Looking for some WiFi AP Security Advice

Mark Phillips mark at phillipsmarketing.biz
Tue Dec 19 11:30:03 MST 2023 

My experience with self signed certs is not that great. Browsers don't like
them and balk at accepting them. When added to the keyring, they disappear
after a while (maybe an upgrade messes with them?) and just create lots of
issues when accessing a site. I would prefer some other encryption method
that can be set up and used without a lot of fiddling every time a user
wants to use them.

Mark

On Tue, Dec 19, 2023 at 3:04 AM Anthony Radzykewycz <
anthony.radzykewycz at gatewaycc.edu> wrote:

> It’d be my understanding that the AP would handle encryption over the air.
> If you wanted the web traffic to also be encrypted, I think the self-signed
> SSL certificates would suffice in this given application. To sniff that
> traffic, the attacker would have to be on the same network, as well, so
> guarding the AP with the aforementioned controls should prevent that.
> Presuming they did get in, capturing https traffic would be encrypted vs
> the plaintext counterpart of http.
>
> On Mon, Dec 18, 2023 at 11:04 PM Mark Phillips <mark at phillipsmarketing.biz>
> wrote:
>
>> Thanks, Anthony. I will see if the tp-link has a white list capability.
>> If not, I will look into another AP device.
>>
>> There is another safety feature I forgot to mention. A physical disarm
>> switch on the launcher, so the ignition circuit is disabled when it is
>> engaged. However, one can forget to do that (maybe only once!), but I also
>> don't want an attacker launching the rocket at any point.
>>
>> Is there anyway to encrypt the traffic between the cell phone and the web
>> server on the Pi? To prevent someone from monitoring the various passwords?
>>
>> Mark
>>
>> On Mon, Dec 18, 2023, 10:35 PM Anthony Radzykewycz via PLUG-discuss <
>> plug-discuss at lists.phxlinux.org> wrote:
>>
>>> That sounds pretty neat. Something you may want to add is a whitelist of
>>> allowed devices to the AP. That way, they’d also have to spoof your MAC
>>> (not impossible, but makes it harder). Other than that, it sounds like you
>>> are definitely doing the right thing in your defense in depth approach.
>>>
>>> On Mon, Dec 18, 2023 at 10:25 PM Mark Phillips via PLUG-discuss <
>>> plug-discuss at lists.phxlinux.org> wrote:
>>>
>>>> I am working on a project and need some security advice.
>>>>
>>>> The project is a wireless model rocket launcher. It consists of a
>>>> Raspberry Pi 2 W (Debian Buster) connected to a daughter board
>>>> with circuitry to control the current to ignite the igniter, a TP-Link Wifi
>>>> AP, and a cell phone. There is a web site (apache and flask) running on the
>>>> Pi that allows the user to control the circuits on the daughter board to
>>>> launch the rocket.
>>>>
>>>> The typical location for launching the rockets is in a large field far
>>>> from any buildings or trees. Typically, there is no Internet connectivity
>>>> even on cell phones, but there are quite a few people attending the launch.
>>>> There are also times when this launcher will be used in a more urban
>>>> environment (like a high school), and I want to make the system
>>>> "unattractive" to the high school students who think it would be cool to
>>>> hack the launcher during a launch.
>>>>
>>>> I want to set up some sort of secure connection between the cell phone
>>>> and the web site running on the Pi. My main concern is an attacker
>>>> connecting to the web site and igniting the rocket while the user is
>>>> connecting the wires to the igniter. Model rocket motors generate an
>>>> exhaust gas with a temperature of ~3,000 F. Also, the igniter needs 2-4 A
>>>> dc for 300 - 500 msec to ignite the rocket motor.
>>>>
>>>> I thought about SSL, but I would have to use a self signed certificate
>>>> (assuming no Internet), and I have read that it is not that secure. I am
>>>> using a long password to access the AP, a password protected login to the
>>>> web site, and another password as a launch key to enable the igniter
>>>> circuit and launch the rocket.
>>>>
>>>> I am not a network security guru, so I am not really sure what my
>>>> options are. Do you have any other suggestions on how I can make this
>>>> system more secure?
>>>>
>>>> Thanks!
>>>>
>>>> Mark
>>>> ---------------------------------------------------
>>>> PLUG-discuss mailing list: PLUG-discuss at lists.phxlinux.org
>>>> To subscribe, unsubscribe, or to change your mail settings:
>>>> https://lists.phxlinux.org/mailman/listinfo/plug-discuss
>>>>
>>> ---------------------------------------------------
>>> PLUG-discuss mailing list: PLUG-discuss at lists.phxlinux.org
>>> To subscribe, unsubscribe, or to change your mail settings:
>>> https://lists.phxlinux.org/mailman/listinfo/plug-discuss
>>>
>>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.phxlinux.org/pipermail/plug-discuss/attachments/20231219/9062f96c/attachment.htm>

More information about the PLUG-discuss mailing list