On Sunday, the digital rights’ group launched its software at the HOPE X hackers conference in New York, and also made a call to all hackers to do what they do best – help the organization “test, develop, improve, and harden” the Open Wireless Router, which will run on Netgear WNDR3800 hardware.
The goal of the project is to allow small businesses and home users to easily allow guests to access their open networks, without sacrificing user security (from exposed WPA2 network passwords). EFF also seeks to allow users to “share a bounded portion of [their] bandwidth on the open network, so guest users cannot slow down your internet connection or use a large portion of your monthly quota,” the group’s website said.
Open Wireless Router will also include automatic updates, which will make us of Tor to thwart attacks targeting such processes. Of its mission, EFF also said that it hopes to change the fact that “most or all existing router software is full of XSS and CSRF vulnerabilities.”
In August, the software is expected to undergo its fair share of testing at the DefCon hacking conference, since it will be one of nine routers hacked in the SOHOpelessly Broken contest, which aims to uncover previously unknown bugs in consumer wireless routers.
On Monday, Ranga Krishnan, a technology fellow at EFF, told SCMagazine.com in an email correspondence that the organization doesn’t currently have the resources to support multiple platforms, but it encourages the hacker community to adapt the software for other hardware models.
“Our goal is to provide a good example that hackers and the industry can adopt into other platforms and products,” Krishnan said. “We are exploring a more modern hardware platform that can be the basis of a consumer-focused release down the road. However, for now, we will only be supporting [Netgear] WNDR3800 as the platform that hackers can use to help us improve the software,” he continued.
The software will support EAP-TLS encryption, allowing certificate-based authentication which “provides each guest a secure encrypted Wi-Fi connection equivalent to WPA2 encryption,” Krishnan explained, without controlling guest access through the widely published, or insecure, WPA2 password. He later added that OWR will isolate guest Wi-Fi traffic via a firewall, so guest users are not able to access the business private network or services.
In a Monday interview with SCMagazine.com, Craig Young, a security researcher with Tripwire’s vulnerability and exposures research team (VERT), said that EFF’s work in Wi-Fi router security was “very exciting,” and that the group was “going about this in the right way,” by engaging the hacker community to lend a hand.
“For those of us who have been doing this awhile, it gets very frustrating to continuously report the same [wireless router] vulnerabilities [to vendors] model after model, and see new products that are being made with the same mistakes that are in older versions,” Young said. “My hope is that the vendors might actually take a look at the project and start pulling some of [the OWR] code into their products,” he said.