gbadev.org forum archive

This is a read-only mirror of the content originally found on forum.gbadev.org (now offline), salvaged from Wayback Machine copies.

DS Misc > wifi for linux

#154136 - maximAL - Fri Apr 11, 2008 9:20 pm

hi,
so, i finally wanted to get both my DS and wii online. but what puzzles me is that the DS only supports WEP. now, i live in a students hostel with a pretty high potential of bored nerds who might crack my connection to do shit with it (or just use my [limited] traffic volume).
only way to have a secure connection would be the official nintendo wifi connector (since its protocol is proprietary). too bad it only runs on windows...even only win XP, for god's sake...
so, i found out there is a way to hack other wlan hardware using the ralink RT2500 or RT2560 chipset. but obviously only under windows, too...

is there really 100% no way to have a secure connection under linux?

#154140 - Abcd1234 - Fri Apr 11, 2008 10:00 pm

Correct.

Of course, it's obvious you already knew that, so I'm not sure why you're asking. :)

#154141 - maximAL - Fri Apr 11, 2008 10:04 pm

no, i actually wasn't sure if there are fixed linux drivers for those ralink cards around somewhere.

#154158 - takieda - Sat Apr 12, 2008 1:18 am

Wireless in and of itself is unsecure. There is absolutely no way to secure it completely, as there will always be those who can and will crack through it. (of course Nintendo's dongle is always a good plus - and you *might* be able to get it working through ndiswrapper on Linux). That being said, WEP can provide enough security, if added to a few other additional security tips.

obviously, you'll want to use wep 128 bit.
Secondly, IP address filter, and set the IP address of your Wii and DS - do not use DHCP.
Third, MAC address filter. Of course, make sure the filters are set to bar anyone NOT listed.
Don't broadcast SSID (this causes problems with some homebrew, but then again, so does WEP it seems).
Change the subnet from the traditional 192.168.x.x to something completely off the wall (but within the realm of usability). An uncommon one would be 10.0.x.x

Something else I've not looked into, however, you can check to see if any router has the ability (or hacked firmware has the ability) to sense suspicious activity, like the ones used to crack through WEP connections, and automatically shut off wireless until a wired connection can be initiated. This would, of course, stop people from ever being able to hack it, as it would simply drop from view if they tried anything, BUT would be a bit annoying to you if they attempted right in the middle of you using it (which really wouldn't change anything, as the WEP hacks are based on forcing a disconnect with legitimate connections).

**edit** personally, I have my wireless open with only a MAC filter on. I then have logging out the wazoo to see just what people do. I get regularly around 30 attempts a day to connect to my wireless router, though most of them are from the same people. I'm still trying to figure out if their computers are just trying to connect or if they're honestly thinking they'll get through.
_________________
Est Sularis Oth Mithas - My Honor is My Life
(\_/)
(o.o)
(> <) This is The Bunny. Copy The Bunny into your signature to help him on his way to world domination.


Last edited by takieda on Sat Apr 12, 2008 1:58 am; edited 1 time in total

#154161 - tepples - Sat Apr 12, 2008 1:53 am

maximAL wrote:
the DS only supports WEP. now, i live in a students hostel with a pretty high potential of bored nerds who might crack my connection to do shit with it (or just use my [limited] traffic volume).

No, they'll crack someone else's open connection first, and barring that, they'll crack someone else's 64-bit WEP before your 128-bit. Analogy to wilderness survival: if you and someone else are fleeing from a tiger, you don't have to outrun the tiger. By the time someone has cracked your 128-bit WEP with MAC filtering, he could have just plugged into someone's wired network. So I would recommend following takieda's pragmatic advice, with the added step of turning off your router's radio when you're done with the DS.
_________________
-- Where is he?
-- Who?
-- You know, the human.
-- I think he moved to Tilwick.

#154172 - Tikker - Sat Apr 12, 2008 4:55 am

takieda wrote:


obviously, you'll want to use wep 128 bit.
Secondly, IP address filter, and set the IP address of your Wii and DS - do not use DHCP.
Third, MAC address filter. Of course, make sure the filters are set to bar anyone NOT listed.
Don't broadcast SSID (this causes problems with some homebrew, but then again, so does WEP it seems).
Change the subnet from the traditional 192.168.x.x to something completely off the wall (but within the realm of usability). An uncommon one would be 10.0.x.x



lots of disinformation here

turning off SSID broadcast is meaningless as a security measure (ssid is included in every packet sent to and from the AP, so removing it from the beacon drops maybe 10-20% of the SSID sightings)

DHCP or no DHCP if someone's already sniffing your traffic, they're going to know what your subnet is. there's lots of reasons to use static addressing over dynamic, but security isn't really a big part of that

changing the actual subnet again, not really much of a factor in security

#154179 - masscat - Sat Apr 12, 2008 11:41 am

Have a look around http://rt2x00.serialmonkey.com/ for information (possibility?) on using rt2x00 chipset wireless adapters as an AP under linux.

My recommendation on setting up a wireless network for your DS (therefore insecure) would be to use a separate AP (either a physical box or the rt2x00 if you get it working).
Block all access from this AP to your LAN, only allow it to access your Internet connection. Therefore anybody borrowing your wireless network will only be able to nick a share of your Internet connection and not be able to do nasty things to your LAN and the PCs living on it.
If you do want your DS to access your LAN (maybe FTP or similar) then only open the needed ports.
When you are not using it, turn the AP off. Anybody nicking your wireless will get pissed off if it keeps disappearing and go off looking elsewhere.

#154180 - simonjhall - Sat Apr 12, 2008 11:49 am

I use an AP just for DS stuff - it's got no connection to the Internet or our LAN, it just goes into the second Ethernet connection on the back of my PC. A bit of firewall lovin', job done!

No WEP either - so if a hacker gets in they're gonna be disappointed pretty quick!
_________________
Big thanks to everyone who donated for Quake2
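
The layouts masscat and simonjhall describe above, sketched as an added example that is not part of anyone's post: a shell function that prints the iptables commands for a Linux gateway with the DS access point on its own interface. The interface names, subnets and the FTP host are constructed placeholders; nothing is applied until the printed commands are run as root.

```sh
#!/bin/sh
# Added example: prints (does not apply) iptables commands that fence off
# a WEP-only access point. Interfaces and subnets are assumptions.
# usage: ds_ap_rules AP_IF WAN_IF LAN_NET AP_NET [LAN_HOST:TCP_PORT ...]
#   WAN_IF "-" = no Internet either (the fully isolated variant).
ds_ap_rules() {
    [ "$#" -ge 4 ] || { echo "usage: AP_IF WAN_IF LAN_NET AP_NET [HOST:PORT ...]" >&2; return 2; }
    ap_if=$1; wan_if=$2; lan_net=$3; ap_net=$4
    shift 4

    # Validate every pinhole before printing anything, so a typo never
    # yields a half-finished rule set.
    for hole in "$@"; do
        host=${hole%:*}; port=${hole##*:}
        case $port in ''|*[!0-9]*) echo "bad pinhole: $hole" >&2; return 2 ;; esac
        [ "$host" != "$hole" ] && [ -n "$host" ] &&
            [ "$port" -ge 1 ] && [ "$port" -le 65535 ] ||
            { echo "bad pinhole: $hole" >&2; return 2; }
    done

    # Replies to connections opened from the AP side may come back in.
    echo "iptables -A FORWARD -o $ap_if -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"

    # Pinholes first: one TCP port on one LAN host each.
    for hole in "$@"; do
        echo "iptables -A FORWARD -i $ap_if -s $ap_net -d ${hole%:*} -p tcp --dport ${hole##*:} -j ACCEPT"
    done

    # Everything else from the AP towards the wired LAN is dropped.
    echo "iptables -A FORWARD -i $ap_if -d $lan_net -j DROP"

    # Internet only: forward and NAT the AP subnet out of the WAN interface.
    if [ "$wan_if" != "-" ]; then
        echo "iptables -A FORWARD -i $ap_if -s $ap_net -o $wan_if -j ACCEPT"
        echo "iptables -t nat -A POSTROUTING -s $ap_net -o $wan_if -j MASQUERADE"
    fi

    # Catch-alls: nothing else is forwarded, and the gateway itself is
    # unreachable from the AP (so clients need static IPs and outside DNS).
    echo "iptables -A FORWARD -i $ap_if -j DROP"
    echo "iptables -A INPUT -i $ap_if -j DROP"
}

# Constructed sample: AP on eth1, Internet on eth0, FTP pinhole to one host.
ds_ap_rules eth1 eth0 192.168.1.0/24 10.0.7.0/24 192.168.1.10:21
```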

#154185 - Lazy1 - Sat Apr 12, 2008 5:45 pm

simonjhall wrote:
I use an AP just for DS stuff - it's got no connection to the Internet or our LAN, it just goes into the second Ethernet connection on the back of my PC. A bit of firewall lovin', job done!

No WEP either - so if a hacker gets in they're gonna be disappointed pretty quick!


That is an amazing idea, I just might do that.
Though maybe instead I'll redirect all http traffic to one of those sites you cannot un-see >)

#154215 - takieda - Sat Apr 12, 2008 11:06 pm

simonjhall wrote:
I use an AP just for DS stuff - it's got no connection to the Internet or our LAN, it just goes into the second Ethernet connection on the back of my PC. A bit of firewall lovin', job done!

No WEP either - so if a hacker gets in they're gonna be disappointed pretty quick!


I must admit, that is an excellent idea! Must now see how I can exploit it :)

#154216 - takieda - Sat Apr 12, 2008 11:11 pm

Tikker wrote:
takieda wrote:


obviously, you'll want to use wep 128 bit.
Secondly, IP address filter, and set the IP address of your Wii and DS - do not use DHCP.
Third, MAC address filter. Of course, make sure the filters are set to bar anyone NOT listed.
Don't broadcast SSID (this causes problems with some homebrew, but then again, so does WEP it seems).
Change the subnet from the traditional 192.168.x.x to something completely off the wall (but within the realm of usability). An uncommon one would be 10.0.x.x



lots of disinformation here

turning off SSID broadcast is meaningless as a security measure (ssid is included in every packet sent to and from the AP, so removing it from the beacon drops maybe 10-20% of the SSID sightings)

DHCP or no DHCP if someone's already sniffing your traffic, they're going to know what your subnet is. there's lots of reasons to use static addressing over dynamic, but security isn't really a big part of that

changing the actual subnet again, not really much of a factor in security


Did you bother to read the very first thing I said here? I never said this was a perfect method. I never suggested it was unhackable, etc... what it DOES is make the potential hacker look at it and perhaps decide it's too much annoyance to try to hack through.

You add problem on top of problem and the puzzle becomes too complex for most to worry about.

The biggest security issue most anyone HAS to worry about is "script kiddies." i.e. the ones who run around with some program they found on the internet that can acquire the wep key for them, without them having any real knowledge of exactly HOW it works, thus artificially inflating their egos.

This is all a moot point in the end anyway. For the OP, simonjhall posted a very nice method for securing the situation.