router & wireless security

Since most relatively current portables lack wired ethernet, this could be a problem. I ended up using an original 2006 MacBook that I have lying around.
Ethernet-to-Thunderbolt 2 or 3 adapters are available for around $25-30 each. I keep these on hand for service needs. When you're downloading a multi-GB system update, a wired connection is much preferred.


Ric Ford

MacInTouch
Routers are rife with security problems:
Dan Goodin said:
Ongoing DNS hijackings target Gmail, PayPal, Netflix, banks and more
A wave of DNS hijacking attacks that abuse Google's cloud computing service is causing consumer routers to connect to fraudulent and potentially malicious websites and addresses, a security researcher has warned.

By now, most people know that Domain Name System servers translate human-friendly domain names into the numeric IP addresses that computers need to find other computers on the Internet. Over the past four months, a blog post published Thursday said, attackers have been using Google cloud service to scan the Internet for routers that are vulnerable to remote exploits. When they find susceptible routers, the attackers then use the Google platform to send malicious code that configures the routers to use malicious DNS servers.

Troy Mursch, the independent security researcher who published Thursday's post, said the first wave hit in late December. The campaign exploited vulnerabilities in four models of D-Link routers, including:
  • D-Link DSL-2640B
  • D-Link DSL-2740R
  • D-Link DSL-2780B
  • D-Link DSL-526B
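The campaign quoted above works by reconfiguring a router so that every device on the LAN is handed attacker-controlled resolver addresses. A cheap client-side check is to compare the resolvers a machine was actually given against the ones it should have. The following is an added example, not code from the article or from MacInTouch: it parses either `resolv.conf`-style lines or the `nameserver[n] : addr` lines printed by `scutil --dns` on a Mac, and flags any resolver outside an allowlist. The allowlist, the LAN ranges and the sample output are constructed; the flagged address is a documentation-range placeholder, not a real indicator.

```python
"""Flag DNS resolvers that fall outside an allowlist of expected addresses.

Added example (not from the article or the MacInTouch thread). Input is text
copied from /etc/resolv.conf or from `scutil --dns`; the allowlist below is a
constructed assumption that a small office or home would adapt to its own
router address and preferred public resolvers.
"""
import ipaddress
import re

# Constructed allowlist: private LAN ranges (the router itself normally hands
# out its own LAN address as the resolver) plus a few well-known public services.
TRUSTED_RESOLVERS = [
    "10.0.0.0/8",
    "172.16.0.0/12",
    "192.168.0.0/16",
    "1.1.1.1/32", "1.0.0.1/32",          # Cloudflare
    "8.8.8.8/32", "8.8.4.4/32",          # Google Public DNS
    "9.9.9.9/32", "149.112.112.112/32",  # Quad9
]

# Matches "nameserver 8.8.8.8" (resolv.conf) and "nameserver[0] : 8.8.8.8"
# (scutil --dns on macOS).
NAMESERVER_RE = re.compile(r"^\s*nameserver(?:\[\d+\])?\s*:?\s*(\S+)", re.MULTILINE)

def parse_resolvers(text):
    """Return every resolver address listed in the given configuration text."""
    return NAMESERVER_RE.findall(text)

def find_untrusted_resolvers(resolvers, trusted=TRUSTED_RESOLVERS):
    """Return (address, reason) pairs for resolvers that are not on the allowlist."""
    nets = [ipaddress.ip_network(n) for n in trusted]
    flagged = []
    for addr in resolvers:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            flagged.append((addr, "unparseable"))
            continue
        if not any(ip in net for net in nets):
            flagged.append((addr, "not in allowlist"))
    return flagged

def audit(text, trusted=TRUSTED_RESOLVERS):
    """Parse configuration text and return the untrusted resolvers it lists."""
    return find_untrusted_resolvers(parse_resolvers(text), trusted)

# Constructed sample in the shape of `scutil --dns` output. 203.0.113.5 is a
# documentation-range placeholder standing in for a resolver a hijacked router
# might hand out; it is not a real indicator from the article.
SAMPLE_SCUTIL = """\
DNS configuration

resolver #1
  nameserver[0] : 192.168.1.1
  nameserver[1] : 203.0.113.5
  if_index : 4 (en0)
"""

# Constructed sample in resolv.conf form.
SAMPLE_RESOLV_CONF = """\
# Generated by DHCP
nameserver 8.8.8.8
nameserver 198.51.100.7
search lan
"""

if __name__ == "__main__":
    for name, text in (("scutil", SAMPLE_SCUTIL), ("resolv.conf", SAMPLE_RESOLV_CONF)):
        for addr, reason in audit(text):
            print(f"{name}: resolver {addr} flagged ({reason})")
```

On a Mac the text to feed `audit()` comes from `scutil --dns`; on Linux from `/etc/resolv.conf`. A resolver outside the allowlist is not proof of compromise (an ISP-assigned resolver will also trip it), but it is the first thing to compare against the router's own DNS settings page when a device starts landing on the wrong sites.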


Ric Ford

MacInTouch
Before you buy a Linksys router...
Bleeping Computer said:
Linksys Smart Wi-Fi Routers Leak Info of Connected Devices
More than 25,000 Linksys Smart Wi-Fi routers are currently impacted by an information disclosure vulnerability which allows remote and unauthenticated access to a vast array of sensitive device information.

This issue is very similar to a Linksys SMART WiFi firmware security issue from 2014 tracked as CVE-2014-8244 which allowed "remote attackers to obtain sensitive information or modify data via a JNAP action in a JNAP/HTTP request."

However, as Bad Packets' security researcher Troy Mursch discovered, although that flaw was supposedly fixed about five years ago, the vulnerability is still there. To make things even worse, as Mursch says, the Linksys security team tagged his vulnerability report as "Not applicable / Won’t fix" and closed the issue.

I've run into a problem in the latest versions of iOS - not sure when it started, or if it's "by design."

At work, we have an "Employees" WiFi access point that does not have security (WPA, etc. - i.e. "Unsecured Network"), but we do have a login where we enter our email/password to get access. That all works fine, but if I sleep my phone, then wake it sometime later, iOS has disconnected from the access point, and I have to go back in to the Wireless settings and reconnect. It's very annoying.

Not sure if this was a deliberate change recently or is some bug. Has anyone else seen this behavior? (Or maybe I can blame our WiFi system...?) Thanks.


At work, we have an "Employees" WiFi access point that does not have security (WPA, etc. - i.e. "Unsecured Network"), but we do have a login where we enter our email/password to get access. That all works fine, but if I sleep my phone, then wake it sometime later, iOS has disconnected from the access point, and I have to go back in to the Wireless settings and reconnect. It's very annoying.
I think it's working as designed.

Modern versions of iOS (going back to 8, I believe) implement MAC address randomization. Your MAC address will change periodically in order to prevent it from being used as a tracking identifier.

Unfortunately, public hotspots (which appears to be how your access point is configured) frequently track your logins via that MAC address - they maintain an internal database of MACs belonging to authenticated devices so the devices don't need to authenticate every time they connect. But whenever your MAC address changes, it no longer matches anything in the database, forcing you to re-enter your credentials.

You should talk to your IT department to see if they can implement a more proper Wi-Fi access security model. These typically involve running a RADIUS server on your network in support of IEEE 802.1X. This can be used to implement (among other things) per-user passwords (instead of the "personal" authentication where there is one password for everybody). It can also be used to implement certificate-based authentication, where the IT department will generate a certificate for you, which you will install in your phone so it can be used to authenticate connections.

This may not be possible with inexpensive routers intended for SOHO installations, but there are always exceptions, including the possibility of using OpenWrt on compatible hardware.


I think it's working as designed. Modern versions of iOS (going back to 8, I believe) implement MAC address randomization. Your MAC address will change periodically in order to prevent it from being used as a tracking identifier....
Thanks for that info. I'll have to talk to them again. They claimed it was a bug in recent iOS. I think it has to do with their configuration. It was working just fine up until some version of iOS 12.


Modern versions of iOS (going back to 8, I believe) implement MAC address randomization. Your MAC address will change periodically in order to prevent it from being used as a tracking identifier [. . .] But whenever your MAC address changes, it no longer matches anything in the database, forcing you to re-enter your credentials.
This is not quite correct. iOS only uses MAC address randomization when scanning for available wireless networks. When it actually joins a wireless network, it always uses the same, real MAC address.

But the rest of what David describes about tracking access via MAC address is correct. What's actually happening here is the session timeout on their access gateway. Your iPhone is either exceeding the maximum session time or the maximum idle timeout. In either case, you have to reauthenticate at the captive portal before your MAC address is re-added to the gateway's "allow traffic" list.

What you should do is talk to your IT department and ask about having the gateway's session timeout and idle timeout lengths increased to something like 10 hours, so that you can get through the entire workday only having to authenticate once.

Otherwise, as David describes, if they want to have per-user access controls, the proper way to do it is to implement an 802.1X solution. Besides the user convenience of not having to log in every time (the credentials are saved on the access device), it also allows you to operate with WPA2 encryption. If this is any kind of serious business, operating an unencrypted wireless network that company-confidential information is flying across is irresponsible and unnecessary.
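The two expiry rules described in the post above (an absolute maximum session length and an idle timeout, both keyed on the client's MAC address) are easy to confuse from the user's side, because both end the same way: the next packet is redirected to the portal. The following is an added example, not code from the thread or from any vendor's gateway, that models such a MAC allowlist and walks a phone through "authenticate, use the network, sleep, wake". It shows which rule fires for a given sleep length, why raising both limits to a workday's length stops the re-logins, and why a device that shows up with a different MAC is simply unknown to the gateway. Times are plain seconds and the MAC addresses are constructed.

```python
"""Model of a captive-portal gateway allowlist with session and idle timeouts.

Added example, not code from the MacInTouch thread or from any real gateway.
It reproduces the two expiry rules described in the post above: an absolute
maximum session length and an idle timeout, both keyed on the client's MAC.
Timestamps are seconds since an arbitrary epoch; MAC addresses are constructed.
"""
from dataclasses import dataclass

@dataclass
class Session:
    started: float    # when the user last passed the portal login
    last_seen: float  # most recent packet seen from this MAC

class CaptivePortalGateway:
    def __init__(self, max_session=3600, idle_timeout=900):
        # Constructed defaults: one-hour sessions, fifteen-minute idle limit.
        self.max_session = max_session
        self.idle_timeout = idle_timeout
        self.allowed = {}  # MAC address -> Session

    def login(self, mac, now):
        """Called after the user authenticates at the portal page."""
        self.allowed[mac] = Session(started=now, last_seen=now)

    def forward(self, mac, now):
        """Decide whether traffic from `mac` passes. Returns (allowed, reason)."""
        session = self.allowed.get(mac)
        if session is None:
            return False, "unknown MAC: redirect to portal"
        if now - session.started > self.max_session:
            del self.allowed[mac]
            return False, "max session exceeded"
        if now - session.last_seen > self.idle_timeout:
            del self.allowed[mac]
            return False, "idle timeout exceeded"
        session.last_seen = now  # activity extends the idle window only
        return True, "ok"

PHONE_MAC = "02:00:00:aa:bb:cc"  # constructed, locally administered address

def simulate(max_session, idle_timeout, sleep_seconds):
    """Log in at t=0, use the network at t=60, sleep, wake, and report the verdict."""
    gw = CaptivePortalGateway(max_session, idle_timeout)
    gw.login(PHONE_MAC, now=0)
    assert gw.forward(PHONE_MAC, now=60) == (True, "ok")
    woke = 60 + sleep_seconds
    return gw.forward(PHONE_MAC, now=woke)

if __name__ == "__main__":
    two_hours, ten_hours = 2 * 3600, 10 * 3600
    print("1h session, 15m idle, 2h sleep:", simulate(3600, 900, two_hours))
    print("10h session, 15m idle, 2h sleep:", simulate(ten_hours, 900, two_hours))
    print("10h session, 10h idle, 2h sleep:", simulate(ten_hours, ten_hours, two_hours))
    gw = CaptivePortalGateway()
    gw.login(PHONE_MAC, now=0)
    print("same phone, different MAC:", gw.forward("02:00:00:dd:ee:ff", now=1))
```

Raising only the session length is not enough: a phone that sleeps through lunch still trips the idle timeout, so both values have to cover the longest gap in a workday, which is the "10 hours or so" suggestion above. An 802.1X deployment sidesteps the whole allowlist, since the supplicant re-authenticates with stored credentials each time it associates.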