Hi All,

I'm new to BBHN, and I've set up a toy network with three nodes.  So far, I am very impressed.  I'm looking to get our local club (W1EE, Stamford Amateur Radio Association) working with this technology.

One thing that concerns me about a wide-area deployment in a populated region is the potential for interference.  If I understand correctly, the only thing that one needs to join a BBHN mesh is the SSID of that mesh, which is standardized and broadcast.  This means that a curious person, be they well-intentioned or malicious, could with a little effort join a mesh and cause a variety of problems.  I understand that the whole point of BBHN is to make it easy for nodes to connect, but human nature being what it is, there is potential for disruption.

Am I correct? And if so, has any thought been given to how to exclude malicious nodes?

73,

Andy, N2CN

Short Answer: Absolutely Nothing

BBHN nodes are basically the same as an open voice repeater with no PL tone set.

Now the setup is a bit more complicated than just connecting to the SSID, you would need to run a few additional programs to actually transmit data over the network.

The default deployment keeps random devices from doing too much (except sending “HEY IM HERE” ) but does nothing to stop a rouge BBHN device from connecting or a rouge person whom has the skill to understand just what they are looking at.

Has core looked into any method to solve this: I don't know to be honest.

Have I looked into ways to solve this: Yes, but none of them are that great unless it makes it into a core build they all honestly need some work before I blurt them out (need a lot more testing and thought)

I haven't seen that many people ask this question (which I believe is a good question). I would say the more people speak up and specify it as something they need to be able to deploy the more likely it would be to land on a desk and be looked at

Hi Andy,

I agree that we should be concerned with malicious access to our nodes. However I believe there are several factors that greatly reduce the likelihood of this occurring.

1. Few hams even know this technology exists let alone non hams.
2. The use of directional antennas that are horizontally polarized greatly reduces how many people are even in range of a node.
3. Nodes do have custom passwords for changing the settings so at least control of the node is protected.
4. Each node lists all nodes it is connected to or has been connected to. This list contains call signs. A quick search online will tell you if the callsign is real or not. If not then alert your local ham clubs that you need help tracking down someone who is illegally operating.
5. Various devices that you would connect to a node such as a computer, regular wifi hotspot, file servers, webcams, and other devices have their own configuration software that typically allows the use of a password to protect access to that device.

"1. Few hams even know this technology exists let alone non hams."

I would be less worried about the hams,  worry about the 13-16 year old down the block who enjoys a computer networking challenge (I've been there, done that myself -- I was almost running the networks for the local school district back when I was a student (Elementary through High School) as I was often the go-to student who could point out the issue.

Also with beacons up to 10x a second with the default SSID your not exactly hidden either.

"2. The use of directional antennas that are horizontally polarized greatly reduces how many people are even in range of a node."

That is not really security, but yes it will reduce the number of people whom can directly get to a node, however all you need to do is get to ANY node and your on the entire network and maybe make it more likely that your actions will be seen.

"3. Nodes do have custom passwords for changing the settings so at least control of the node is protected."

This is true, so long as you don't log in over WIFI (no encryption)  it protects the node from being taken over until the password is found (brute force attack -- nothing is built in to lock users out on repeat incorrect passwords.) Worse yet, once the GUI password is found it is also the ROOT password for the node itself letting an attacker install anything they want.

"4. Each node lists all nodes it is connected to or has been connected to. This list contains call signs. A quick search online will tell you if the callsign is real or not. If not then alert your local ham clubs that you need help tracking down someone who is illegally operating."

So you know you have a bad egg but you can't do anything to stop them. IF its a bogus callsign you still have to track them down,  this wont be easy or fun.  Point 2 comes back to haunt you now,  now you have to be IN THE PATH of the signal,  you can get a good idea of where it is with some highly directional antennas but than you still have to get there and get close (as you will be relying on non beam path signal to guide you)  The node in question would also need to still be online while searching.

"5. Various devices that you would connect to a node such as a computer, regular wifi hotspot, file servers, webcams, and other devices have their own configuration software that typically allows the use of a password to protect access to that device."

Well that will keep them off the device (again pay attention to passwords, if your in an area that allows encryption than they are fairly safe, if no encryption is allowed than the passwords may be sent every time you log into the device) 

We are talking about computers which are known for security vulnerabilities however no matter what so we can't guarantee this will stop an attacker.   Even if it does, you still have the issue of all other nodes helping in distributing traffic.

