[nSLUG] Bell Aliant FibreOP and Linux router

Stephen Gregory nslug at kernelpanic.ca
Mon Oct 14 00:12:53 ADT 2013


On Sat, Oct 12, 2013 at 3:32 PM, Jack Warkentin <jwark at bellaliant.net> wrote:

> I have successfully set up a hidden SSID, MAC address filtering, and WPA2
> security.


WPA2 with CCMP/AES is all you need. (Do remember to disable TKIP.) MAC
address filtering is pointless. Anyone who wants to attack your network can
spoof an allowed address. The filtering just makes it more annoying when a
guest visits and you want to allow them to use your WIFI. A hidden SSID is
bad security. I know it has been standard advice since the early days of
40-bit WEP and 802.11b, but the advice is wrong. An SSID is only hidden when
there are no clients connected to the access point. A hidden SSID may
prevent a random drive-by attack, but a good WPA password does a better job
of preventing those types of attacks. The problem is that a hidden SSID
exposes your clients to attack.

When a WIFI client initializes, it first looks for broadcast beacons from
known SSIDs. If the client does not see any beacons from known SSIDs, it
will broadcast looking for specific SSIDs, starting with the last SSID the
client was connected to. It is trivial for an attacker to set up a fake
access point that pretends to be every SSID. If the last SSID a client was
connected to was a public network[1] (e.g. library, hotel, or coffee shop), the
client will happily connect to the fake access point and start downloading
malware before you know it. The attack is at the script-kiddie level of
difficulty. My grandfather could run it. (But he wouldn't. He is a nice
person.) This attack is really only possible against a hidden SSID.


The upshot: A hidden SSID does little to nothing to protect your access
point, and it exposes your clients to an easy attack. Just use a good WPA
pass-phrase and you will be fine.


[1] Note: there is an active attack that can trick your client into
connecting to the fake access point even if your client was last connected
to your secured WIFI. It is a timing attack. It works by slowing down your
secured access point in the hopes that your client will broadcast looking
for another network. An SSID beacon breaks this attack.

-- 
sg
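
An added example, not part of the original message: a client-side audit for the three points raised above (hidden-SSID profiles, open networks a fake access point can imitate, and TKIP still being permitted). It assumes the client stores its profiles in wpa_supplicant.conf, where `scan_ssid=1` marks a hidden-network profile, `key_mgmt=NONE` without a WEP key is an open network, and `pairwise`/`group` list the permitted ciphers; the sample configuration and the finding labels are constructed.

```python
import re
# Constructed sample of a client's wpa_supplicant.conf (not from the post).
SAMPLE_CONF = '''
network={
    ssid="HomeHidden"
    scan_ssid=1
    psk="constructed passphrase one"
    pairwise=CCMP TKIP
}
network={
    ssid="CoffeeShop"
    key_mgmt=NONE
}
network={
    ssid="HomeVisible"
    psk="constructed passphrase two"
    pairwise=CCMP
}
'''

BLOCK_RE = re.compile(r"network\s*=\s*\{(.*?)\n\s*\}", re.S)

def parse_networks(text):
    """Return one {key: value} dict per network={...} block."""
    nets = []
    for body in BLOCK_RE.findall(text):
        pairs = (l.strip().split("=", 1) for l in body.splitlines()
                 if "=" in l and not l.strip().startswith("#"))
        nets.append({k.strip(): v.strip().strip('"') for k, v in pairs})
    return nets

def audit(text):
    """Map SSID -> findings for the three issues raised in the post."""
    report = {}
    for net in parse_networks(text):
        found = []
        if net.get("scan_ssid") == "1":  # hidden-network profile
            found.append("directed-probe")  # client names this SSID in probe requests
        if net.get("key_mgmt", "").upper() == "NONE" and "wep_key0" not in net:
            found.append("open-network")  # no key: any AP using this name is accepted
        ciphers = f'{net.get("pairwise", "")} {net.get("group", "")}'.upper().split()
        if "TKIP" in ciphers:  # only explicit cipher lists are checked here
            found.append("tkip-allowed")
        if found:
            report[net.get("ssid", "<unnamed>")] = found
    return report

if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
```

Profiles flagged `open-network` are the ones worth deleting or setting not to auto-connect; `directed-probe` goes away once the access point broadcasts its SSID and the `scan_ssid=1` line is removed.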