Posted to misc.phone.mobile.iphone,alt.internet.wireless,sci.electronics.repair
From: Aardvarks
Subject: Is it theoretically or practically even possible to mooch off of a typical WISP

On Sun, 24 Jul 2016 21:05:10 -0700, Jeff Liebermann wrote:

> Sigh. Do you really expect me to post detailed instructions on how it
> might be done?

Hi Jeff,
I knew you'd be on either a.i.w or s.e.r (although you hang out more on the
latter nowadays, I think).

> I'll assume that the leech has a compatible wi-fi client bridge radio,
> a decent dish or panel antenna, a good location to see the WISP access
> point antenna, and is able to associate (synchronize with the pseudo
> random spread spectrum spreading code). Basically, this means the
> leech can get a "connect" indication from his client bridge radio.

The theoretical leach would be me (but I already have free WiFi access from
my WISP in return for being an access point for him) so the question really
*is* theoretical, and you actually know all the WISPs in this area (let's
not state their company or real names, for privacy reasons, but you know of
Loren at H.....p and Dave at S.....t and Mike at R...........s, and Herman
at E.....c, etc., who are the respective WISP proprietors).

> The next obstacle is how much security has the WISP installed to
> protect his system. Nobody runs a wide open system, without
> encryption and no passwords.

Exactly!
Nobody runs a wide open system where leeches can just latch on for any
reasonable period of time.

Loren is the least restrictive, Herman is the most restrictive - with the
others in between on security.

> For a minimum, the WISP is certain to
> authenticate the MAC address of the client bridge radio. MAC
> addresses are easily spoofed, but this is mostly for identifying and
> blocking radios that are attempting to connect, but don't belong on
> the system.

Actually, as you pretty well know, that end of the MAC address is, I think,
the harder one to spoof (I think it was you who told me that long ago).

But let me confirm...

The end that the WISP sees is the hard one to spoof, isn't it?

> The next layer is WPA2-AES-Enterprise encryption and authentication.

Yup. While Loren doesn't even use encryption on the 802.11 equipment, he
has plenty of 900MHz equipment which has to be specially set up, and Mike,
for example, also makes use of non-wifi protocols. So does Dave, and Herman's
system isn't at all compatible with customer-owned equipment.

> Unlike the typical home wi-fi router, which uses WPA2-AES-PSK
> (pre-shared key), WPA2-AES-Enterprise does not have a single
> encryption key for the entire system. A new and unique key is issued
> for each connection and at regular intervals. Even if you could crack
> the encryption key, it would only be good for a maximum of 3600
> seconds. The RADIUS authorization and 802.1x authentication system
> would also have a stored login and password.

Yup. And that doesn't even count the protocol tricks that these guys use to
get better bandwidth throughput and noise rejection.

> There are a bunch of other tricks to improve security that are used,
> which I don't want to disclose or discuss. Most do not really prevent
> someone from breaking into the system, but rather act as a burglar
> alarm to identify attempted breakins.

They all run a watchdog of some sort.

> I would say that trying to get past WPA2-AES-Enterprise, even with
> inside information, is not possible (unless you're the NSA).

Actually, I have more knowledge than most because I'm a repeater so I am
sometimes called to do troubleshooting to save them a visit - but for this
discussion - we should assume I'm a normal customer of the WISP.

> Spoofing
> an existing connection or working WISP customer is somewhat less
> difficult. One would need the previously mentioned hardware list, a
> means of tweaking the client bridge MAC address, the RADIUS login and
> password, and inside knowledge of what the WISP is using for
> authentication.

You also need the protocol information, and the IP address information, but
presumably you could sniff that over the air.

> One would also need to somehow disable the real
> customer as it would not do to have two client bridge radios trying to
> authenticate using identical credentials. That will certainly set off
> alarms (if the WISP pays attention to alarms and reads the log files).
> That's possible, but hardly practical, and certainly not reliable.

Yup. While doing a site discovery isn't hard, you have to also crack the
admin password on the radio, which changes frequently, among other hurdles.

> Leeching is usually NOT done by trying to connect to the WISP access
> point.

Agreed. It's just too hard to do and too easy to get caught since a house
doesn't move all that fast.

> Instead, it's done by connecting to the wireless router
> installed by the WISP customers.

OK. That's *easy* by way of comparison. But we weren't talking about
breaking into the homeowners' SOHO router (which is a different topic
altogether).

> In other words, the neighbors. These
> are typical home wireless commodity routers, secured by a single
> WPA2-AES-PSK password key. If you know the key (or its hash code),
> and have good RF connectivity to the neighbors' wireless router, you're
> on the system.

Yes. Plenty of neighbors have wide open networks. Sigh.
They're the Santa Cruz 60's hippy trusting type of people.
You know ... people like you!
(jk - you're too knowledgeable to be trusting!)

> So, to answer your question... yes, it's theoretically possible but
> no, it's not easy, practical, worthwhile, or reliable. Incidentally,
> it's also a crime and legally actionable as "theft of services" which
> increases the element of risk.

Yup. Just what I had thought.

The Apple iOS "experts" blandly accuse people of this stuff, not even
taking into account *any* of the many potential hurdles, not the least of
which is that a house doesn't move all that fast and is easy to locate when
stealing WISP bandwidth.

If you're not the NSA, then you're probably not hacking into the WISP.
It's just not feasible.

Thanks for your insight!

PS: What do you think about the possibility of tapping into a Starbucks in
downtown Santa Cruz from Loma Prieta?