WiFi security, ATT fiber and router.
July 10, 2023 6:56 PM Subscribe
Need to up my security game.
ATT just put my neighborhood on fiber. I got a BGW 320-500 "modem"/router. Then came a few wireless devices, we use I phones but have game consoles, an extender, sonos speakers, a couple of windows computers, etc. I have ATT Smart Home Manager.
For an old man this is pretty cool.
Except: I am constantly getting notifications that "a new device has joined the network". They are always "unknown device".
Sure, I can block them after they already get in, but it's like playing whack a mole.
Is there not a way to make this thing require my permission bore other devices join my network? Being old fashioned, it would be nice if they'd ask first.
One of the devices shows "exposed password" but the security tool wont tell me which device.
Yuuuup, there is a way, and I'll tell you how I do it, but it's a bit tedious. And maybe a bit dated. But it works and my network is Locked The Eff Down.
MAC address filtering.
You go into your router, the device that provides the Wifi signal, and tell it to ONLY allow the devices that you approved. Each wifi device has a "MAC address", sort of a wifi serial number, that is unique. The router will then only allow those serial numbers to connect, in addition to requiring a password. You use the MAC address filtering function, which might be called "access control" or something like that, and it might be under the Advanced menu of your wifi router. You will need to explicitly let in every new device when it shows up, and this is a pain in the f. a. and takes five minutes every time, but it totally works.
At this point I have maybe two dozen devices explicitly allowed, and then the router's default is to deny any other new devices. Even if they know the wifi password. The only way they could get in is if they also figured out "MAC address spoofing", and I'm content that that kind of attack is not going to happen to my little network.
Update the firmware on your wifi router.
If your BGW thing won't let you do the above, get a wifi router and connect THAT to the AT&T device. That's how I'm set up. Internet -> AT&T modem -> my own router -> my devices.
posted by intermod at 7:48 PM on July 10, 2023
MAC address filtering.
You go into your router, the device that provides the Wifi signal, and tell it to ONLY allow the devices that you approved. Each wifi device has a "MAC address", sort of a wifi serial number, that is unique. The router will then only allow those serial numbers to connect, in addition to requiring a password. You use the MAC address filtering function, which might be called "access control" or something like that, and it might be under the Advanced menu of your wifi router. You will need to explicitly let in every new device when it shows up, and this is a pain in the f. a. and takes five minutes every time, but it totally works.
At this point I have maybe two dozen devices explicitly allowed, and then the router's default is to deny any other new devices. Even if they know the wifi password. The only way they could get in is if they also figured out "MAC address spoofing", and I'm content that that kind of attack is not going to happen to my little network.
Update the firmware on your wifi router.
If your BGW thing won't let you do the above, get a wifi router and connect THAT to the AT&T device. That's how I'm set up. Internet -> AT&T modem -> my own router -> my devices.
posted by intermod at 7:48 PM on July 10, 2023
Do you have any devices that have MAC address randomization turned on?
posted by zamboni at 9:02 PM on July 10, 2023 [2 favorites]
posted by zamboni at 9:02 PM on July 10, 2023 [2 favorites]
nth-ing MAC address randomization as the probable cause. My Eero network's app notifies me about a "new device" connecting whenever my parents, in-laws, and friends get within about 10 metres of our house, provided they haven't visited in the last 7 days, because their phones (Android and iPhone) randomize the MAC address they connect from.
I disabled randomization when connected to our home network on all my and my partner's devices, but haven't had a chance to do this on my extended family's devices. Actually it's kind of a useful early notification for when our kids are about to hammer on the door!
posted by wjt at 2:59 AM on July 11, 2023
I disabled randomization when connected to our home network on all my and my partner's devices, but haven't had a chance to do this on my extended family's devices. Actually it's kind of a useful early notification for when our kids are about to hammer on the door!
posted by wjt at 2:59 AM on July 11, 2023
If these nuisance devices are iPhone, it's the new Wi-Fi Privacy feature in iOS.
