Surprised so many people are OK with WPA2-PSK

PiIot

n3wb
Joined
Mar 30, 2020
Messages
13
Reaction score
6
Location
Washington
Why are there no wireless 802.1x aka WPA2-Enterprise compatible cameras out there? Am I just not finding them? WPA2-PSK is vulnerable to many exploits both social and technical, and I'm surprised by the amount of people that are just OK with using it. Yes I can create a separate SSID and VLAN that blocks all network access to my other networks, but that doesn't stop a potential snooping neighbor from cracking the WPA2-PSK network and viewing my camera feeds. Also, each additional SSID I have active decreases wifi performance, so I'd rather have as few as possible. RADIUS assigned VLANs is the way to go to solve this, but guess what it requires? 802.1x

It seems like the only cameras I can use with 802.1x are either the (imo) overpriced Axis cameras, or create something custom using a Raspberry Pi and camera modules. Anyone have any other ideas on solving the snooping neighbor problem?
 

SamM

Getting the hang of it
Joined
Mar 29, 2020
Messages
149
Reaction score
49
Location
SA
I still don't get the demand for wireless cameras??? These devices need some sort of continuos power source, bringing the wired part back.. Anyway, (imo) wired is the safest route from nosy neighbours.
 

mat200

IPCT Contributor
Joined
Jan 17, 2017
Messages
5,918
Reaction score
3,842
Why are there no wireless 802.1x aka WPA2-Enterprise compatible cameras out there? Am I just not finding them? WPA2-PSK is vulnerable to many exploits both social and technical, and I'm surprised by the amount of people that are just OK with using it. Yes I can create a separate SSID and VLAN that blocks all network access to my other networks, but that doesn't stop a potential snooping neighbor from cracking the WPA2-PSK network and viewing my camera feeds. Also, each additional SSID I have active decreases wifi performance, so I'd rather have as few as possible. RADIUS assigned VLANs is the way to go to solve this, but guess what it requires? 802.1x

It seems like the only cameras I can use with 802.1x are either the (imo) overpriced Axis cameras, or create something custom using a Raspberry Pi and camera modules. Anyone have any other ideas on solving the snooping neighbor problem?
Welcome @Pilot

Q: Why are there no wireless 802.1x aka WPA2-Enterprise compatible cameras out there? Am I just not finding them? WPA2-PSK is vulnerable to many exploits .. Anyone have any other ideas on solving the snooping neighbor problem?

A: WIRED.

Seriously, go with a wired solution.
 

PiIot

n3wb
Joined
Mar 30, 2020
Messages
13
Reaction score
6
Location
Washington
I have 8 poe cameras already. The camera angle I'm wanting is a 300ft+ run from my server cabinet. I'd rather not go through all the hassle doing that long of a cable run when I could get a wireless camera configured much easier. There are definite use cases for wireless cameras as much as people want to deny it.
 

fenderman

Staff member
Joined
Mar 9, 2014
Messages
33,458
Reaction score
12,464
Why are there no wireless 802.1x aka WPA2-Enterprise compatible cameras out there? Am I just not finding them? WPA2-PSK is vulnerable to many exploits both social and technical, and I'm surprised by the amount of people that are just OK with using it. Yes I can create a separate SSID and VLAN that blocks all network access to my other networks, but that doesn't stop a potential snooping neighbor from cracking the WPA2-PSK network and viewing my camera feeds. Also, each additional SSID I have active decreases wifi performance, so I'd rather have as few as possible. RADIUS assigned VLANs is the way to go to solve this, but guess what it requires? 802.1x

It seems like the only cameras I can use with 802.1x are either the (imo) overpriced Axis cameras, or create something custom using a Raspberry Pi and camera modules. Anyone have any other ideas on solving the snooping neighbor problem?
There are no known vulnerabilities to wpa2-psk, krack was patched. If you ware paranoid, you can always use a wifi bridge that supports the protocol you want. This will give you the added benefit of allowing you to use a much better camera than those that currently support wifi and have a much more stable connection.
 

PiIot

n3wb
Joined
Mar 30, 2020
Messages
13
Reaction score
6
Location
Washington
All it takes is time to crack wpa2-psk, and there are plenty of examples online of how to: How to Hack Wi-Fi: Cracking WPA2-PSK Passwords with Cowpatty Time isn't an issue with a nosy neighbor. Sure, you could rotate your PSK's once a month or so to lower your risk, but since that task would require multiple manual steps it is out of the question for me.

