Author Topic: Weatherlink IP and Orbi Wireless Routers  (Read 10029 times)


Offline Mattk

  • Forecaster
  • *****
  • Posts: 2135
Re: Weatherlink IP and Orbi Wireless Routers
« Reply #75 on: January 02, 2018, 05:03:47 PM »
What this basically comes down to is that many users simply do not understand a lot of stuff with their network, routers and IP devices. 

Offline kobuki

  • Forecaster
  • *****
  • Posts: 838
Re: Weatherlink IP and Orbi Wireless Routers
« Reply #76 on: January 02, 2018, 05:11:09 PM »
@Dale: Why do you disagree? Would you please back summary statements like these? For some odd reason you're hellbent against forms of communication other than L3 or HTTP (in this narrow context). Why is that? Did you know that all of the current communication passing the device in question is in clear text which is easily eavesdropped and/or analyzed, given access is available to the network where it runs? How do you think that is more secure than a form of password and/or secure hash (or you think the opposite)? That would even be an improvement. Answer in a PM if you'd like, but I think this still fits the thread (even if just barely) since it's still about the comms/IP setup problem and thoughts on ways to fix or enhance the device to avoid the problem. It's not simply a matter of preference of opinion, but I think you do understand that. It's not black magic either, though for any normal user it might look like, sometimes rightfully so as the post above notes something similar.

Offline dalecoy

  • Forecaster
  • *****
  • Posts: 6447
    • Lee's Summit, MO
Re: Weatherlink IP and Orbi Wireless Routers
« Reply #77 on: January 02, 2018, 05:33:37 PM »
Quote from: kobuki
@Dale: Why do you disagree? Would you please back summary statements like these? For some odd reason you're hellbent against forms of communication other than L3 or HTTP (in this narrow context). Why is that? Did you know that all of the current communication passing the device in question is in clear text which is easily eavesdropped and/or analyzed, given access is available to the network where it runs? How do you think that is more secure than a form of password and/or secure hash (or you think the opposite)? That would even be an improvement. Answer in a PM if you'd like, but I think this still fits the thread (even if just barely) since it's still about the comms/IP setup problem and thoughts on ways to fix or enhance the device to avoid the problem. It's not simply a matter of preference of opinion, but I think you do understand that. It's not black magic either, though for any normal user it might look like, sometimes rightfully so as the post above notes something similar.

If a "network" command is provided, that will change settings within the device - and if that "network" command does not require knowledge of the local network [e.g. " For instance responding to special layer 2 messages (addressed to the MAC of the WLIP)"], then that's "hackable". 

Note, for instance, the recent hacks of the "Amazon Key" front door lock, and the Nest thermostats, cameras, etc. All that is required is access to the network (in the extreme, remote access from the internet through an internet-connected PC or other internet-connected IoT device -- or wi-fi -- or physical connection to the ethernet cable).

The vulnerability is non-physical access, regardless of how good the software/firmware/hash/secret-keys are. 

The "solution" is to require physical access to the device.  For instance, a button to push while power-cycling the device, thus resetting the device to "initial default setup".

Offline kobuki

  • Forecaster
  • *****
  • Posts: 838
Re: Weatherlink IP and Orbi Wireless Routers
« Reply #78 on: January 02, 2018, 06:02:46 PM »
In short, L2 communication can be just as secure as L3. Period.

If we go by your logic, then (almost) everything networked is hackable - and this, unfortunately, is the sad truth, whatever the OSI layer or protocol. I am well aware of that and consider myself security-conscious (which proved to be very helpful many times). The questions are usually: the worth (of hacking), complexity, and time (which is money). In this case the worth is low and we can choose a security model accordingly.

I stressed the importance of the implementation - and it should contain at least the same level of "security" as the config web page (or the Windows application protocol for that matter) of the current firmware has. Which is, sadly, nothing. Right, nothing is preventing someone on the same IP network (which can be set up freely in seconds on an adversary device) from altering settings. Everything I suggested is already better, or more secure than this. HTTP calls are a simple matter, just as is finding the device on the network. The web page is just for us human beings. Adding this functionality (however unlikely) would not weaken the security of the device. Oh, you're right, it's not "unhackable" - but you already get my point. The aim cannot include the utmost security this time.

The alternative ways like pushing a button at power up or such things no doubt would be just as good even if slightly less convenient. But we don't even have that now.
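Added example, not part of the original posts and not Davis/WeatherLink code: a sketch of the "password and/or secure hash" idea applied to a network-configuration command, where the device accepts a setting only if the message carries a valid HMAC over a shared secret, names the device's own MAC, and uses a fresh counter. The message layout, the `Device` class, the secret and the MAC are all assumptions made up for illustration.

```python
import hashlib
import hmac
import struct

# Hypothetical layout (an assumption, not a real WeatherLink IP format):
#   6-byte target MAC | 8-byte counter (big-endian) | payload | 32-byte HMAC-SHA256
TAG_LEN = 32
HDR = struct.Struct("!6sQ")


def build_command(secret: bytes, target_mac: bytes, counter: int, payload: bytes) -> bytes:
    """Sender side: the tag covers the MAC, the counter and the payload."""
    body = HDR.pack(target_mac, counter) + payload
    return body + hmac.new(secret, body, hashlib.sha256).digest()


class Device:
    """Receiver side: checks the tag first, then the target, then freshness."""

    def __init__(self, mac: bytes, secret: bytes):
        self.mac, self.secret = mac, secret
        self.last_counter = 0
        self.settings = {}

    def handle(self, frame: bytes) -> str:
        if len(frame) < HDR.size + TAG_LEN:
            return "rejected: too short"
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.secret, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time compare
            return "rejected: bad tag"
        mac, counter = HDR.unpack_from(body)
        if mac != self.mac:
            return "rejected: wrong target"
        if counter <= self.last_counter:  # a captured clear-text frame cannot be reused
            return "rejected: replay"
        self.last_counter = counter
        key, _, value = body[HDR.size:].decode("ascii", "replace").partition("=")
        self.settings[key] = value
        return "applied"


def demo():
    secret = b"constructed-device-password"   # constructed sample secret
    mac = bytes.fromhex("020000000001")       # constructed, locally administered MAC
    dev = Device(mac, secret)
    good = build_command(secret, mac, 1, b"ip=192.168.1.50")
    forged = build_command(b"guess", mac, 2, b"ip=10.0.0.9")
    return [dev.handle(good), dev.handle(good), dev.handle(forged)]
```

The tag authenticates the command but does not hide it: the payload still crosses the network in clear text, so this addresses unauthorized changes, not eavesdropping.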

Offline dalecoy

  • Forecaster
  • *****
  • Posts: 6447
    • Lee's Summit, MO
Re: Weatherlink IP and Orbi Wireless Routers
« Reply #79 on: January 02, 2018, 07:05:14 PM »
Quote from: kobuki
In short, L2 communication can be just as secure as L3. Period.

I absolutely agree.

Offline kobuki

  • Forecaster
  • *****
  • Posts: 838
Re: Weatherlink IP and Orbi Wireless Routers
« Reply #80 on: January 02, 2018, 07:09:37 PM »
Hm, then what were we arguing about again? :roll: