#7 Insecure WIFI Enabled After First Boot

Closed
opened 6 years ago by IceTeaLemonade · 1 comments

The release page states that LibreCMC 1.4 main images "ship with a sane default configuration". However, upon installing LibreCMC 1.4, I learned that my router had wifi enabled with the default configuration (SSID=librecmc,password=librecmc) before the root password had even been set.

This would allow any person within wifi range of a device with LibreCMC freshly installed to steal the root account or possibly do worse.

Wifi should either not be enabled by default or not be enabled when the root password is empty.

device: WZR-HP-G300NH, software: LibreCMC 1.4

RISCI_ATOM commented 6 years ago
Collaborator

> This would allow any person within wifi range of a device with LibreCMC freshly installed to steal the root account or possibly do worse.

This is true of most off-the-shelf routers at this point in time. This decision was made to help ease the configuration of the router and reduce complaints (even with appropriate documentation, people still complained about wifi being disabled by default). Even with restricted / "secure" default configurations, many people will still manage to improperly configure their X (be it their router or other device).

Also, the risk is quite low unless you are in a densely populated area or you are being specifically targeted. Even if someone managed to set the root password in this state, you can always reset the router or re-flash it.

We will evaluate other ways of making this more "secure" (reset button pushes or enable wifi once the root password is set).

Temporary Fix

A temporary solution to this problem would be to get a cardboard box that can fit over the router and line the inside of it with aluminum foil. On first boot of the router, place the aluminum foil lined cardboard box over the router. Once you are satisfied with the configuration, remove the cardboard box. Make sure to keep said cardboard box for future use.
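
The condition this issue asks the firmware to avoid (wifi up while the root password is still empty) can be checked from the device's own files. The script below is an added example, not part of this thread and not libreCMC code; its function names and sample files are constructed, and it assumes a standard shadow file and a UCI-style wireless config such as /etc/config/wireless.

```shell
#!/bin/sh
# Added example, not libreCMC code. Assumes a shadow(5) file and a UCI-style
# wireless config such as /etc/config/wireless.

# Exit 0 if the root entry in shadow file $1 has an empty password field.
root_password_empty() {
    awk -F: '$1 == "root" && $2 == "" { hit = 1 } END { exit !hit }' "$1"
}

# Print the name of each wifi-device section in $1 not marked disabled.
enabled_radios() {
    awk '
        function emit() { if (isdev && !off) print name }
        $1 == "config" {
            emit(); off = 0; isdev = ($2 == "wifi-device")
            name = $3; gsub(/[^A-Za-z0-9_]/, "", name)
        }
        $1 == "option" && $2 == "disabled" {
            v = $3; gsub(/[^0-9]/, "", v); if (v == "1") off = 1
        }
        END { emit() }
    ' "$1"
}

# Exit 0 and print a finding if wifi is up while root has no password.
# $1 = shadow file, $2 = wireless config.
first_boot_exposed() {
    root_password_empty "$1" || return 1
    radios=$(enabled_radios "$2")
    [ -n "$radios" ] || return 1
    echo "EXPOSED: empty root password, radios enabled:" $radios
}

# Constructed sample files mirroring the defaults reported in the issue.
write_samples() {
    printf '%s\n' 'root::0:0:99999:7:::' > "$1/shadow"
    printf '%s\n' 'root:$1$constructed$hash:0:0:99999:7:::' > "$1/shadow.set"
    printf '%s\n' "config wifi-device 'radio0'" " option type 'mac80211'" \
        "" "config wifi-iface" " option device 'radio0'" \
        " option ssid 'librecmc'" " option key 'librecmc'" > "$1/wireless"
    printf '%s\n' "config wifi-device 'radio0'" " option disabled '1'" \
        > "$1/wireless.off"
}

d=$(mktemp -d) && write_samples "$d"
first_boot_exposed "$d/shadow" "$d/wireless" || echo "not exposed"
rm -rf "$d"
```

On a device, the two arguments would be /etc/shadow and /etc/config/wireless; either setting a root password or marking every radio disabled clears the finding.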
