From Newsgroup: alt.internet.wireless
Carlos E.R. wrote:
Carlos was pointing out that some things will connect to any open wifi,
_without the user knowing_. That is not "taking advantage" - or if it
is, your opprobrium needs to be addressed to the makers of such
equipment, not the users.
Well, I don't use automatic wifi connect. I always look for my own
router's SSID. :)
I use automatic wifi connect, to known wifis. I have disabled connect to open wifis.
To add further technical value to this sub topic...
For those wishing to know more about this topic, most people have their
router Wi-Fi AP set to broadcast the SSID, which means it's uploaded to world-wide publicly accessible databases whether they like it or not.
a. The (unique) GPS location (of the phone uploading it) is uploaded
b. The signal strength (of the signal to the phone) is uploaded
c. The (unique) BSSID (MAC address) is uploaded - which is essentially you
d. The (normally non-unique) SSID is uploaded (with or without _nomap)
Every mobile device owned by ignorant/rude people is uploading that privacy
to the world-wide publicly accessible databases (which have been abused).
That means my mobile devices don't ever upload your privacy.
But your mobile device almost certainly tries to upload mine.
What I do to prevent the upload is I set my SSID to not broadcast.
a. This prevents a passive upload by rude/ignorant people.
I also opt out by adding _optout_ & _nomap to the SSID.
b. This (supposedly) removes my privacy information from the servers
In addition, I set the mobile device to not connect automatically.
c. This stops the mobile device from shouting out "are you there?"
In addition, due to the ubiquitous existence of WPA2 SSID-salted rainbow
hash tables (& reusable butterfly WPA2-handshake hashcat tables), I use a (hopefully) unique SSID (since it's the WPA2 encryption salt) in addition
to a (hopefully) non-dictionary passphrase (both of which are required to
stay out of those pre-computed and re-used cryptographic hash tables).
1. Rainbow tables: Precomputed WPA2 hash databases based on SSID
2. Butterfly hash tables: Optimization structures used in WPA2 cracking
Furthermore, iOS mobile devices can be set to randomize the MAC per SSID,
while Android mobile devices can be set to randomize the MAC per instance.
If you own a newish router, you can upgrade to WPA3, which replaces WPA2's vulnerable handshake with SAE (so it's resistant to dictionary attacks).
Of course, you should always disable Wi-Fi Protected Setup (WPS). Duh.
And, keep your firmware updated (duh), & isolate the guest network (duh). Disable remote administration to your router (duh) & use HTTPS for login.
You "can" restrict connections by MAC, but if you're randomizing the MAC address, it's going to be impossible (as is static IP addresses set at the router level - they now have to be set at the mobile device level instead).
Also enable and check the router log (duh) for intrusions, but if you've
ever done that, you'll know already you're being attacked constantly.
Disable UPnP (duh), and firewall inbound traffic (duh) and enable DNS encryption (DoH/DoT), which seems easy, but I've found it to be a PITA.
A. DoH (DNS over HTTPS) wraps DNS queries inside HTTPS traffic
B. DoT (DNS over TLS) sends DNS queries over a TLS-encrypted channel
You enable iOS 14 & up DoH using Settings > Wi-Fi > DNS & you enable
Android 9+ DoT with Settings > Network & Internet > Advanced > Private DNS.
You enable DoH on Windows in Settings > Network & Internet > Change adapter options > DNS settings where Windows 11 is still DoH but the GUI is better.
On Android devices, you can add a system-wide firewall such as NetGuard.
It can block Wi-Fi/CellularData access per app. Not available on iOS.
I don't have much experience with RethinkDNS, but it's a FOSS Android app
that combines encrypted DNS (DoH/DoT/DNSCrypt) with a system-wide firewall.
i. RethinkDNS = firewall + encrypted DNS (DoH/DoT/DNSCrypt) + blocklists
ii. NetGuard = firewall + per-app blocking + ad/tracker blocklists
You'll never have any privacy/security on iOS, which sucks at both (and
anyone thinking it doesn't suck, clearly doesn't know anything about iOS).
While we're at it, it's probably a good idea to put smart TVs, cameras, and
IoT gadgets on a separate VLAN or guest SSID, and it goes without saying further that you should change the rude/ignorant default iOS/Android setup.
What did I miss?
--
I invest energy in responding to Usenet posts because I care about people getting full & complete information so we move tribal knowledge forward.
--- Synchronet 3.21a-Linux NewsLink 1.2
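The post above argues that a unique SSID plus a non-dictionary passphrase keeps a network out of precomputed WPA2 hash tables, because the SSID is the salt of the key derivation. The following added example (my code, not the poster's) makes that concrete: it implements the standard WPA2-Personal PMK derivation (PBKDF2-HMAC-SHA1, 4096 iterations, 32-byte output, SSID as salt) with the input limits the standard imposes, shows that the same passphrase yields a different PMK under every SSID, and includes a small helper that checks whether an SSID carries the `_nomap` / `_optout` opt-out suffixes the post mentions. The IEEE test vector (`password` / `IEEE`) is the published one; the other SSIDs and passphrases are constructed sample values.

```python
import hashlib


def wpa2_pmk(ssid: str, passphrase: str) -> bytes:
    """Derive the WPA2-Personal Pairwise Master Key from an SSID and passphrase.

    This is the standard PSK mapping: PBKDF2-HMAC-SHA1 over the passphrase,
    salted with the SSID bytes, 4096 iterations, 256-bit output. Because the
    SSID is the salt, a precomputed table is only valid for one SSID value.
    """
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1..32 bytes")
    # WPA2-Personal passphrases are 8..63 printable ASCII characters.
    if not 8 <= len(passphrase) <= 63 or not all(32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be 8..63 printable ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid_bytes, 4096, dklen=32)


def pmk_per_ssid(passphrase: str, ssids: list[str]) -> dict[str, str]:
    """Return hex PMKs for one passphrase under several SSIDs.

    Every entry differs, which is why a table precomputed for a common SSID
    such as a default vendor name says nothing about a network with a unique one.
    """
    return {ssid: wpa2_pmk(ssid, passphrase).hex() for ssid in ssids}


def opts_out_of_mapping(ssid: str) -> dict[str, bool]:
    """Report whether an SSID carries the opt-out markers named in the post.

    `_nomap` is honoured by Google's location service when it ends the SSID;
    `_optout` was Microsoft's marker and is matched anywhere in the SSID.
    Marking an SSID is a request to the database operators, not enforcement.
    """
    return {
        "nomap": ssid.endswith("_nomap"),
        "optout": "_optout" in ssid,
    }


if __name__ == "__main__":
    # Constructed sample values: the same passphrase under three SSIDs.
    for ssid, pmk in pmk_per_ssid("correct-horse-battery", ["NETGEAR", "linksys", "k7q-unique-9x"]).items():
        print(f"{ssid:16} {pmk}")
    print(opts_out_of_mapping("k7q-unique-9x_optout_nomap"))
```

The `wpa2_pmk` function reproduces the published IEEE test vector, so it can be checked against any other implementation; `pmk_per_ssid` is the part that illustrates the poster's point about SSID-specific tables.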