Background:

My day job has me titled as a Sr. Systems Enginer -- I deal with consulting on and deploying security solutions from the desktop up to the infrastructure layer

Well, that is always an option. 

I tend to prefer to find balance, a method that allows an acceptable level of risk to reward.

No computer based system will ever be 100% secure, the only way to do that is as you mention to unplug.  One does need to understand the risks involved to judge for themselves the risk/reward.

The point to be made though is a BBHN network is much more complex in a computer security nature than most other protocols are.  The next closest protocol is Packet with an IP stack but that never really took off so much of the ham radio security side was never developed, after that Packet with a BBS(Winlink over  falls into this category as well)   Much less flexible, limited risk vectors compared to WIFI.

Thank you both for your responses.

73,

Andy, N2CN

The short answer is "normal" wifi users won't be able to connect.  With some effort, a computer/wireless savvy person can figure us out and hook in.

If the bad guys see your SSID and Google it, they can figure out you're using BBHN.  Once they figure out you're using BBHN, they can find our web site, find a WRT-54G  or Ubiquiti of the appropriate version, flash BBHN code onto it, and set it up, they're in.

There are other ways to sneak onto the network, but they require more skill and effort.

Once they figure out you're using BBHN, or simply that you're using OLSR, they can take another type of device, install OLSR and maybe a few other things, figure out how to configure it, and then they're in.  That's considerably more difficult than installing BBHN on a WRT-54G. 

If they simply want to listen in, there are a number of free programs that will record every packet that goes by.  The messages will be broken into chunks and mixed in with other stuff, but with some low grade computer skills, it's not that hard to reassemble the original message. 

Realize that we're not that attractive of a target in a lot of ways. You're never going to have a BBHN network that blankets a city where you can just hook into it with your laptop or a WRT54G with a stock antenna.  You need to be near someone's BBHN node, or be able to connect to someone's long range directional mesh node antenna. 

In order to connect to someone's long range directional mesh node, you have to be in the beam, which is probably somewhat narrow.  You probably need to have a beam antenna yourself, unless you're close.  Realize that even if the other node you're trying to connect to has a gain antenna or even an amp, you can't send data through him, unless he can hear your signal.  Since there are a lot of other wireless devices in the beam, it's a lot harder for him to hear you than it is for you to hear him.

Even if someone is near your BBHN node, you have your BBHN node set as an internet gateway, and he wants to steal internet from you, it's very difficult for him to hook up to the mesh node, unless he buys and sets up a WRT54G for BBHN.

BITE YOUR TONGUE MICKEY !!

World Mesh Domination!

5 years and I should be able to sit anywhere in Central Texas and dial my portable VoIP phone and ring the wife (KA5HHZ).

OMG !! WAIT !! Thats ANOTHER way she will be able to bug me! NO We cant have this! Nevermind!

(and yes, she reads these forums... LOVE YOU HUNNY   lol)

While I don't have a solution for keeping people out (because I am not a tech savvy person), maybe we should rethink our security measures. The group that we have in NE Wisconsin are discussing this very thing and some thoughts have come up for consideration that I feel have some merit, We try so hard to keep people out. How about security measures that are more useful for us. Just like intentional interference is dealt with by the FCC, as long as we can find them. How can we do the same with our security. Make it so transparent that anybody accessing  is known. I realize I am talking crazy here, but are there ways to make it so that the violator is spending more time trying to be obscure and untraceable. Kind of like a digital exploding dye pack like they used to put on clothes. Your computer is marked and the point of access is more traceable because it is quickly triangulated within the MESH. You can't interface with the MESH without a "handshake" of your interface with the MESH. Can some tech savvy person make my thoughts and brainstorms sound real?

Rodney, kd0ebt

Any node on the mesh CAN be found which one it is connected to.

See the bottom picture at

http://www.broadband-hamnet.org/visual-of-a-mesh-network.html

It shows what links through who.

That is a built in plugin to OLSR, called Dot Draw, and a simple perl script can produce the image.

KTF

Well knowing what node they came in on is a start.

Having a feed do RF strength, antenna type, direction, phase, exact location , etc combined could lead to some interesting target profiling IF you get multiple nodes in range.

Doesn't keep them out but may make it useful to track down.

