I'm scared of my wireless router
January 4, 2006 10:42 AM

Does a wireless router broadcast all the traffic that goes through it? More particularly, can someone eavesdrop on the traffic to my hardwired computer, just because my wireless router has the radio turned on?

If I understand Ethernet correctly, all the packets are sent to every node, and each node filters out its own traffic. If I have traffic coming in from the net to a wired node, does that get broadcast to the wireless nodes as well? Or do they have some optimization that avoids this waste? I have a Linksys WRT45G if that's relevant.
posted by smackfu to Computers & Internet (33 answers total)
 
A true switch, which most are today, keeps track of which port the destination computers are on, and routes only out that port. This is for security but also improves overall bandwidth of the network since multiple connections can talk over different ports at the same time. Older "routers" broadcast to every port. I don't think I've seen anything for sale except true switches for years, so I think you're good.
posted by RustyBrooks at 10:50 AM on January 4, 2006


The Linksys WRT45G, like most routing switches, is vulnerable to ARP poisoning, which would allow an attacker to monitor all traffic on your wired network.
posted by Jairus at 11:00 AM on January 4, 2006


Your WRT54G contains a switch (as opposed to a hub), so traffic going over an ethernet cable will not be broadcast to the wireless network unless it's destined for a device or devices on the wireless network. Your traffic is safe.
posted by pmbuko at 11:04 AM on January 4, 2006
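The two answers above (a switch learns which port each MAC sits behind and forwards unicast only there; a hub repeats everything) are the whole reason the original question has a reassuring first answer. The following is an added illustration, not code from the thread or from any Linksys firmware: a toy learning switch beside a toy hub, run over the three frames a wired PC exchanges with the router when it starts talking to the Internet. The port names ("cpu" for the router's own interface, "lan1", "lan2", "wlan") and the MAC addresses are constructed for the example.

```python
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    src: str      # source MAC
    dst: str      # destination MAC
    in_port: str  # port the frame arrived on


@dataclass
class LearningSwitch:
    """Hypothetical model of the bridge inside a combo router: the wired LAN
    ports, the radio and the router's own CPU port share one forwarding table."""
    ports: tuple
    table: dict = field(default_factory=dict)  # MAC -> port it was last seen on

    def forward(self, frame):
        """Return the tuple of ports the frame is sent out of."""
        # Learn: remember which port the source MAC lives behind.
        self.table[frame.src] = frame.in_port
        if frame.dst != BROADCAST and frame.dst in self.table:
            out = self.table[frame.dst]
            # Known unicast leaves on exactly one port (none if that is the ingress port).
            return () if out == frame.in_port else (out,)
        # Broadcast or unknown destination: flood to every other port, radio included.
        return tuple(p for p in self.ports if p != frame.in_port)


class Hub:
    """For contrast: a hub repeats every frame to every other port, always."""

    def __init__(self, ports):
        self.ports = ports

    def forward(self, frame):
        return tuple(p for p in self.ports if p != frame.in_port)


def demo():
    ports = ("cpu", "lan1", "lan2", "wlan")  # cpu = the router's own interface
    pc, router = "00:16:41:aa:bb:10", "00:13:10:aa:bb:01"  # constructed MACs
    sw, hub = LearningSwitch(ports), Hub(ports)
    steps = [
        Frame(pc, BROADCAST, "lan1"),  # PC's ARP request for the router: broadcast
        Frame(router, pc, "cpu"),      # router's reply: PC is already learned on lan1
        Frame(pc, router, "lan1"),     # PC's Internet traffic: router is learned on cpu
    ]
    # Each entry: (ports the switch uses, ports the hub uses)
    return [(sw.forward(f), hub.forward(f)) for f in steps]


if __name__ == "__main__":
    for (switched, hubbed) in demo():
        print("switch ->", switched, "   hub ->", hubbed)
```

Only the first frame, the broadcast ARP request, reaches the "wlan" port of the switch; the two unicast frames that carry the PC's actual traffic go to exactly one port each, while the hub repeats all three to the radio. That is also why the rest of the thread turns on ARP: broadcasts are the one part of a wired host's traffic the wireless side still sees.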


Forgive me, but I have some deep suspicions about Jairus's claim that an attacker could monitor all traffic on your wired network, using only the wireless bits.

I'd want to see a successful demonstration before I was convinced that this was a real possibility. Are there any papers on this exact attack available, online?
posted by I Love Tacos at 11:07 AM on January 4, 2006


Your WRT54G contains a switch (as opposed to a hub), so traffic going over an ethernet cable will not be broadcast to the wireless network unless it's destined for a device or devices on the wireless network. Your traffic is safe.

...unless an attacker tells the switch to route the traffic to the attacker instead of the destined PC on the wired network.
posted by Jairus at 11:08 AM on January 4, 2006


OK, so I should have written 'safe'. ARP poisoning could reveal your traffic. Here's a PDF about it.
posted by pmbuko at 11:08 AM on January 4, 2006


I Love Tacos: Here you go. It's a very easy hack.
posted by Jairus at 11:08 AM on January 4, 2006


JINX
posted by Jairus at 11:09 AM on January 4, 2006


I found that PDF about it, but it doesn't actually confirm that modern wireless access points are built with the aforementioned design flaw. It merely states that an unspecified combo device does arp bridging.

As it stands, I still see no reason to either believe or disbelieve that the attack is possible.
posted by I Love Tacos at 11:14 AM on January 4, 2006


Nor does it state that whether the WRT45G's vulnerabilities are cured with any of the available (official or second-hand) firmware updates.
posted by I Love Tacos at 11:17 AM on January 4, 2006


I Love Tacos, it's a MAC layer attack. The flaw is in the protocol implementation, not the device.
posted by Jairus at 11:18 AM on January 4, 2006


There are a number of wireless bridges which heedlessly pass ARP packets from the wired to wireless interfaces, which will allow ARP poisoning on a wireless interface (it's interesting to note that typical solutions to the hidden node problem prevent direct wireless-to-wireless poisoning, though that's even easier to perform a socially structured attack on). I recall Netgears being a problem when I was dealing with all that. It's a real shame there's no clear list of modern hardware that puts the wired/wireless interfaces on the same broadcast domain.

smackfu, the easiest thing to do might be to read up on ARP poisoning and test that very attack to see if it works.

I Love Tacos, it's a MAC layer attack. The flaw is in the protocol implementation, not the device.

Well, yeah, but it's only a real problem with wireless interfaces since you can't control physical access. Separation of the domains means that wired access is secure from such an attack. That's a design flaw.
posted by j.edwards at 11:20 AM on January 4, 2006


j.edwards, yes. The fact that wireless devices were designed around wired security conventions is a design flaw. The problem with ARP which allows spoofed MAC source addresses is a protocol flaw.

WITH THEIR POWERS COMBINED I can read I Love Tacos' wired PC's email from his parking lot.
posted by Jairus at 11:23 AM on January 4, 2006


Jairus-

I'm thinking, and it seems j.edwards is agreeing, that the attack could be defeated by a wireless access point that doesn't bridge arp packets.

I'm not buying the idea that every single wireless device on the market passes arp packets. As for answering the original question, I can't test it as I don't have a WRT45G.

You've established that there's a possible attack, but I've yet to see any evidence that the original poster's unit bridges ARP packets, or if it is possible to make it stop doing so via a firmware upgrade.

The easiest answer is to refrain from buying these "combo" devices in the first place, but given their rabid popularity, a definitive list of vulnerable/not-vulnerable devices would be vastly useful.
posted by I Love Tacos at 11:39 AM on January 4, 2006


I Love Tacos, I am not aware of any routing switches sold for home use which do not allow ARP poisoning. All switched networks are vulnerable to ARP poisoning unless measures are actively taken -- therefore, there does not need to be evidence that the WRT45G is vulnerable, because there is no evidence to the contrary.
posted by Jairus at 11:43 AM on January 4, 2006


I have no trouble believing that arp poisoning is possible on either the wired, or wireless sides, but allowing it between the wired and wireless segments is an almost comically bad design.

This wouldn't be the first time that an absurdly dumb design was put into wide use, but I still find it surprising. Perhaps I'm just unrealistically optimistic.
posted by I Love Tacos at 11:51 AM on January 4, 2006


I Love Tacos, I hate to say this, but there is not a single aspect of wireless security that is not an example of comically bad design.

Not one.
posted by Jairus at 11:53 AM on January 4, 2006


Jairus-

So what would you recommend for the standard home user with one wired PC and one laptop? Am I correct to think that using a dedicated WAP (like a Linksys WAP54G) and a completely separate wired switch will negate this problem?

This is quite obnoxious that the only apparent way to tell if a particular device is a piece of shit is to buy one and see if you got lucky.
posted by I Love Tacos at 12:11 PM on January 4, 2006


Even if you have WEP on, ARP poisoning can still be utilized, and it's also the mode of generating traffic for cracking with Aircrack. Don't know about WPA.
posted by cellphone at 12:24 PM on January 4, 2006


ArpStar is a Linux kernel module that is required to defeat ARP poisoning. It is a 'third party' module and is not part of the standard Linux kernel. It has been ported to the WRT54G, but Linksys has most likely not included it in the firmware for the Linux-based WRT54Gs; one theoretically could download the GPL source for the router to see if they include it, or do a real-world test. As for the new VxWorks versions of the WRT54Gs, as the source for those is closed, a practical test would be required.

Anyway, just don't let outsiders on your wireless network and you don't have to worry about ARP poisoning. Use WPA with a good secure passphrase instead of WEP.
posted by zsazsa at 12:32 PM on January 4, 2006
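Jairus's point a few posts up, that a switched network stays exposed to ARP poisoning "unless measures are actively taken", and zsazsa's mention of ArpStar both come down to the same measure: watching, or pinning, the IP-to-MAC bindings that ARP replies announce. What follows is an added example, not code from the thread, from ArpStar or from Linksys: a small arpwatch-style monitor that keeps the last MAC seen for each IP, raises an alert when an IP silently moves to a different MAC, when one MAC starts claiming several IPs, or when a pinned binding (the gateway's, typically) is contradicted. The sample ARP replies, the addresses in them and the alert wording are all constructed for the example.

```python
from collections import defaultdict

# Constructed sample of ARP replies as (sender_ip, sender_mac) pairs, in the
# order a host on the LAN would see them. 192.168.1.1 plays the gateway.
SAMPLE_REPLIES = [
    ("192.168.1.1",  "00:13:10:aa:bb:01"),
    ("192.168.1.10", "00:16:41:aa:bb:10"),
    ("192.168.1.1",  "00:13:10:aa:bb:01"),  # routine refresh, binding unchanged
    ("192.168.1.1",  "00:0c:29:aa:bb:99"),  # gateway IP now claimed by another MAC
    ("192.168.1.10", "00:0c:29:aa:bb:99"),  # same MAC also claims the PC's IP
]


class ArpMonitor:
    """Tracks IP -> MAC bindings learned from ARP replies and records alerts."""

    def __init__(self, pinned=None):
        self.bindings = {}                 # ip -> MAC it was last announced with
        self.macs = defaultdict(set)       # mac -> every IP it has claimed
        self.pinned = dict(pinned or {})   # ip -> MAC that must never change
        self.alerts = []

    def observe(self, ip, mac):
        """Feed one ARP reply; returns the alerts raised so far."""
        mac = mac.lower()
        if ip in self.pinned and self.pinned[ip] != mac:
            self.alerts.append(
                f"PINNED {ip} claimed by {mac}, expected {self.pinned[ip]}")
        elif ip in self.bindings and self.bindings[ip] != mac:
            self.alerts.append(f"CHANGE {ip} moved {self.bindings[ip]} -> {mac}")
        self.bindings[ip] = mac
        # Alert once per new IP when a single MAC answers for more than one address.
        new_ip = ip not in self.macs[mac]
        self.macs[mac].add(ip)
        if new_ip and len(self.macs[mac]) > 1:
            self.alerts.append(f"MULTI {mac} claims {sorted(self.macs[mac])}")
        return self.alerts


def run_sample(pinned=None):
    """Replay the constructed replies through a monitor and return its alerts."""
    mon = ArpMonitor(pinned)
    for ip, mac in SAMPLE_REPLIES:
        mon.observe(ip, mac)
    return mon.alerts


if __name__ == "__main__":
    print("without pinning:")
    for line in run_sample():
        print("  ", line)
    print("with the gateway pinned:")
    for line in run_sample({"192.168.1.1": "00:13:10:aa:bb:01"}):
        print("  ", line)
```

A CHANGE alert on its own is not proof of anything: a DHCP lease moving to a new machine or a replaced network card produces the same event. Pinning the gateway's binding is the useful knob for a home network, and it is the same idea as a static ARP entry for the gateway on each host, which is the cheapest of the "measures actively taken" that the thread is talking about.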


I Love Tacos, the only really secure way to approach this issue is a triple nat, where the firewall uses NAT on your internet connection, and then feeds down to two other NATs -- one for your wireless network, one for your wired.

I believe that there is a smoothwall plugin that provides this functionality, if you have an old Pentium-90 with 3 network cards lying around.
posted by Jairus at 12:44 PM on January 4, 2006


A physically discrete switch won't make a difference, as it's still part of the same switched network.
posted by Jairus at 12:45 PM on January 4, 2006


Also, I'm pretty sure that WPA won't prevent an ARP-based man in the middle attack, unless there's something I'm missing.
posted by Jairus at 12:47 PM on January 4, 2006


Also, I'm pretty sure that WPA won't prevent an ARP-based man in the middle attack, unless there's something I'm missing.

The ARP packets would have to be encrypted, so it wouldn't work. A well-implemented WPA system with good 2-factor authentication is currently secure (as is passphrase for AES, but that has the usual problems coupled with the inherent insecurities of wireless), but unfortunately there are very few of those around.
posted by j.edwards at 1:10 PM on January 4, 2006


How does WPA prevent arp poisoning? WPA protects the layer 2 link between the AP and the client -- that's fine.

The AP will take all the WPA-encrypted traffic from the client you poisoned, then encrypt it with your own WPA channel with your own key (because you're a valid member of the network, because you've poisoned the ARP).

All WPA does is make the link between client and AP as secure as an ethernet cable would be. An ethernet network is vulnerable to ARP poisoning. So is a WPA network.
posted by Jairus at 1:20 PM on January 4, 2006


Keep in mind, when you do this, you're not breaking WPA. WPA is working great -- but it's a physical/link layer protocol, and protection from a higher-level IP/ARP attack is beyond the scope of the protocol.
posted by Jairus at 1:30 PM on January 4, 2006


All WPA does is make the link between client and AP as secure as an ethernet cable would be. An ethernet network is vulnerable to ARP poisoning. So is a WPA network.

Well, sure, if you're a big dummy and let the poisoner onto your network. That's where the WPA comes in.
posted by kindall at 1:51 PM on January 4, 2006


Response by poster: I was pretty happy after the first three posts, but the rest are depressing.
posted by smackfu at 2:57 PM on January 4, 2006


smackfu-

There's another solution that will work to safeguard the more important data: just make sure all of your sensitive traffic is encrypted. POP and SMTP can both be encrypted, and most online financial transactions are as well.

Unfortunately, there's a host of sites (metafilter included) that don't encrypt submitted passwords. As such, you also have to be extra careful about password-reuse (which isn't a bad policy anyway, since some sites don't encrypt the stored passwords, thus creating a nice database of username/password combos for bad people to try at other, more important websites).
posted by I Love Tacos at 3:14 PM on January 4, 2006


So what you guys are saying is that paying bills online/wireless is a bad idea?
posted by snsranch at 3:16 PM on January 4, 2006


snsranch - Any online banking you do *should* be encrypted (see I Love Tacos' message above) so you're safe. Secure sites will start with https:// and your browser will also probably show a lock in the bottom right-hand corner.
posted by sanitycheck at 4:02 PM on January 4, 2006


Good god this is depressing. I'm assuming that at least one or two of you know what you are talking about, and can speak definitively.

So, the only way you are truly safe (assuming that not all transmissions can be encrypted) is if your combo device is smart enough to avoid bridging ARP.

Luckily, I have the same system as odinsdream. I eagerly await his results.

odinsdream, I don't run the DD-WRT firmware, though. Is there any reason to believe that the bridge-separation is specific to the firmware? IE, just because the DD stuff is careful, the Linksys stuff may not be?

Sigh.
posted by Dunwitty at 6:40 PM on January 4, 2006


Nonono... here's the deal. In a switched ethernet network, once an attacker can read and write to any point in the network he can read all traffic on that network through ARP poisoning. That has been known for years and is a fact of life.

BUT, the entire point of encryption is to make it such that EVEN IF the attacker has every single packet sent and received, he can still not recover any useful information from them, except perhaps information that he infers from the addresses. SSL/TLS (aka https, which you would use for banking) as well as WPA with PSK both achieve this nicely. Thus if you are using either/both of these then yes the attacker can still read all your packets but NO it won't do him a drop of good.
posted by Rhomboid at 10:22 PM on January 4, 2006

