PDA

View Full Version : WPA for Squeezebox 1



conholio
2005-06-14, 01:30
Hi,

the firmware for Squeezbox 2 has support for WPA, but the firmware for SB 1 is limited to WEP. As everyone knows, current tools can crack WEP within minutes - without needing to sample gigabytes of data first as the first crackers needed.

IIRC, the problem with WPA was that the supplier must include it into his firmware and the guys at Slimdevices are working on it (http://lists.slimdevices.com/archives/discuss/2004-February/025314.html)
. Since it is supported on SB 2 I think it should be possible now for SB 1.

So, please update the firmware for SB1 once more to make our WLANs more secure.

Thank you.

mherger
2005-06-14, 01:59
> the firmware for Squeezbox 2 has support for WPA, but the firmware for
> SB 1 is limited to WEP. As everyone knows, current tools can crack WEP
> within minutes - without needing to sample gigabytes of data first as
> the first crackers needed.

That's the reason why I recently bought another wireless router to create
some kind of DMZ for my music players exclusively (1xSliMP, 2xSB1,
1xSB2)...

--

Michael

-----------------------------------------------------------
Help translate SlimServer by using the
StringEditor Plugin (http://www.herger.net/slim/)

dean
2005-06-14, 07:05
Alas, we're limited by the firmware available for the wireless cards
inside Squeezebox1.

Unfortunately, the card manufacturers have stopped developing
firmware for this card (indeed, they have completely stopped
manufacturing this card) and haven't added WPA, so at this point it
seems very unlikely that WPA will be added at this point.



On Jun 14, 2005, at 1:30 AM, conholio wrote:
> the firmware for Squeezbox 2 has support for WPA, but the firmware for
> SB 1 is limited to WEP. As everyone knows, current tools can crack WEP
> within minutes - without needing to sample gigabytes of data first as
> the first crackers needed.
>
> IIRC, the problem with WPA was that the supplier must include it into
> his firmware and the guys at Slimdevices are working on it
> (http://lists.slimdevices.com/archives/discuss/2004-February/
> 025314.html)
> . Since it is supported on SB 2 I think it should be possible now for
> SB 1.
>
> So, please update the firmware for SB1 once more to make our WLANs
> more
> secure.

alex wetmore
2005-06-14, 09:44
On Tue, 14 Jun 2005, Michael Herger wrote:
>> the firmware for Squeezbox 2 has support for WPA, but the firmware for
>> SB 1 is limited to WEP. As everyone knows, current tools can crack WEP
>> within minutes - without needing to sample gigabytes of data first as
>> the first crackers needed.
>
> That's the reason why I recently bought another wireless router to create
> some kind of DMZ for my music players exclusively (1xSliMP, 2xSB1, 1xSB2)...

I use this method too. 802.11b routers are cheap and it also keeps
the SB1 from slowing down your otherwise all 802.11g network.

Just setup the firewall on the 802.11b router so that the SB1 can only
talk to your SlimServer on the appropriate ports. Even if someone
breaks your WEP they won't gain anything beyond being able to run
SoftSqueeze and listen to your music.

alex

Danny Rego
2005-06-15, 06:58
It figures...I finally get my SB2, with plans of retiring the SB1 to be a
wireless around-the-house unit...and now I have to worry about my network
getting hacked if I allow for the older type of wireless access.

grrr...

Danny Rego


----- Original Message -----
From: "dean blackketter" <dean (AT) slimdevices (DOT) com>
To: "Slim Devices Developers" <developers (AT) lists (DOT) slimdevices.com>
Sent: Tuesday, June 14, 2005 10:05 AM
Subject: Re: [Developers] WPA for Squeezebox 1