Your wifi bridge suggestion is good though, thanks. This is basically what I was thinking with the raspberry pi + camera module, however if using the pi as a wifi bridge, I can open up my options to higher quality cameras. This seems like the best route so far in terms of cost and effort.
 

pov2

Getting the hang of it
Joined
Sep 7, 2018
Messages
231
Reaction score
41
Location
Canada
@Pilot, I am with you here. I am not OK with WPA2-PSK. Unfortunately, not only cameras don't support WPA2-Enterprise. There are many other devices, and some of them don't have 5 GHz radios. I don't like it but I am forced to keep a 2.4 GHz WPA2 SSID on my access point. Without those devices I would have had only a single 5 GHz WPA2-Enterprise SSID. One example of a device I can't live without is my ecobee thermostat. It doesn't support 5 GHz nor WPA2-Enterprise. And I can't even use a WiFi bridge with it as it doesn't have Ethernet. Sigh...
 

fenderman

Staff member
Joined
Mar 9, 2014
Messages
33,458
Reaction score
12,464
All it takes is time to crack wpa2-psk, and there are plenty of examples online of how to: How to Hack Wi-Fi: Cracking WPA2-PSK Passwords with Cowpatty Time isn't an issue with a nosy neighbor. Sure, you could rotate your PSK's once a month or so to lower your risk, but since that task would require multiple manual steps it is out of the question for me.

Your wifi bridge suggestion is good though, thanks. This is basically what I was thinking with the raspberry pi + camera module, however if using the pi as a wifi bridge, I can open up my options to higher quality cameras. This seems like the best route so far in terms of cost and effort.
It would take many many years, longer than your lifetime to hack a good password with brute force.
 

PiIot

n3wb
Joined
Mar 30, 2020
Messages
13
Reaction score
6
Location
Washington
@Pilot, I am with you here. I am not OK with WPA2-PSK. Unfortunately, not only cameras don't support WPA2-Enterprise. There are many other devices, and some of them don't have 5 GHz radios. I don't like it but I am forced to keep a 2.4 GHz WPA2 SSID on my access point. Without those devices I would have had only a single 5 GHz WPA2-Enterprise SSID. One example of a device I can't live without is my ecobee thermostat. It doesn't support 5 GHz nor WPA2-Enterprise. And I can't even use a WiFi bridge with it as it doesn't have Ethernet. Sigh...
I guess I don't have as big of an issue with putting wifi devices like thermostats on the wpa2-psk ssid/vlan and segregating them off other than MQTT or TLS ports. How much access/damage could someone do if they got into your thermostat?
 

PiIot

n3wb
Joined
Mar 30, 2020
Messages
13
Reaction score
6
Location
Washington
It would take many many years, longer than your lifetime to hack a good password with brute force.
Best case scenario, sure. Worst case scenario though? They crack it on the first attempt. I'd rather there be no scenario at all and have the network un-crackable using EAP-TLS. I also would not prefer to give visiting guests a 20+ character randomized special/number/uppercase/lowercase/whatever password.
 

fenderman

Staff member
Joined
Mar 9, 2014
Messages
33,458
Reaction score
12,464
Best case scenario, sure. Worst case scenario though? They crack it on the first attempt. I'd rather there be no scenario at all and have the network un-crackable using EAP-TLS. I also would not prefer to give visiting guests a 20+ character randomized special/number/uppercase/lowercase/whatever password.
There is no way it can be cracked on the first attempt unless you are using dictionary words.
Your guests can be given access to a guest network that does not allow traffic between the guest devices. Almost every consumer router supports this.
 

PiIot

n3wb
Joined
Mar 30, 2020
Messages
13
Reaction score
6
Location
Washington
i would be more concerned about someone jamming the wifi signal. A very simple process, and does not cost a lot to build a simple tune-able transmitter.
Watchdog alerts in blueiris. Also, if someone is coming to my house with a wifi jammer, they can just as simply put on a mask and knock my PoE cams off with a baseball bat. Watchdog push notification on my phone > call the police. That's about all you can do in that situation.
 

