The Cisco Valet: Easy Setup, but is it Secure?

A PR firm representing Cisco asked me if I wanted to review the Cisco Valet, a line of "surprisingly simple home wireless" devices that, I have to say, does what it says on the tin. It is by far the easiest setup process I've seen.

The first thing I noticed was the packaging: a complete lack of technical jargon or marketing about how this router compares to the others they sell. The most technical things on the box are in small print and are basically just a list of system requirements and a warning that, due to a number of factors, your wireless speeds and range may vary.

When I did the initial setup, I used my Mac--usually a stumbling block for these so-called "easy setup" programs. The Easy Setup Key is little more than a flash drive that contains some documentation and the Cisco Connect application. Launching Cisco Connect gives you a screen that tells you to do three things:

  • Plug the router into your Internet connection
  • Plug the router into your power
  • Click next

In less than the five minutes it tells you it could take, I had a screen that told me my router was set up and I was connected to it. Sweet! You can, of course, do some additional configuration of the router. A very simple interface is presented for doing this.

The add device option gives you the settings you need to configure a device; obviously, the exact steps will vary by device manufacturer. Once it has detected that the device has connected, you can "name" the device for later reference. Handy!

I didn't mess with the parental controls--I almost never find them granular enough for my tastes. However, it appears they do some category-based URL filtering and allow you to blacklist sites. The problem is the restrictions are per-host, meaning you have to select the individual hosts that you wish to restrict. You also can't whitelist sites or create a default URL filtering policy that applies to all connected hosts. That said, it's more functionality than I've seen in a typical consumer router.

The guest access feature is quite handy as well. Cisco Valet creates a second (open) SSID that your guests can use to access the Internet. It is segmented off from your regular wireless network and presents a captive portal to your guests, who must enter a password before they are allowed access to the Internet.

Of course, you can disable this feature as well.

When the router is first configured, the SSID is set to a random adjective-noun word combination and the password is set to a 10-character random string. In the Valet Settings, you can change these to something of your own choosing. You can also save the settings to the Easy Setup Key (or create a new one using any standard USB thumb drive), which lets you easily configure other Mac or Windows computers in your house with the correct wireless settings.

And, of course, there's the Advanced Settings, which fires up a web browser with a typical Linksys-style web interface for configuring the router (though it is entirely Cisco-branded now). This is where the geek settings are, and they are indeed "advanced." Given the relative ease with which computers can be added and the basic settings configured, I'm sure most people will rarely have a reason to visit the advanced settings.

But Is It Secure?

Most reviews stop here. They are quite happy that someone has finally come up with a wireless router that almost anyone with even rudimentary computer knowledge could configure and use. That is a feat worthy of praise, no doubt.

I am not most people. In the back of my mind, I wonder: did Cisco make this device easy to use and yet actually secure? The answer is not surprising--to me at least.

First, it's probably worth pointing out that I work for a competitor to Cisco: Check Point Software Technologies. We don't compete in the consumer market, really, but we certainly do in the enterprise network security market. That doesn't affect my opinions here, but I figure I should disclose it since some might consider it a conflict of interest.

Prior to proceeding with the setup wizard, I saw what the router was broadcasting by default--a WPA-protected access point named CiscoXXXXX (where XXXXX corresponded to the last 5 digits of the device serial number). My guess is the router is preconfigured with some default WPA password that the Cisco Connect software then changes to something else, which it then tells you after the setup is complete.

Cisco gets props on a number of things security related:

  • Choosing a random network name (SSID)--most manufacturers use a known default
  • Configuring WPA as a default
  • Choosing a random password that contains numbers, upper and lower case letters, and special symbols

All three of these things are good. Choosing a random SSID and a random password makes it harder for someone to brute-force (i.e. guess every possible password) their way onto the wireless access point.

While these are far better than what I've seen from others, it's, unfortunately, not enough. To be relatively safe from a brute-force attempt, the passphrase needs to be at least 20 characters--random ones at that. Also, it defaults to WPA/WPA2 mixed mode, which allows TKIP; TKIP may be needed for some legacy hardware, but it is not the most secure option. You can change to WPA2 only, which supports only AES. It would be nice if you could change the rekey interval, but I don't see a way to do that from the advanced settings.
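To make the two points above concrete (why a random SSID matters as much as a random passphrase, and what 10 versus 20 random characters buys you), here is an added example of my own, not code from the review or from Cisco. It generates a passphrase from the character classes the review describes, computes its entropy, and derives the WPA/WPA2 pre-shared key the way IEEE 802.11i specifies: PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4096 iterations, 32-byte output. Because the SSID is the salt, a table of keys precomputed for a common default SSID such as "linksys" is useless against a factory-unique SSID. The guess rate used for the time estimate is an assumed figure, not one from the review.

```python
import hashlib
import math
import secrets
import string

# Symbol set the review describes: digits, upper and lower case letters, special symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def random_passphrase(length: int = 20) -> str:
    """Draw each position uniformly from ALPHABET using the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def passphrase_entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random passphrase: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit pre-shared key exactly as IEEE 802.11i specifies:
    PBKDF2-HMAC-SHA1, passphrase as password, SSID as salt, 4096 rounds, 32 bytes."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try every passphrase of the given entropy at an assumed guess rate
    (the rate is a hypothetical parameter, not a figure from the review)."""
    return 2 ** bits / guesses_per_second


if __name__ == "__main__":
    passphrase = random_passphrase(20)
    print("passphrase:", passphrase, "entropy bits:", round(passphrase_entropy_bits(20), 1))
    # Same passphrase, two SSIDs: a common default and the review's CiscoXXXXX placeholder.
    for ssid in ("linksys", "CiscoXXXXX"):
        print(f"{ssid:12s} PSK = {wpa_psk(passphrase, ssid).hex()}")
    for n in (10, 20):
        years = seconds_to_exhaust(passphrase_entropy_bits(n), 1e6) / (365 * 86400)
        print(f"{n} random chars: {years:.3g} years to exhaust at 1e6 guesses/s (assumed)")
```

The PBKDF2 step is also why WPA passphrase guessing is slow per attempt: each candidate costs 4096 HMAC-SHA1 rounds, which is what makes the entropy of the passphrase, rather than the rekey interval, the quantity that decides how long a brute-force attempt takes.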

There are a couple of other dangerous settings enabled by default:

  • Universal Plug and Play is enabled by default (which, when paired with malware, could easily make your computers more vulnerable to attacks)
  • WMM Support (in the QoS section) which, when enabled, makes your network a little more susceptible to hacking when WPA (not WPA2) is enabled.

The Nintendo DS Factor

One rather common WiFi-enabled device in any household with children is the Nintendo DS. This device does not support WPA at all. Even the newer DSi, which does support WPA, doesn't support it for DS games. This means that if you want your kids to use the WiFi features of their DS games, you have to use WEP for your wireless security, which is not recommended.

This is, in my opinion, one big disappointment with the Cisco Valet. There is no way to allow a Nintendo DS to use the Guest wireless without using WEP. They could very easily allow whitelisting of certain MAC addresses for access to the Guest wireless (which is open, unencrypted, and will work with the DS) without requiring web-based captive portal authentication.

Other Minor Gripes

The Cisco Connect software allows you to configure items that cannot be configured with the Advanced Settings interface, namely the Guest wireless access. I would like to be able to change the default IP range used for the Guest wireless and, possibly, whitelist certain machines as I described above.

By default, the router administration password is the same as the WPA password. This does make it easier for end users, but I think you should be able to set them independently in the Cisco Connect software.

I also do not see a way through the Cisco Connect software to upgrade the firmware for my router. This is a necessary, sometimes daunting task, especially given the number of hardware variations that can exist even with the same model. There's no reason Cisco couldn't have made this process as simple as they've made everything else--push a button and it takes care of the rest.

And, of course, there are my security gripes above. While they went a lot farther than I've seen other manufacturers go, they could have gone just a little farther in choosing more secure defaults, possibly with an optional "security settings" page so you don't have to hunt in the Advanced Settings interface to make the wireless connectivity more secure.

All in all, though, I am very impressed with the product. I could easily see myself recommending this product to my non-technical friends and family as a dirt simple way to share their Internet connection and create their own personal wireless hotspot.

The only people I cannot recommend this product to are Linux users who lack a Windows or Mac machine on which to run the Cisco Connect software. Since the initial setup of this router cannot happen without the Cisco Connect software, which does not run on Linux, your "out of the box" experience will be less than fulfilling. You only need the software the first time, of course, but you might be better off with a Linksys-branded router.

So yes, Cisco did it. They made WiFi easy for normal people to set up. Using the Easy Setup Key, I set up four different Windows computers with my Cisco Valet settings in a matter of minutes. It was drop-dead simple. I wish they spent a little more time on the security side of things, but this is a tough one to do without making things more inconvenient for users. Given what Cisco was aiming for here, I think they nailed it.

Proof of iSkoot Passing Credentials In The Clear

Dan York asked for this. Here's the tell-tale sign from tcpdump that the user information is in the clear. Obviously, I used a different username than my own here as obscuring my password was difficult:

10:29:56.656220 IP 10.3.2.124.43852 > 69.25.76.54.80: P 1:410(409) ack 1 win 64240 <nop,nop,timestamp 415368834 3930262309>
0x0000:  4500 01cd 747d 4000 4506 21e0 0a03 027c  E...t}@.E.!....|
0x0010:  4519 4c36 ab4c 0050 1c0c e369 bc2c c4f5  E.L6.L.P...i.,..
0x0020:  8018 faf0 2fba 0000 0101 080a 18c2 0682  ..../...........
0x0030:  ea43 0b25 4745 5420 2f73 6372 6970 742f  .C.%GET./script/
0x0040:  6765 745f 7265 675f 6b65 792e 706c 3f6e  get_reg_key.pl?n
0x0050:  616d 653d 696e 7365 6375 7265 2d75 7365  ame=insecure-use
0x0060:  7226 7061 7373 3d69 6e73 6563 7572 652d  r&pass=insecure-
0x0070:  7061 7373 776f 7264 2673 6964 3d77 6b53  password&sid=wkS
0x0080:  6870 4363 5933 3962 5426 6275 696c 643d  hpCcY39bT&build=
0x0090:  6953 6b6f 6f74 2d53 3630 2664 6576 6963  iSkoot-S60&devic
0x00a0:  653d 4e4f 4b49 412d 4e39 3526 6361 703d  e=NOKIA-N95&cap=
0x00b0:  6368 6174 3a32 2c70 7573 683a 3226 6e65  chat:2,push:2&ne
0x00c0:  7477 6f72 6b3d 736b 7970 6526 6c61 6e67  twork=skype&lang
0x00d0:  3d45 4e26 7665 7273 696f 6e3d 312e 312e  =EN&version=1.1.
0x00e0:  3539 2661 6374 3d31 2666 7764 6e62 723d  59&act=1&fwdnbr=
0x00f0:  2532 4231 3336 3039 3831 3634 3136 2666  %2B13609816416&f
0x0100:  6972 7374 7573 653d 3230 3038 2d30 342d  irstuse=2008-04-
0x0110:  3236 2d30 302d 3537 2673 6571 3d36 2663  26-00-57&seq=6&c
0x0120:  6c69 643d 556e 6176 6169 6c61 626c 6520  lid=Unavailable.
0x0130:  4854 5450 2f31 2e31 0d0a 486f 7374 3a20  HTTP/1.1..Host:.
0x0140:  6973 6b2d 626f 732d 6170 7031 2e69 736b  isk-bos-app1.isk
0x0150:  6f6f 742e 636f 6d0d 0a41 6363 6570 743a  oot.com..Accept:
0x0160:  2074 6578 742f 706c 6169 6e0d 0a55 7365  .text/plain..Use
0x0170:  722d 4167 656e 743a 2069 536b 6f6f 7420  r-Agent:.iSkoot.
0x0180:  5379 6d62 6961 6e0d 0a58 2d4e 6f6b 6961  Symbian..X-Nokia
0x0190:  2d4d 7573 6963 5368 6f70 2d56 6572 7369  -MusicShop-Versi
0x01a0:  6f6e 3a20 312e 302e 300d 0a58 2d4e 6f6b  on:.1.0.0..X-Nok
0x01b0:  6961 2d4d 7573 6963 5368 6f70 2d42 6561  ia-MusicShop-Bea
0x01c0:  7265 723a 2057 4c41 4e0d 0a0d 0a         rer:.WLAN....

I did some cursory looking around at the data stream again and saw that pretty much everything is being shuttled around in the clear.

For the sake of argument, I looked at a Skype Mobile session. The only piece of information I saw in the clear was some basic information about my handset. Nothing that wouldn't normally be disclosed when accessing a web site.

While it's true that iSkoot is disclosing stuff, let's put this into perspective for a moment. The only realistic way this could be "discovered" is for someone to get into a router, as I did, and dump the traffic, which is possible but not terribly likely. The other possibility is if you use iSkoot over WiFi. Someone within sniffing distance could easily pull the unencrypted information out of the air, assuming the WiFi access point was open or the WEP or WPA key was known.

That all being said, there's absolutely no excuse for not encrypting the information with SSL and using HTTP POST instead of HTTP GET.
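For anyone who wants to check a capture of their own for this class of leak, here is an added example (my own code, not part of the original post and not from iSkoot): it reassembles the packet from the tcpdump -X hex dump above, strips the IPv4 and TCP headers using the IHL and data-offset fields rather than assuming fixed sizes, parses the plaintext HTTP request, and flags any query-string key that looks like a credential. The dump embedded in it is the one printed above, dummy credentials and all; it equally illustrates the point made in the "iSkoot Transmits Your Data In The Clear" post below, that everything goes out as HTTP GET on port 80. The list of credential-like key names is my own assumption.

```python
import re
from typing import Dict, Tuple
from urllib.parse import parse_qsl, urlsplit

# The tcpdump -X output from the post, embedded verbatim (dummy credentials as posted).
TCPDUMP_HEX = """\
0x0000:  4500 01cd 747d 4000 4506 21e0 0a03 027c  E...t}@.E.!....|
0x0010:  4519 4c36 ab4c 0050 1c0c e369 bc2c c4f5  E.L6.L.P...i.,..
0x0020:  8018 faf0 2fba 0000 0101 080a 18c2 0682  ..../...........
0x0030:  ea43 0b25 4745 5420 2f73 6372 6970 742f  .C.%GET./script/
0x0040:  6765 745f 7265 675f 6b65 792e 706c 3f6e  get_reg_key.pl?n
0x0050:  616d 653d 696e 7365 6375 7265 2d75 7365  ame=insecure-use
0x0060:  7226 7061 7373 3d69 6e73 6563 7572 652d  r&pass=insecure-
0x0070:  7061 7373 776f 7264 2673 6964 3d77 6b53  password&sid=wkS
0x0080:  6870 4363 5933 3962 5426 6275 696c 643d  hpCcY39bT&build=
0x0090:  6953 6b6f 6f74 2d53 3630 2664 6576 6963  iSkoot-S60&devic
0x00a0:  653d 4e4f 4b49 412d 4e39 3526 6361 703d  e=NOKIA-N95&cap=
0x00b0:  6368 6174 3a32 2c70 7573 683a 3226 6e65  chat:2,push:2&ne
0x00c0:  7477 6f72 6b3d 736b 7970 6526 6c61 6e67  twork=skype&lang
0x00d0:  3d45 4e26 7665 7273 696f 6e3d 312e 312e  =EN&version=1.1.
0x00e0:  3539 2661 6374 3d31 2666 7764 6e62 723d  59&act=1&fwdnbr=
0x00f0:  2532 4231 3336 3039 3831 3634 3136 2666  %2B13609816416&f
0x0100:  6972 7374 7573 653d 3230 3038 2d30 342d  irstuse=2008-04-
0x0110:  3236 2d30 302d 3537 2673 6571 3d36 2663  26-00-57&seq=6&c
0x0120:  6c69 643d 556e 6176 6169 6c61 626c 6520  lid=Unavailable.
0x0130:  4854 5450 2f31 2e31 0d0a 486f 7374 3a20  HTTP/1.1..Host:.
0x0140:  6973 6b2d 626f 732d 6170 7031 2e69 736b  isk-bos-app1.isk
0x0150:  6f6f 742e 636f 6d0d 0a41 6363 6570 743a  oot.com..Accept:
0x0160:  2074 6578 742f 706c 6169 6e0d 0a55 7365  .text/plain..Use
0x0170:  722d 4167 656e 743a 2069 536b 6f6f 7420  r-Agent:.iSkoot.
0x0180:  5379 6d62 6961 6e0d 0a58 2d4e 6f6b 6961  Symbian..X-Nokia
0x0190:  2d4d 7573 6963 5368 6f70 2d56 6572 7369  -MusicShop-Versi
0x01a0:  6f6e 3a20 312e 302e 300d 0a58 2d4e 6f6b  on:.1.0.0..X-Nok
0x01b0:  6961 2d4d 7573 6963 5368 6f70 2d42 6561  ia-MusicShop-Bea
0x01c0:  7265 723a 2057 4c41 4e0d 0a0d 0a         rer:.WLAN....
"""

# One dump line: offset, then up to eight 16-bit hex groups, then (after two spaces) ASCII.
HEX_LINE = re.compile(r"^\s*0x[0-9a-fA-F]+:\s+((?:[0-9a-fA-F]{4}\s)*[0-9a-fA-F]{2,4})")

# Query-string keys that should never travel unencrypted (assumed list, extend as needed).
SECRET_KEY = re.compile(r"pass|pwd|secret|token", re.IGNORECASE)


def parse_tcpdump_hex(dump: str) -> bytes:
    """Reassemble raw packet bytes from tcpdump -X hex lines, ignoring the ASCII column."""
    packet = bytearray()
    for line in dump.splitlines():
        m = HEX_LINE.match(line)
        if m:
            packet += bytes.fromhex(m.group(1).replace(" ", ""))
    return bytes(packet)


def tcp_payload(packet: bytes) -> Tuple[int, bytes]:
    """Strip the IPv4 header (length from IHL) and TCP header (length from data offset);
    return the destination port and the application-layer payload."""
    ihl = (packet[0] & 0x0F) * 4
    tcp = packet[ihl:]
    dst_port = int.from_bytes(tcp[2:4], "big")
    data_offset = (tcp[12] >> 4) * 4
    return dst_port, tcp[data_offset:]


def inspect_http_request(dst_port: int, payload: bytes) -> Dict[str, object]:
    """Parse a plaintext HTTP request line and headers; report credential-like query keys."""
    head = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for h in header_lines:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    params = dict(parse_qsl(url.query, keep_blank_values=True))
    return {
        "dst_port": dst_port,
        "host": headers.get("host", ""),
        "method": method,
        "path": url.path,
        "param_count": len(params),
        "exposed": {k: v for k, v in params.items() if SECRET_KEY.search(k)},
    }


def analyze_dump(dump: str) -> Dict[str, object]:
    """End to end: hex dump -> packet -> TCP payload -> HTTP findings."""
    dst_port, payload = tcp_payload(parse_tcpdump_hex(dump))
    return inspect_http_request(dst_port, payload)


if __name__ == "__main__":
    for key, value in analyze_dump(TCPDUMP_HEX).items():
        print(f"{key}: {value}")
```

The same parser works on any single-packet tcpdump -X dump of a plaintext request; because the credentials are in the URL rather than a request body, they also end up in the web server's access log and in any proxy log between the handset and iskoot.com, which is the practical reason POST over SSL is the fix rather than SSL alone.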

iSkoot Transmits Your Data In The Clear

Various people are thinking that Skype Mobile is basically an unbranded iSkoot, which does the same thing in much the same way. Generally speaking, they seem to do the same thing, but they do it very differently. Packet traces don't lie.

I loaded up iSkoot on my Nokia N95 and accessed the iSkoot service via WiFi. I did this so I could capture what the iSkoot client was sending out so I could see the difference. And oh, boy was it different--different enough that I would think twice about using iSkoot.

First of all, Skype appeared to use a TCP connection on a non-standard port. Fine with me. I looked at the raw packets generated by Skype Mobile and saw an opaque blob--exactly what I expected to see.

iSkoot uses TCP port 80--the same port used by HTTP, the lingua franca of downloading web pages. It sends various things as a series of HTTP GET calls. The scary part of this is that your text chat messages--and lots of other interesting information, including your Skype credentials--are being transmitted in the clear. That's right, iSkoot takes all that perfectly good encryption that Skype employs and throws it out the window. For no good reason.

Until iSkoot fixes this problem--and it would be very easy for them to do so (ever hear of SSL?)--I cannot in good conscience recommend using iSkoot.

Update: The issue is resolved in their latest Symbian/S60 client.

WiFi and Windows XP Tips

Being that I am in the Bay Area, and my Aunt and her kids live down in the Santa Cruz area, every once in a while I feel the need to go down there and see them. This time, I even gave them more than a few hours of notice that I was coming so I could see at least one of my cousins, who complains she never gets to see me.

Anyway, after the usual discussions about my mom, the rest of the family, politics and religion, the conversation drifted into computers. Apparently, my uncle had bought a Linksys WRT54GS and was trying to use his laptop in the living room. He had bought one of those WiFi repeaters that Linksys sells because he was having signal issues. He was worried, rightfully so, about not having any of this secured.

The Linksys WiFi repeater is particularly difficult to configure, since it has no Ethernet port. It's even worse when you are trying to use it with WPA. I eventually gave up using it myself. I found that proper location of the WiFi router, high-gain antennas, and third-party firmware such as DD-WRT resolved the vast majority of my issues. The main reason for the third-party firmware: the ability to adjust your transmit power to at least 50mW. Unfortunately, he has one of the newer WRT54GS units. You know, the ones Linksys neutered so that it is difficult to flash third-party firmware on them. Still, antennas and orientation will work wonders.

Later on, I had pulled out my MacBook to show some photos and videos I took with my various Nokia handsets. They really liked the FrontRow interface of the Mac. After we finished with that, I had iStumbler running and picked up a half dozen WiFi access points--most of them on channel 6. Of course their access point was also running on channel 6. I suggested changing to either channel 1 or channel 11. Of course, I suggested killing that WiFi repeater because even I have a problem configuring that thing. I can't imagine my uncle, who is a semi-computer literate person in his 60s, trying to accomplish this.

Then we got onto the whole spyware/virus/cookie thing. Like most people, they are running on their computers as administrator. That's dangerous, even for someone like me who knows what they are doing. It is not a very good idea for most people to operate in that fashion. Of course, Microsoft and application vendors make it difficult to do properly. You should also use Firefox instead of Internet Explorer and/or configure Internet Explorer with safer default settings to reduce your exposure risk.

Because the above was a lot of information, I am going to summarize in bullet form with links to tools and articles.

WiFi Hints

  • Don't buy a repeater. They are almost never easy to configure.
  • Buy a higher-gain antenna set for your router. If your router doesn't have detachable antennas, get a router that does.
  • If you have a Linksys WiFi router, vertically mount the unit on the wall so the antennas and the rest of the unit are in a flat plane. This maximizes the router's ability to broadcast. You may need a Linksys SM-1 mounting bracket to accomplish this. I bought them on eBay, but you can get them on Amazon.com and other places.
  • Check what channel your neighbors are using. Pick a less-crowded channel. Channel 6 is the default for most routers. Use a tool like NetStumbler (PC) or iStumbler (Mac) to find out what WiFis are in use in your neighborhood. Look for routers on channels 1, 6, and 11. Choose whichever of these three has the fewest routers.
  • If you're willing to spend money on new cards and new routers, go get one of the Draft-N WiFi routers and cards (from the same manufacturer). Your range should improve.
  • Configure your router to use WPA. Use a totally random, long, secure passphrase from grc.com/passwords.
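The channel advice above can be turned into a small script once you have a stumbler's scan in hand. This is an added example of mine, not a tool from the post, and it goes one step beyond the text: rather than counting only routers sitting exactly on 1, 6 or 11, it weights every scanned network by how much its 2.4 GHz channel overlaps each candidate (channels are 5 MHz apart but each carrier is roughly 22 MHz wide, so a network up to four channels away still interferes). The scan list is constructed sample data in the shape iStumbler or NetStumbler report; the 0.2-per-channel falloff is my own rough model.

```python
from typing import Dict, List, Tuple

# The three non-overlapping 2.4 GHz channels the tips recommend choosing among.
CANDIDATES = (1, 6, 11)

# Constructed scan results: (SSID, channel, signal in dBm), as a stumbler would list them.
SCAN: List[Tuple[str, int, int]] = [
    ("neighbor-a", 6, -58),
    ("neighbor-b", 6, -71),
    ("neighbor-c", 6, -80),
    ("neighbor-d", 1, -66),
    ("neighbor-e", 3, -75),
    ("neighbor-f", 11, -62),
    ("neighbor-g", 9, -70),
    ("neighbor-h", 10, -77),
]


def overlap_weight(channel: int, candidate: int) -> float:
    """Rough interference weight of a network on `channel` against `candidate`:
    co-channel counts 1.0, dropping 0.2 per channel of separation, zero at 5 or more."""
    d = abs(channel - candidate)
    return (5 - d) / 5 if d < 5 else 0.0


def congestion_scores(scan: List[Tuple[str, int, int]], own_ssid: str = "") -> Dict[int, float]:
    """Sum overlap weights of every foreign network against each candidate channel;
    your own network (own_ssid) is left out because you are about to move it."""
    return {
        c: sum(overlap_weight(ch, c) for ssid, ch, _rssi in scan if ssid != own_ssid)
        for c in CANDIDATES
    }


def best_channel(scan: List[Tuple[str, int, int]], own_ssid: str = "") -> int:
    """Least-congested of channels 1, 6 and 11; ties go to the lower channel number."""
    scores = congestion_scores(scan, own_ssid)
    return min(CANDIDATES, key=lambda c: (scores[c], c))


if __name__ == "__main__":
    for c, s in sorted(congestion_scores(SCAN).items()):
        print(f"channel {c:2d}: congestion {s:.1f}")
    print("recommended channel:", best_channel(SCAN))
```

On the sample scan, channel 6 scores highest because the three co-channel neighbors plus the spill-over from channels 3, 9 and 10 all land on it, which is exactly the situation the post describes: everyone on the default channel.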

Protecting Your Windows XP Box

  • If you haven't already, make sure Service Pack 2 is loaded.
  • Enable the firewall if it's not already.
  • Use Firefox!
  • If you must use Internet Explorer, set your default security settings in Internet Explorer to HIGH. This can be done under Tools > Internet Options > Privacy tab. This will prevent sites you don't explicitly trust from running ActiveX controls, JavaScript, or anything like that. You can then click on the Sites button to add the sites you trust. Yes, this takes a little due diligence on your part, but you really do block unwanted things from entering your platform via Internet Explorer.
  • Use Limited user accounts on Windows XP. Each person that uses your PC should have an account that is a Limited user. This should stop most malware from doing anything to the computer aside from possibly deleting user data. It also prevents stupid user mistakes. They can still run programs, of course, but programs cannot be permanently installed by a Limited user. One administrator account should exist on the computer, but nobody should use it on a regular basis except to install new software or browser plugins. User accounts can be edited by going to Start > Control Panel, then clicking on User Accounts, and then either creating new accounts as appropriate, or editing the existing accounts, clicking on "Change my account type" and setting the type to Limited.

Of course, after my uncle and my cousin saw how sexy my Mac was, how you could also run Windows on it, and how easy it was to use, they were thinking maybe they'd buy a Mac next. Considering the price isn't all that different nowadays, it's worth it to buy a computer capable of running two operating systems (MacOS and Windows) instead of just one (Windows).

My Response to the Whisher Folks

I love the blogosphere. It's a conversation. Lately, it's been interesting. Today, I am responding to Mike Puchol at Whisher on my FON vs Whisher posting:

Thanks for sharing your concerns about Whisher, but I believe your analysis is not accurate in some aspects. First, Whisher works on top of FON, that means, you can share your Fonera with others through Whisher. That a few hackers can open the Fonera and reflash it does -not- mean the thousands of non-technical users out there will be able to do the same.

The Linksys routers that FON originally sent out are, in fact, very easy to hack. Just load new firmware. The LaFonera routers are a little more difficult, from what I've read. I have no doubt that the FON hackers will find a way to make that process a little easier. I certainly don't need to hack a FON router except as a curiosity--I have more than enough WiFi access points already.

My understanding was that the service required WEP/WPA, which at least my Linksys FON router won't do. I believe the new LaFonera routers support dual SSID and thus would support the possibility of Whisher. I did order a new LaFonera to confirm that for sure.

1. Whisher is a LOT more than a WiFi finder/IM application. It offers controlled WiFi sharing, and more information about the signals present than any other application out there, such as average signal strength (useful for finding the best spot other people connected from) and availability. On top of that, file sharing over WiFi is also available, meaning you can transfer large amounts of data in very short time, and we made it as easy as drag & drop. It offers IM, of course, and this will improve over the next few weeks with some nice extra twists - but you also get instant presence information about who is connected to the same WiFi as you are. Shall I go on? :) Geolocation of your buddies, local services that can be customized on a per-hotspot basis...

Knowing who is connected to the WiFi and providing some control over that is useful. I believe you get some of that information via the FON portal, but I haven't had any real users come use my access point since I am kind of in the middle of nowhere. Maybe they provide some control, but I doubt it.

Again, the file transfer, while I have no doubt it is fast and easy, is just not a compelling reason. Geolocation would be potentially interesting once a critical mass of Whisher-enabled hotspots is available, but right now, it's just a curiosity.

2. If you don't like to share your AP, then don't. You can still use all the other features that Whisher offers. If you do decide to share, you can do so in a controlled fashion, either you are OK with everyone having access to your WiFi, or you share in buddies-only mode, whereby only those in your buddy list will get your key. If someone wants to have access, they just need to ask you to add them to your buddy list, it's as simple as that. Finally, you can share in private mode, giving only your closest contacts VIP status, so not even your non-VIP buddies will be able to get in. Changing modes is basically clicking on a button - that is it, all done from the client.

Granular sharing is good, something FON lacks. However, I tend to either want to share with everyone or nobody. It's a much easier decision to make, and doesn't require software.

If you are worried about segregating your network from the public one, then just install a router with DD-WRT, which provides dual SSIDs, one you can share with Whisher in private mode, and the other in public mode. We have implemented a 'master' function, which is not yet available in the client, which lets you 'pool' access points, so that people connecting to any pooled node will join the same chatroom, have presence information, etc. about anyone connected on any of the other nodes. This way you could control both SSIDs with the client transparently. If you think FON is the only way to securely share WiFi, your analysis is not complete.

Actually, FON isn't exactly secure either. Dual SSIDs, which supposedly the latest LaFoneras support as well as DD-WRT firmware on Linksys devices, isn't the most secure either. In theory, if you somehow compromise the access point, you could potentially hop between networks. Even though the risk is fairly small, I don't personally take it. I run two physically different access points--one with FON and one without. In fact, I plug nothing into the FON access point except for the occasional test PC. I have them connected to different Internet connections as well. Even if someone does compromise the access point, there's nothing there for anyone to find.

3. Our business model is based on local & premium services, advertising, and other revenue paths we have identified. We don't plan to charge for the client, or resell access. There are many incentives for using Whisher, from the philanthropist thought of free WiFi, to wanting to create a closed network with your friends & family, and making it easy to manage.

I do have to agree that making it easy to manage a closed network of WiFis is kind of a neat idea. Whether or not other people will think it's a good idea remains to be seen.

You may want to work on creating a page or some documentation explaining to people how to more securely share their WiFi, and what place Whisher serves in that. A lot of people don't understand what WPA is and why using WEP or no encryption at all is an exceedingly bad idea (NEVER suggest WEP, always suggest WPA). I had to educate a neighbor about this recently when I went over to her house to help with an unrelated issue. She had no idea that people could be using her network without her knowledge!

You can do "Free" WiFi with FON as well. All you have to do is create a local login and password in your FON portal and add that information to your splash page. Then anyone can use it.

In any case, I will be watching Whisher. I will probably load it up on a PC and make one of my routers Whisher-enabled, just because I'm a nice guy. Whether or not I will want to keep the client on at all times remains to be seen.

ZTE BAVO™ Home Gateway Mobile Router (EVDO/HSDPA)

Ran across this. Oh man this looks like an interesting device.

ZTE’s Home Gateway H110 comes standard with an Ethernet and PCMCIA Card Slot for Broadband access [via EVDO/HSDPA], with multiple LAN interfaces including four (4) Ethernet, two (2) FXS, one (1) FXO and (2) USB ports. In addition the H110 supports Bluetooth, Print and File Sharing, multiple VPN/VLAN support, and offers a superior user experience with innovative QoS, and a feature rich GUI. Whether you are at home or on the road, whether it is network computing, entertainment, Internet safety, or voice communication, the H110 Home Gateway provides you the total communication solution.

This could prove to be quite an interesting device. It is a little out of my price range, but it does combine several useful features into a tiny little box, which makes it worth considering.