> Alas, we're limited by the firmware available for the wireless cards
> inside Squeezebox1.
>
> Unfortunately, the card manufacturers have stopped developing firmware
> for this card (indeed, they have completely stopped manufacturing this
> card) and haven't added WPA, so at this point it seems very unlikely that
> WPA will be added at this point.
>
>
>
> On Jun 14, 2005, at 1:30 AM, conholio wrote:
>> the firmware for Squeezbox 2 has support for WPA, but the firmware for
>> SB 1 is limited to WEP. As everyone knows, current tools can crack WEP
>> within minutes - without needing to sample gigabytes of data first as
>> the first crackers needed.
>>
>> IIRC, the problem with WPA was that the supplier must include it into
>> his firmware and the guys at Slimdevices are working on it
>> (http://lists.slimdevices.com/archives/discuss/2004-February/
>> 025314.html)
>> . Since it is supported on SB 2 I think it should be possible now for
>> SB 1.
>>
>> So, please update the firmware for SB1 once more to make our WLANs more
>> secure.
>

robinbowes
2005-06-15, 08:33
It figures...I finally get my SB2, with plans of retiring the SB1 to be a
wireless around-the-house unit...and now I have to worry about my network
getting hacked if I allow for the older type of wireless access.

grrr...


Danny,

Restricting access to the MAC address of the SB should tighten things up a bit.

R.

Danny Rego
2005-06-15, 09:48
Ahhhh.....so I could just allow the SB to access the network wirelessly at
the router?

(I don't own a wireless router yet...so I'm not sure what they are capable
of)

In most wireless routers, can you turn on WEP and WPA, and have one
restricted to certain MACs.....and the other fully open? I'll probably be
picking up the latest greatest Linksys when I decide to make this last jump.

Danny Rego


----- Original Message -----
From: "robinbowes" <robinbowes.1qoccb (AT) no-mx (DOT) forums.slimdevices.com>
To: <developers (AT) lists (DOT) slimdevices.com>
Sent: Wednesday, June 15, 2005 11:33 AM
Subject: [Developers] Re: WPA for Squeezebox 1


>
> Danny Rego Wrote:
>> It figures...I finally get my SB2, with plans of retiring the SB1 to be
>> a
>> wireless around-the-house unit...and now I have to worry about my
>> network
>> getting hacked if I allow for the older type of wireless access.
>>
>> grrr...
>>
>
> Danny,
>
> Restricting access to the MAC address of the SB should tighten things
> up a bit.
>
> R.
>
>
> --
> robinbowes
>

alex wetmore
2005-06-15, 10:32
On Wed, 15 Jun 2005, Danny Rego wrote:
> Ahhhh.....so I could just allow the SB to access the network wirelessly at
> the router?

Yes.

> (I don't own a wireless router yet...so I'm not sure what they are capable
> of)
>
> In most wireless routers, can you turn on WEP and WPA, and have one
> restricted to certain MACs.....and the other fully open? I'll probably be
> picking up the latest greatest Linksys when I decide to make this last jump.

No.

Find a used 802.11b router for the SB1. They are cheap, if not free,
from friends who upgraded to 802.11g. On the SB1 router have MAC
filtering and firewall rules that only allow it to talk to your
Slimserver. Use WEP or not, it doesn't really matter because the
network won't be useful to anyone unless they spoof the MAC of your
SB1 and want to listen to your music.

I think this is the third time that I've posted this suggestion
in this thread.

alex

Danny Rego
2005-06-15, 11:00
I know...I've seen it before, but I don't want to worry about setting up a
complicated network. I realize that what you are suggesting isn't THAT
complicated, but still...just looking for simple. The more parts required
for the network to function...the more things can go wrong.

Thanks for the info though.

Danny Rego


----- Original Message -----
From: "alex wetmore" <alex (AT) phred (DOT) org>
To: "Slim Devices Developers" <developers (AT) lists (DOT) slimdevices.com>
Sent: Wednesday, June 15, 2005 1:32 PM
Subject: Re: [Developers] Re: WPA for Squeezebox 1


