Thoughts and questions about WiFi Security

For discussions about security.
Snail
Posts: 43
Joined: Wed Jul 27, 2022 1:13 am
Has thanked: 16 times

Thoughts and questions about WiFi Security

Post by Snail »

This thread has a lot of good advice on securing Puppy in itself. However, I can't see anything about securing WiFi here. I am no expert but is it not possible that, if you are connecting to the internet via a WiFi link that is insecure, then the very best security of your computer will not prevent an attacker obtaining sensitive info, e.g. bank account details and passwords?

I have been a bit lax about security in the past but increasing levels of computer crime are starting to worry me. What really got me concerned was when my ISP provided me with a new WiFi router/modem. Immediately after it was installed, my iPad warned me about an insecure connection, because of TKIP. My ISP is a local company and has always had very high levels of customer satisfaction in the past. They do have one peculiarity, they prefer to keep the router management to themselves, hence I cannot see or change my router settings myself, I have to ask them to do it for me. I am now getting a bit concerned about this.

TKIP is known to be insecure and has been for quite some time. As far as I have been able to find out, currently the only safe WiFi encryption schemes are WPA2, using AES and WPA3. I have seen recommendations that the best current setting for home routers, is to allow WPA2-AES and WPA3 and no other schemes. This should be fine for any machine built in the last dozen or so years.

When I asked my ISP about the iPad message, I was assured that it was nothing to worry about, it was just Apple being weird. However, I later confronted them with the fact that iwlist also showed TKIP was switched on. The support guy then admitted that it was true that TKIP was active on their routers. I asked him to disable TKIP on my router and he agreed. However, the following day, I re-ran iwlist and got:

Output from "iwlist wlan0 scan"

    IE: IEEE 802.11i/WPA2 Version 1
        Group Cipher : TKIP
        Pairwise Ciphers (2) : CCMP TKIP
        Authentication Suites (1) : PSK
    IE: WPA Version 1
        Group Cipher : TKIP
        Pairwise Ciphers (2) : CCMP TKIP
        Authentication Suites (1) : PSK

It appears that iwlist is being deprecated, so I ran iw and got a slightly different output:

Output from "iw wlan0 scan"

    RSN:     * Version: 1
             * Group cipher: TKIP
             * Pairwise ciphers: CCMP TKIP
             * Authentication suites: PSK
             * Capabilities: 1-PTKSA-RC 1-GTKSA-RC (0x0000)
    WPA:     * Version: 1
             * Group cipher: TKIP
             * Pairwise ciphers: CCMP TKIP
             * Authentication suites: PSK

Is RSN just another term for WPA2?
Is CCMP another term for AES, as I assume from my Googling?

I assume that the above output is just what the router is offering to the clients?

I am running Fossapup64 9.5 frugally installed on a Thinkpad T400. The Internet connection wizard offers SNS, Frisbee and Network Wizard. Only the Wizard allows me to force WPA2 and even it provides no way to force AES (or CCMP?). Only Frisbee reports on the encryption of the network, after Frisbee sets it up, and it connects using WPA_TKIP, not even WPA2-TKIP.

How do I force WPA2-AES in Puppy? How do I check that the setup forcing has been successful? Are there later versions of the Puppy connection helpers that do a good job in this regard and do they work in Fossapup64 9.5?

If I can only set up some of my client devices to use WPA2-AES and others are still using TKIP, will I be safe only employing the AES-using devices for sensitive work, or not?

I am surprised that a relatively recent Puppy allows the naive user to set up an insecure network. Surely, this needs fixing in all Puppies?

Of course, the best solution would be to change the router allowable encryption. I will of course be taking this up further with the ISP. If they do manage to block WPA1 and TKIP, will that break the Puppy connection apps?

The new router is a Huawei DG8245V-10. There is very little useful on the web about setting up encryption on this router but, what there is suggests to me that there may not be a WPA2-AES only nor a WPA2-AES + WPA3 setting available in the software. Way to make spying easier I guess!
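
The scan output quoted in the post above lists the group cipher (broadcast/multicast) separately from the pairwise ciphers (unicast); RSN is the 802.11i element that iwlist labels "IEEE 802.11i/WPA2", and CCMP is the AES-based cipher. The shell function below is an added example, not part of the thread: it reads `iw <iface> scan` output on stdin and labels each RSN/WPA element. The function names, SSIDs and BSS addresses are constructed; the cipher lines for the first network are the ones from the post.

```shell
#!/bin/sh
# Added example: classify the cipher suites an access point advertises,
# reading `iw <iface> scan` output on stdin. One result line per RSN/WPA element.
audit_iw_scan() {
    awk '
    function report() {
        if (ie == "") return
        verdict = "OK"
        if (ie == "WPA")         verdict = "WPA1"           # legacy WPA element offered
        else if (pair ~ /TKIP/)  verdict = "TKIP-PAIRWISE"  # unicast may negotiate TKIP
        else if (group ~ /TKIP/) verdict = "TKIP-GROUP"     # broadcast/multicast under TKIP
        gsub(/ /, "+", pair)
        printf "%s %s group=%s pairwise=%s %s\n", ssid, ie, group, pair, verdict
        ie = ""
    }
    /^BSS /             { report(); ssid = "?"; next }
    /^[ \t]*SSID: /     { sub(/^[ \t]*SSID: /, ""); ssid = $0; next }
    /^[ \t]*(RSN|WPA):/ { report(); ie = ($1 == "RSN:") ? "RSN" : "WPA"; group = pair = ""; next }
    ie != "" && /Group cipher: /     { sub(/.*Group cipher: /, "");     group = $0; next }
    ie != "" && /Pairwise ciphers: / { sub(/.*Pairwise ciphers: /, ""); pair = $0;  next }
    END { report() }
    '
}

# Constructed sample: first network uses the cipher lines from the post,
# second network is a hypothetical CCMP-only access point for comparison.
sample_scan() {
    cat <<'EOF'
BSS 02:00:00:00:00:01(on wlan0)
    SSID: isp-router
    RSN:     * Version: 1
             * Group cipher: TKIP
             * Pairwise ciphers: CCMP TKIP
             * Authentication suites: PSK
    WPA:     * Version: 1
             * Group cipher: TKIP
             * Pairwise ciphers: CCMP TKIP
             * Authentication suites: PSK
BSS 02:00:00:00:00:02(on wlan0)
    SSID: own-router
    RSN:     * Version: 1
             * Group cipher: CCMP
             * Pairwise ciphers: CCMP
             * Authentication suites: PSK
EOF
}

sample_scan | audit_iw_scan
```

For live data, pipe the real scan in with `iw wlan0 scan | audit_iw_scan`. The group cipher is chosen by the access point, so a TKIP group cipher on the RSN line can only be removed by changing the router settings, whatever pairwise cipher the client selects.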

Wiz57
Moderator
Posts: 478
Joined: Fri Dec 13, 2019 3:54 pm
Location: Chickasha, OK USA
Has thanked: 74 times
Been thanked: 75 times

Re: WiFi Security

Post by Wiz57 »

One method I can think of right off the top of my head would be to purchase your own WiFi router/access point, not from Huawei,
that allows YOU the user to adjust settings. Connect it to your ISP's modem, and set it up to use WPA/WPA2, and connect
your devices to it instead of your ISP supplied modem/router. Puppy as well as other OSes (iPadOS, Windows, MacOS, Android)
will use the encryption specified by the router...which is why you see the warning on your iPad when connecting to your ISP
supplied router, you cannot force the OS to employ encryption not supported by the modem/router.
Wiz

Signature available upon request

bigpup
Moderator
Posts: 6268
Joined: Tue Jul 14, 2020 11:19 pm
Location: Earth, South Eastern U.S.
Has thanked: 732 times
Been thanked: 1292 times

Re: Thoughts and questions about WiFi Security

Post by bigpup »

That is exactly what I do.

Use my own WIFI router to supply the WIFI signal.

I have total control of all settings it uses.

One important one is what channel it is broadcasting on.
2.4GHz signal only has a small number of channels and most of them overlap.
So if there are a lot of WIFI signals in your area, good chance several of them could be using the same channel you are.
By default most WIFI routers are set to the same channel when you buy them.
So changing the channel to one not used or used the least is a good idea.

All my Internet service provides is an Ethernet connection I can hook the WIFI router to, that provides connection to their service, and the Internet.

The other thing is the service provider I use wants a monthly charge to use their supplied WIFI router.

Over a year's time, I could buy two WiFi routers, for what it costs in their monthly charge. :thumbdown: :roll:

They have to provide the Ethernet connection for free, so you can even use their service.

Note:
I do not think any Puppy version can use any higher setting than WPA2
That is the highest setting I have seen in any of the Puppy connection programs.

Forum Global Moderator
The things you do not tell us, are usually the clue to fixing the problem.
When I was a kid, I wanted to be older.
This is not what I expected :o

Snail
Posts: 43
Joined: Wed Jul 27, 2022 1:13 am
Has thanked: 16 times

Re: Thoughts and questions about WiFi Security

Post by Snail »

Wiz57 said:

One method I can think of right off the top of my head would be to purchase your own WiFi router/access point, not from Huawei,
that allows YOU the user to adjust settings. Connect it to your ISP's modem, and set it up to use WPA/WPA2, and connect
your devices to it instead of your ISP supplied modem/router. Puppy as well as other OSes (iPadOS, Windows, MacOS, Android)
will use the encryption specified by the router...which is why you see the warning on your iPad when connecting to your ISP
supplied router, you cannot force the OS to employ encryption not supported by the modem/router.
Wiz

Hi Wiz,

Thank you for replying. I could, of course, buy a new router. It could answer my personal worries and WiFi routers are not too expensive. However, I am concerned that other people may be at risk and my buying a router would do nothing to help them.

My reasons for posting are:

* To find out as much as I can before going back to my ISP. So far, they seem to be less than transparent about the issue, which is surprising, because they have had a very good reputation for service and support in the past. I need to know more before getting into any arguments.
* To see if it is possible to get adequate security at all if the router settings remain as they currently are. Note that the iw scan output indicates that the router is currently offering the acceptable WPA2_CCMP but, unfortunately, it is also serving up other seriously insecure options. My understanding is that it should be possible to force my Puppy device to use WPA2_CCMP for one-to-one communications, given the right software. True or false? Unfortunately, multicast communication always uses the oldest encryption option that the router is offering, will that be a problem?
* To find out how to set up an acceptable network connection in Puppy, using the current router settings.
* If the current Puppy connection tools can't guarantee the best available encryption option is chosen, or if they can but the unavoidable multicast issue is critical, perhaps Pups need to sound a warning when the network is unsafe. iPadOS is doing that but not very visibly, it's buried in "Settings". It was my hope that this thread may attract some discussion by Puppy WiFi experts on this issue.

I would also like to ask if anyone has knowledge about this particular Huawei DG8245V-10 router. What encryption choices does this router actually offer? Huawei's websites are very confusing but give me the impression that a safe, logical option is not available from the standard router login. Is this true? If it is, surely it can be fixed in software/firmware? Is such a fix available?

Hi bigpup,

Again a new router could soothe my personal worries but I'd still be concerned about others at risk, including my ISP's other customers and non-expert Puppy users, such as myself.

The router is connected to the wider internet via a cat5e cable connected to an ONT, which is the fibre terminal in my house. (New Zealand has fibre to the home in most suburbs.)

I am in suburbia and my garden and those of my neighbours are reasonably large. iw scan and my iPad are only detecting two other networks at the moment and I haven't seen more than 4 at any time. I do suspect there is another source of RF interference around however, so channel-hopping may be a good idea.

Wiz57
Moderator
Posts: 478
Joined: Fri Dec 13, 2019 3:54 pm
Location: Chickasha, OK USA
Has thanked: 74 times
Been thanked: 75 times

Re: Thoughts and questions about WiFi Security

Post by Wiz57 »

@Snail Huawei was banned in the USA a few years back, I have no experience with any of their kit, so I can't give
a really informed answer. As for what others would risk connecting to your ISP supplied router, that risk is on them, much like the
risk one might take on when using "free" public WiFi at a coffee shop...in those situations it is not recommended to perform any
sensitive transactions while using that WiFi.
Wiz

bigpup
Moderator
Posts: 6268
Joined: Tue Jul 14, 2020 11:19 pm
Location: Earth, South Eastern U.S.
Has thanked: 732 times
Been thanked: 1292 times

Re: Thoughts and questions about WiFi Security

Post by bigpup »

I do not think you understand what the WIFI signal security is about.
The security used is to protect from the ability of someone in the range of your transmitted WIFI signal, being able to read and understand what you are sending over your WIFI.
They can see your WIFI signal and receive it, but do nothing with it.
Just like you scanning your area for WIFI signals. You see them, but your specific signal is the only one you can use.
With WPA, WPA2, WPA3 etc....... your signal is scrambled up between your computer and your WIFI router.
Those two devices understand the WIFI signal, but not someone else that is trying to use the signal or receiving it.
Plus you should have a password, that only your computer and WIFI router know, that even allows connection to the WIFI router.

It looks to me that your service provider is not wanting to have to answer questions about WIFI signal security options and keep their provided equipment setup as simple as possible.
Do they even have it setup to need a password to even make a connection?
Plus do not have to deal with someone making wrong settings in the router setup, if they are only ones able to make settings in it.


Snail
Posts: 43
Joined: Wed Jul 27, 2022 1:13 am
Has thanked: 16 times

Re: Thoughts and questions about WiFi Security

Post by Snail »

I am sorry bigpup but I find your latest post more than a bit insulting. What, in my posts, leads you to the conclusion that I am that stupid? I admit that I am no expert but, although old, I am not yet completely senile.

Of course cracking my WiFi encryption would not allow an attacker to damage my OS or my personal data. In fact, even if they could, it wouldn’t matter much, I don’t keep sensitive stuff on any of my devices, not even passwords, except my WiFi one that is. That doesn’t alter the fact that sniffed WiFi packets can reveal my banking details and other internet passwords, once encryption is broken.

Naturally I have a WiFi password set up. I had to get my ISP to load my chosen SSID and password into the router before I picked it up though. I know that is a potential security breach in itself but, in the past, I trusted them not to keep any records, because of their excellent reputation and the fact that both their Head Office and help desk are located in my smallish town, less than 2km from my house.

Yes, it is obvious that the ISP is doing what they do to reduce administration costs, especially regarding router setup. Support will be costly for them because they employ relatively expensive locals, rather than Indians in India, who in my bitter experience are culturally incapable of being helpful. That’s why they provide routers free of charge and do the admin remotely. In the past however, they were prepared to tell me the router login details, they have tightened up on this now. I am re-thinking this setup now, of course. I am still considering what I can do to help my fellow customers. Doing so will require me to learn more, so they cannot snow me as they nearly succeeded in doing at first. “Just Apple being weird” they said! I had hoped to get some useful answers here.

bigpup
Moderator
Posts: 6268
Joined: Tue Jul 14, 2020 11:19 pm
Location: Earth, South Eastern U.S.
Has thanked: 732 times
Been thanked: 1292 times

Re: Thoughts and questions about WiFi Security

Post by bigpup »

No one is stupid!!! :!:

But if you ask questions, we have no way of knowing what you do or do not know until you tell us!
If you already know what we are giving information about, then just tell us you already know it.

WE ONLY KNOW WHAT YOU TELL US!

If the above information was in your first post we would have better understood you!

You seem to already understand this stuff!

We gave you the best advice.

Use your own WIFI router that you can have total control of it and its settings!