I own a BGW320 and there's no way to control this in Smart Home Manager or the BGW320 configuration itself (go to 192.168.1.254 and poke around). You can turn off the announcements if that helps (Settings->App Preferences)
The answer I use is what intermod says. Get a router like an Eero, set your BGW320 to passthru mode, and let the Eero handle device connections when randomization is happening. Their firmware can handle this, especially iPhones.
posted by JoeZydeco at 4:37 AM on July 11, 2023
I own a BGW320 and there's no way to control this in Smart Home Manager or the BGW320 configuration itself (go to 192.168.1.254 and poke around). You can turn off the announcements if that helps (Settings->App Preferences)
The answer I use is what intermod says. Get a router like an Eero, set your BGW320 to passthru mode, and let the Eero handle device connections when randomization is happening. Their firmware can handle this, especially iPhones.
posted by JoeZydeco at 4:37 AM on July 11, 2023
I've seen OEM Windows 10 installations with MAC address randomization turned on by default for wireless network connections, and I believe recent versions of iOS and Android do it too. It's a pain in the arse for network stability and in my estimation offers mainly privacy theatre, very little actual privacy.
The technical ability to implement MAC address randomization also implies the ability to implement arbitrary MAC address spoofing, which makes MAC address filters, like SSID hiding, security theatre at best. I recommend not doing these things. All they really do is add extra failure modes to your wireless network for legitimate users.
If you want to keep your local wireless network as secure as any of these things possibly can be, the rules are the same as they ever were: turn off WPS, use visible (i.e. non-hidden) SSIDs in conjunction with long, machine-generated WPA2 passwords, and be selective about who you hand those out to.
I like to use passwords in the form of five dot-separated groups of five lowercase letters for applications like this (e.g. beiez.kughc.yzppa.mjnmr.jmrvu). They're still a nuisance, but the fact that you can write them down unambiguously helps, as does being able to input them on a touchscreen device's soft keyboard without toggling between cases and/or alphanumeric entry modes.
A reasonable balance between security and convenience can be had by running two SSIDs, one for your own use and one for guests. Even if both of them are set up with access to the same underlying network, thereby giving your guests access to all the same resources your own devices have, this is a security win because you can re-randomize the guest WPA2 password after the guests leave without the disincentive of also needing to change them on all your own wifi-connected devices as well.
And if your own devices allow you to control MAC address randomization per wifi connection rather than for wifi as a whole, you can turn it off on stuff you connect to your own SSID which should get rid of nuisance notifications except on the guest network where you'd kind of expect them.
The next security improvement would be to use VLANs to separate the network resources available to guests from those available to you. For example, you could set up the guest wifi so that the only thing that guests could use it for was Internet access, disallowing them from messing with e.g. your security cameras. But that's probably overkill for a home network.
posted by flabdablet at 4:40 AM on July 11, 2023 [2 favorites]
The technical ability to implement MAC address randomization also implies the ability to implement arbitrary MAC address spoofing, which makes MAC address filters, like SSID hiding, security theatre at best. I recommend not doing these things. All they really do is add extra failure modes to your wireless network for legitimate users.
If you want to keep your local wireless network as secure as any of these things possibly can be, the rules are the same as they ever were: turn off WPS, use visible (i.e. non-hidden) SSIDs in conjunction with long, machine-generated WPA2 passwords, and be selective about who you hand those out to.
I like to use passwords in the form of five dot-separated groups of five lowercase letters for applications like this (e.g. beiez.kughc.yzppa.mjnmr.jmrvu). They're still a nuisance, but the fact that you can write them down unambiguously helps, as does being able to input them on a touchscreen device's soft keyboard without toggling between cases and/or alphanumeric entry modes.
A reasonable balance between security and convenience can be had by running two SSIDs, one for your own use and one for guests. Even if both of them are set up with access to the same underlying network, thereby giving your guests access to all the same resources your own devices have, this is a security win because you can re-randomize the guest WPA2 password after the guests leave without the disincentive of also needing to change them on all your own wifi-connected devices as well.
And if your own devices allow you to control MAC address randomization per wifi connection rather than for wifi as a whole, you can turn it off on stuff you connect to your own SSID which should get rid of nuisance notifications except on the guest network where you'd kind of expect them.
The next security improvement would be to use VLANs to separate the network resources available to guests from those available to you. For example, you could set up the guest wifi so that the only thing that guests could use it for was Internet access, disallowing them from messing with e.g. your security cameras. But that's probably overkill for a home network.
posted by flabdablet at 4:40 AM on July 11, 2023 [2 favorites]
Ohhhh yeah MAC address randomization won't work with the security step I described above (MAC address filtering). Mrs. Intermod got a new phone last month and I had to have her turn that off.
posted by intermod at 6:34 AM on July 11, 2023
posted by intermod at 6:34 AM on July 11, 2023
I have maybe two dozen devices explicitly allowed, and then the router's default is to deny any other new devices. Even if they know the wifi password. The only way they could get in is if they also figured out "MAC address spoofing", and I'm content that that kind of attack is not going to happen to my little network.
