Question: Is Dish Fiber's network security as horrible as I think it is?

merk

I recently moved into a new apartment building. It was just built a year or two ago and came pre-wired with fiber and there's a mesh wifi network provided by Dish Fiber. So far my impression of their service from a security standpoint is pretty low.

The wifi network does not use any wifi encryption. Instead their marketing material says everything stays secure because everyone is on their own private network. However, the only real authentication being done to get on my 'private network' is MAC authentication. The user/pass I was given for the wifi is basically just a login to their portal where you can add the currently connected MAC ID to the list of authenticated devices (or manually add MAC addresses). I know it's stupidly easy to spoof a MAC address.

So basic question is - how secure can this network be? Couldn't anyone with a packet sniffer see the MAC address of my various devices and use that to get onto my network? I'm familiar with what packet sniffers do but I've almost never needed to use one. I grabbed Wireshark and played around with it a bit just now and I can definitely see some traffic coming from devices that are not my own. There was nothing obviously sensitive in what I saw, but I'm not used to analyzing this sort of thing so I don't really know if there was anything sensitive or not.

Can I, or anyone else running a packet sniffer, actually see what I am doing? I assume if I go to an encrypted webpage (HTTPS) they wouldn't be able to see what's being sent back and forth. What about an unencrypted site? Or even with an encrypted site, does having the MAC address of my PC make it any easier for them to see what's being sent between me and the encrypted site or to somehow gain access to the encrypted session?

Is there any technical justification for not having encryption on the wifi? I mean every hotel is basically a mesh network and most of them give you a login that's unique for each room and uses WEP or WPA. Why couldn't Dish do the same thing? If they did that, that would solve the issue, wouldn't it?
 
You always need to assume someone can capture your traffic. Once your traffic is past the wifi you have the same issue anyway.

Wifi is very difficult to capture nowadays. Gone are the days of a single data feed between the router and the PC. Now they use MIMO with up to 4 feeds and other stuff like MU-MIMO, making it even harder. The intercepting machine will not get the same signal patterns as the actual device doing the communication. The chips in the wifi, even when they have promiscuous mode, will not give you partial packets. This means that unless the chipset gets all the parts it will just pretend it got nothing.

Almost all traffic is now HTTPS so it is pretty immune to interception. The new version of the Chrome browser, I think, is now using encrypted DNS. Interception of DNS was the only remaining method to do some basic tracking.

Still, if you can tolerate the overhead you should use a VPN. You will need to configure the VPN to allow things like Netflix to bypass the VPN.

I'd be more concerned with the other machines on the network rather than the interception. If they are smart they have wireless isolation on so machines cannot talk to each other. Without it other machines can directly attack your machine. The solution for this is to place a router of some kind between your equipment and the network... gets messy if the WAN must be wifi.
 
It sounds only slightly more secure than an open network at your local coffee shop.

Yes, anybody with a sniffer could intercept all of your traffic, but HTTPS traffic should be secure-ish. Sessions on unencrypted sites could be played back like a movie - no security at all there.

Don't worry too much about the MACs - those (and all control and management traffic) are visible even on heavily encrypted networks.

Treat it like you would an open coffee shop or airport network.
 
So two things here, the WiFi setup does not offer you any way to change the security? That is odd, but you can get around that simply by using your own router.

Second thing, basically, don't worry about it. As far as WiFi security goes as it is for you, for a standard user, there is pretty much 0 chance of someone that wants to get on your WiFi bad enough to bother getting into range, trying to find out what MAC addresses you have listed as being able to connect, and then breaking into your setup. A lot of people are worried about being "hacked" but 99% of the time the way people steal passwords and logons is from mass dumps of data from some website or merchant, not from directly connecting to your home or computer. It's just a bunch of useless worry. Good enough security is good enough. You just lock your door, you don't stick a metal gate over it or your windows, or put in a poison gas dispenser in your car or put in unbreakable glass in it, because the security is good enough already for those things. Same thing with pretty much any home network, yes there are vulnerabilities, but no one really cares about you enough to break into your network, so don't worry about it too much. Unless you are some government official with secrets or you have 10 million in your bank account and someone knows about it to try to steal it. What dirty videos you watch online or that $2,000 you have in your account is not going to interest anyone worth bothering securing yourself from.

Issue is that you know some stuff, which causes you extra worry for no real benefit. It's like looking up medical issues online, soon as someone gets a small bump on their arm they look things up and immediately panic because it could be one of the 40 deadly diseases, when it's a lot more likely it's a mosquito bite. You know about how networks work so you start panicking that there are 4 Russian hackers in a van outside your house trying to break into your network. There are not.

What you should be worried about is every time you buy something with your credit card or give out your name and address or social security number that THOSE people secure their network and files.
 
I'm sorry but I disagree entirely about not worrying about security.

One of the things I didn't mention since it wasn't entirely relevant was that the property management apparently just re-uses logins when someone moves out. The login they gave me belonged to the previous tenant. I found paperwork in a drawer with the same login info. Plus when I logged into the management portal, all of their devices were still listed as authorized.

Who knows how many people that tenant might have shared their password with. Maybe they moved out because they had a dispute with the property management and decided to post their password on a forum somewhere just to cause problems.

The chances of me getting into a horrible car accident on any given day are pretty low, but I still wear a seat belt. This is no different. Encrypting the wifi and giving everyone a unique login is pretty basic and not something that should be hard to do. It should basically be as much trouble as putting on a seat belt.
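An added example, not part of any post in this thread: one way to audit the portal's authorized-device list against your own inventory, which is how stale entries such as a previous tenant's devices would show up. It assumes the list can be copied out as plain MAC strings; `audit_allow_list`, the other names and every address are hypothetical and constructed for illustration.

```python
import re

# Constructed sample data: every address below is made up for illustration.
MY_DEVICES = {
    "laptop": "00:11:22:33:44:55",
    "phone": "DA-A1-19-00-00-01",
    "tv": "00:11:22:33:44:66",
}
PORTAL_ENTRIES = [
    "00:11:22:33:44:55",
    "daa1.1900.0001",
    "00-AA-BB-CC-DD-01",
    "00:aa:bb:cc:dd:02",
    "not-a-mac",
]

def normalize_mac(text):
    """Return a MAC as lowercase aa:bb:cc:dd:ee:ff, or None if it is malformed."""
    text = text.strip()
    if not re.fullmatch(r"[0-9A-Fa-f:.\-]+", text):
        return None
    digits = re.sub(r"[:.\-]", "", text).lower()
    if len(digits) != 12:
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def is_locally_administered(mac):
    """Bit 0x02 of the first octet marks a non-vendor address, e.g. a randomized MAC."""
    return bool(int(mac[:2], 16) & 0x02)

def audit_allow_list(portal_entries, my_devices):
    """Sort the portal's authorized entries into known, unknown and malformed."""
    mine = {normalize_mac(mac): name for name, mac in my_devices.items()}
    report = {"known": [], "unknown": [], "malformed": [], "randomized": []}
    seen = set()
    for raw in portal_entries:
        mac = normalize_mac(raw)
        if mac is None:
            report["malformed"].append(raw)
        elif mac not in seen:
            seen.add(mac)
            report["known" if mac in mine else "unknown"].append(mac)
            if is_locally_administered(mac):
                report["randomized"].append(mac)
    # Inventory devices that the portal does not list are not authorized yet.
    report["missing"] = sorted(n for m, n in mine.items() if m not in seen)
    return report

if __name__ == "__main__":
    for section, items in audit_allow_list(PORTAL_ENTRIES, MY_DEVICES).items():
        print(f"{section}: {items}")
```

Entries reported as unknown are the ones to remove from the portal or raise with building management.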
 
It changes nothing really though. If you are already concerned about security you would not worry just about the wifi connection. What if they leave the on-premise router in an unlocked room?

You need to assume someone can see your data and always take precautions even if you have a fiber connection to your house. It is not the teen next door you need to worry about, it is the person who makes his living stealing something of value.

In general HTTPS is good enough but you have to watch the icons to be sure you are always running secure traffic. The next step up is a simple router that because of the NAT will hide your machines from direct attack, but the firewall in Windows is pretty strong nowadays. The standard solution is to use a VPN but again that is not some magic security feature and you don't need to still use care. The data is only encrypted from your house to the VPN data center; after that it is again subject to interception.
 
OK so the fact the internet setup is not actually yours is totally different with how you work with it. Go to the person in charge of the setup and talk to them about the logon and security settings. If you don't have access to the control of the router/modem from the ISP you will have a hard time doing anything, even setting up your own router. Something provided to you by the owners of the building is not really the same thing as something you ordered and control.

But again, do you think whoever had the old logon and devices is going to go back and try to get into your systems? Nope. And if they can see your computers, then what? Without things shared openly on the network only thing they can do is see your IPs. Unless this person before you happens to be a mastermind network hacker and you have the secrets to the JFK killing you are pretty safe. Sure it's not good security practice, but at the end of it, it really does not matter in your situation. It's in the hands of this building management that provide you with the service, they are the ones you need to talk to about setting up a better service.
 
I think you are missing my point. I'm not saying any of this stuff is definitely going to happen. It's unlikely to happen. But unlikely isn't the same thing as never going to happen.

The point is encrypting the wifi and giving everyone a unique login is basic security and is the least they can do to keep things secure. Unless there's some technical reason I don't know about (and one of the reasons I asked in here) there's no reason they shouldn't be doing this beyond ignorance or negligence.

It's in the hands of this building management that provide you with the service, they are the ones you need to talk to about setting up a better service.

Yes, it is, which is the whole reason I posted this question here.