Secure WiFi Router Design
Secure WiFi Goals
When building the SPR, we spent some time on a simple threat model to identify the probable threat actor profiles and the common threat vectors we see against WiFi networks.
Threat Actors
- Remote Internet Attacker: Anyone on the internet that can send packets to the WAN/Uplink interface
- Man In The Middle / Malicious ISP: An attacker with a man-in-the-middle position on the uplink
- Supply Chain Attacker: An attacker looking to insert code into the SPR project to compromise routers
- Physical Proximity Attacker (Evil Neighbor): An attacker with physical proximity to the WiFi
- Inside Perimeter Attacker (Evil Guest): An attacker with physical access
- Compromised Device Attacker (Implant): An attacker operating from a compromised device, authenticated on the network
Threat Vectors
Network Flaws
- Weak Passphrase / Password Reuse
- ARP Spoofing
- MAC Spoofing
- DHCP MAC Spoofing
- VLAN Hopping
- Insecure Private Subnet Requests from Web Browsers
Software Implementation Flaws
- Memory corruption
- Command Injection
- XSS, CSRF
- DNS Cache Poisoning
- Response Splitting Attacks
802.11 Flaws
- Cryptographic Vulnerabilities
- Password Cracking
- Frag Attacks
- MITM
- AP Isolation Bypass
- Packet in Packet Attacks
Secure WiFi Principles
All of this left us with the following principles for building a secure WiFi router:
- The router is secure against compromise via the web services, remote uplink, or local network attack surfaces
- It is practical to use strong passwords for WiFi devices
- One compromised device should not be able to impersonate other devices on the network or intercept their network traffic
- Devices can only communicate to systems they are explicitly allowed to. No spoofing.
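The last two principles, as an added illustration that is not SPR project code: a per-device binding check at the access point, assuming a design where each authenticated station is tracked on its own virtual interface and its (interface, MAC, IP) tuple is recorded at join time, so the MAC, ARP and DHCP spoofing vectors listed above are dropped rather than forwarded.

```python
# Added example, not SPR project code. Assumes an AP design where each
# authenticated station gets its own virtual interface (vif) and the
# tuple (vif, MAC, IP) is recorded as a binding when the station joins.
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str

# Constructed sample state: two authenticated stations behind one AP.
BINDINGS = {
    "wlan0.sta1": Binding("aa:bb:cc:00:00:01", "192.168.2.11"),
    "wlan0.sta2": Binding("aa:bb:cc:00:00:02", "192.168.2.12"),
}

def check_frame(frame: dict, bindings: dict = BINDINGS) -> tuple[bool, str]:
    """Return (forward?, reason) for one ingress frame. Keys: vif, src_mac,
    src_ip; optional arp_sender_ip and dhcp_chaddr. Each attacker-controlled
    field is compared with the binding made at join time."""
    b = bindings.get(frame["vif"])
    if b is None:
        return False, "drop: no binding for interface (unauthenticated)"
    if frame["src_mac"] != b.mac:
        return False, f"drop: MAC spoof {frame['src_mac']} on {frame['vif']}"
    chaddr = frame.get("dhcp_chaddr")
    allowed_ips = {b.ip} | ({"0.0.0.0"} if chaddr is not None else set())
    if frame["src_ip"] not in allowed_ips:
        return False, f"drop: IP spoof {frame['src_ip']} on {frame['vif']}"
    arp_ip = frame.get("arp_sender_ip")
    if arp_ip is not None and arp_ip != b.ip:
        return False, f"drop: ARP spoof, claims {arp_ip} but bound to {b.ip}"
    if chaddr is not None and chaddr != b.mac:
        return False, f"drop: DHCP chaddr {chaddr} differs from bound {b.mac}"
    return True, "forward"

# Constructed frames from station 1's interface: one legitimate, then the
# MAC, ARP and DHCP spoofing vectors from the threat model.
SAMPLE_FRAMES = [
    {"vif": "wlan0.sta1", "src_mac": "aa:bb:cc:00:00:01", "src_ip": "192.168.2.11"},
    {"vif": "wlan0.sta1", "src_mac": "aa:bb:cc:00:00:02", "src_ip": "192.168.2.12"},
    {"vif": "wlan0.sta1", "src_mac": "aa:bb:cc:00:00:01", "src_ip": "192.168.2.11",
     "arp_sender_ip": "192.168.2.1"},
    {"vif": "wlan0.sta1", "src_mac": "aa:bb:cc:00:00:01", "src_ip": "0.0.0.0",
     "dhcp_chaddr": "aa:bb:cc:00:00:02"},
]

def evaluate_samples() -> list[bool]:
    return [check_frame(f)[0] for f in SAMPLE_FRAMES]
```

Only the first sample frame is forwarded; a station that forges another device's MAC, answers ARP for an address it was not bound to, or requests a lease under a different hardware address is dropped with the reason recorded.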
Additional Security Considerations
- Power & Radio Sidechannel attacks (out of scope)
- Physical attacks, physical supply chain (out of scope)
With the who and the what identified, we mapped them out in a table and used it to inform our goals and to look for high-impact secure WiFi features.