Re: [PLUG] Looking for some WiFi AP Security Advice

2023-12-30 Thread Mark Phillips
Thanks, MC_SEQUOIA for the explanation.

My assumption was that HTTPS encrypts the messages between the client
browser and server, so one cannot just eavesdrop on the messages back and
forth to generate a map of how to intercept and change the messages. Of
course, one would have to gain access to the private WiFi network created
with the AP, protected by a 16 character password and MAC filter, first.

My security strategy was to put up multiple barriers to make it an annoying
project for the nefarious types. Also, our launches are 2-4 hours long at
most, and then the passwords change for the next launch, and no Internet
connection.

If someone is good enough to get through 3 randomly generated 16 character
passwords and a MAC white list in 3 hours with a laptop within 300 feet of
the launch site, he/she deserves the honor of launching all the rockets!

Good idea to check the DHCP client list periodically during the launch. The
AP provides that as well as a way to deny an unknown connected device, if
needed.

Mark

On Fri, Dec 29, 2023 at 2:38 PM MC_Sequoia  wrote:

>
> > > "I want to set up some sort of secure connection between the cell phone
> > > and the web site running on the Pi."
> > >
> > > This should be doable via a vpn client/server. A quick google search on
> > > "raspberry pi cell phone vpn" returned this:
> >
> >
> > Are you saying a VPN is needed along with the SSL, or as a replacement? Why
> > both, or why as a replacement?
>
> An SSL certificate enables a web site to use HTTPS and it also verifies
> the website's domain authenticity through a certificate authority. This is
> all more for end-user security and privacy. Self-signed certs are for
> non-production enviros.
>
> This does provide end to end security for any and every connected device,
> but with a VPN, you can restrict which ip addr(s) can connect only via the
> vpn. But since, "It is not accessible to the Internet, as the AP is not
> connected to the Internet this is all happening on a private ip network",
> all of this secure connection concern is irrelevant as no one outside of
> the private ip net can access the launch web site.
>
> Yes, it's possible to spoof a mac address, forge ip packets, etc. And
> curious tech savvy kids will be curious tech savvy kids, but you're talking
> about a fairly serious amount of time, effort, knowledge, skill and tools
> to pull this off.
>
> I'd suggest there are far more interesting internet things for those
> curious tech savvy kids to hack & crack on and/or into.
>
> I walked away from a lucrative cybersecurity career a few decades ago
> because my experience was that the whole industry was built on the idea of
> scaring people to buy security products and services. Yes, there are very
> real vulnerabilities, exploits, security concerns and bad actor
> hacker/crackers but people fail to correctly assess the real risks, threats
> and targets.
>
> If you set up a reasonably secure launch situation and some black hat
> genius kid cracks it and launches the rocket on you, they gotta be close
> enough to get onto the WiFi and not in mom's basement over the internet.
>
> You should also be able to monitor the devices in real time that are
> connecting to the WiFi AP. If you're not familiar with this, either poke
> around on the AP mgmt. web site or look through the instruction manual for
> mac table, ip table, arp table, connected devices, or the like. If you see
> a new device that you don't know connect to the AP before the launch, don't
> launch until you figure out what's going on and/or disconnect/block that
> device.
>
> I hope that gives you a better understanding of this whole secure launch
> concern and gives you some peace of mind. Cheers!
>


Re: [PLUG] Looking for some WiFi AP Security Advice

2023-12-29 Thread MC_Sequoia


> > "I want to set up some sort of secure connection between the cell phone
> > and the web site running on the Pi."
> > 
> > This should be doable via a vpn client/server. A quick google search on
> > "raspberry pi cell phone vpn" returned this:
> 
> 
> Are you saying a VPN is needed along with the SSL, or as a replacement? Why
> both, or why as a replacement?

An SSL certificate enables a web site to use HTTPS and it also verifies the 
website's domain authenticity through a certificate authority. This is all more 
for end-user security and privacy. Self-signed certs are for non-production 
enviros. 

This does provide end to end security for any and every connected device, but 
with a VPN, you can restrict which ip addr(s) can connect only via the vpn. But 
since, "It is not accessible to the Internet, as the AP is not connected to the 
Internet this is all happening on a private ip network", all of this secure
connection concern is irrelevant as no one outside of the private ip net can 
access the launch web site. 

Yes, it's possible to spoof a mac address, forge ip packets, etc. And curious 
tech savvy kids will be curious tech savvy kids, but you're talking about a 
fairly serious amount of time, effort, knowledge, skill and tools to pull this 
off. 

I'd suggest there are far more interesting internet things for those curious 
tech savvy kids to hack & crack on and/or into. 

I walked away from a lucrative cybersecurity career a few decades ago because 
my experience was that the whole industry was built on the idea of scaring 
people to buy security products and services. Yes, there are very real 
vulnerabilities, exploits, security concerns and bad actor hacker/crackers but 
people fail to correctly assess the real risks, threats and targets.

If you set up a reasonably secure launch situation and some black hat genius kid
cracks it and launches the rocket on you, they gotta be close enough to get 
onto the WiFi and not in mom's basement over the internet. 

You should also be able to monitor the devices in real time that are connecting 
to the WiFi AP. If you're not familiar with this, either poke around on the AP 
mgmt. web site or look through the instruction manual for mac table, ip table,
arp table, connected devices, or the like. If you see a new device that you 
don't know connect to the AP before the launch, don't launch until you figure 
out what's going on and/or disconnect/block that device. 

I hope that gives you a better understanding of this whole secure launch 
concern and gives you some peace of mind. Cheers!
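
Added example, not part of any post in this thread: one way to run the "unknown device" check described above from the Pi itself, by comparing the Pi's ARP table against a launch-day device list. The MAC addresses, IP addresses, labels and the fixed MAC-to-IP mapping are constructed assumptions; the Pi only sees devices that have exchanged traffic with it, so the AP's own client list remains the fuller view.

```python
"""Pre-launch check: compare devices the Pi has seen against a known-device list."""

ATF_COM = 0x02  # Linux ARP flag: entry is resolved and carries a real MAC

# Constructed allow-list: MAC -> (label, expected IP). Assumes the AP hands out
# fixed (reserved) addresses to the known devices; every value is made up.
KNOWN_DEVICES = {
    "02:00:00:aa:00:01": ("wifi-ap", "192.168.0.1"),
    "02:00:00:aa:00:02": ("launch-phone", "192.168.0.20"),
}

# Constructed sample in the format of /proc/net/arp on Linux.
SAMPLE_ARP = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.0.1      0x1         0x2         02:00:00:aa:00:01     *        wlan0
192.168.0.20     0x1         0x2         02:00:00:AA:00:02     *        wlan0
192.168.0.37     0x1         0x2         02:00:00:bb:00:99     *        wlan0
192.168.0.50     0x1         0x0         00:00:00:00:00:00     *        wlan0
"""


def parse_arp_table(text):
    """Return (ip, mac, device) for every resolved entry, MAC lower-cased."""
    entries = []
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) != 6:
            continue                            # ignore malformed lines
        ip, _hw_type, flags, mac, _mask, dev = fields
        if not int(flags, 16) & ATF_COM:
            continue                            # unresolved: no MAC to judge
        entries.append((ip, mac.lower(), dev))
    return entries


def audit(entries, known=KNOWN_DEVICES):
    """Flag MACs that are not on the list, and listed MACs at the wrong IP.

    A listed MAC is not proof of identity (MACs can be cloned), so a listed
    MAC showing up at an unexpected address is reported as well.
    """
    findings = []
    for ip, mac, dev in entries:
        if mac not in known:
            findings.append(("unknown-device", ip, mac, dev))
            continue
        _label, expected_ip = known[mac]
        if ip != expected_ip:
            findings.append(("known-mac-unexpected-ip", ip, mac, dev))
    return findings


def launch_clear(findings):
    """Hold the launch while any finding is unresolved."""
    return not findings


if __name__ == "__main__":
    # On the Pi, replace SAMPLE_ARP with open("/proc/net/arp").read().
    results = audit(parse_arp_table(SAMPLE_ARP))
    for kind, ip, mac, dev in results:
        print(f"{kind}: {mac} at {ip} on {dev}")
    print("clear to launch" if launch_clear(results) else "HOLD: resolve findings first")
```
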


Re: [PLUG] Looking for some WiFi AP Security Advice

2023-12-28 Thread Mark Phillips
@MC_Sequoia




On Sun, Dec 24, 2023 at 3:23 PM MC_Sequoia  wrote:

> "I want to set up some sort of secure connection between the cell phone
> and the web site running on the Pi."
>
> This should be doable via a vpn client/server. A quick google search on
> "raspberry pi cell phone vpn" returned this:
>

Are you saying a VPN is needed along with the SSL, or as a replacement? Why
both, or why as a replacement?

>
> "If you're going to be connecting to Pi VPN on a mobile device, I
> recommend OpenVPN Connect, the official client. It's completely free and
> integrates really well with iOS and Android. The first step is to open the
> App Store or Play Store, depending on your device. In either case, search
> for OpenVPN Connect"
>
> You should be able to easily find step-by-step instructions to get this
> set up and working.
>
> That'll solve the secure connection between the cell ph and the Rpi hosted
> website, but that doesn't address your "main concern is an attacker connecting to
> the web site and igniting the rocket while the user is connecting the
> wires to the igniter."
>
> I'm going to suggest the probability of this happening is your best
> security.
>
> However, I'm not the adult that's responsible for children's safety.
>
> The big question here is whether the Rpi hosted website is accessible from
> the internet?
>

It is not accessible to the Internet, as the AP is not connected to the
Internet.

>
> My suspicion is that it would have a non-internet routable private, not
> public, ip addr in the following ip addr ranges:
> 10.0.0.0 to 10.255.255.255
> 172.16.0.0 to 172.31.255.255
> 192.168.0.0 to 192.168.255.255
>
> If the Rpi website is accessible via the public internet then there's 2
> other options.
>
> 1. Learn about securing/hardening a Rpi.
> https://www.chrisapproved.com/blog/raspberry-pi-hardening.html
>
> 2. Change all the passwords and codes on launch day.


That is a given. Sorry I didn't mention it.

>
>
> I hope that's somewhat helpful.


Re: [PLUG] Looking for some WiFi AP Security Advice

2023-12-26 Thread Robert Citek
Point not missed. It’s frosty beverage time. - Robert

On Tue, Dec 26, 2023 at 17:32 Ted Mittelstaedt 
wrote:

>
> You missed the point.
>
> As an adult responsible for kids shooting off model rockets would I take
> all precautions?
>
> Obviously.  Not only because it's the duty of the older to set an example
> for the younger but because our litigious society would take my house away
> if I didn't.
>
> But would I draw conclusions from observing others taking these
> precautions that model rocketry is so dangerous that no way on Earth should
> anyone do it without taking precautions?
>
> Ah, no.
>
> You can't bubble-wrap the world and people need to understand what risk is
> all about.  Risk should never be used to frighten people away from taking
> risks.
>
> Electric ignitors today are safer than the old-school way of setting off
> rockets which was to insert a fuse into the butt end of the rocket and
> light it off.
>
> But only marginally.
>
> Ted
>
>
> -Original Message-
> From: PLUG  On Behalf Of Robert Citek
> Sent: Tuesday, December 26, 2023 4:46 AM
> To: Portland Linux/Unix Group 
> Subject: Re: [PLUG] Looking for some WiFi AP Security Advice
>
> Thanks, Ted, for some wonderful examples of survivorship bias.
>
> https://en.m.wikipedia.org/wiki/Survivorship_bias
>
> Not every kid survives to adulthood.  And not every kid who does survive
> does so without losing or damaging some parts. Any EMT, Paramedic, or ER
> staff can tell you countless tales from the other side of that probability
> curve.
>
> But those are best shared in-person over some frosty beverages, not on
> this list.
>
> Regards,
> - Robert
>
>
> On Mon, Dec 25, 2023 at 21:58 Ted Mittelstaedt 
> wrote:
>
> > Yeah although I'll provide the perspective opposite from the "Nanny State"
> > perspective which is:
> >
> > "AFAIK it's still just a toy model rocket"
> >
> > As kids we used to do all kinds of fun and games with these that would
> > fall into The Christmas Story classification of "You'll put your eye
> > out"
> >
> > I saw a kid once stick a lit match up the ass of one of these to set
> > it off because he had run out of ignitors and sure enough it did
> > ignite and blast off.  Other than a lot of "holy shit's" from the rest
> > of us nobody suffered any ill effects - there is in fact enough time
> > to quickly yank your hand away when you hear the rocket engine ignite,
> > it is after all very small.
> >
> > We also specialized in launching these at less than a perfect 90
> > degree angle aiming at targets, as well as loading them with a variety
> > of payloads OTHER than the recommended plastic parachute and wadded
> > tissue paper.  Hezbollah would have been proud of us.
> >
> > Despite our "model rocketry" peccadilloes, all of us grew up with all
> > fingers intact and nobody's house burnt down.
> >
> > Chances are no matter how Rube Goldberg it is, there's no way it will
> > be as bad as some of the stuff we did and the rocket will most likely
> > launch with no ill effects.
> >
> > Ted
> >
> > -Original Message-
> > From: PLUG  On Behalf Of Michael
> > Barnes
> > Sent: Sunday, December 24, 2023 7:28 PM
> > To: Portland Linux/Unix Group 
> > Subject: Re: [PLUG] Looking for some WiFi AP Security Advice
> >
> > Doesn't matter how much security you build in. There is no way on
> > earth you should be launching rockets with anything other than a
> > safety/lockout key equipped hard wired system. Do all you want with
> > fancy clocks, timers, horns, etc for the public's viewing pleasure and
> > show, but the actual launch circuit powering the igniter should only
> > be hardwired under manual control with appropriate safeties in place.
> > Anything else is a disaster waiting to happen and potential for injury
> > and lawsuits.
> >
> > Been doing model rockets since 1963.
> >
> >
> > Michael
> >
> > On Sun, Dec 24, 2023 at 3:23 PM MC_Sequoia 
> > wrote:
> >
> > > "I want to set up some sort of secure connection between the cell
> > > phone and the web site running on the Pi."
> > >
> > > This should be doable via a vpn client/server. A quick google search
> > > on "raspberry pi cell phone vpn" returned this:
> > >
> > > "If you're going to be connecting to Pi VPN on a mobile device, I
> > > recommend OpenVPN Connect, the official client. It's completely free
> > > and inte

Re: [PLUG] Looking for some WiFi AP Security Advice

2023-12-26 Thread Ted Mittelstaedt


You missed the point.

As an adult responsible for kids shooting off model rockets would I take all 
precautions?

Obviously.  Not only because it's the duty of the older to set an example for 
the younger but because our litigious society would take my house away if I 
didn't.

But would I draw conclusions from observing others taking these precautions 
that model rocketry is so dangerous that no way on Earth should anyone do it 
without taking precautions?

Ah, no.

You can't bubble-wrap the world and people need to understand what risk is all 
about.  Risk should never be used to frighten people away from taking risks.

Electric ignitors today are safer than the old-school way of setting off 
rockets which was to insert a fuse into the butt end of the rocket and light it 
off.

But only marginally.

Ted


-Original Message-
From: PLUG  On Behalf Of Robert Citek
Sent: Tuesday, December 26, 2023 4:46 AM
To: Portland Linux/Unix Group 
Subject: Re: [PLUG] Looking for some WiFi AP Security Advice

Thanks, Ted, for some wonderful examples of survivorship bias.

https://en.m.wikipedia.org/wiki/Survivorship_bias

Not every kid survives to adulthood.  And not every kid who does survive does 
so without losing or damaging some parts. Any EMT, Paramedic, or ER staff can 
tell you countless tales from the other side of that probability curve.

But those are best shared in-person over some frosty beverages, not on this 
list.

Regards,
- Robert


On Mon, Dec 25, 2023 at 21:58 Ted Mittelstaedt 
wrote:

> Yeah although I'll provide the perspective opposite from the "Nanny State"
> perspective which is:
>
> "AFAIK it's still just a toy model rocket"
>
> As kids we used to do all kinds of fun and games with these that would 
> fall into The Christmas Story classification of "You'll put your eye 
> out"
>
> I saw a kid once stick a lit match up the ass of one of these to set
> it off because he had run out of ignitors and sure enough it did
> ignite and blast off.  Other than a lot of "holy shit's" from the rest
> of us nobody suffered any ill effects - there is in fact enough time
> to quickly yank your hand away when you hear the rocket engine ignite,
> it is after all very small.
>
> We also specialized in launching these at less than a perfect 90
> degree angle aiming at targets, as well as loading them with a variety
> of payloads OTHER than the recommended plastic parachute and wadded
> tissue paper.  Hezbollah would have been proud of us.
>
> Despite our "model rocketry" peccadilloes, all of us grew up with all
> fingers intact and nobody's house burnt down.
>
> Chances are no matter how Rube Goldberg it is, there's no way it will 
> be as bad as some of the stuff we did and the rocket will most likely 
> launch with no ill effects.
>
> Ted
>
> -Original Message-----
> From: PLUG  On Behalf Of Michael 
> Barnes
> Sent: Sunday, December 24, 2023 7:28 PM
> To: Portland Linux/Unix Group 
> Subject: Re: [PLUG] Looking for some WiFi AP Security Advice
>
> Doesn't matter how much security you build in. There is no way on 
> earth you should be launching rockets with anything other than a 
> safety/lockout key equipped hard wired system. Do all you want with 
> fancy clocks, timers, horns, etc for the public's viewing pleasure and 
> show, but the actual launch circuit powering the igniter should only 
> be hardwired under manual control with appropriate safeties in place. 
> Anything else is a disaster waiting to happen and potential for injury and 
> lawsuits.
>
> Been doing model rockets since 1963.
>
>
> Michael
>
> On Sun, Dec 24, 2023 at 3:23 PM MC_Sequoia 
> wrote:
>
> > "I want to set up some sort of secure connection between the cell 
> > phone and the web site running on the Pi."
> >
> > This should be doable via a vpn client/server. A quick google search 
> > on "raspberry pi cell phone vpn" returned this:
> >
> > "If you're going to be connecting to Pi VPN on a mobile device, I 
> > recommend OpenVPN Connect, the official client. It's completely free 
> > and integrates really well with iOS and Android. The first step is 
> > to open the App Store or Play Store, depending on your device. In 
> > either case, search for OpenVPN Connect"
> >
> > You should be able to easily find step-by-step instructions to
> > get this set up and working.
> >
> > That'll solve the secure connection between the cell ph and the Rpi
> > hosted website, but that doesn't address your "main concern is an attacker
> > connecting to the web site and igniting the rocket while the user is
> > connecting the wires to the igniter."
> >
> > I'm go

Re: [PLUG] Looking for some WiFi AP Security Advice

2023-12-26 Thread Robert Citek
Thanks, Ted, for some wonderful examples of survivorship bias.

https://en.m.wikipedia.org/wiki/Survivorship_bias

Not every kid survives to adulthood.  And not every kid who does survive
does so without losing or damaging some parts. Any EMT, Paramedic, or ER
staff can tell you countless tales from the other side of that probability
curve.

But those are best shared in-person over some frosty beverages, not on this
list.

Regards,
- Robert


On Mon, Dec 25, 2023 at 21:58 Ted Mittelstaedt 
wrote:

> Yeah although I'll provide the perspective opposite from the "Nanny State"
> perspective which is:
>
> "AFAIK it's still just a toy model rocket"
>
> As kids we used to do all kinds of fun and games with these that would
> fall into The Christmas Story classification of
> "You'll put your eye out"
>
> I saw a kid once stick a lit match up the ass of one of these to set it
> off because he had run out of ignitors and sure enough it
> did ignite and blast off.  Other than a lot of "holy shit's" from the rest
> of us nobody suffered any ill effects - there is in fact enough
> time to quickly yank your hand away when you hear the rocket engine
> ignite, it is after all very small.
>
> We also specialized in launching these at less than a perfect 90 degree
> angle aiming at targets, as well as loading them
> with a variety of payloads OTHER than the recommended plastic parachute
> and wadded tissue paper.  Hezbollah would have been proud of us.
>
> Despite our "model rocketry" peccadilloes, all of us grew up with all
> fingers intact and nobody's house burnt down.
>
> Chances are no matter how Rube Goldberg it is, there's no way it will be
> as bad as some of the stuff we did and
> the rocket will most likely launch with no ill effects.
>
> Ted
>
> -Original Message-----
> From: PLUG  On Behalf Of Michael Barnes
> Sent: Sunday, December 24, 2023 7:28 PM
> To: Portland Linux/Unix Group 
> Subject: Re: [PLUG] Looking for some WiFi AP Security Advice
>
> Doesn't matter how much security you build in. There is no way on earth
> you should be launching rockets with anything other than a safety/lockout
> key equipped hard wired system. Do all you want with fancy clocks, timers,
> horns, etc for the public's viewing pleasure and show, but the actual
> launch circuit powering the igniter should only be hardwired under manual
> control with appropriate safeties in place. Anything else is a disaster
> waiting to happen and potential for injury and lawsuits.
>
> Been doing model rockets since 1963.
>
>
> Michael
>
> On Sun, Dec 24, 2023 at 3:23 PM MC_Sequoia 
> wrote:
>
> > "I want to set up some sort of secure connection between the cell
> > phone and the web site running on the Pi."
> >
> > This should be doable via a vpn client/server. A quick google search
> > on "raspberry pi cell phone vpn" returned this:
> >
> > "If you're going to be connecting to Pi VPN on a mobile device, I
> > recommend OpenVPN Connect, the official client. It's completely free
> > and integrates really well with iOS and Android. The first step is to
> > open the App Store or Play Store, depending on your device. In either
> > case, search for OpenVPN Connect"
> >
> > You should be able to easily find step-by-step instructions to get
> > this set up and working.
> >
> > That'll solve the secure connection between the cell ph and the Rpi
> > hosted website, but that doesn't address your "main concern is an attacker
> > connecting to the web site and igniting the rocket while the user is
> > connecting the wires to the igniter."
> >
> > I'm going to suggest the probability of this happening is your best
> > security.
> >
> > However, I'm not the adult that's responsible for children's safety.
> >
> > The big question here is whether the Rpi hosted website is accessible
> > from the internet?
> >
> > My suspicion is that it would have a non-internet routable private, not
> > public, ip addr in the following ip addr ranges:
> > 10.0.0.0 to 10.255.255.255
> > 172.16.0.0 to 172.31.255.255
> > 192.168.0.0 to 192.168.255.255
> >
> > If the Rpi website is accessible via the public internet then there's
> > 2 other options.
> >
> > 1. Learn about securing/hardening a Rpi.
> > https://www.chrisapproved.com/blog/raspberry-pi-hardening.html
> >
> > 2. Change all the passwords and codes on launch day.
> >
> > I hope that's somewhat helpful.


Re: [PLUG] Looking for some WiFi AP Security Advice

2023-12-25 Thread Russell Senior
On Sun, Dec 24, 2023 at 12:34 PM Russell Senior 
wrote:

>
>
> On Sun, Dec 24, 2023 at 11:59 AM Mark Phillips 
> wrote:
>
>> I am working on a project and need some security advice.
>> [...]
>>
>
https://youtu.be/pWcTEizBW74?si=TxAQ2xKTDYGHD_K1=170

-- 
Russell Senior
russ...@personaltelco.net


Re: [PLUG] Looking for some WiFi AP Security Advice

2023-12-25 Thread Ted Mittelstaedt
Yeah although I'll provide the perspective opposite from the "Nanny State" 
perspective which is:

"AFAIK it's still just a toy model rocket"

As kids we used to do all kinds of fun and games with these that would fall 
into The Christmas Story classification of
"You'll put your eye out"

I saw a kid once stick a lit match up the ass of one of these to set it off
because he had run out of ignitors and sure enough it
did ignite and blast off.  Other than a lot of "holy shit's" from the rest of
us nobody suffered any ill effects - there is in fact enough
time to quickly yank your hand away when you hear the rocket engine ignite, it
is after all very small.

We also specialized in launching these at less than a perfect 90 degree angle
aiming at targets, as well as loading them
with a variety of payloads OTHER than the recommended plastic parachute and
wadded tissue paper.  Hezbollah would have been proud of us.

Despite our "model rocketry" peccadilloes, all of us grew up with all fingers
intact and nobody's house burnt down.

Chances are no matter how Rube Goldberg it is, there's no way it will be as bad 
as some of the stuff we did and
the rocket will most likely launch with no ill effects.

Ted

-Original Message-
From: PLUG  On Behalf Of Michael Barnes
Sent: Sunday, December 24, 2023 7:28 PM
To: Portland Linux/Unix Group 
Subject: Re: [PLUG] Looking for some WiFi AP Security Advice

Doesn't matter how much security you build in. There is no way on earth you 
should be launching rockets with anything other than a safety/lockout key 
equipped hard wired system. Do all you want with fancy clocks, timers, horns, 
etc for the public's viewing pleasure and show, but the actual launch circuit 
powering the igniter should only be hardwired under manual control with 
appropriate safeties in place. Anything else is a disaster waiting to happen 
and potential for injury and lawsuits.

Been doing model rockets since 1963.


Michael

On Sun, Dec 24, 2023 at 3:23 PM MC_Sequoia  wrote:

> "I want to set up some sort of secure connection between the cell 
> phone and the web site running on the Pi."
>
> This should be doable via a vpn client/server. A quick google search 
> on "raspberry pi cell phone vpn" returned this:
>
> "If you're going to be connecting to Pi VPN on a mobile device, I 
> recommend OpenVPN Connect, the official client. It's completely free 
> and integrates really well with iOS and Android. The first step is to 
> open the App Store or Play Store, depending on your device. In either 
> case, search for OpenVPN Connect"
>
> You should be able to easily find step-by-step instructions to get
> this set up and working.
>
> That'll solve the secure connection between the cell ph and the Rpi
> hosted website, but that doesn't address your "main concern is an attacker
> connecting to the web site and igniting the rocket while the user is
> connecting the wires to the igniter."
>
> I'm going to suggest the probability of this happening is your best 
> security.
>
> However, I'm not the adult that's responsible for children's safety.
>
> The big question here is whether the Rpi hosted website is accessible 
> from the internet?
>
> My suspicion is that it would have a non-internet routable private, not
> public, ip addr in the following ip addr ranges:
> 10.0.0.0 to 10.255.255.255
> 172.16.0.0 to 172.31.255.255
> 192.168.0.0 to 192.168.255.255
>
> If the Rpi website is accessible via the public internet then there's
> 2 other options.
>
> 1. Learn about securing/hardening a Rpi.
> https://www.chrisapproved.com/blog/raspberry-pi-hardening.html
>
> 2. Change all the passwords and codes on launch day.
>
> I hope that's somewhat helpful.
>



Re: [PLUG] Looking for some WiFi AP Security Advice

2023-12-24 Thread Michael Barnes
Doesn't matter how much security you build in. There is no way on earth you
should be launching rockets with anything other than a safety/lockout key
equipped hard wired system. Do all you want with fancy clocks, timers,
horns, etc for the public's viewing pleasure and show, but the actual
launch circuit powering the igniter should only be hardwired under manual
control with appropriate safeties in place. Anything else is a disaster
waiting to happen and potential for injury and lawsuits.

Been doing model rockets since 1963.


Michael

On Sun, Dec 24, 2023 at 3:23 PM MC_Sequoia  wrote:

> "I want to set up some sort of secure connection between the cell phone
> and the web site running on the Pi."
>
> This should be doable via a vpn client/server. A quick google search on
> "raspberry pi cell phone vpn" returned this:
>
> "If you're going to be connecting to Pi VPN on a mobile device, I
> recommend OpenVPN Connect, the official client. It's completely free and
> integrates really well with iOS and Android. The first step is to open the
> App Store or Play Store, depending on your device. In either case, search
> for OpenVPN Connect"
>
> You should be able to easily find step-by-step instructions to get this
> set up and working.
>
> That'll solve the secure connection between the cell ph and the Rpi hosted
> website, but that doesn't address your "main concern is an attacker connecting to
> the web site and igniting the rocket while the user is connecting the
> wires to the igniter."
>
> I'm going to suggest the probability of this happening is your best
> security.
>
> However, I'm not the adult that's responsible for children's safety.
>
> The big question here is whether the Rpi hosted website is accessible from
> the internet?
>
> My suspicion is that it would have a non-internet routable private, not
> public, ip addr in the following ip addr ranges:
> 10.0.0.0 to 10.255.255.255
> 172.16.0.0 to 172.31.255.255
> 192.168.0.0 to 192.168.255.255
>
> If the Rpi website is accessible via the public internet then there's 2
> other options.
>
> 1. Learn about securing/hardening a Rpi.
> https://www.chrisapproved.com/blog/raspberry-pi-hardening.html
>
> 2. Change all the passwords and codes on launch day.
>
> I hope that's somewhat helpful.
>


Re: [PLUG] Looking for some WiFi AP Security Advice

2023-12-24 Thread MC_Sequoia
"I want to set up some sort of secure connection between the cell phone and the 
web site running on the Pi."

This should be doable via a vpn client/server. A quick google search on 
"raspberry pi cell phone vpn" returned this:

"If you're going to be connecting to Pi VPN on a mobile device, I recommend 
OpenVPN Connect, the official client. It's completely free and integrates 
really well with iOS and Android. The first step is to open the App Store or 
Play Store, depending on your device. In either case, search for OpenVPN 
Connect"

You should be able to easily find step-by-step instructions to get this
set up and working.

That'll solve the secure connection between the cell ph and the Rpi hosted
website, but that doesn't address your "main concern is an attacker connecting to the
web site and igniting the rocket while the user is connecting the wires to the
igniter."

I'm going to suggest the probability of this happening is your best security.

However, I'm not the adult that's responsible for children's safety.

The big question here is whether the Rpi hosted website is accessible from the 
internet?

My suspicion is that it would have a non-internet routable private, not public, ip
addr in the following ip addr ranges:
10.0.0.0 to 10.255.255.255
172.16.0.0 to 172.31.255.255
192.168.0.0 to 192.168.255.255

If the Rpi website is accessible via the public internet then there's 2
other options.

1. Learn about securing/hardening a Rpi. 
https://www.chrisapproved.com/blog/raspberry-pi-hardening.html

2. Change all the passwords and codes on launch day. 

I hope that's somewhat helpful. 









Re: [PLUG] Looking for some WiFi AP Security Advice

2023-12-24 Thread Ted Mittelstaedt



> Yes: using a website to launch the rocket.

I know, really!  They are supposed to use a Habitrail that releases a rodent
that runs through a maze and triggers a button as a food reward.  Website?
How simple!

(clearly you are under the impression model rocketry is all about launching 
rockets.  It isn't.  It's about building them and planning out the launch.  15 
seconds after launch the rocket has drifted off course and falls into a tree or 
someone's roof.)

Ted 




Re: [PLUG] Looking for some WiFi AP Security Advice

2023-12-24 Thread Ted Mittelstaedt
I built a number of these things in my youth, timer based and so on.   The
wireless and pi are of course unnecessary, as was the digital countdown display
I used in my youth.

The big thing that kills these attempts is the power to the ignitor.  Ignitors
need a lot more power than just 2-4a.  While that will do it - eventually - it
takes time for the wire to heat up enough to ignite the ground up match heads
or whatever they coat it with.  So you have this elaborate countdown - in your
case run by the pi - it gets to zero - then nothing happens for 15 seconds
while the ignitor heats up and eventually ignites.  Quite a letdown.

What I found worked was running very thick short cables from a car battery next 
to the rocket to alligator clips on the ignitor and a massive relay.  You want 
the ability to dump 100A into the ignitor for that 300-500 ms so that there's 
no heatup period.  In fact, we got it to where we could just use plain old thin 
bent copper wire, forget the ignitor completely; the wire would glow cherry red 
and ignite the engine.

Ted

-Original Message-
From: PLUG  On Behalf Of Mark Phillips
Sent: Sunday, December 24, 2023 11:59 AM
To: Portland Linux Users Group 
Subject: [PLUG] Looking for some WiFi AP Security Advice

I am working on a project and need some security advice.

The project is a wireless model rocket launcher. It consists of a Raspberry Pi 
2 W (Debian Buster) connected to a daughter board with circuitry to control the 
current to ignite the igniter, a TP-Link Wifi AP, and a cell phone. There is a 
web site (apache and flask) running on the Pi that allows the user to control 
the circuits on the daughter board to launch the rocket.

The typical location for launching the rockets is in a large field far from any 
buildings or trees. Typically, there is no WiFi Internet connectivity and cell 
service is problematical. There are quite a few people attending the launch. 
There are also times when this launcher will be used in a more urban 
environment (like a high school field), so there may be WiFi and cell access to 
the Internet. I want to make the system "unattractive" to the high school 
students or anyone else who thinks it would be cool to hack the launcher during 
a launch.

I want to set up some sort of secure connection between the cell phone and the 
web site running on the Pi. My main concern is an attacker connecting to the 
web site and igniting the rocket while the user is connecting the wires to the 
igniter. Model rocket motors generate an exhaust gas with a temperature of 
~3,000 F. Also, the igniter needs 2-4 A dc for 300 - 500 msec to ignite the 
rocket motor.

I have put these security layers in place.
1. 16 character password to access the WiFi AP network
2. MAC address filtering on the WiFi AP
3. Self signed SSL cert for the web site
4. 16 character password to access the web site
5. Standard flask cookie security for CSRF
6. 8 character code to enable the launcher (the equivalent to a physical 
launch key)
7. A physical switch on the launcher that disables the ignition circuit - for 
use when attaching the igniter leads to the rocket engine. However, there is no 
guarantee that the user will use this switch every time he/she loads a new 
rocket on the launcher. There is a timer attached to the switch so that when 
the switch is put in the "on" position, the igniter circuit will not be enabled 
for another 10 seconds...enough time to run like h*ll away from the 
launcher;)

I am not a security guru, so I am not really sure what my options are. Do you 
have any other suggestions on how I can make this system more secure?
Am I doing anything that is unnecessary?

Thanks!

Mark



Re: [PLUG] Looking for some WiFi AP Security Advice

2023-12-24 Thread Russell Senior
On Sun, Dec 24, 2023 at 11:59 AM Mark Phillips 
wrote:

> I am working on a project and need some security advice.
>
> The project is a wireless model rocket launcher. It consists of a Raspberry
> Pi 2 W (Debian Buster) connected to a daughter board with circuitry
> to control the current to ignite the igniter, a TP-Link Wifi AP, and a cell
> phone. There is a web site (apache and flask) running on the Pi that allows
> the user to control the circuits on the daughter board to launch the
> rocket.
>
> The typical location for launching the rockets is in a large field far from
> any buildings or trees. Typically, there is no WiFi Internet connectivity
> and cell service is problematical. There are quite a few people attending
> the launch. There are also times when this launcher will be used in a more
> urban environment (like a high school field), so there may be WiFi and cell
> access to the Internet. I want to make the system "unattractive" to the
> high school students or anyone else who thinks it would be cool to hack the
> launcher during a launch.
>
> I want to set up some sort of secure connection between the cell phone and
> the web site running on the Pi. My main concern is an attacker connecting
> to the web site and igniting the rocket while the user is connecting the
> wires to the igniter. Model rocket motors generate an exhaust gas with a
> temperature of ~3,000 F. Also, the igniter needs 2-4 A dc for 300 - 500
> msec to ignite the rocket motor.
>
> I have put these security layers in place.
> 1. 16 character password to access the WiFi AP network
> 2. MAC address filtering on the WiFi AP
>

This is useless. MAC addresses can be forged easily.


> 3. Self signed SSL cert for the web site
>

This only confirms to the client that they reached an authentic website.
And not really, since it is self-signed and there isn't a convenient way of
confirming it's valid. It doesn't prevent someone else from accessing the
website, only from pretending to be the website. If it were possible to
confirm the certificate was valid, then this could theoretically prevent
someone from becoming a man-in-the-middle and stealing the credentials that
are protecting the secrets in step 4 and 6.


> 4. 16 character password to access the web site
> 5. Standard flask cookie security for CSRF
> 6. 8 character code to enable the launcher (the equivalent to a physical
> launch key)
>

Consider some kind of temporary code, like a TOTP.


> 7. A physical switch on the launcher that disables the ignition circuit -
> for use when attaching the igniter leads to the rocket engine. However,
> there is no guarantee that the user will use this switch every time he/she
> loads a new rocket on the launcher. [...]


If this is for a club activity, make sure they DO, EVERY TIME. Put it in the
Standard Operating Procedure.

I'd suggest something like a physical key switch, where the key necessary
to enable the launcher is physically attached to the person designated to
attach the igniter wires on a lanyard or something, that can only be
enabled by inserting that key from a safe distance.

> I am not a security guru, so I am not really sure what my options are. Do
> you have any other suggestions on how I can make this system more secure?
> Am I doing anything that is unnecessary?
>

Yes: using a website to launch the rocket.

-- 
Russell Senior
russ...@personaltelco.net
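
Added example (not part of Russell's message or the project's code): one way the "temporary code, like a TOTP" suggestion above could replace the static 8 character arming code in the Flask app, using RFC 6238 with SHA-1, 30 second steps and 6 digits. The ArmingCodeVerifier class, its replay rule and the key shown are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time

STEP = 30    # seconds per time step (RFC 6238 default)
DIGITS = 6   # code length shown by common authenticator apps


def new_secret():
    """Return (raw key, base32 text to type into an authenticator app)."""
    key = secrets.token_bytes(20)
    return key, base64.b32encode(key).decode("ascii")


def hotp(key, counter, digits=DIGITS):
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class ArmingCodeVerifier:
    """Hypothetical helper: accepts each time step's code at most once."""

    def __init__(self, key, window=1):
        self.key = key
        self.window = window        # clock drift tolerated, in steps
        self.last_used_step = -1    # newest step already accepted

    def verify(self, submitted, now=None):
        current = int(time.time() if now is None else now) // STEP
        guess = submitted.encode("utf-8")
        for step in range(current - self.window, current + self.window + 1):
            if step <= self.last_used_step:
                continue            # used or older code: blocks replay
            # compare_digest does not leak how many digits matched
            if hmac.compare_digest(hotp(self.key, step).encode(), guess):
                self.last_used_step = step
                return True
        return False


if __name__ == "__main__":
    key = b"12345678901234567890"   # RFC 6238 test key, not a real secret
    verifier = ArmingCodeVerifier(key)
    print(verifier.verify("287082", now=59))   # first use of the code
    print(verifier.verify("287082", now=59))   # same code replayed
```

Both ends must agree on the time: the launches have no Internet connection, so the Pi cannot sync over NTP and its clock has to be set before the first launch.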


[PLUG] Looking for some WiFi AP Security Advice

2023-12-24 Thread Mark Phillips
I am working on a project and need some security advice.

The project is a wireless model rocket launcher. It consists of a Raspberry
Pi 2 W (Debian Buster) connected to a daughter board with circuitry
to control the current to ignite the igniter, a TP-Link Wifi AP, and a cell
phone. There is a web site (apache and flask) running on the Pi that allows
the user to control the circuits on the daughter board to launch the
rocket.

The typical location for launching the rockets is in a large field far from
any buildings or trees. Typically, there is no WiFi Internet connectivity
and cell service is problematical. There are quite a few people attending
the launch. There are also times when this launcher will be used in a more
urban environment (like a high school field), so there may be WiFi and cell
access to the Internet. I want to make the system "unattractive" to the
high school students or anyone else who thinks it would be cool to hack the
launcher during a launch.

I want to set up some sort of secure connection between the cell phone and
the web site running on the Pi. My main concern is an attacker connecting
to the web site and igniting the rocket while the user is connecting the
wires to the igniter. Model rocket motors generate an exhaust gas with a
temperature of ~3,000 F. Also, the igniter needs 2-4 A dc for 300 - 500
msec to ignite the rocket motor.

I have put these security layers in place.
1. 16 character password to access the WiFi AP network
2. MAC address filtering on the WiFi AP
3. Self signed SSL cert for the web site
4. 16 character password to access the web site
5. Standard flask cookie security for CSRF
6. 8 character code to enable the launcher (the equivalent to a physical
launch key)
7. A physical switch on the launcher that disables the ignition circuit -
for use when attaching the igniter leads to the rocket engine. However,
there is no guarantee that the user will use this switch every time he/she
loads a new rocket on the launcher. There is a timer attached to the switch
so that when the switch is put in the "on" position, the igniter circuit
will not be enabled for another 10 seconds...enough time to run like h*ll
away from the launcher;)

I am not a security guru, so I am not really sure what my options are. Do
you have any other suggestions on how I can make this system more secure?
Am I doing anything that is unnecessary?

Thanks!

Mark