> On Wed, 15 Jun 2005, Danny Rego wrote:
>> Ahhhh.....so I could just allow the SB to access the network wirelessly
>> at the router?
>
> Yes.
>
>> (I don't own a wireless router yet...so I'm not sure what they are
>> capable of)
>>
>> In most wireless routers, can you turn on WEP and WPA, and have one
>> restricted to certain MACs.....and the other fully open? I'll probably
>> be picking up the latest greatest Linksys when I decide to make this last
>> jump.
>
> No.
>
> Find a used 802.11b router for the SB1. They are cheap, if not free,
> from friends who upgraded to 802.11g. On the SB1 router have MAC
> filtering and firewall rules that only allow it to talk to your
> Slimserver. Use WEP or not, it doesn't really matter because the
> network won't be useful to anyone unless they spoof the MAC of your
> SB1 and want to listen to your music.
>
> I think this is the third time that I've posted this suggestion
> in this thread.
>
> alex
>

JJZolx
2005-06-15, 11:10
Ahhhh.....so I could just allow the SB to access the network wirelessly at
the router?

MAC address filtering adds very little to WIFI security. MAC addresses are broadcast in the clear by access points and client devices and are easily spoofed. Anyone that can crack a WEP key will have little trouble spoofing a MAC address.


(I don't own a wireless router yet...so I'm not sure what they are capable
of)

In most wireless routers, can you turn on WEP and WPA, and have one
restricted to certain MACs.....and the other fully open? I'll probably be
picking up the latest greatest Linksys when I decide to make this last jump.

No. Which is why adding a second WEP-only access point was suggested. You can pick one up on eBay for under $20 these days.

Peter Watkins
2005-06-15, 11:41
On Wed, Jun 15, 2005 at 02:00:09PM -0400, Danny Rego wrote:
> I know...I've seen it before, but I don't want to worry about setting up a
> complicated network. I realize that what you are suggesting isn't THAT
> complicated, but still...just looking for simple. The more parts required
> for the network to function...the more things can go wrong.

Another option would be to buy an 802.11g bridge and use the ethernet
port on your SB1. Then you'd have a safer network w/o having to worry
so much about adding firewall rules (especially *outbound* rules, given
that AP devices are more likely to focus on *inbound* rules) to your APs.
Also the bridge route would keep you on the same 2.4 GHz channel and be
less likely to conflict w/ neighbors, cordless phones, etc.

Naturally, a "g" bridge costs more than a "b" AP -- $50 - $150 where
you probably could get a "b" AP for $0 - $10.

Also, this "b" AP plan probably wouldn't work so well if you had more
than one SB1, as SlimServer likes to know clients by MAC or IP -- if you
kept the SlimServer host only on the "g" network, it would see the same
MAC and IP for all the SB1 devics that sat behind the "b" AP's network
address translation table. To make the "b" AP plan work with multiple
SB1s, you might have to connect your SlimServer box to the "b" AP,
either as its main/only connection, or as a non-default netmasked
setup -- which bring up more concerns, though it's doable. Or maybe
SlimServer can deal with N clients with the same NATed IP address,
and all woudl be fine. I dunno, I only have one SB. ;-)

-Peter

> ----- Original Message -----
> From: "alex wetmore" <alex (AT) phred (DOT) org>

> > Find a used 802.11b router for the SB1. They are cheap, if not free,
> > from friends who upgraded to 802.11g. On the SB1 router have MAC
> > filtering and firewall rules that only allow it to talk to your
> > Slimserver. Use WEP or not, it doesn't really matter because the
> > network won't be useful to anyone unless they spoof the MAC of your
> > SB1 and want to listen to your music.

alex wetmore
2005-06-15, 12:58
On Wed, 15 Jun 2005, Peter Watkins wrote:
> Or maybe SlimServer can deal with N clients with the same NATed IP
> address, and all woudl be fine. I dunno, I only have one SB. ;-)

It doesn't seem to be able to deal with this, at least from my limited
testing.

alex

radish
2005-06-15, 14:28
Just to chime in with my setup, which seems to work well with multiple SBs.

