Security Enhancement: Let's disable the APs by default!

Discussion in 'Tomato Firmware' started by eibgrad, Apr 23, 2019.

  1. eibgrad

    eibgrad Network Guru Member

    Just wondering if anyone else has thought about the benefits of having the APs in the firmware default to OFF rather than ON.

    I've thought about this many times before, and just let it slide. But when you really think about, it's incredibly dumb to turn the radios ON and w/ no security. I understand why OEM firmware does this; they assume the customer is a total idiot, so they make it as simple as possible to get started. But is this a valid assumption for ppl using third party firmware? Seems to me we could do better, and make things more secure.

    This issue came back to mind just last night when earlier in the afternoon I had updated the firmware on one of my FreshTomato routers in the lab. Then got distracted by a phone call. Came back and forgot about the firmware update, and proceeded about my business. Later in the evening, I happened to be using that router for development and testing purposes when lo and behold there's some punk using the wireless AP of that router! And he had been on there for over an hour. Unfortunately, the WAN of that router was patched to LAN of my primary network, and he not only had internet access, but if he was observant enough, might have noticed the private network immediately upstream of that router (no way for me to be sure if he did or didn't).

    Bottomline, why are we *still* defaulting to having the radios ON? This makes no sense to me, esp. in this day and age. Takes two seconds for the administrator of the router to enable it, and thus he knows for sure the state of the APs. Yes, in the end, it was *my* fault. But shouldn't the router try to protect me if it can? Heck, I remember one time many years ago when one of my lab routers spontaneously rebooted (maybe due to an electrical surge) and it reset the router to all defaults! Luckily I was home at the time and noticed rather quickly. But if I hadn't, that thing might still be broadcasting an open AP. LOL
    Last edited: Apr 23, 2019
    txnative, ddimitrov and Malakai like this.
  2. rs232

    rs232 Network Guru Member

    I see what you mean, I really do, however this seems to be very specific of your network/scenario.

    I have to admit I have been "saved" many times by being able to log into the default tomato24 open SSID. Sometimes you go installing tomato for the first time and if it wasn't for the default SSID appearing you would get the feeling the router is bricked.

    To be fair I don't see any security issue here, if you log in you just change the SSID/password also chances are that the default IP does not even belong to the existing LAN subnet. If it does: well consider re-addressing your LAN perhaps?

    Toastman if I remember correctly disabled DHCP by default, some people think that's a good idea other not.

    I'm always resistant to change default behaviours, users have spent years getting used to "the tomato way", so unless there's a real issue not sure this is a good idea. I would have thought disabling radio by default would cause more headaches than benefits.

    my 2 cents
    Techie007 likes this.
  3. eibgrad

    eibgrad Network Guru Member

    Thanks for the feedback.

    I'd be less concerned about the APs being ON by default if wasn't for the fact there's no security. And frankly, no one should be doing firmware updates over wireless anyway. So when the firmware is initially installed, you already have a wired connection to confirm the update and configure the router, and the APs.

    Again, I see the audience for third-party firmware differently than for your average, networking newb who's buying a retail router w/ OEM firmware. I wonder how many of them use the router's wireless for DAYS before someone tells them they need to enable security. Yes, once the default is OFF, we'll get the usual rush of inquiries and complaints in this forum, but eventually ppl will become familiar w/ the new process.

    I understand the resistance to change, I really do. I don't like it either. But it's just that my attitude has changed in recent years regarding security. Given all the exploits, even of WPA2 and the soon to come WPA3, it makes no sense to default to ON and Open anymore. That's 2005 thinking AFAIC. That's the same reason I complained about the OpenVPN clients using bidirectional tunnels by default. What is often easier, is also often less secure.

    Anyway, I'd be interested in what others have to say.
    Last edited: Apr 23, 2019
    Malakai likes this.
  4. jerrm

    jerrm Network Guru Member

    No one answer to make everyone happy. I liked having the wireless enabled (and consider myself VERY security conscious). My general practice was to boot up with nothing attached, connect over wifi, make initial changes, reboot and attach to the net.

    First boot disconnected partially for security, but just as much (or more) for DHCP conflicts.
    Last edited: Apr 23, 2019
    Techie007 likes this.
  5. eibgrad

    eibgrad Network Guru Member

    Maybe two different builds, one w/ it OFF, one w/ it ON (only half serious).
  6. ddimitrov

    ddimitrov Network Newbie Member

    I agree that starting Tomato with radios on is not desirable in many standard cases. For example, I use my routers mainly with wired devices (desktops and laptop docks), so I need WiFi only a couple of times a year. In order to automatically turn radios off I had to configure a WAN-Up script similar to the one below:
    wl -a eth1 radio off
    wl -a eth2 radio off
    In rare occasions when I need WiFi, I turn radios on with the help of the router's WPS-button (which is configured in Tomato to do "Toggle Wireless" by default).

    I also agree that automatic starting and opening of APs is even more problematic when doing firmware upgrade, because after clearing NVRAM the APs are started open without any security. A potential intruder has a couple of minutes to do something (until we configure the wireless security of the router).

    In general, I would be glad too, if there was a firmware option for starting the router with radios off by default.

    P.S. Configuring wireless interfaces as "disabled" (instead of leaving them enabled but turning radios off) is not an option, because when the wireless interfaces are "disabled" we cannot toggle WiFi on/off later with the WPS-button.
  7. RMerlin

    RMerlin Network Guru Member

    Households are becoming increasingly wireless. Many modern laptops no longer include Ethernet. You need wifi to be enabled by default, or else it would be impossible to configure the routers for an increasing number of persons. I've had customers with only Macbooks for instance, not a single computer with an Ethernet port.

    (Btw, I have done more router flashing over wifi while developing than everyone else in this thread will do in their entire lives ;) It's fine, as long you are not connected at like -80dB...)

    The real solution rather, as implemented by many OEMs, is to implement a first time setup assistant that comes up on first boot following a factory default reset, forcing users to either configure or disable wifi, change login password, etc...

  8. eibgrad

    eibgrad Network Guru Member

    Seems to me we're stuck between two extremes. Either we continue w/ the current situation because it's easy (but insecure), or else need something elaborate such as suggested by RMerlin.

    As I said before, I don't place third-party firmware users in the same category as your average Joe who buys a retail product from Best Buy or Amazon. While it might be the case there are some small percentage of users who literally have no ethernet connection available to them, I still say it's a bit risky doing a firmware update over wireless. Yeah, RMerlin, Sean B., me, and host of others on this forum who know the risks, wouldn't place ourselves in a situation like -80dBm. Or risk it in a crowded wireless environment. Instinctively, we know to protect ourselves against such hazards. But you can't assume that means it's safe for the average Joe.

    But all that is really beside the point. I'm just looking for a middle ground solution. Something that doesn't leave the wireless ON and OPEN and thereby available to any rube that happens to wander by. But not one that means we have to create some elaborate setup wizard, as if we were dealing w/ a naive user.

    What about turning the radios OFF by default (not disabling them) and using the already existing option under Administration->Buttons/LED to toggle the wireless ON? At least for those routers that have such a button.
    Last edited: May 1, 2019
  9. Sean B.

    Sean B. Network Guru Member

    Knee-jerk reaction would be to post that there's a bug breaking wireless in new versions, rather than press a button.
  10. eibgrad

    eibgrad Network Guru Member

    Any solution is going to meet w/ opposition, dismay, confusion, simply because something has changed. There's no getting around it. Wasn't long ago that Google stopped supporting SHA1 signed certificates in favor of SHA256, and looooong before it could really be justified (afaik, there wasn't and still isn't any known issue w/ SHA1). Didn't stop Google from making the change though, did it. Even the thought of a potential security issue, perhaps years from now, was enough to make them take action, and inconvenience a whole lot more ppl. Broke some things, even brought down some websites. But Google didn't care. They were placing security above anyone's inconvenience or opposition. Then ppl learned of the change, adjusted to the new world of Google SHA256, accepted it, and moved on.
  11. phuklok1

    phuklok1 Network Guru Member

    I have to agree with RMerlin here. The change would not be justified, any small benefit would be swamped by the downsides. I would venture to guess the pool of people (already advanced enough to go the extra mile to install Tomato) that have no other easy way to configure an AP except for wireless, is significantly larger than the pool of people who may get distracted after an upgrade and temporarily forget to secure their router.
    Last edited: May 1, 2019
    Techie007 likes this.
  12. Sean B.

    Sean B. Network Guru Member

    Yeah, but when you're like Google and making billions it's much easier to tolerate the shit storms you start ;)
    Severus likes this.
  13. Monk E. Boy

    Monk E. Boy Network Guru Member

    It doesn't hurt that in most cases you can say "screw you Chrome" and avoid that browser like the plague it is.

    I can't remember the last time I configured a router wirelessly, I can't think of a router whose recovery mode works over wireless and that's always step 1 or 2 for me.

    Personally I don't particularly care because during the initial setup period it's just my system and a router connected via an ethernet cable, with a firewall on the ethernet port.

    As for systems coming without ethernet, well, that's what USB is for. I don't have a system with a serial port yet I've been using a USB to serial adapter for years to configure routers and switches. You can get an ethernet adapter for under $15, given the hundreds all these people are plunking down on ARM routers getting an ethernet adapter should be nothing.

    It really comes down to how seriously you take security. It wasn't all that long ago that all routers shipped straight out of the box w/o any WiFi security enabled. Billions of lawsuits later virtually all routers now force you to walk through enabling security during initial setup (with massive squawking if you try to disable it). Meanwhile Tomato is still stuck in the old way of no security by default.

    Disabling everything and requiring the user to enable it is safer for the user base than the other way around. Will all users appreciate it? No. Especially the group that settles on a year-plus old build of AdvancedTomato because it has Advanced in its name. OTOH they're not going to be affected because, hey, year plus old build.
    ddimitrov and eibgrad like this.
  14. Sean B.

    Sean B. Network Guru Member

    We could just remove the security selection option all together, and force it on with just boxes for entering the desired keys. Below have a note stating "To disable security email @eibgrad with a good reason and ask nicely." :D
  15. Techie007

    Techie007 Networkin' Nut Member

    I second everything that @RMerlin said, except for the need to implement a first time setup assistant. We already know where the settings are and how to change them. But yes, I do it all the time with routers: Reset button, connect my phone via WiFi, firmware updates, change the SSID and security, reconnect phone. The only time I have to use the pesky cable and find a compatible laptop is when switching a router from OEM to Tomato via CFE. I even do firmware updates all the time over the Internet and through VPNs. Never had a real problem with it! Every once in awhile the CRC won't pass and it boots up to the previous firmware and I have to flash the update again.
    Ped Man, Magister and rs232 like this.
  16. txnative

    txnative Addicted to LI Member

    If and when someone decides to produce their own repo they can do this and there is no ill will into it nothing to specially done "turn a 1 to a 0" to do it before you compile your images in the proper file. Toastman did something similar in his builds disabling dhcp as I believe no one had a problem with it unless they didn't bother to read his descriptions, except if you are compiling your own builds you could just disable wireless in that manner and not worry about wireless security until you have all there is that needs to be done configuring the router so you can configure wireless settings for last, I don't know if everyone knows this but OpenWrt does this as well and it is documented as well. Regards
    maurer likes this.
  17. M_ars

    M_ars Network Guru Member

    Hi eibgrad,
    I do not want to argue what is the best solution in 2019 (radio on or off by default)

    The (dedicated) wlan button has been added to almost all supported tomato ARM routers (R7000...AC68U... and much more in the current Freshtomato branches). So now (with 2019.3 and newer) it is very easy to turn off/on wlan. It does not matter how long you push that button, after you release it, radio will toggle. At the same time you will get optical feedback, power LED will start to blink (or toggle the color for Netgear router) as long you push the wlan button. WLAN LED will turn on/off after you release WLAN button. The wps button is also there and can do the same, but you have to push round about 2 seconds (default config)

    I know this is probably not what you are looking for, but maybe it helps a little bit, at least in some cases. You can disable the radio with one (dedicated) button and the WLAN LEDs show the current status.

    eibgrad likes this.
  18. eibgrad

    eibgrad Network Guru Member

    Yeah, not exactly what I'm looking for, but good to know. Thanks.
  19. tvlz

    tvlz LI Guru Member

    How about just a simple "Wifi Security Disabled" warning notice on the top of the Status Overview page?

    on line 339 add:
    if (((nvram.wl0_radio) == '1' && (nvram.wl0_security_mode) == 'disabled') ||
        ((nvram.wl1_radio) == '1' && (nvram.wl1_security_mode) == 'disabled'))
        E('wifiwarn').style.display = '';
    on line 415 add:
    <div style="display:none" id="wifiwarn">
    <div class="section-title" style="text-align:center"><b>!! Notice: Wifi Security Disabled !!</b></div>
    <div class="fields" style="text-align:center">The Wifi Radios are <b>Enabled</b> without having a <b>Wifi Password</b> set.
    <br/><b>Please make sure to <a href="basic-network.asp">Set a Wifi Password</a></b></div>
    </div>


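The same open-AP check as a stand-alone function, added here as an example and not part of tvlz's patch or the Tomato sources. It assumes nvram is a plain key/value object (Tomato's page-side nvram variable behaves like one) and scans every wlN unit rather than only wl0 and wl1, so it also works on triple-radio hardware.

```javascript
// Added example: report which radios are up with no wireless security set.
// 'nvram' is assumed to be a plain object mapping key -> string value.

// Return the sorted list of wlN units whose radio is on and whose
// security_mode is 'disabled' (or missing, which is treated as open
// so the warning errs on the side of showing).
function openRadios(nvram) {
  const open = [];
  for (const key of Object.keys(nvram)) {
    const m = /^(wl\d+)_radio$/.exec(key);
    if (!m) continue;
    const unit = m[1];
    const radioOn = nvram[key] === '1';
    const mode = nvram[unit + '_security_mode'];
    if (radioOn && (mode === undefined || mode === 'disabled')) open.push(unit);
  }
  return open.sort();
}

// Build the notice text the status page would show, or '' when nothing is open.
function wifiWarning(nvram) {
  const open = openRadios(nvram);
  if (open.length === 0) return '';
  return 'Wifi Security Disabled: radio(s) ' + open.join(', ') +
         ' are enabled without a Wifi password set.';
}

// Constructed sample nvram, not captured from a real router:
// wl0 open and on, wl1 secured, wl2 open but radio off.
const SAMPLE_NVRAM = {
  wl0_radio: '1', wl0_security_mode: 'disabled',
  wl1_radio: '1', wl1_security_mode: 'wpa2_personal',
  wl2_radio: '0', wl2_security_mode: 'disabled',
};

console.log(wifiWarning(SAMPLE_NVRAM) || 'all radios secured or off');
```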
  20. eibgrad

    eibgrad Network Guru Member

    I think you're on the right track, although I think the wording is still a bit confusing. *I* know what you mean, but I can imagine the user being confused. So is the wifi radio presently enabled or not?

    I think one of the other problems here is dealing w/ the fine distinction between being "enabled/disabled" vs. "on/off". Some ppl use those terms interchangeably, others do NOT.

    I think what needs to be said is that by default, all the radios are OFF (not disabled). That would suggest that if the user wanted, he could still enable them, and without a password, by using the SES/WPS/AOSS button. Not recommended, but at least it's an easy answer for those that insist the radios be available, if still open, upon initial installation.