Standard User grapevine1
(regular) Sun 13-Jan-19 16:20:00
Re: stop wifi remotely, ethernet lan to remain on.
[re: MrSaffron]

Mr Saffron,
Thank you so much,
I thank you for your kind information
We are fully aware of all the charges that would apply to any person carrying out such interference to communications and any equipment involved etc and further charges that will apply to those persons whose actions cause harassment, alarm and distress and especially fear of any form of violence as a result of their actions. There is another fact that it all may add further legal charges if it has also caused damage to any part of or contained within the property in which a disabled person resides and further especially if that residence has been prior registered with the local authority and an annual reduction in that property's council tax has been in place in prior years to the offences taking place. There is also a Human rights issue which is too complicated to address at present.
This is all compounded if the situation has been reported to any Police Officer and no action resulting or known to have been ignored.
BW
grapevine1
Standard User grapevine1
(regular) Sun 13-Jan-19 16:38:49
Re: stop wifi remotely, ethernet lan to remain on.
[re: baby_frogmella]

Baby_frogmella,
I am grateful for your suggestions; all the points you have put forward I have reason to agree with. May I ask what dongle you have had any experience or even use of, USB or otherwise, in connection with the switching signal from a 3/4G signal to switch the WiFi on and off?

As a matter of interest, what version of the Netgear router model you mentioned, or other such Netgear items, do you consider might be value for money for a domestic installation to enable a WiFi modem to be switched on/off?

Historically I have always in the past fed the ethernet output of the Modem or Modem/router into a Gigabyte 8 or 10 o/p switch.

When I set up the last Netgear system the only commercial way was to use a small laptop to monitor the Routerstats of the line in question and via the ethernet cable switch the wifi on/off.

The smartphone app is a big step forward for all those who live where even the 9yr old kids are streets ahead these days of my historical ability when I was 18yrs old in respect to machine code programming. They sure can hack without any formal programming education.
BW
grapevine
Standard User grapevine1
(regular) Sun 13-Jan-19 16:47:18
Re: stop wifi remotely, ethernet lan to remain on.
[re: baby_frogmella]

Baby_frogmella,
I am grateful for your suggestions; all the points you have put forward I have reason to agree with. May I ask what dongle you have had any experience or even use of, USB or otherwise, in connection with the switching signal from a 3/4G signal to switch the WiFi on and off?

As a matter of interest, what version of the Netgear router model you mentioned, or other such Netgear items, do you consider might be value for money for a domestic installation to enable a WiFi modem to be switched on/off?

Historically I have always in the past fed the ethernet output of the Modem or Modem/router into a Gigabyte 8 or 10 o/p switch.

When I set up the last Netgear system the only commercial way was to use a small laptop to monitor the Routerstats of the line in question and via the ethernet cable switch the wifi on/off.

The smartphone app is a big step forward for all those who live where even the 9yr old kids are streets ahead these days of my historical ability when I was 18yrs old in respect to machine code programming. They sure can hack without any formal programming education.
BW
grapevine

PS Sorry posted (wrong thread)



Standard User baby_frogmella
(knowledge is power) Sun 13-Jan-19 17:18:44
Re: stop wifi remotely, ethernet lan to remain on.
[re: MrSaffron]

In reply to a post by MrSaffron:
Had another thought: many routers allow you to hide the wifi network names so this might be the best way to go, instead of having to continuously switch on/off wifi.


If someone has been persistent then this won't help at all, and can cause as many problems for legit users of the wi-fi network.


But surely if the router isn't publicly broadcasting any wifi network name, then the hacker has nothing to hack into? Like I said, most - if not all - wifi clients allow you to manually enter a wifi network name & password so all the OP needs to do is to make a note of the hidden SSID and pw and simply enter this into the req'd clients - this would just need to be done just once for each client as the clients would normally auto-reconnect. He would have 100% control over which clients are allowed onto his network.

FluidOne FTTPoD 330/30 Mbps
Linksys EA9500v2
Standard User baby_frogmella
(knowledge is power) Sun 13-Jan-19 17:32:54
Re: stop wifi remotely, ethernet lan to remain on.
[re: grapevine1]

If you want to buy a Netgear router at a reasonable price then something like the Netgear D6400 is a good option. Once installed, the Netgear genie smartphone app allows you to switch on/off the router's wifi.

Wrt wifi adaptors, most of my wifi clients have wifi built-in. On my desktop PC I'm using this wifi adaptor which is great. If you have a choice, go for a PCI wifi adaptor rather than a USB model as the PCI models (generally) perform better. Obviously for a laptop PC requiring wifi, you're limited to USB models only.

FluidOne FTTPoD 330/30 Mbps
Linksys EA9500v2
Standard User ukhardy07
(knowledge is power) Sun 13-Jan-19 21:27:45
Re: stop wifi remotely, ethernet lan to remain on.
[re: grapevine1]

Hey, I actually work in the security field and have done corporate wifi penetration testing etc in the past. A lot of the advice here is unfortunately poor and comes from a concept of applying logic, rather than understanding the security underpinning WPA2 encryption.

So to set things straight:
1) MAC address filtering does absolutely nothing for security.

As an example, my network name is BTHub6-6S4Z. When I bring my iPhone home, it transmits a signal effectively in all directions of every WiFi name it has ever connected to, in the hope it finds BTHub6-6S4Z. It also broadcasts its MAC address. My iPad does the same, my MacBook, my PS4, Printer etc.

As an attacker what I can do is listen to the wireless traffic around me - this is called "monitor mode." In the case above, say I had an attacker living next door to me. The attacker would be able to see my iPhone is looking for BTHub6-4S4Z, and they also can see my iPhone MAC (let's say it's 11:22:33:44:55:66).

If I had MAC address filtering enabled, it is bypassed with no hacking at all. The attacker can see my iPhone with MAC address 11:22:33:44:55:66 is requesting BTHub6-4S4Z. All the attacker needs to do is pop in the properties of their network card, and change their MAC to be 11:22:33:44:55:66, and connect to BTHub6-4S4Z. In they go, 15 second job.

Same applies for "hiding your SSID." Say I hide my SSID for my BTHub6-4S4Z network... My iPhone, iPad, MacBook, PS4, Printer, Work Laptop etc will still connect in, and in doing so they will push out this data in every direction asking for this network. Once they connect, they will push out data saying the SSID they are associated with. The attacker can see every device in my home effectively calling out for BTHub6-4S4Z... They can even see a list of every device in wireless range of themselves that is associated with my network name, and all of the MACs. The SSID is hidden, but it is literally being broadcast in every direction by every device I own, in clear text, unencrypted form. Easy to figure out my network's name, right? :)

Point is, hiding your SSID, and MAC filtering do nothing to solve security. This data is literally pushed out by every device, in every direction, and is never "hidden." The WiFi specification is not designed to hide this data, as it was never a security measure.

2) A strong WPA2 password is important, although most hackers will not exploit the password, but rather exploit flaws in WPS or the PINs. On older devices, these can often be exploited in less than 2 minutes... Even if I had a 50 digit WPA2 password, if I exploited WPS, this would just hand over the 50 digit password. WPS exploits are no slower/faster depending on password complexity.

This is why disabling WPS is real important. It is recommended to change the WPA2 password and have a length of 16+ characters (if you know you are being compromised, set a super long PW e.g. 60 characters), and it is recommended to change the SSID from the vendor default also. WPS should not be used / enabled... This applies to all WiFi extenders / booster type devices also.

NOTE: On many devices when you turn off WPS, it does not actually disable. This is a flaw in design, and applies to older devices again.

When an attacker sees an SSID of BTHub6-XXXX, it tells them 1) The device to be compromised is a BT Smarthub and 2) The password is most likely 10 characters (the default length used on all BT Smarthubs). This severely reduces the possible password combinations. This is why changing SSID/password is important as now the attacker has a much bigger job on their hands to test all possible passwords.

Unfortunately, authentication is totally flawed on WPA2 implementations. What this means is, as an attacker I can basically send a request to your router, and ask it to disconnect every single device, it will respond by doing just that. There is no protection of this mechanism where devices connect / disconnect. If you have a very malicious attacker, they could get "angry" and retaliate by constantly sending requests to your AP to disassociate every device, resulting in the user being unable to ever connect to the WiFi. This is highly illegal, but does occur at times.

WPA3 will resolve this flaw, apparently. :)

WPS etc is getting more secure, for various reasons, but I would still disable it.

In your shoes I would do the following:
1. Reset the router to factory defaults - the reason I say this, attackers can set up remote management which enables them to get into your router's settings from anywhere in the world. E.g. they could go into the settings from Australia... In the settings would be any wifi password.

Every time you change the password, the attacker just logs into the router from another network (e.g. mobile phone data), pops in the settings and brings up the new password. Then they connect in...

Hence, it is worth resetting with a pin in the reset button to ensure they have not installed any of these "back doors."

2. As soon as the router is reset, log in to the router, and change the admin password of the device to something complex e.g. a 16 digit random password.
3. Log in to the router with the new admin password, navigate to the WiFi settings, disable WPS/WPS PINs.
4. Change the SSID to something else, keep SSID broadcast on, there is no security benefit disabling this. Do not bother with MAC filtering, there is no security benefit.
5. Set the router to WPA2-AES only, NOT WPA / WPA2 Mixed Mode. Set a password of 16+ characters (or 60 if you don't mind entering it one time on every device). Ensure no dictionary words are used e.g. Football10 and do not use common variations of words e.g. F00tb4ll10.
6. Double check remote access is disabled on your device (if your device supports it). Double check changing the SSID/Password has not re-enabled WPS.
7. If you can, reduce the WiFi AP power, so it only covers the property as required.
8. Apply any firmware updates to your device, in case there are inherent security weaknesses on your AP's WiFi setup. If there is an auto update function, enable it. If you have ISP kit, this should get updates automatically...

If your device is end of life and not supported by the vendor, consider replacement with a new piece of kit, or a latest and greatest ISP device which will likely meet a much higher security standard out of the box (e.g. enhanced WPS pin lockout etc - still disable WPS).

At this point, it is likely the attacker will move onto an easier to compromise device. Your AP becomes a huge headache to get into...

Edited by ukhardy07 (Sun 13-Jan-19 21:51:01)
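
Step 5 of the checklist above as a script, added here as an illustration and not part of ukhardy07's post: it rejects a passphrase that reduces to a dictionary word once common character swaps are undone (the post's Football10 / F00tb4ll10 case), enforces the 16-character minimum, and generates a random 60-character passphrase. The word list is a small constructed sample and the function names are made up for this example.

```shell
#!/bin/sh
# Added example: vet a candidate WPA2 passphrase against step 5 of the checklist.
# WORDS is a tiny constructed sample; a real check would load a full word list.
WORDS="football password liverpool welcome dragon"

# Lowercase, undo common swaps (0>o 1>l 3>e 4>a 5>s 7>t @>a $>s), keep letters only.
normalise() {
    printf '%s' "$1" | LC_ALL=C tr 'A-Z' 'a-z' \
        | LC_ALL=C tr '013457@$' 'oleastas' | LC_ALL=C tr -cd 'a-z'
}

# Prints "ok" and returns 0, or prints the first failed rule and returns 1.
check_psk() {
    psk=$1
    len=${#psk}
    plain=$(normalise "$psk")
    for w in $WORDS; do
        case $plain in
            *"$w"*) echo "contains dictionary word: $w"; return 1 ;;
        esac
    done
    if [ "$len" -lt 16 ]; then
        echo "too short ($len < 16)"; return 1
    fi
    # A WPA2 passphrase can be at most 63 characters.
    if [ "$len" -gt 63 ]; then
        echo "too long for WPA2 ($len > 63)"; return 1
    fi
    echo "ok"
}

# Random alphanumeric passphrase, default 60 characters as suggested in the post.
gen_psk() {
    head -c 4096 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9' | head -c "${1:-60}"
}

# Demo: the two weak examples from the post, then a freshly generated passphrase.
for c in Football10 F00tb4ll10 "$(gen_psk)"; do
    printf '%s -> %s\n' "$c" "$(check_psk "$c")"
done
```
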

Standard User jabuzzard
(member) Sun 13-Jan-19 22:12:45
Re: stop wifi remotely, ethernet lan to remain on.
[re: ukhardy07]

I was coming to post that MAC filtering and hiding the SSID is an exercise in wasting time. Basically I would second everything you have said as being things to do.

However I would add if the attacker is using a consistent MAC address one might consider using a MAC blacklist on it. Might take them some time to work out what you have done.

There are some other options, just ditch pre-shared keys completely and go WPA2 enterprise. Lot more hassle but you could then put a lockout on failed authentication attempts.

As for turning the WiFi on and off remotely my suggestion would be a Ubiquiti EdgeRouter X SFP with whatever combination of UniFi AC Lite, AC LR, and Mesh AC being powered using the 24V passive PoE from the EdgeRouter. You can then just SSH into the EdgeRouter from wherever (assuming static IP and/or dynamic DNS) and then you can turn it off using

configure
set interfaces ethernet eth0 poe output off
commit
save
exit


and turn it back on with

configure
set interfaces ethernet eth0 poe output 24v
commit
save
exit


Note you only need the save command if you want it to persist across reboots of the router. It would also be possible to script this up so that it turns on and off at specific times.

You could do the same with a Mikrotik hEX PoE as well, and Mikrotik have a range of WiFi access points that work with 24V passive PoE. You could mix and match between Mikrotik and Ubiquiti if you wanted as the two 24V passive PoE's are compatible.

You would need a separate modem as well but a HG612 3b off eBay is cheap and reliable, and with the appropriate adaptor you can power that using 24V passive PoE too.

https://www.amazon.co.uk/gp/product/B00EBCQ5FM

Added advantage IMHO with this sort of option is that you are dealing with devices that are going to get regular and prompt firmware updates unlike the consumer grade devices suggested by other people. Personally I consider the consumer grade stuff to be worse than an utter waste of time if you are interested in security.

Obviously going down the Ubiquiti/Mikrotik route is more complex than ISP supplied or other consumer devices, but it is a thousand times more robust.

Finally you could consider physical security. That is wrap the property in a Faraday cage, though at this point you would then need to put a femtocell inside the house if you want mobile coverage, or have a phone capable of WiFi calling. Rather extreme and very expensive unless your house happens to be made of bricks full of ferrous material :)
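
The "script this up" idea from jabuzzard's post, as an added example that is not part of the post: the same set / commit / save sequence run non-interactively, with the interface and state validated before they reach the config session. It assumes EdgeOS's `vyatta-cfg-cmd-wrapper` at its usual path; the script name, its location and the cron times are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): switch passive PoE on one EdgeRouter port.
# Assumption: the EdgeOS config wrapper is at this path; confirm on your firmware.
WRAPPER=${WRAPPER:-/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper}

# poe_set <interface> <off|24v> [save]
# Returns 0 on success, 1 if the config session fails, 2 on rejected arguments.
poe_set() {
    iface=$1
    state=$2
    persist=${3:-}
    # Accept only ethN and the two states from the post, so a caller (cron,
    # an SSH forced command) cannot pass anything else into the config session.
    case $iface in
        eth[0-9]) ;;
        *) echo "rejected interface: $iface" >&2; return 2 ;;
    esac
    case $state in
        off|24v) ;;
        *) echo "rejected state: $state" >&2; return 2 ;;
    esac

    $WRAPPER begin || return 1
    rc=0
    if $WRAPPER set interfaces ethernet "$iface" poe output "$state" \
        && $WRAPPER commit; then
        # As the post notes, save is only needed to persist across reboots.
        if [ "$persist" = save ]; then
            $WRAPPER save || rc=1
        fi
    else
        rc=1
    fi
    $WRAPPER end
    return $rc
}

# Run as: wifi-poe.sh eth0 off        (hypothetical script name)
# Timed use from cron, e.g. off at 23:00 and on at 07:00 (hypothetical path):
#   0 23 * * * /config/scripts/wifi-poe.sh eth0 off
#   0 7  * * * /config/scripts/wifi-poe.sh eth0 24v
if [ "$#" -gt 0 ]; then
    poe_set "$@"
fi
```

Leaving out `save` for the timed case means a reboot returns the port to whatever state was last saved.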
Standard User grapevine1
(regular) Sun 13-Jan-19 23:58:07
Re: stop wifi remotely, ethernet lan to remain on.
[re: ukhardy07]

Hi UKH

My professional life has been in Electronics FOR Coms, IT and Law. I believe we have met 2010/11. I had some involvement in your industry, you can PM me if you like
My other half's very elderly mother has just been rushed into Hospital 150 miles away, just to say if I'm off topic for a few days I have to concentrate on my rock.
Standard User grapevine1
(regular) Mon 14-Jan-19 00:31:55
Re: stop wifi remotely, ethernet lan to remain on.
[re: jabuzzard]

Hi JB
My professional life has been in Electronics FOR Coms, IT and Law. I believe we may have met 2009/11 (Digital Economy Bill). I had some involvement in your industry, you can PM me if you like
My other half's very elderly mother has just been rushed into Hospital 150 miles away, just to say if I'm off topic for a few days I have to concentrate on my rock, to share the projection and control of an old fashioned design of combustion Engine in front of us.
For interest The original half of My property was built by the family prewar the 30's and the black mortar etc was steelworks flyash a faraday cage that takes some beating but the new houses (microcabins) now being constructed the other face of the valley are internal wooden frame (in a day) sections metal foil covered with a brick outer layer, a signal reflector and blocker, hence my poor mobile signal at present. Some of the Beech trees in the signal path (are being removed) with their leaves forming a half wavelength attenuator in the summer months. I have added this last long sentence for some factual light relief. I spent a chunk of my life 67- 85 being fried by high powered 10 to 30 GHz and getting the signal and reception up to 50,000 miles. So the practical of domestic broadband although in recent years known to me. I considered was for another branch of Research and Consulting Engineers
BW
grapevine1
Standard User jabuzzard
(member) Mon 14-Jan-19 10:56:54
Re: stop wifi remotely, ethernet lan to remain on.
[re: grapevine1]

It occurred to me that an alternative approach might be to go down the route of either a honeypot and/or tarpit.

It in the first instance might make identifying the culprit a piece of cake, as you would be able to man in the middle their traffic. Something as simple as sending or receiving an email could give them away. Also if they get in and then find the connection is rubbish and limited due to the tarpit approach they might decide it's not worth the effort.

A third approach would be to go on the offensive. Just watch their MAC address and send deauth packets whenever they associate with an access point. Do that for a day then stop. If they still attack your network start again. Repeat till they give up.