Separate Encryption; Does local device isolation work?

mg55

Occasional Visitor
Tell me if this is right: The WiFi SSID password is used to create the encryption code, so if your wireless router has just one SSID, or multiple SSIDs that share the same password, all the local devices that use WiFi on your local network can see each other's traffic, violating your privacy if any of those devices, many of which may not be very secure in the modern age in which everything more sophisticated than a toothbrush uses WiFi, are hacked.

Presumably, for devices that use it, HTTPS encrypts that traffic in a way other devices can't easily decode, but can any of the local devices send packets to initiate a man-in-the-middle attack, fooling devices that I want to be reasonably secure, like PCs passing financially valuable info like passwords and credit cards, into disclosing that info?

What if I turn on device isolation, assuming my router supports it? Does it somehow solve these problems?

Will creating separate SSIDs for each device that needs to be secure, with separate passwords, fix the problem?

If so, does any DD-WRT or OpenWRT or similar open software compatible router support creating many SSIDs?

Also, do the same things apply to wired connections, or is the data on each Ethernet port of a router unique to that device?

I apologize for asking such basic questions here. I really don't understand network security very well.
 

degrub

Very Senior Member
You would have to take over the access point or the router to do what you think, at least on a basic level. That gives the ability to be in the middle in a trusted zone.

You are far, far, far more likely to fall for a phishing email, a drive-by malicious website, or a tampered-with download on a dodgy server somewhere than any of the things you mentioned.
If it really is a concern, put each device on its own VLAN and one for “guests” and be done with the local network portion.
 

mg55

Occasional Visitor
Thanks.

I can't take over the ISP's router. It is controlled by my landlord, who didn't give me the administrative password.

I'm quite careful of phishing emails and downloads. You wouldn't believe the degree of paranoia I employ. Paranoia is completely crazy, but it usually works. :)

But I don't want a questionable app on an unsecured device to gain access to my bank, eBay or Netflix accounts. So I use my own second-stage router to feed my own devices, and try to get as much device isolation as I can.

Presumably, https encryption mostly takes care of interception by other devices on the ISP's router. Though I think I see what you mean - a man-in-the-middle attack from another device on the ISP's router, or anywhere in the entire network route, could fool my router into connecting to a spoofed remote server. Is there a good solution to that, i.e., some reasonably cheap easy way to authenticate common remote servers that I don't control?

Anyway, I would love it if someone would answer my original questions.
 

MichaelCG

Very Senior Member
Using WPA2-PSK, yes, anyone that figures out the PSK can pretty much see all flows. If you are this paranoid, don't use WiFi. Someone can always sniff that traffic. You will always be at the mercy of how well the authentication and encryption methods of the WiFi hold up over time. The truly paranoid would use a VPN over the WiFi. That is what we used to do back in the WPA days in the Enterprises. We couldn't trust the WiFi to be secure, so we used a VPN over the WiFi to enforce our encryption requirements.

Now for your original question, this is usually why you don't use PSK methods for WiFi. In most Enterprise networks, you use one of the EAP methods instead, which means each device gets uniquely authenticated and their key exchanges are completely unique. Rarely is this an easy setup to configure and support for the home user. Creating a unique SSID per device does not scale up very well. There are technical limits on how many SSIDs an AP supports, and you will eventually reach a limit of how much airspace/airtime is being consumed by management frames for each SSID.

A MitM attack requires more than just network access if HTTPS is involved. Any MitM attack involving HTTPS "should" throw certificate errors that a user would have to click through.

In the wired world....on most consumer routers the switch is just a Layer2 bridge with little to no segmentation between the LAN ports. This really depends on the model of router/switch and the features they support. In a switched environment, the traffic by default is not seen by all devices on the switch. But using ARP spoofing, you can trick flows into being directed to other ports of the switch. This is why encryption in transit is critical no matter what. The certificates help your user know they are actually talking to the correct server. The encryption helps prevent someone who can actually capture the packets from being able to decipher the contents.
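A defender-side check for the ARP redirection mentioned in the post above, as an added example that is not part of the thread: it flags an IP address that moves to a different MAC and a MAC that answers for more than one IP. The observation list, addresses and the function name `arp_anomalies` are constructed for illustration.

```python
from collections import defaultdict

# Constructed observations of ARP replies on one LAN: (seconds, sender IP, sender MAC).
OBSERVATIONS = [
    (0,  "192.168.1.1",  "02:00:00:00:00:01"),  # gateway
    (1,  "192.168.1.20", "02:00:00:00:00:20"),  # PC
    (2,  "192.168.1.30", "02:00:00:00:00:30"),  # IoT device
    (60, "192.168.1.1",  "02:00:00:00:00:30"),  # gateway IP now claimed by the IoT MAC
    (61, "192.168.1.1",  "02:00:00:00:00:30"),
    (62, "192.168.1.20", "02:00:00:00:00:20"),
]

def arp_anomalies(observations):
    """Return (ip_rebinds, multi_ip_macs).

    ip_rebinds:    [(time, ip, old_mac, new_mac)] each time an IP moved to another MAC.
    multi_ip_macs: {mac: [ips]} for MACs that currently answer for more than one IP.
    A DHCP lease handed to a new device also produces a rebind, so treat a hit
    as something to look at, with the gateway address the one that matters most.
    """
    current = {}
    rebinds = []
    for ts, ip, mac in sorted(observations):
        mac = mac.lower()
        old = current.get(ip)
        if old is not None and old != mac:
            rebinds.append((ts, ip, old, mac))
        current[ip] = mac
    by_mac = defaultdict(set)
    for ip, mac in current.items():
        by_mac[mac].add(ip)
    multi = {m: sorted(ips) for m, ips in by_mac.items() if len(ips) > 1}
    return rebinds, multi

if __name__ == "__main__":
    rebinds, multi = arp_anomalies(OBSERVATIONS)
    for ts, ip, old, new in rebinds:
        print(f"t={ts}s {ip} moved from {old} to {new}")
    for mac, ips in multi.items():
        print(f"{mac} answers for {', '.join(ips)}")
```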
 

mg55

Occasional Visitor
Wait - I just realized something:

Most PC browsers have an option to do server authentication. Maybe that, combined with https encryption, is enough to provide the isolation I want, for financially valuable remote accounts, and I can almost completely ignore all these questions??

So why is there a security problem connecting to an unsecured public WiFi net?

Though I think Android phones are not very secure - often when I use one to view my gmail account or use my Google Voice # through hangouts, the gmail account seems to get hacked. I'm not sure if Chrome, Firefox or Hangouts on Android uses server authentication.

"Don't use WiFi" isn't an option for me. Many of my devices are not wired. E.g., my Android phone, some home hifi stuff, a glucose meter, a GPS, my car...

I'm looking up the "ARP spoofing" thing you mention.

I'm very disappointed that router ports are usually configured like switches. That seems crazy, and kills much of the security I assumed was there. Though I guess it means I might as well use a cheap external switch to increase the number of Ethernet ports that reasonably priced home "wireless" routers provide.
 

MichaelCG

Very Senior Member
The TLS handshake on its own when using a public certificate is server authentication. Your client contacts the server, the server replies back with a certificate that is issued by a trusted authority, your browser compares the name on the cert to the name you typed in along with the issuer of the cert, and if they match and the issuer is trusted by the browser, your client has now confirmed it is talking to the correct server.

Android, iOS, Windows, Linux, MacOS....they all have issues. There is not a single solution here. If you browse the web from the device or use apps from the app store, you are at risk. You cannot eliminate all risk here...you are consuming services from the Internet on consumer grade devices using consumer grade network and security equipment. Your primary risk mitigations will be to follow best practices on patching, passwords, and restricting access to the Internet. Do NOT permit your "secure" systems to even talk to the Internet except to specific white listed sites enforced by a FW and/or proxy server. Do NOT permit your "secure" systems to have access to or from any other systems.

Usually by the time you really "secure" your system, it is no longer really usable and it now is just an annoyance.

If your Android phone usage with GMail or GVoice gets your account hacked, then your device has issues. I have used Android, iOS, Chrome, Windows, Linux, etc for years with these services and do not have the experience you have. I have family who blame Google for lots of things....then I watch them on how they use their phone and their passwords and it makes complete sense on why they keep getting compromised. They are doing stupid things, browsing all kinds of stupid shirt, installing apps left and right, and they use a stupid password that they use on 254 other sites...and that password is written on a sticky note on their monitor.
 

RMerlin

Asuswrt-Merlin dev
> Using WPA2-PSK, yes anyone that figures out the PSK can pretty much see all flows.
I'm not sure about that. Wifi uses two separate keys, one of which will rotate (by default every 3600 seconds).

Someone with better understanding on how wifi encryption works at the lower-level might be able to confirm this.
 

MichaelCG

Very Senior Member
Note...I have a much longer reply that got flagged for moderation...guessing my use of a specific curse word got it flagged...be patient, I'm sure they will either edit my post and/or hopefully approve it.

PSK...I haven't kept up on WiFi security attacks for many years. I know back in the WPA1 days, it worked that way. I could run kismet (I think that is what it was???) or even wireshark (with correct WiFi module and driver) and capture PSK traffic flows and decrypt if I had the PSK. That may have changed with WPA2...not too sure. Through the mid-2000s this was one of my areas of focus at work. After 2010'ish, my focus shifted as I changed jobs and haven't had as much time nor motivation to keep current.
 

MichaelCG

Very Senior Member
A quick Google search confirms my "theory" as at least not being too far-fetched....again...it has been many many years since I have actually done this so I cannot confirm personally that this works on modern equipment.

https://mrncciew.com/2014/08/16/decrypt-wpa2-psk-using-wireshark/

This is roughly the idea that I was mentioning. If you have the PSK and capture enough traffic, I'm fairly confident you can decrypt the large majority of it fairly easily. I do hope others who have more current expertise chime in here.
 

ColinTaylor

Part of the Furniture
> I'm not sure about that. Wifi uses two separate keys, one of which will rotate (by default every 3600 seconds).
>
> Someone with better understanding on how wifi encryption works at the lower-level might be able to confirm this.

Indeed. There is a key exchange between the client and the AP which is unique. So the scenario proposed in the original post is unrealistic. Merely knowing the password for the SSID doesn't mean you can automatically intercept and decipher traffic from another client. NB I'm not talking about "hacking" the encryption here.
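The WPA2-PSK key hierarchy this part of the thread is discussing, as an added example that is not part of any post: it follows the IEEE 802.11 derivation (PBKDF2 for the master key, the HMAC-SHA1 PRF for the per-client pairwise key) to show which inputs are per-client and which are shared. The SSID, passphrases, MAC addresses and nonces are constructed sample values, and it covers PSK mode only, not the EAP methods mentioned earlier.

```python
import hashlib
import hmac

def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11 PRF: HMAC-SHA1(key, label || 0x00 || data || counter), concatenated."""
    out = b""
    for counter in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
    return out[:nbytes]

def derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce) -> dict:
    """Pairwise transient key for CCMP (48 bytes), split into KCK / KEK / TK."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}

# Constructed sample values (not from a real capture).
SSID, PASSPHRASE = "home-net", "correct horse battery"
AP = bytes.fromhex("02aabbccdd01")
LAPTOP = bytes.fromhex("02aabbccdd10")
CAMERA = bytes.fromhex("02aabbccdd20")

def nonce(tag: str) -> bytes:
    """Deterministic stand-in for a random 32-byte handshake nonce."""
    return hashlib.sha256(tag.encode()).digest()

def demo() -> dict:
    pmk = pmk_from_passphrase(PASSPHRASE, SSID)  # identical for every client of the SSID
    laptop = derive_ptk(pmk, AP, LAPTOP, nonce("a1"), nonce("s1"))
    camera = derive_ptk(pmk, AP, CAMERA, nonce("a2"), nonce("s2"))
    # The MACs and both nonces cross the air unencrypted during the 4-way handshake,
    # so any holder of the same passphrase can repeat the laptop's derivation.
    recomputed = derive_ptk(pmk_from_passphrase(PASSPHRASE, SSID),
                            AP, LAPTOP, nonce("a1"), nonce("s1"))
    # With a different passphrase (a separate SSID/password, as asked in the first
    # post) the same recorded values give an unrelated key.
    other = derive_ptk(pmk_from_passphrase("guest passphrase", SSID),
                       AP, LAPTOP, nonce("a1"), nonce("s1"))
    return {"unique_per_client": laptop["tk"] != camera["tk"],
            "same_psk_recomputes": recomputed == laptop,
            "other_psk_recomputes": other == laptop}

if __name__ == "__main__":
    print(demo())
```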
 

mg55

Occasional Visitor
Unfortunately smartphones come pre-configured with a lot of apps one might not trust. Some of which can't be disabled or uninstalled. And the whole point of a smartphone IS to use apps. It would be nice if Android really did sandbox apps, and their network traffic and keypresses, from each other, but that is a hopeless dream. I make a point of not using gmail for anything that needs to be secure, and try not to use my main email account on the Android device.

Also, to connect to the Verizon network, you need a bunch of them.

But PCs are a problem too. Microsoft itself is one of the worst sources of security problems. (All my crashes - and I've been using computers since the late 1970's - that weren't caused by hard drives were caused by Microsoft update, a very common complaint.) Linux is created by zillions of voluntary users with no background checks.

I do what I can. It seems like a good router is a reasonable place to start. I already try out and use untrusted apps and visit websites that seem fishy on my PCs inside temporary copies of virtual machines, do full image backups on alternate external media that are disconnected at other times, use Windows Firewall, Microsoft Offline Defender, and CCleaner, and set up my browsers in the most secure ways I can figure out. But I know it's not enough in theory.

But it is hard to stay off all untrusted websites. (I have no real reason to trust this one either. :) ) A lot of the reason I use my PC is precisely to do random web browsing, and to watch IPTV. Plus, it doesn't have the CPU power to run a virus checker while it is watching or recording streaming video, not that I really trust the ones I have used.

That said, home PCs and such aren't the only problem. At one point I worked at a secure government facility. They had their problems too. Serious security is very hard to do right. I was told that Sun Microsystems once tried to create a genuinely secure computer operating system, but couldn't convince anyone to use it, because it was too inconvenient.
 
