Secure by default
It’s not often that I buy stuff off the cuff. My buying habits are relatively conservative, and I usually do a lot of research on equipment before I buy it. This Friday was an exception to the rule - when I saw the WRT54GC in Fry’s for $40, I just couldn’t miss out. The device is very slender, very nearly pocket-sized, and has a built-in antenna with a jack for an external one and 5 ethernet ports (1 external).

Wireless technology has been in use for nearly a decade now, and securing a wireless network today is relatively easy. Yet as I plug this baby into the socket and hit refresh on the laptop, I see a new network: SSID linksys, channel 6, no encryption. Great. A few tweaks later and the device no longer publishes its SSID (no it’s not linksys anymore), and would only let you connect if you speak WPA2 to it. And ‘admin’ was a lame administrator password anyway.
Here’s a question for you: How many people actually go through the extra few clicks to secure their wireless device? If this device sold only 1000 units, I bet there are now 800 new open wireless networks.
Let’s consider the following imaginary scenario, involving Joe, your average computer user:
- Joe buys his new device and connects it to his cable modem, like the manual says
- Joe then looks for a wireless network with his laptop. There it is, SSID linksys, no encryption
- Joe connects to the unencrypted network and tries to browse the web
- Joe’s web connection is hijacked to a local web server on the device, which asks him for a 6-digit code on a sticker on the device.
Several interesting things can happen now: Maybe Joe can surf the net immediately, while the device sets up a MAC filter for his current MAC address. Not very secure, but it’s better than nothing. Or Joe might have to choose a WPA key, and a small signed Java applet would set up his computer with the new key.
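The setup flow in the scenario above, as an added Python model that is not code from the post or from Linksys: the device ships open and unprovisioned, redirects every browser request to a local HTTPS setup page, checks the sticker code in constant time and locks after a few wrong tries (a 6-digit code is a small space), and only once the code is accepted writes the WPA2 passphrase, a new SSID, a non-default administrator password and a MAC allowlist in a single step. The LAN address, the lockout threshold, Joe’s MAC address and the sticker code are constructed assumptions, not values from the post.

```python
import hmac
import secrets
import string
from dataclasses import dataclass, field
from typing import Optional

SETUP_HOST = "192.168.1.1"   # assumed LAN address of the device (hypothetical)
MAX_CODE_ATTEMPTS = 5        # lockout threshold; an assumption, not from the post
MIN_PASSPHRASE = 8           # WPA2-PSK passphrases are 8 to 63 ASCII characters
MAX_PASSPHRASE = 63


def generate_passphrase(length: int = 16) -> str:
    """Random passphrase from the OS CSPRNG (letters and digits, easy to type)."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


@dataclass
class Router:
    """Toy model of a home router that ships unprovisioned and forces a setup step."""
    sticker_code: str                      # 6-digit code printed on the device label
    ssid: str = "linksys"                  # factory default named in the post
    security: str = "open"                 # becomes "wpa2" once provisioned
    passphrase: Optional[str] = None
    admin_password: str = "admin"          # factory default named in the post
    mac_allowlist: set = field(default_factory=set)
    provisioned: bool = False
    failed_attempts: int = 0
    locked: bool = False

    def handle_http(self, client_mac: str, host: str, path: str,
                    form: Optional[dict] = None) -> dict:
        """Web server logic: until provisioned, every request lands on the setup page."""
        if self.provisioned:
            return {"status": 200, "body": "pass-through"}   # normal Internet access
        if host != SETUP_HOST:
            # Captive-portal style hijack: send the browser to the local HTTPS setup page
            return {"status": 302, "location": f"https://{SETUP_HOST}/setup"}
        if path != "/setup":
            return {"status": 404, "body": "not found"}
        if form is None:
            return {"status": 200, "body": "enter the 6-digit code printed on the device"}
        return self._complete_setup(client_mac, form)

    def _complete_setup(self, client_mac: str, form: dict) -> dict:
        if self.locked:
            return {"status": 403, "body": "too many bad codes; power-cycle the device to retry"}
        # Constant-time compare: the code is a secret, even if only a 6-digit one
        if not hmac.compare_digest(form.get("code", ""), self.sticker_code):
            self.failed_attempts += 1
            if self.failed_attempts >= MAX_CODE_ATTEMPTS:
                self.locked = True             # guessing through the 6-digit space stops here
            return {"status": 403, "body": "bad code"}
        passphrase = form.get("passphrase") or generate_passphrase()
        if not MIN_PASSPHRASE <= len(passphrase) <= MAX_PASSPHRASE:
            return {"status": 400, "body": "passphrase must be 8-63 characters"}
        admin_password = form.get("admin_password") or generate_passphrase(20)
        if admin_password == "admin":
            return {"status": 400, "body": "choose a non-default administrator password"}
        # Code accepted: apply the whole secure baseline in one step
        self.ssid = form.get("ssid") or "home-" + secrets.token_hex(2)
        self.passphrase = passphrase
        self.security = "wpa2"
        self.admin_password = admin_password
        self.mac_allowlist.add(client_mac)     # weak on its own, but free to add
        self.provisioned = True
        return {"status": 200, "body": "network secured", "ssid": self.ssid,
                "passphrase": self.passphrase, "admin_password": self.admin_password}


def walk_joe_through_setup(sticker_code: str = "483920", wrong_tries: int = 0) -> dict:
    """Run the scenario from the post: Joe plugs in, browses, gets hijacked, enters the code."""
    router = Router(sticker_code=sticker_code)
    joe = "00:11:22:33:44:55"                  # constructed MAC address for Joe's laptop
    first = router.handle_http(joe, "www.example.com", "/")
    for _ in range(wrong_tries):
        router.handle_http(joe, SETUP_HOST, "/setup", {"code": "000000"})
    done = router.handle_http(joe, SETUP_HOST, "/setup", {"code": sticker_code, "ssid": "joe-home"})
    after = router.handle_http(joe, "www.example.com", "/")
    return {"first": first, "done": done, "after": after, "router": router}


if __name__ == "__main__":
    result = walk_joe_through_setup()
    print(result["first"], result["done"], result["after"], sep="\n")
```

`walk_joe_through_setup()` returns the three HTTP exchanges plus the final router state, so the happy path, the lockout path (`wrong_tries=5`) and the rejected-passphrase path can each be checked. The redirect targets an HTTPS page because the code otherwise crosses the open wireless link in the clear, which is the point of Disclaimer 1 below; the MAC allowlist is recorded only as the cheap extra the post describes, never as the sole control.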
Now I’m not Joe, so maybe my perspective is all skewed. Is it really too much to ask from a user to go through a linear, consistent process before his network is set up, ensuring he is running an encrypted network, or at least MAC-filtered? Is it that much of an annoyance?
Is it more expensive to manufacture? The device already has an individualized sticker on it with the MAC address; I don’t think adding another 6 digits to it is much of a hassle, and the device already has an embedded web server. Yes, some more code.
Disclaimer 1: I know, this is still insecure, because Joe still uses a wireless unencrypted medium to transmit the code. It can be solved with an SSL web server, but even if it’s unencrypted, the window of vulnerability is greatly reduced.
Disclaimer 2: The WRT54GC came with a CD, which I never bothered to take out of its sleeve. I could see no reason to run software on my PC when I could just as well configure the device over the web. Perhaps Joe’s magic one-click access point securifier exists on that CD, and I just didn’t bother to check.

[…] Originally posted in my blog […]

Pingback by SecuriTeam Blogs » Secure by default — September 12th, 2005 @ 10:09 pm

Well, these things can be handled by the manufacturers… but why would they bother? They are not liable for any loss of anything. As long as “society” has “hackers” to blame in the mass media, all will remain the same.

As for Fry’s… you caught them on a good year. Up to about a year ago shopping there was not so pleasant. They improved greatly, especially on customer service and returns. First, don’t ever buy something with a “returned merchandise” sticker on it unless it is significantly cheaper and you are willing to come back to return it. Second, open anything expensive in front of the clerk to see that it is brand new, even if it is shrink-wrapped and “looks” new. I once bought a motherboard that looked new, but the inside was a mess. Third, never attempt a return on the weekends. Happy shopping at Fry’s; it’s heaven for geeks like us. I’ll miss it.

Comment by Saar Drimer — September 13th, 2005 @ 3:02 pm

Thanks, Saar. Yes, there was a ‘reduced price item’ for $2 less. Needless to say I didn’t take it. You can see how good a product is by the ratio of unopened/returned boxes on the shelf.

What’s wrong with returns on a weekend? I just had to ask…

Comment by arikb — September 13th, 2005 @ 5:59 pm

This applies to many big outlets (like Costco)… simply, the return lines are very long on the weekends.
Comment by Saar Drimer — September 14th, 2005 @ 4:38 am

From what I can tell even those who go through a few extra clicks to secure their wireless network aren’t very safe. I just configured a wireless network in my new apartment for myself and my roommate to use. I’ve set up a 128-bit encryption key and MAC access list. Still, someone can hack the key in a few days, fake his MAC address and get everything he wants… I’m counting on the fact that my neighbors aren’t uber-hackers.

By the way, that Linksys is extremely sexy (Please don’t make any assumptions regarding my sex life based on this comment).

Comment by noam — September 28th, 2005 @ 2:30 pm

It’s better than nothing. You’re protected from the occasional hot-spotter.
If you upgrade to WPA, that’s much more significant.
Comment by arikb — September 28th, 2005 @ 2:34 pm

noam: uber hackers? I have friends who are complete morons who can shove an Auditor live CD into their media tray, pass a few commands and fuck a wireless network.
More like count on it that your neighbors are not interested or have IQs lower than 70.

Comment by dera — July 28th, 2006 @ 2:07 pm

and arik, I can break into a WPA network with MAC filtering in less than 15 minutes. More than enough time to not look suspicious. The guy I’m with jumps out of the car, walks into a nearby building or the place we are targeting, looks around, acts interested in an item/service, and when he gets back the router’s firmware has been upgraded to our version, which records every 1 and 0 that passes through it and sends it off to us. And if someone asks a question in the process, why I am sitting there with a laptop on in their parking lot, I am playing a nice game of chess against the computer (that is in the middle of a good game, saved from a few nights before) on a separate desktop so they don’t see a thing. If they ask, I tell them my friend’s fake name and if he calls in to check, sure enough, there is a guy with that name sitting there asking about the latest version of some overpriced piece of software and negotiating a price for extra add-ons and a few hundred more seats.

God I love pen. testing. The look on a smug CEO’s face when he finds out how easily you can screw him - priceless.

Comment by dera (binary loc) — July 28th, 2006 @ 2:14 pm

Now that’s interesting. WPA-encrypted networks that can be broken into within 15 minutes of sniffing - that’s news to me. You’re not talking about WEP, right? Can you please supply more details?

Comment by arikb — July 29th, 2006 @ 2:13 am