Posted to sci.electronics.repair
Jeff Liebermann
Cable modem TV antenna experiment

On Sun, 13 Jan 2013 06:58:54 -0800, "William Sommerwerck"
wrote:

Actually, it's trivial to hack into a wireless router with MAC address
filtering enabled. Just sniff the traffic to/from that wireless
router and collect the MAC addresses being used. The MAC
addresses are NOT encrypted. Then, just change the MAC address of
your computer to one of them, and you're on.


http://www.irongeek.com/i.php?page=security/changemac


That's assuming there's no data encryption.


True. However, as I mumbled, encryption is the only truly effective
security method.

I use both encryption and MAC
filtering.


It's helpful to know the order and sequence of making a wireless
connection. I won't describe the whole process but you can see it
happen if you enable tracing and look at the connection progress logs:
http://technet.microsoft.com/en-us/library/bb457017.aspx
In order to do the key exchange ceremony for encryption, the devices
need to initially associate using the unencrypted MAC addresses. If
MAC address filtering is active, the initial association will fail. If
you have a valid MAC address, it will connect. It's as simple as
that to detect MAC address filtering and determine if a sniffed MAC
address will work.

Nevertheless, I appreciate this information, as the book I read indicated that
you needed hardware to spoof a MAC address. (Perhaps the author was talking
about what was required to sniff it.)


You need quite a bit of hardware and carnal knowledge of the design in
order to permanently change a MAC address. It's usually in a
protected part of the firmware flash memory where it's safe from user
screwups. All the various OS's read the MAC address, and then save it
in a configuration file somewhere for later use. Changing the MAC
address is nothing more than changing the saved value.

In the distant past, I was doing some wireless testing which included
determining how many MAC addresses an access point could handle.
(Reminder: All 802.11 wireless networking is done at the MAC address
layer 2 level. Layer 3 or IP addresses are strictly for management
and configuration). I had software that connected to an AP,
disconnected, changed the MAC address, reconnected, disconnected, and
so on. Each connection had a new spoofed MAC address. The question
was how many connections could it handle before failing, how did it
fail, and how gracefully did it recover. Nobody was very happy when I
reported that the system would hang and die long before the connection
tables were full. Hopefully, things have been fixed in today's
devices.

A friend of mine remarked that both he and I were relatively safe from such
attacks. "Why would anyone be interested in accessing //our// computers?"
Indeed. This is true for most users. Of course, it's no excuse for not taking
simple steps to protect yourself.


I play both sides of the wireless fence, so it's difficult for me to
provide a consistent personal policy. I also hate getting into
security discussions as they always end in acrimonious disagreement.
For the purposes of this discussion, I'll suggest that the
manufacturers of commodity hardware are at fault for NOT providing
routers and access points that are secure by default. Out of the box,
the router should have a pre-assigned secure password and a
pre-assigned secure WPA2 key. Only after the user configures the
router can it be reduced to a lower security level. Currently, all
but 2wire routers are delivered with no password (or a default
password), and encryption turned off. I ran a little mini-campaign
called "Secure by Default" for a few years trying to get the major
players to simply understand the problem. I even suggested that they
might be deemed liable for any financial damages resulting from the
misuse of their routers. Certainly, by looking at the gaudy box
covered with security related buzzwords and acronyms, a casual buyer
would ASSUME that they were well protected. Anyway, I was told that
convenience of setup was more important and not to bother them with
such problems. Oh well.


--
Jeff Liebermann
150 Felker St #D
http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558
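Seen from the access point's side, the MAC cloning trick and the connect/spoof/reconnect churn described in the post both leave traces in the association log. The script below is an added example, not code from the post or its author: it reads a constructed, hostapd-like log format (the format, MACs and timestamps are all made up for the illustration) and flags a MAC that associates while the same address is already associated, and bursts of distinct MACs inside a short window.

```python
import re
from collections import deque
from datetime import datetime

# Constructed log format (hostapd-like, not copied from any real device):
# "<ISO time> <iface>: STA <mac> IEEE 802.11: associated|disassociated"
LINE_RE = re.compile(r"^(?P<ts>\S+) \S+: STA (?P<mac>[0-9a-f:]{17}) "
                     r"IEEE 802\.11: (?P<event>associated|disassociated)$")

def analyse(lines, window_s=60, churn_threshold=5):
    """Return (timestamp, indicator, mac) findings from AP association logs.
    duplicate-association: a MAC associates while already associated, i.e.
        a second radio is using an address it sniffed from the real client.
    mac-churn: >= churn_threshold distinct MACs associated inside window_s,
        the connect / change MAC / reconnect pattern from the post."""
    associated, recent, findings = set(), deque(), []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                       # skip lines in another format
        ts, mac = datetime.fromisoformat(m["ts"]), m["mac"].lower()
        if m["event"] == "disassociated":
            associated.discard(mac)
            continue
        if mac in associated:
            findings.append((ts, "duplicate-association", mac))
        associated.add(mac)
        recent.append((ts, mac))
        while (ts - recent[0][0]).total_seconds() > window_s:
            recent.popleft()               # drop associations outside window
        if len({r[1] for r in recent}) >= churn_threshold:
            findings.append((ts, "mac-churn", mac))
            recent.clear()                 # report one burst once
    return findings

# Constructed sample: one cloned address, then a burst of five spoofed ones.
SAMPLE = ["2013-01-13T07:00:01 wlan0: STA 00:11:22:33:44:55 IEEE 802.11: associated",
          "2013-01-13T07:00:09 wlan0: STA 00:11:22:33:44:55 IEEE 802.11: associated",
          "2013-01-13T07:05:00 wlan0: STA 00:11:22:33:44:55 IEEE 802.11: disassociated"]
SAMPLE += [f"2013-01-13T07:10:{i:02d} wlan0: STA 02:00:00:00:00:{i:02x} "
           "IEEE 802.11: associated" for i in range(5)]

if __name__ == "__main__":
    for ts, indicator, mac in analyse(SAMPLE):
        print(ts.isoformat(), indicator, mac)
```

A legitimate client that roams or reconnects after a lost beacon can also produce a duplicate association, so the first indicator is a prompt to check for an IP conflict or a second client with the same address, not proof by itself.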