idea of multiple boxes and Cat5/6 cabling turns many people off.

(apologies for the rant, i just got started and then it's sometimes hard to stop... )

 

[PaulR]

(apologies for the rant, i just got started and then it's sometimes hard to stop... )

I've started so I'll finish...

 

[Topper]

Visiting my niece's in the summer, her husband who works for Intel, has set up their home network similar to st1 with zones, but goes further than that, he does not display any SSID over WIFI, so nobody can find it in the first place then also he only connects an item to his network using MAC addresses. It all takes a few seconds longer to setup but stops anyone else connecting to his network

 

[a33]

he does not display any SSID over WIFI, so nobody can find it in the first place

This choice, however, seems NOT really safer than displaying the SSID!
Non-broadcast Networks are not a Security Feature, see Non-broadcast Wireless Networks with Microsoft Windows

This seems to be very relevant information from Microsoft itself; I believe them here...

Greetz,
A33

 

[Tururu]

Hace la tira de años con las tarjetas wifi Atheros.
Podias localizar estas redes (ocultas) en un pispas.
Clonar la MAC de uno de los dispositivos autorizados.
Con una antena direccional wifi, de 10-20 metros, pasa a mas de 100 metros el alcance de ese router y poder conectarte.

Todo con un viejo portatil P3 a 700Mhz.
La seguridad, son las ganas que tenga el otro de "entrar".
------------------------------------------------------------------
It does the strip of years with the Atheros wifi cards.
You could locate these (hidden) networks in a flash.
Clone the MAC of one of the authorized devices.
With a directional antenna wifi, of 10-20 meters, passes to more than 100 meters the reach of that router and to be able to connect you.

All with an old P3 notebook at 700Mhz.
Security is the desire of the other to "enter".

 

[Topper]

This choice, however, seems NOT really safer than displaying the SSID!
Non-broadcast Networks are not a Security Feature, see Non-broadcast Wireless Networks with Microsoft Windows

This seems to be very relevant information from Microsoft itself; I believe them here...

Greetz,
A33

With all due respect information for an XP wifi network from 11 years ago is hardly relevant in today's world.

 

[a33]

With all due respect information for an XP wifi network from 11 years ago is hardly relevant in today's world.

Has the contact protocol for WIFI networks changed fundamentally, then?
As I understand it, SSID-names are easy to intercept, even if they are "hidden".
And if the network doesn't send the SSID, the computer does, even when the network is't in receiving range.

So how much safer would it be, to hide the SSID of the network?
Or what is the point I am missing, in today's world?

Greetz,
A33

 

[Topper]

I think you are missing the point of my post where I described his setup, the fundamental being that unless the MAC address of the client wishing to connect is inserted into the router config there can be no connection from outside entities, yes SSID names are easy to intercept if you happen to walk around with probe software on your phone tablet or laptop but the existence and use of that software would not allow you to connect to the WIFI unless you actually knew the person and he allowed you to connect by inserting your MAC address into his router config

 

[a33]

OK,
My point is, that hiding the SSID in itself isn't a safety measure, and presenting it as a safety measure seems somewhat misleading to me.
That was the point I was responding to.

If access is only allowed by active permission of the network owner, that is a good safety measure off course.
No way that I would be arguing about that.

Greetz,
A33

 

[Topper]

OK,
My point is, that hiding the SSID in itself isn't a safety measure, and presenting it as a safety measure seems somewhat misleading to me.
That was the point I was responding to.

If access is only allowed by active permission of the network owner, that is a good safety measure off course.
No way that I would be arguing about that.

Greetz,
A33

Please let me know where I presented hiding the SSID as a safety feature. I think you are reading that information into my post when it is not given. Again I repeat I was describing the setup that he had and in no way was I presenting hiding the SSID as a safety feature although I do happen to think that not displaying the SSID would primarily deter the average Joe from even attempting to connect. Of course it is true that there are many in this world that think it is their right to gain access to your property regardless of the safety features installed and will do if they have a mind to. Not displaying the SSID is merely a deterrent in that process, but even though MAC address filtering would stop most determined thieves in their tracks, because it also has a flaw in it, it is also insecure because MAC addresses can also be spoofed.

 

[battenfan]

What's your router model, @HB13DISH16 ?

 

[Archive7]

My router is D-Link DSL 6740U (ADSL modem/router)
I setup today the guest account with password (5 numbers only) for my neighbor.
Just wondering which software hackers use to decipher the keys and if 5 numbers is hard to crack.
It is only 99,999 possibilities so if someone who has a lot of time on his hands (a prisoner for example), he should be able to crack it in 100 days at the rate of typing 1,000 numbers a day. But of course he can get there sooner depending on the actual key.
I can change it to 13 numbers to make it more difficult but this is really too much (good for a prisoner with a life sentence, gives him something to do).

 

[a33]

Please let me know where I presented hiding the SSID as a safety feature. I think you are reading that information into my post when it is not given.

Well, as you can see above, I reacted to this part:
"he does not display any SSID over WIFI, so nobody can find it in the first place"

I never wrote that YOU presented it as a safety measure; I wrote:

My point is, that hiding the SSID in itself isn't a safety measure, and presenting it as a safety measure seems somewhat misleading to me.

So it was not meant personnally at all.
Sorry if it was understood that way.

Greetz,
A33

 

[Topper]

Well, as you can see above, I reacted to this part:
"he does not display any SSID over WIFI, so nobody can find it in the first place"

I never wrote that YOU presented it as a safety measure; I wrote:


So it was not meant personnally at all.
Sorry if it was understood that way.

Greetz,
A33

Perhaps a bad choice of wording on my part initially, perhaps I should have put :-
"he does not display any SSID over WIFI, so nobody without specialist software can find it in the first place"

 

[timo_w2s]

My wifi password is a list of over 60 random characters. It really annoys friends trying to connect... ;)