Course until you do would still be good to be isolate the node somehow.

So where I'm going with this, and the reason I asked the question in the first place, is that it may be useful to provide an option in a mesh to include a "shared secret" that allows authenticated (but still unencrypted) communication to take place.  Every node wishing to participate in the mesh would have to know the shared secret.  I see it functioning somewhat like CHAP (Challenge-Handshake Authentication Protocol).  I think this would have to be implemented somewhere in the middle of the Hamnet protocol stack.  This scheme would prevent a rogue node from being able to create links to other nodes, effectively excluding it from the mesh.

Funny you should mention that...

Was just just some talking on that solution with a few people:

Would the following scenario meet your request:

A shared key is inserted into the system

No secuirity is done with this shared key to stop you from sending traffic to the local nodes (aka those in direct earshot) 

Without the correct key you DO NOT show up on the mesh as an available node, nor are you able to inject routes into the mesh wide table. 

The key itself is never sent over the network only a hash of the messages and key combined so the other side can hash the message and see if it's the same key or not and choose to reject it.

(And just had another idea but based on your chap comment would have to see how easy it be to extend but more on that after I mull on it)

At the moment there are plans to restore the use of the olsrd "secure" module ( BBHN->ticket:37 ) which provides a hashed checksum onto messages based on a shared secret key allowing each side to verify that a node submitting packets to the mesh know the same key.

If the hashing doesn't match the packet it is thrown out of OLSR (and the route is never added) and your not allowed to access the entire mesh.

This module was in 0.4.3, was removed in 1.0.0 and is currently planned to go into next release.

This will NOT protect against a user speaking directly to a node and using any services it has published (internet included) but it will help limit a user from injecting into nodes and being able to easily traverse across the entire mesh network.

The problem with the "old" way of doing security is that all someone has to do is see the SSID of "Broadband-hamnet-v1" or whatever it is, google that, and finding our web page.  From there, they can download the code to a WRT-54G, and they're in. 

Using the olsrd-secure does make it more difficult for a bad guy to use a mesh network with unsupported hardware, but it does nothing to stop a bad guy from using the readily available code on supported hardware. 

Even without olsrd-secure, the difficulty of connecting unsupported hardware is quite high, since you have to figure out and configure olsr and some other things. 

In the current configuration, in order to connect a "rogue" node on unsupported hardware, you have to recognize the Broadbandhamnet-V1 SSID, figure out that it's OLSR, configure an OLSR node, put BroadbandHamnet-V1 as the SSID, and do whatever other tinkering is necessary to make it connect.   It's much easier to just use the supported hardware and software, which lets anyone in.

I think the "security" from olsrd-secure is mostly smoke and mirrors for a project like ours.

The other way to add some security would be to add some form of key exchange but require the user to enter the key when configuring the software.  Then distribute the key through some "secure" means.

This has the very big disadvantage of having a fragmented BBHN system.  If everyone doesn't use the same key, your networks will no longer mesh.  If you have some sort of emergency, volunteers from another area won't be able to bring their equipment and help out.  This is a big impediment in the "seconds = lives" environment of an emergency.  

Even in non-emergency operation, it presents problems.  You have to figure out a secure key management scheme.  Many new users have enough trouble just loading the software right now.  How are you going to validate new hams and distribute the key?  How many people are going to screw it up somehow even after they get the key?  Is each BBHN "community" going to have a separate key?  How do you coordinate which area uses which key?  e.g. all the problems that make any secure key distribution and management system a pain in the neck.

I certainly see this as one of the many reasons an area may want to change the key for the area.

I see the Mesh as the next step in amateur radio as well. It will take time to build up the infrastructure but in time we can build up heck of a network.

It is after all "Broadband-Hamnet" not "setup-only-in-a-disaster-net"  we should use it to what its full potential.  It is why I got involved in the project.

Out here in SOCAL  setting up infrastructure will actually be a requirement, we have LOTS of valleys that we have to fill in, having long running networks is a certain need.  We can not just setup for 4 days and be gone, we need to have it in place if we expect to use it out here.

Personally, I dream big, I look forward to the day when a packet can make it from SOCAL to Maine on RF alone (ya I know, very big dream, but hey got to have a goal right?) Some of the packet networks in the past had some very large networks going over time,  packets found a way across the globe, as hams we should be able to do it again.