Re: Looking for some WiFi AP Security Advice

Top Page
Attachments:
Message as email
+ (text/plain)
+ (text/html)
+ (text/plain)
Delete this message
Reply to this message
Author: Mark Phillips via PLUG-discuss
Date:  
To: anthony.radzykewycz
CC: Mark Phillips, Main PLUG discussion list
Subject: Re: Looking for some WiFi AP Security Advice
My experience with self signed certs is not that great. Browsers don't like
them and balk at accepting them. When added to the keyring, they disappear
after a while (maybe an upgrade messes with them?) and just create lots of
issues when accessing a site. I would prefer some other encryption method
that can be set up and used without a lot of fiddling every time a user
wants to use them.

Mark

On Tue, Dec 19, 2023 at 3:04 AM Anthony Radzykewycz <
> wrote:

> It’d be my understanding that the AP would handle encryption over the air.
> If you wanted the web traffic to also be encrypted, I think the self-signed
> SSL certificates would suffice in this given application. To sniff that
> traffic, the attacker would have to be on the same network, as well, so
> guarding the AP with the aforementioned controls should prevent that.
> Presuming they did get in, capturing https traffic would be encrypted vs
> the plaintext counterpart of http.
>
> On Mon, Dec 18, 2023 at 11:04 PM Mark Phillips <>
> wrote:
>
>> Thanks, Anthony. I will see if the tp-link has a white list capability.
>> If not, I will look into another AP device.
>>
>> There is another safety feature I forgot to mention. A physical disarm
>> switch on the launcher, so the ignition circuit is disabled when it is
>> engaged. However, one can forget to do that (maybe only once!), but I also
>> don't want an attacker launching the rocket at any point.
>>
>> Is there anyway to encrypt the traffic between the cell phone and the web
>> server on the Pi? To prevent someone from monitoring the various passwords?
>>
>> Mark
>>
>> On Mon, Dec 18, 2023, 10:35 PM Anthony Radzykewycz via PLUG-discuss <
>> > wrote:
>>
>>> That sounds pretty neat. Something you may want to add is a whitelist of
>>> allowed devices to the AP. That way, they’d also have to spoof your MAC
>>> (not impossible, but makes it harder). Other than that, it sounds like you
>>> are definitely doing the right thing in your defense in depth approach.
>>>
>>> On Mon, Dec 18, 2023 at 10:25 PM Mark Phillips via PLUG-discuss <
>>> > wrote:
>>>
>>>> I am working on a project and need some security advice.
>>>>
>>>> The project is a wireless model rocket launcher. It consists of a
>>>> Raspberry Pi 2 W (Debian Buster) connected to a daughter board
>>>> with circuitry to control the current to ignite the igniter, a TP-Link Wifi
>>>> AP, and a cell phone. There is a web site (apache and flask) running on the
>>>> Pi that allows the user to control the circuits on the daughter board to
>>>> launch the rocket.
>>>>
>>>> The typical location for launching the rockets is in a large field far
>>>> from any buildings or trees. Typically, there is no Internet connectivity
>>>> even on cell phones, but there are quite a few people attending the launch.
>>>> There are also times when this launcher will be used in a more urban
>>>> environment (like a high school), and I want to make the system
>>>> "unattractive" to the high school students who think it would be cool to
>>>> hack the launcher during a launch.
>>>>
>>>> I want to set up some sort of secure connection between the cell phone
>>>> and the web site running on the Pi. My main concern is an attacker
>>>> connecting to the web site and igniting the rocket while the user is
>>>> connecting the wires to the igniter. Model rocket motors generate an
>>>> exhaust gas with a temperature of ~3,000 F. Also, the igniter needs 2-4 A
>>>> dc for 300 - 500 msec to ignite the rocket motor.
>>>>
>>>> I thought about SSL, but I would have to use a self signed certificate
>>>> (assuming no Internet), and I have read that it is not that secure. I am
>>>> using a long password to access the AP, a password protected login to the
>>>> web site, and another password as a launch key to enable the igniter
>>>> circuit and launch the rocket.
>>>>
>>>> I am not a network security guru, so I am not really sure what my
>>>> options are. Do you have any other suggestions on how I can make this
>>>> system more secure?
>>>>
>>>> Thanks!
>>>>
>>>> Mark
>>>> ---------------------------------------------------
>>>> PLUG-discuss mailing list:
>>>> To subscribe, unsubscribe, or to change your mail settings:
>>>> https://lists.phxlinux.org/mailman/listinfo/plug-discuss
>>>>
>>> ---------------------------------------------------
>>> PLUG-discuss mailing list:
>>> To subscribe, unsubscribe, or to change your mail settings:
>>> https://lists.phxlinux.org/mailman/listinfo/plug-discuss
>>>
>>

---------------------------------------------------
PLUG-discuss mailing list:
To subscribe, unsubscribe, or to change your mail settings:
https://lists.phxlinux.org/mailman/listinfo/plug-discuss