I have a general purpose G network which hooks up to my cable modem, and allows the various machines in my apartment to get online, share files etc. The HTPC which doubles as a slimserver is also on this network via a PCI wifi card. For performance reasons I keep my two SBs (1x SBG & 1x SB2) on a seperate B network. I have a second router set to run in B only, on a different channel. It has nothing connected to it's WLAN port, and the HTPC has a ethernet connection to one of it's LAN ports. The SBs connect to it via wifi. Thus, the SBs themselves can only see each other and the HTPC, the HTPC can see two seperate networks. Internet radio streaming etc seem to work fine (I had initially thought I'd have to tell it to use specific interfaces but windows' routing seems to handle it just fine).

mikeb
2005-06-15, 22:11
On Wed, Jun 15, 2005 at 02:41:28PM -0400, Peter Watkins wrote:
:
: Also, this "b" AP plan probably wouldn't work so well if you had more
: than one SB1, as SlimServer likes to know clients by MAC or IP -- if you
: kept the SlimServer host only on the "g" network, it would see the same
: MAC and IP for all the SB1 devics that sat behind the "b" AP's network
: address translation table. To make the "b" AP plan work with multiple
: SB1s, you might have to connect your SlimServer box to the "b" AP,
: either as its main/only connection, or as a non-default netmasked
: setup -- which bring up more concerns, though it's doable. Or maybe
: SlimServer can deal with N clients with the same NATed IP address,
: and all woudl be fine. I dunno, I only have one SB. ;-)

You can just use an 802.11b router without NAT or an 802.11b bridge.
There is no requirement that an 802.11b capable device must perform
NAT for devices behind it.

Then hook up the bridge/router to a firewall to protect the rest of
your home network. You can do that a number of ways depending on
the hardware available and design of your existing network.

Hope that helps.

--mikeb

:
: -Peter

--
Mike Benjamin = mikeb (AT) mikeb (DOT) org

Fifer
2005-07-11, 07:41
I've just gotten interested in this subject as my SB2 is en route and I want to continue to use my SB1 and improve my WiFi security. Can't the 802.11b card in the SB1 be replaced by a card that's capable of WPA, or is there something specific about the included card that the SB1 needs to see? I'd have hoped, given that PCMCIA cards operate to a standard, that the SB1 firmware could be modified to 'turn on' WPA on a capable card. Is the issue that WPA only comes with 802.11g and SB1 cannot drive 'g' for some reason?

dean
2005-07-11, 08:08
There aren't any compatible PCMCIA cards for the SB1 that support
WPA, as far as I know. Even if you were to find one, there's no
support in the SB1 firmware to configure and use WPA (we'd need a
card to begin to write that code.)

-dean



On Jul 11, 2005, at 7:41 AM, Fifer wrote:

>
> I've just gotten interested in this subject as my SB2 is en route
> and I
> want to continue to use my SB1 and improve my WiFi security. Can't the
> 802.11b card in the SB1 be replaced by a card that's capable of
> WPA, or
> is there something specific about the included card that the SB1 needs
> to see? I'd have hoped, given that PCMCIA cards operate to a standard,
> that the SB1 firmware could be modified to 'turn on' WPA on a capable
> card. Is the issue that WPA only comes with 802.11g and SB1 cannot
> drive 'g' for some reason?
>
>
> --
> Fifer
>

alex wetmore
2005-07-11, 08:11
On Mon, 11 Jul 2005, Fifer wrote:
> I've just gotten interested in this subject as my SB2 is en route and I
> want to continue to use my SB1 and improve my WiFi security. Can't the
> 802.11b card in the SB1 be replaced by a card that's capable of WPA, or
> is there something specific about the included card that the SB1 needs
> to see? I'd have hoped, given that PCMCIA cards operate to a standard,
> that the SB1 firmware could be modified to 'turn on' WPA on a capable
> card. Is the issue that WPA only comes with 802.11g and SB1 cannot
> drive 'g' for some reason?

It'll probably cost you less money to get a dedicated AP/Router for
your SB1 than to buy a G card for it. You can pick these up cheaply.
Just configure the firewall rules on the router so that the wireless
can only talk to your slimserver. Even if someone breaks into your
WLAN they won't be able to do anything but emulate a Squeezebox and
listen to your music.

The main downside is that you'll now be using two wireless channels
instead of one.

alex