Major Security Flaw in AI-Mesh using AXE11000 as primary with non 6GHz nodes

[TechGuy42]

After further troubleshooting this issue, I changed the WiFi 6 SSID so all 3 radios should broadcast separate SSIDs... after resetting and re-configuring the node, it started broadcasting the AXE11000's 6 GHz WiFi SSID as the node's 5GHz SSID but as an open network. Now that this open network has a unique SSID, I was able to connect to it and it gave me an internet connection.

I feel this is a major security risk to anyone using a non WiFi 6 node with the AXE11000 as the primary, its quite easy for this to go unnoticed especially if someone uses the same SSID for all three radios. Customer service could care less... someone will contact me "within 48 hours" and I've heard that on 4 separate calls this past week but their last email was 2 weeks ago

Nearly $600 for this router and you'd think their support would put more urgency to squashing security related bugs

For reference, here is the thread detailing how I discovered this and what the expected behavior should be

[Saltgrass]

What you are pointing out has been known for a while. But since your mesh notes cannot see the 6 GHz radio, it is doing something else, possibly related to the Back Channel. If you figure it out for sure, let us know.

Having an unsecured 6 GHz radio might cause you problems if someone has a phone with that capability. I keep mine set to WPA3 so a user has to have a password to get on that network.

As an update to everyone, I am now on Windows 11 (21H2) and even though the announcement about Win 11 states 6 GHz capability has been included, I still cannot get my computer to set up the radio without the registry mod. or sign in using the password option..

[TechGuy42]

Having an unsecured 6 GHz radio might cause you problems if someone has a phone with that capability. I keep mine set to WPA3 so a user has to have a password to get on that network.

I think I'm not explaining myself well, there is no issue with the AXE11000 6GHz... it puts a password if I set it to wpa3 and type one in, I just dont have any devices to connect to 6GHz yet so I've turned off the 6GHz radio on the AXE11000.

The issue is that the mesh node (AC68U) is broadcasting an open 5GHz network when its set to be wpa2... and this network SSID matches whats typed in on the AXE11000 6GHz radio, so the node (AC86U) is also broadcasting the incorrect SSID with no way to change either setting. I can only turn off WiFi 5 on the node (AC68U) so that nobody can connect to the open network

[Saltgrass]

I think I'm not explaining myself well, there is no issue with the AXE11000 6GHz... it puts a password if I set it to wpa3 and type one in, I just dont have any devices to connect to 6GHz yet so I've turned off the 6GHz radio on the AXE11000.

The issue is that the mesh node (AC68U) is broadcasting an open 5GHz network when its set to be wpa2... and this network SSID matches whats typed in on the AXE11000 6GHz radio, so the node (AC86U) is also broadcasting the incorrect SSID with no way to change either setting. I can only turn off WiFi 5 on the node (AC68U) so that nobody can connect to the open network

Sometimes it is hard to understand certain aspects of the settings. But I can put a password in the 6 GHz radio, I just can't sign in to that from my computer. It says the radio is using an out of date security and just won't connect. I can use the 6 GHz Radio if I leave it open with the Enhanced Open option..

Are you using Ethernet Back Haul? If you aren't then the 86U has to connect to the AXE11000 with one of it two radios..and you can check how good that connection is.. I start getting confused about this time because I am not that familiar with how the Mesh works. But I do know Ethernet does show a network SSID when connected from a computer..

When you get a new Wi-Fi card and Microsoft or Intel turn on the 6 GHz radio on our systems, maybe will have a better idea of what is happening.

[wilsondenq]

After further troubleshooting this issue, I changed the WiFi 6 SSID so all 3 radios should broadcast separate... after resetting and re-configuring the node, it started broadcasting the AXE11000's 6 GHz WiFi SSID as the node's 5GHz SSID but as an open network. Now that this open network has a unique SSID, I was able to connect to it and it gave me an internet connection.

I feel this is a major security risk to anyone using a non WiFi 6 node with the AXE11000 as the primary, its quite easy for this to go unnoticed especially if someone uses the same SSID for all three radios. Customer service could care less... someone will contact me "within 48 hours" and I've heard that on 4 separate calls this past week but their last email was 2 weeks ago

Nearly $600 for this router and you'd think their support would put more urgency to squashing bugs

Did your issue like this thread? https://rog.asus.com/forum/showthrea...Only-quot-SSID

[TechGuy42]

Are you using Ethernet Back Haul?

Yes

Heres my attempt at a visual of how it should broadcast like this:
EXPECTED BEHAVIOR
(AXE11000) Primary
2.4 SSID- A password protected
5 SSID- B password protected
6 SSID- C password protected

(RT-AC68U) Node
2.4 SSID- A password protected
5 SSID- B password protected

However, it behaves like this:
UNEXPEXTED BEHAVIOR
(AXE11000) Primary
2.4 SSID- A password protected
5 SSID- B password protected
6 SSID- C password protected

(RT-AC68U) Node
2.4 SSID- A password protected
5 SSID- C open network

As you can see, AC68U broadcasting SSID C when it should be broadcasting SSID B, because SSID C is configured for the 6GHz radio on the AXE11000

[TechGuy42]

Did your issue like this thread? https://rog.asus.com/forum/showthrea...Only-quot-SSID

No, that is a separate issue, another thread I made to keep each issue separate to its own thread

[Saltgrass]

Yes

Heres my attempt at a visual of how it should broadcast like this:

However, it behaves like this:

(AXE11000) Primary
2.4 SSID- A password protected
5 SSID- B password protected
6 SSID- C password protected

(RT-AC68U) Node
2.4 SSID- A password protected
5 SSID- C open network

If the 68U had an open network then you could get on it without a password. Just like I can get on the 6 GHz network when it is set to open..

Can you log on to any of your networks without a password? If you try, make sure and tell Windows to "Forget" all you networks so it won't automatically enter a password for you.

Try unplugging the Ethernet Back Haul so all traffic has to go to the Router using Wireless. Try turning off Wireless on the AXE11000 when you have the Ethernet Back Haul connected and see if you can still connect to the Internet..

Are you showing any unsecured networks in your area? I am fairly sure you are not at risk because of an open network.

[TechGuy42]

If the 68U had an open network then you could get on it without a password

Yes, exactly... But that is a big problem when that network is supposed to have a password. If I leave the 68U 5GHz radio on, it is always open network and I can connect... but it should have password so this is a problem

Try unplugging the Ethernet Back Haul so all traffic has to go to the Router using Wireless. Try turning off Wireless on the AXE11000 when you have the Ethernet Back Haul connected and see if you can still connect to the Internet..

I have tried every variation of radios on/off and with/out ethernet backhaul, no matter how I configure... the 68U is always broadcasting 5GHz as open network when its suppose to have password

Are you showing any unsecured networks in your area? I am fairly sure you are not at risk because of an open network.

There are no open networks near me, if I leave the 68U 5GHz radio on, anyone driving by or neighbors can connect so yes this is a major security risk

[Saltgrass]

Let's try one more thing. When you are connected to the "Open" network, if you look in settings, Wi-Fi-, it shows the network profile type. Look down below the SSID section and see what the Security type: is.

In Win 11, you can just select the info symbol on your connected network to go to the same place..

I suppose I need to set my AX92U up again as a Mesh Node to test..