Posted to uk.d-i-y
John Rumm
wifi strangeness

On 08/12/2020 08:49, No Name wrote:
On 07/12/2020 23:03, Fredxx wrote:
On 07/12/2020 20:54:25, Tim Lamb wrote:
Tested by Tim, wifi signal adequate throughout kitchen/dining area.

Internet radio works OK although there have been a few outages which
seemed to coincide with Openreach installing some additional cabling
nearby.

Ancient iPhone will not connect saying the Wi-Fi password key is
incorrect. Router 12 months or so from installation, not running hot
or any other symptoms. Hardwired connection to desktop OK.


A while ago I was looking into the security of Wifi networks and
methods to obtain the password.

There are a number of techniques that take over the SSID and trick the
user into entering the network Wifi Password. It's one reason why many
corporate Wifi networks use a bespoke interface where the user has no
access to this password.

This type of attack comes under "social engineering".

The idea of entering a password known to be correct a number of times
should ring alarm bells.

Most likely it's an iPhone feature!



There are a number of things you can do to help mitigate against this:

If your Wifi gear supports it, you can hide the SSID to make it harder
for others to recreate an evil twin Access point.


It's trivial enough to find hidden SSIDs, that this is not worth doing
IMHO. Anyone capable of sticking up a fake wifi to masquerade as an
existing network, will also be able to see SSIDs hidden or not.

Using properly signed security certificates and EAP authentication is
the way to go if you want to prevent this.

(and having a RADIUS database of users, means you add or revoke
individual users, rather than sharing one wifi password with everyone)

You can build yourself an OpenVPN server on a Raspberry Pi and install it
on your home network. Then install OpenVPN on all mobile devices and set
it to always only connect over VPN to wifi. Use a different password for
the VPN to the WiFi password.

(This is also doable out on the 4g network if you port forward port 1194
in the router to your VPN server so you can also deal with dodgy public
wifi access points)

Create a Captive Portal on your home network for user authentication.

Some WiFi APs support Rogue AP detection, mine does and I get emails if
it detects a rogue AP popping up.

On my Wifi I have a MAC address white list so only the MAC addresses
that are in the White list are allowed to connect, every other MAC
address is rejected.


More security theatre really. MAC addresses are "soft" and can be
reprogrammed on modern network cards. So other than making your own life
more difficult there is not usually any real benefit to MAC address
filtering.


--
Cheers,

John.

/=================================================================\
| Internode Ltd - http://www.internode.co.uk |
|-----------------------------------------------------------------|
| John Rumm - john(at)internode(dot)co(dot)uk |
\=================================================================/
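
The rogue AP detection mentioned in the quoted text, sketched as an added example that is not part of the original post or of any product's firmware. It compares scan results against an inventory of your own access points; the Beacon record, KNOWN_APS inventory and all SSIDs and BSSIDs are hypothetical, constructed sample data.

```python
# Added example: flag possible evil-twin access points in a Wi-Fi scan.
# All SSIDs, BSSIDs and scan records below are constructed sample data.
from dataclasses import dataclass

@dataclass(frozen=True)
class Beacon:
    ssid: str       # network name; "" when the SSID is hidden
    bssid: str      # AP radio MAC address
    security: str   # e.g. "WPA2-PSK", "WPA2-EAP", "OPEN"
    channel: int

# Hypothetical inventory of our own APs: BSSID -> (SSID, security).
KNOWN_APS = {
    "02:00:00:aa:bb:01": ("HomeNet", "WPA2-PSK"),
    "02:00:00:aa:bb:02": ("HomeNet", "WPA2-PSK"),
}
OUR_SSIDS = {ssid for ssid, _ in KNOWN_APS.values()}

def find_rogues(scan):
    """Return (beacon, reason) for beacons that imitate our network."""
    findings = []
    for b in scan:
        known = KNOWN_APS.get(b.bssid.lower())
        if known is None:
            # Unknown radio advertising our SSID: classic evil-twin sign.
            if b.ssid in OUR_SSIDS:
                findings.append((b, "unknown BSSID using our SSID"))
            continue
        ssid, security = known
        # Known BSSID but different settings: BSSIDs can be cloned
        # (MAC addresses are "soft"), so check the security mode as well.
        if b.security != security:
            findings.append((b, f"security changed from {security} to {b.security}"))
        elif b.ssid not in ("", ssid):
            findings.append((b, "known BSSID advertising a different SSID"))
    return findings

SAMPLE_SCAN = [  # constructed scan results
    Beacon("HomeNet", "02:00:00:AA:BB:01", "WPA2-PSK", 6),    # genuine AP
    Beacon("HomeNet", "02:00:00:cc:dd:99", "OPEN", 6),        # unknown radio
    Beacon("HomeNet", "02:00:00:aa:bb:02", "OPEN", 11),       # cloned BSSID
    Beacon("Neighbour", "02:00:00:ee:ff:10", "WPA2-PSK", 1),  # unrelated
    Beacon("", "02:00:00:aa:bb:02", "WPA2-PSK", 11),          # ours, hidden
]

if __name__ == "__main__":
    for beacon, reason in find_rogues(SAMPLE_SCAN):
        print(f"{beacon.bssid} ch{beacon.channel} {beacon.ssid!r}: {reason}")
```

A twin that copies the SSID, BSSID and security mode together passes this check, which is the gap that certificate-based EAP authentication closes.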