Brute force attacks against weak WPA2 passwords are generally done by capturing a longish sample of encrypted wifi traffic - half an hour or so is generally more than enough - and then subjecting the captured data to an offline encryption key guessing attack.
If that attack is successful, there is a very high likelihood that a decent sample of the network's in-use MAC addresses will then be trivially visible in the cracked captured data. I find it difficult to imagine that an attacker with the skills and tools required to crack a WPA2 password would not then be able to spoof a MAC address successfully.
The only class of connecting client for which MAC address filtering is likely to present a significant obstacle is legitimate network users, as Mrs Intermod's recent experience clearly shows.
If you want to lock a wifi network the eff down, MAC address filtering is not gonna do it for you. What you need (and all you need) is a machine-generated WPA2 password that's long enough to make brute force cracking infeasible. Done right, using such passwords is both more secure and more convenient than maintaining MAC address filters or hiding SSIDs.
posted by flabdablet at 1:42 PM on July 11, 2023 [1 favorite]
Brute force attacks against weak WPA2 passwords are generally done by capturing a longish sample of encrypted wifi traffic - half an hour or so is generally more than enough - and then subjecting the captured data to an offline encryption key guessing attack.
If that attack is successful, there is a very high likelihood that a decent sample of the network's in-use MAC addresses will then be trivially visible in the cracked captured data. I find it difficult to imagine that an attacker with the skills and tools required to crack a WPA2 password would not then be able to spoof a MAC address successfully.
The only class of connecting client for which MAC address filtering is likely to present a significant obstacle is legitimate network users, as Mrs Intermod's recent experience clearly shows.
If you want to lock a wifi network the eff down, MAC address filtering is not gonna do it for you. What you need (and all you need) is a machine-generated WPA2 password that's long enough to make brute force cracking infeasible. Done right, using such passwords is both more secure and more convenient than maintaining MAC address filters or hiding SSIDs.
posted by flabdablet at 1:42 PM on July 11, 2023 [1 favorite]
How about that? HowToGeek agrees with me.
6 Tricks That Won’t Secure Your Wi-Fi (And 6 That Will)
The only point where we differ is that their writer rates using passwords that would take billions of years to crack as security theatre; I don't. Offline cracking rates only ever get faster, never slower.
Wifi passwords simply don't need to get entered into things all that often because the devices are all built to remember them, so it makes no sense to me to make them human-memorable; easy to write down and key in is plenty good enough. It takes very little extra time and attention to enter a 5.5.5.5.5-format random lowercase password compared to a more Correct Horse Battery Staple alternative, and its 117 bits of entropy mean that it will still need billions of years to guess even if cracking tools get billions of times faster.
To me, the slight inconvenience of my preferred password format is a price I'm more than willing to pay to avoid needing to worry at all about the current state of the cracking arts.
posted by flabdablet at 2:09 PM on July 11, 2023
6 Tricks That Won’t Secure Your Wi-Fi (And 6 That Will)
The only point where we differ is that their writer rates using passwords that would take billions of years to crack as security theatre; I don't. Offline cracking rates only ever get faster, never slower.
Wifi passwords simply don't need to get entered into things all that often because the devices are all built to remember them, so it makes no sense to me to make them human-memorable; easy to write down and key in is plenty good enough. It takes very little extra time and attention to enter a 5.5.5.5.5-format random lowercase password compared to a more Correct Horse Battery Staple alternative, and its 117 bits of entropy mean that it will still need billions of years to guess even if cracking tools get billions of times faster.
To me, the slight inconvenience of my preferred password format is a price I'm more than willing to pay to avoid needing to worry at all about the current state of the cracking arts.
posted by flabdablet at 2:09 PM on July 11, 2023
This thread is closed to new comments.
...with respect to the exposed password issue, that's their "ActiveArmor" and in the majority of cases it means that a password hash which matches yours has been found posted somewhere online. It usually does not mean that your specific login+password has been found, just that someone in the world has also used (for example) "Bob1234" as their password for something, and so you are at slightly higher risk (kinda, not really).
[edit: I am assuming, in the foregoing, that you are using an appropriately-complex password and have not just set your wifi to, I dunno, "ABCDEFGH" or something trivially-guessable. If the latter, then you do have security problems to address.]
posted by aramaic at 7:28 PM on July 10, 2023