A few days ago I read that topic, which was about hacking the hotspot.
I just wanted to give more details about this issue, because the same thing happened to me as well and I still haven’t figured out a way to sort it out.
This is a part of my network diagram.
In my network, I have three outdoor access points, each connected in turn to a sector antenna. All of the APs are connected to a hub. The ether2 (Local) port on my MT box is connected to the hub as well, to distribute the hotspot service. I didn’t set any security on my access points; it is very important to me that any subscriber can connect to my network as easily as possible.
Since my wireless network is open to anyone, some subscribers reported that they got the “conflict IP address” message several times. I told them just to do a repair and it would be solved, but later I found out what was going on.
Anyone able to connect to my wireless network can run an IP scan and copy an IP address and the associated MAC ID from the IP scan result. The intruder will set his computer’s IP address to the same one from the IP scan, and can change the MAC ID using a simple program to clone it or from the Device Manager properties. Now if the host IP has logged in using his username and password, then the intruder will be able to use the internet service without typing a username and password, since the host IP is logged in already.
Other WISPs reported that the same thing happened to them. I tried it myself and it worked: I cloned an IP address and MAC ID to my laptop and I was able to use the internet without typing my username and password.
I thought the problem was in the hotspot itself. To see whether the problem was from the hotspot or not, I reconfigured another MT box as a router only and connected two laptops with the same IP address and MAC ID. I just got the “conflict IP address” message, but both machines used the internet properly.
I don’t think blocking the scanning ports to prevent the users from doing an IP scan will help in my case, because the IP scanning process is done at the access points and the MT can’t block the access points.
The number of sessions per user is only one, and this won’t change anything, since I used the MT as a router only in my experiment to define where the problem might be.
I am going to email this to MT, but I thought to share it with you guys to see if someone faced it already and can help us to sort it out.
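A defender-side check for the cloning described in this post, added here as an example and not part of the original thread: it flags a MAC address that stays associated to two different APs at the same time, while tolerating the short overlap of a client roaming between APs. The log format, AP names and MAC addresses are constructed, and it assumes each AP can report association and disassociation events.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input in a hypothetical "timestamp ap event mac" format.
SAMPLE_LOG = """\
2024-01-01T10:00:00 ap1 assoc 02:00:00:aa:bb:01
2024-01-01T10:05:00 ap1 assoc 02:00:00:aa:bb:02
2024-01-01T10:20:00 ap3 assoc 02:00:00:aa:bb:01
2024-01-01T10:30:00 ap2 assoc 02:00:00:aa:bb:02
2024-01-01T10:30:20 ap1 disassoc 02:00:00:aa:bb:02
2024-01-01T10:45:00 ap3 disassoc 02:00:00:aa:bb:01
2024-01-01T11:00:00 ap1 disassoc 02:00:00:aa:bb:01
"""

def parse_sessions(log):
    """Turn assoc/disassoc events into {mac: [(ap, start, end), ...]}."""
    open_at = {}                    # (mac, ap) -> time the association began
    sessions = defaultdict(list)
    last_seen = None
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue                # skip malformed lines
        ts, ap, event, mac = parts
        when, mac = datetime.fromisoformat(ts), mac.lower()
        last_seen = when
        if event == "assoc":
            open_at.setdefault((mac, ap), when)
        elif event == "disassoc" and (mac, ap) in open_at:
            sessions[mac].append((ap, open_at.pop((mac, ap)), when))
    # Associations still open when the log ends run until the last event seen.
    for (mac, ap), start in open_at.items():
        sessions[mac].append((ap, start, last_seen))
    return sessions

def find_cloned_macs(log, roam_grace=timedelta(seconds=60)):
    """Flag MACs associated to two different APs for longer than roam_grace."""
    findings = []
    for mac, sess in parse_sessions(log).items():
        for i, (ap_a, start_a, end_a) in enumerate(sess):
            for ap_b, start_b, end_b in sess[i + 1:]:
                overlap = min(end_a, end_b) - max(start_a, start_b)
                # A roaming client overlaps briefly; a clone overlaps for long.
                if ap_a != ap_b and overlap > roam_grace:
                    findings.append((mac, tuple(sorted((ap_a, ap_b))), overlap))
    return findings

if __name__ == "__main__":
    for mac, aps, overlap in find_cloned_macs(SAMPLE_LOG):
        print(f"{mac} on {aps[0]} and {aps[1]} at once for {overlap}")
```

A clone that associates to the same AP as the real client does not show up here; this check only covers the case of two different APs.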
You need to block access through the APs until the client has authenticated. This has to be done on the AP itself using one of the EAP protocols with a RADIUS backend. Once authenticated, the client is issued a network key and further communication is encrypted. Periodically, the AP and client negotiate a new key so you can use even relatively insecure protocols such as WEP. Sniffing a MAC address will have no benefit because the packet will be discarded by the AP.
Alternatively, once the client is authenticated, open a VPN tunnel between the client and hotspot and reject packets on the hotspot that haven’t come from a tunnel.
Both approaches have their merits, but the first is potentially more secure and there’s less impact on the user, i.e. they don’t have to open a VPN once connected.
Well Andrew, I agree that your approaches are the best solutions yet, but the problem is that I still tend to leave my wireless network open for everyone, as it is a very important advertisement for my wireless network and the services that I provide on the free wireless network. I have a local server which contains up-to-date software and other stuff, and any subscriber can download freely as it costs me nothing, but I charge them for the internet service only, so that’s why it is important for me to keep my wireless network open.
Thanks for your suggestions
Set up a virtual unencrypted AP/SSID for the free network and use encryption/802.1x on the internet network. You can set up an HTTP redirect on the free network to a page that advertises your commercial net. We do the same here.
Well, I’ll need some help to follow your idea. I mostly work with the communication part, like microwave and VSAT and so on. For MT I know only how to do the simple things like routing and hotspot and these easy things. So if it is possible, could someone give me more details on how to implement the virtual network along with the free network, the redirection and so on?
Well, can anyone spend more time with me and tell me how?
What about the MT guys? I wonder if what is happening with us is something normal and there is no backdoor or something wrong with the MT router?
Anyway, thanks to those who posted already; at least I have some options now.
I assume by your description, all the APs are wireless bridges? So users can share files across APs on a tower, and anyone is free to do so?
If so, then how about separating the APs with a routerboard, running a hotspot server on each interface and turning default forwarding off? You could then have a ‘walled garden’ to your public free access server for file sharing, with no real easy way to get in.
Use different IP subnet pools on each interface and masquerade all of them out the internet interface.
That should give you a reasonably tight network, and still keep the public access service. It’s also really easy to set up: RB532 & 502 daughterboard + 4 WLAN, run the hotspot wizard for each AP and you’re off!