PiIot

n3wb
Joined
Mar 30, 2020
Messages
13
Reaction score
6
Location
Washington
There is no way it can be cracked on the first attempt unless you are using dictionary words.
Your guests can be given access to a guest network that does not allow traffic between the guest devices. Almost every consumer router supports this.
Oh there's always a chance that it gets cracked on the first attempt. What makes you think every brute force attack out there starts with 00000 and then tries 00001, 00002, 00003...? What if your neighbor saw you or someone connecting to your wifi and noticed the amount of digits you put in? What if they overheard you telling someone the PSK from a distance, but only caught a portion of it. Those two examples would substantially lower the amount of time to crack. What I'm saying is that I want there to be a 0% chance of a crack happening. EAP-TLS.

Adding another SSID for a separate guest network is not ideal due to multiple SSID's causing wifi performance issues. I want as few SSID's as possible. I have two right now, a WPA2-PSK for one-off devices like Chromecast and Sonos, as well as guests. I then have a WPA2-Enterprise network using EAP-TLS for any secure communication.
 

fenderman

Staff member
Joined
Mar 9, 2014
Messages
33,458
Reaction score
12,464
Oh there's always a chance that it gets cracked on the first attempt. What makes you think every brute force attack out there starts with 00000 and then tries 00001, 00002, 00003...? What if your neighbor saw you or someone connecting to your wifi and noticed the amount of digits you put in? What if they overheard you telling someone the PSK from a distance, but only caught a portion of it. Those two examples would substantially lower the amount of time to crack. What I'm saying is that I want there to be a 0% chance of a crack happening. EAP-TLS.

Adding another SSID for a separate guest network is not ideal due to multiple SSID's causing wifi performance issues. I want as few SSID's as possible. I have two right now, a WPA2-PSK for one-off devices like Chromecast and Sonos, as well as guests. I then have a WPA2-Enterprise network using EAP-TLS for any secure communication.
A neighbor is peering into your windows while you enter your password? They have set up surveillance to catch you the ones a year that you have to enter a new device password? That’s just an insane level of paranoia. If you’re going to go that far what’s the say that the protocol you use has not been cracked but you don’t know about it yet. Perhaps your router had been compromised during the manufacturing process or at some later point. Perhaps one of the Wi-Fi devices on your network is compromised You can go on and on but at some point you need to stop.
 

bp2008

Staff member
Joined
Mar 10, 2014
Messages
10,065
Reaction score
7,652
Location
USA
Why are there no wireless 802.1x aka WPA2-Enterprise compatible cameras out there?
Allow me to illustrate the reason with a venn diagram:

1585598420690.png


As fenderman pointed out, it is easy and not terribly expensive to add your own wifi bridge, and then you could even secure the communications with a VPN if you wanted to.
 

PiIot

n3wb
Joined
Mar 30, 2020
Messages
13
Reaction score
6
Location
Washington
A neighbor is peering into your windows while you enter your password? They have set up surveillance to catch you the ones a year that you have to enter a new device password? That’s just an insane level of paranoia. If you’re going to go that far what’s the say that the protocol you use has not been cracked but you don’t know about it yet. Perhaps your router had been compromised during the manufacturing process or at some later point. Perhaps one of the Wi-Fi devices on your network is compromised You can go on and on but at some point you need to stop.
If you've figured out how to crack a 2048bit encrypted SSL cert, then my wifi network is the last thing you're going to be looking at lol. These things I'm worried about are all within my control and fairly simple to configure. Manufacturing processes aren't.
 

PiIot

n3wb
Joined
Mar 30, 2020
Messages
13
Reaction score
6
Location
Washington
Allow me to illustrate the reason with a venn diagram:


As fenderman pointed out, it is easy and not terribly expensive to add your own wifi bridge, and then you could even secure the communications with a VPN if you wanted to.

Seems pretty wild to me that a "security camera" wouldn't have the most secure methods of communication available to it - and no one seems to care. Now I might be assuming a little much here, but if I can use a rpi to connect to my 802.1x network, I can almost guarantee that the WNICs in most wireless cameras have the same ability. How much effort would it take to code something like this in? wpa_supplicant.conf(5) — wpasupplicant — Debian stretch — Debian Manpages I bet not much.
 

bp2008

Staff member
Joined
Mar 10, 2014
Messages
10,065
Reaction score
7,652
Location
USA
Seems pretty wild to me that a "security camera" wouldn't have the most secure methods of communication available to it - and no one seems to care
They are physical security devices. IP cams have an utterly terrible track record when it comes to cybersecurity.

I'm sure the hardware itself is more than capable of WPA2-Enterprise. But the camera manufacturers likely don't think it is worth the effort to develop the necessary GUIs, APIs, and documentation, and then support it when people can't make it work because it is over their heads.
 
Top