
4 Ways to Keep Your Public Wi-Fi Sessions Secure

Some good tips - including setting up a VPN, something I have little experience with (especially for this purpose) but will be looking into!

And I’ve managed to register an account over at the Aus/NZ Meraki user group forum site Merakeye.com after some technical difficulties, which, with assistance from the forum admin, we discovered were a delay caused by phpBB attempting a reverse MX record lookup on my domain, causing a MySQL connection timeout.


It’s a valid point that’s been raised several times - and although I’m no network security expert I know enough to hopefully be able to explain mesh networking from a security point of view to alleviate your concerns.

Firstly - do you honestly believe that your computer and home network are completely secure? The only way you can guarantee that is to unplug from the Internet, disable all your wireless networking, Bluetooth and IR communication features on your computer(s) and ensure all network cabling is physically secure in your house. And then on top of that never stick a floppy disk, CD-ROM or USB thumbdrive in your computer. Just to be safe, don’t install any software either … in fact don’t even turn your computer on.

That might sound a little over the top … but it’s true. If you use Bluetooth, or you’re connected to the Internet and you install software you are taking risks. Security risks. We mitigate the risks through the use of firewalls, anti-virus software, requiring authentication to log onto a computer and physical security of our home computer … nevertheless you are taking risks.

Now the reason I’m saying this is because I need to give you some context for my next statement:

Merakis are not secure.
They do not encrypt data.

Doesn’t this mean that if we use Merakis or connect to a wireless mesh network we’re leaving ourselves wide open to attack by the hordes of malicious hackers out there?

No.

See this diagram below:

Diagram illustrating SSL and WEP security in client to web server network connection.

It shows a computer (could be yours) connecting through a wireless router (in this example, not a Meraki) to a server via the Internet. The server could be a website or your Internet Banking; in this example we’re connecting via SSL (for example 128-bit) and WEP (probably 64-bit).

Is this situation secure? We call it secure - because no-one likes to hear “mostly secure”. A couple of months ago the UK Government lost data disks with the personal information, including banking information, of 7.25 million families. I refer to that incident because even if your connection from your computer to the server via the Internet is (mostly) secure, that information is not encrypted before you type it in, nor once it exits the SSL-WEP tunnel at the far side (otherwise it would be of no use to the business you’re providing personal information to).

In the early days of e-commerce you might have provided your credit card details on a “secure” website (even using SSL) … and that information would be transmitted, encrypted, through the tunnel … and then wind up as a plain text email in a staff member’s inbox where they would then manually type that into an EFTPOS terminal. It’s not that bad anymore as human involvement in the payment processing loop has been largely replaced by payment gateways - nonetheless I want you to realise the sorts of risks you take every day.

Now in the Meraki model, that WEP encryption from the computer to the wireless router (the Meraki) is not there. If you’re using Internet Banking that SSL encryption is still in place, with a 128-bit key which is quite secure. But any non-SSL encrypted data from your computer to the router is being sent as plain unencrypted data packets. That’s only for people connecting via wireless networking. If you’re hardwired into the router with CAT5 cabling and leaving Meraki wireless open for other people then this is not an issue for you.
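As an added illustration (not code from the original post), the sketch below takes a constructed list of URLs and reports what someone in radio range could read on the wireless hop in the three cases described above: WEP router, open Meraki, and a client cabled into the router. The function names and sample hosts are hypothetical, and WEP is treated as hiding the hop, as in the diagram.

```python
from urllib.parse import urlsplit

# Constructed sample of one browsing session; hosts are placeholders.
SAMPLE_URLS = [
    "https://bank.example/login",
    "http://news.example/story?id=42",
    "http://forum.example/ucp.php?mode=login",
]

def wireless_hop_exposure(urls, wireless=True, link_encrypted=False):
    """Map each URL to what someone in radio range can read from it.

    wireless=False models a client cabled into the router.
    link_encrypted=True models the WEP router in the diagram (assumed to
    hide the hop); False models the open Meraki.
    """
    report = {}
    for url in urls:
        parts = urlsplit(url)
        if not wireless or link_encrypted:
            visible = []                     # nothing readable over the air
        elif parts.scheme.lower() == "https":
            visible = ["destination host"]   # SSL hides path, query and body
        else:
            visible = ["destination host", "path", "page content"]
            if parts.query:
                visible.insert(2, "query string")
        report[url] = visible
    return report

def content_exposed_by_open_wireless(urls):
    """URLs whose content becomes readable once WEP is removed."""
    before = wireless_hop_exposure(urls, link_encrypted=True)
    after = wireless_hop_exposure(urls, link_encrypted=False)
    return [u for u in urls
            if "page content" in after[u] and "page content" not in before[u]]

if __name__ == "__main__":
    for url, visible in wireless_hop_exposure(SAMPLE_URLS).items():
        print(f"{url}: {', '.join(visible) or 'nothing'}")
```

Only the two plain-HTTP entries change between the WEP and open cases; the SSL session reveals no more than which host is being contacted.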

But what about those hordes of hackers out there?

In risk management we weight risks based on their likelihood and consequence. What is the likelihood of someone within range of your wireless network (100 feet?) having the equipment, software and skills to capture your data packets and assemble them or extract text strings? If they did manage to do that, what is the consequence of them knowing what web pages you’ve downloaded … because remember your Internet Banking is still secure using SSL, so this is just plain ol’ web browsing.

Now put this in the context of the myriad of other information security risks with your computer and your network … and hopefully you’ll realise that this is really nothing to be worried about - though of course you should take it into consideration, as with all security issues, as part of general computer and network security risk management and planning.