I think this is a big problem.
If a WISP configures a client customer CPE MikroTik device with a user account which is read-only, the customer-client can Winbox into their MikroTik and see the password and WEP keys in clear text.
A read-only account should never be able to see any password or WEP key information. This needs to be changed.
As a WISP, I need to give all my customers a read-only login on their wireless CPE equipment. Customers need to be able to check their signal strength to my APs. This then gives a customer the ability to aim their antenna and check the quality of their signal strength.
If I create a read-only user account on the CPE MikroTik device and a customer logs in using a web browser - it appears there are no clear text passwords or clear text WEP keys to be seen.
However - if the same read-only account is used with winbox, the customer can do the following:
1. Use Winbox to log in to a MikroTik using a read-only account
2. Click into Interfaces
3. Double click into a Security Profile
4. Click on Static Keys
5. Click in the top-right part of Winbox to remove the check mark in "Hide Password"
6. Presto - the customer can see the WEP key in clear text. At this point the customer might know how to build a radio to connect into your APs.
In my client configuration CPE test - I am running a RB411 with RouterOS 4.6 with R52H wireless cards.
I feel this should be fixed right away and consider the read-only user login a major problem (undocumented unwanted feature) that should be fixed ASAP.
Or - is there another method a customer can check their signal strength (aim antennas) without allowing the customer to have the ability to see stuff they should not be able to see?
tomj@northwestusa.com