TheScotsman
Occasional Visitor
While playing with AiMesh and guest network access, I've uncovered a security issue - I think this is kind of an edge case, but given the way many of us hoard and reuse our older hardware I wanted to bring it to attention.
My AiMesh router is a GT-AXE11000, a tri-band router on 2.4GHz/5GHz/6GHz. The AiMesh node is an RT-AC5300, also tri-band but on 2.4GHz/5GHz/5GHz. The RT-AC5300 internals a a little peculiar so perhaps this is specific to that model. I have my main network SSID shared on all three bands of the GT-AXE11000 and SmartConnect enabled. 2.4GHz and 5GHz authenticate with WPA2-Personal (changed from the default WPA2/WPA3-Personal as that appeared to be tripping up a client); on 6GHz it's WPA3-Personal.
What I saw is that on the AiMesh node, the second 5GHz band is UNSECURED; no password required to connect to the network, and it provides connectivity just fine! On my phone's wifi list I can actually see two entries for the network, one with the lock, one without. I'm not sure if the mismatch is because of WPA3-Personal running on the router's 6GHz band (the only options are that or "enhanced open" so no way to test); or if it's not lining up the security parameters because of the frequency difference (maybe it doesn't know what to match with?). In any event, it opened up my core network - the only workaround I've found for now is to disable the radio for that 2nd 5Ghz band on the RT-AC5300 node, which makes the unsecured network disappear.
My AiMesh router is a GT-AXE11000, a tri-band router on 2.4GHz/5GHz/6GHz. The AiMesh node is an RT-AC5300, also tri-band but on 2.4GHz/5GHz/5GHz. The RT-AC5300 internals a a little peculiar so perhaps this is specific to that model. I have my main network SSID shared on all three bands of the GT-AXE11000 and SmartConnect enabled. 2.4GHz and 5GHz authenticate with WPA2-Personal (changed from the default WPA2/WPA3-Personal as that appeared to be tripping up a client); on 6GHz it's WPA3-Personal.
What I saw is that on the AiMesh node, the second 5GHz band is UNSECURED; no password required to connect to the network, and it provides connectivity just fine! On my phone's wifi list I can actually see two entries for the network, one with the lock, one without. I'm not sure if the mismatch is because of WPA3-Personal running on the router's 6GHz band (the only options are that or "enhanced open" so no way to test); or if it's not lining up the security parameters because of the frequency difference (maybe it doesn't know what to match with?). In any event, it opened up my core network - the only workaround I've found for now is to disable the radio for that 2nd 5Ghz band on the RT-AC5300 node, which makes the unsecured network disappear.
Glad I caught it - the AX lives in the house and the house is basically wrapped in aluminum foil, so of course the secured networks are also pretty "radio contained" to the house, but the plan for the AC is to put it in the (unshielded) attic to give some good coverage out in the lawn and by our BBQ and fire pit; would've been broadcasting the unsecured network to all our neighbors (they're nice folks, but still ...)
