Question Security problem with powerline adapters

tablespoon

Member
Jun 21, 2022
122
1
41
Hi, I bought a pair of powerline adapters. According to the manual, they came with the same encryption key. It advises the user to press a button on each unit for a certain number of seconds within a certain X minutes so that a new randomly generated key is created just for the two units to communicate securely. I did that and the speed is about the same as what I could obtain through WiFi. So far so good.

Next, I opened a new box. I plugged one adapter into another AC outlet after much more than that certain X minutes had passed. This should simulate the situation where my neighbor in the building got the same product. By default, this 3rd unit should use the default key set by the factory, and my PC should not be able to connect to the internet using my router because I have created a new randomly generated key for the 1st and 2nd units only. To my surprise, without pairing, when I connected the ethernet port of my PC to this 3rd unit, I could access the internet immediately. Does that mean such a so-called randomly generated key does not work?
 

Tech Junky

Diamond Member
Jan 27, 2022
3,407
1,142
106
> Does that mean such a so-called randomly generated key does not work?

I think it's a bit of a gimmick that such devices would find each other and pair with each other whilst using a crypto key w/o some way of being able to input said key. Then again, some BT devices pair w/o entering a pair code, but at a much more limited distance than a copper powerline. I don't see how a small gadget like this sort of thing could have enough CPU to generate a crypto key anyway.

The thing I would be testing, knowing that they aren't crypto, is whether you connect to anyone else's network if you unplug the other nodes. If you don't see anything, then it should be all clear to use them.
 

tablespoon

I asked their tech support how such a key is generated and whether or not the seed for the random number generator could be changed. They had no idea. They just told me to read the manual, which only stated that it uses 128-bit AES encryption.

In hardware, can the device itself change the seed to create a different sequence of randomly generated numbers/keys?

There is no way for the user to decide the key. Moreover, it looks like there is also no way to do a firmware update in case of discovery of a vulnerability. In my test, an adapter with a different key could join my network. I reset everything and did the test again. Same result. It is kind of scary.

I don't quite understand your suggested test. Could you please clarify? Adapter1 is connected to the ethernet port of the router and an AC outlet. Adapter2 is connected to my PC and an AC outlet. After setting a randomly generated key and waiting for a few minutes, I added Adapter3 to another AC outlet. Then, I removed the ethernet cable from Adapter2 and plugged it into Adapter3. Since Adapter3 is using the default key and also had not been paired with Adapter1, my PC should not be able to access the internet via Adapter3, but I could.

The manual just mentioned that if I don't create a randomly generated key, especially in an apartment or dorm environment where people from other units could share the same power line, there is a security risk.

I checked the manuals of several such products and they are all the same. Sounds like I have to forget about this approach.
 

Tech Junky

Just plug a single adapter into an electrical outlet and see if your computer sees a network connection w/o anything connected to your existing network.

When generating SSH keys for routers and switches in the networking world, it takes some considerable CPU cycles. That's my doubt in the simple little plug actually generating keys and pairing. The fact that you "paired" 2 of them and plugged in a 3rd w/o pairing it to the existing network means it's all fluff when it comes to encryption.
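
An added example, not code from the thread or from any adapter vendor: a small Python model of what the pairing step and the seed question above imply for a third, unpaired unit and for a neighbour who pairs the same product. HMAC-SHA256 stands in for the adapters' 128-bit AES layer, and `Adapter`, `FACTORY_KEY`, the seed value and both key generators are hypothetical names and values made up for this illustration.

```python
import hashlib
import hmac
import random
import secrets

FACTORY_KEY = bytes(16)  # constructed stand-in for the default key shared by every new unit

def key_from_fixed_seed(seed=0x5EED):
    # Weak design: PRNG restarted from a constant baked into the firmware,
    # so every unit produces the same "random" key on first pairing.
    return random.Random(seed).getrandbits(128).to_bytes(16, "big")

def key_from_entropy():
    # Sound design: 16 bytes from the OS CSPRNG. A symmetric key needs no
    # prime search, unlike generating an RSA key pair for SSH.
    return secrets.token_bytes(16)

class Adapter:
    def __init__(self, key=FACTORY_KEY):
        self.key = key

    def send(self, payload):
        # Frame = 32-byte tag + payload (HMAC stands in for the AES layer).
        return hmac.new(self.key, payload, hashlib.sha256).digest() + payload

    def receive(self, frame):
        tag, payload = frame[:32], frame[32:]
        good = hmac.new(self.key, payload, hashlib.sha256).digest()
        return payload if hmac.compare_digest(tag, good) else None

def pair(a, b, keygen):
    a.key = b.key = keygen()  # both units adopt one freshly generated key

def unpaired_unit_accepted(keygen):
    # Adapter1/2 are paired; Adapter3 still holds the factory key.
    a1, a2, a3 = Adapter(), Adapter(), Adapter()
    pair(a1, a2, keygen)
    assert a2.receive(a1.send(b"ping")) == b"ping"
    return a3.receive(a1.send(b"ping")) is not None

def neighbour_pair_accepted(keygen):
    # A neighbour pairs an identical product on the same wiring.
    mine, mine2, theirs, theirs2 = (Adapter() for _ in range(4))
    pair(mine, mine2, keygen)
    pair(theirs, theirs2, keygen)
    return theirs.receive(mine.send(b"ping")) is not None

if __name__ == "__main__":
    for gen in (key_from_fixed_seed, key_from_entropy):
        print(gen.__name__, unpaired_unit_accepted(gen), neighbour_pair_accepted(gen))
```

In this model the unpaired third unit is rejected under either generator; the fixed seed only shows up as a problem once a second, separately paired set lands on the same key.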