Do you know who's on your Wi-Fi?
The MOTOTRBO ION and R7 both require a one-time online activation (regionalisation) before programming using CPS or RM. To support this, these radios come preconfigured with a default SSID and passkey, so all one needs to do is to set up an enrolment Wi-Fi Access Point with the details mentioned in this post.
While this ensures a radio has the latest firmware and features upon delivery, having a Wi-Fi network with a publicly known SSID and passkey can be a security risk if your office network is not configured correctly.
The risk comes from connecting an Access Point, configured with the above, to your home office or company network. Although this provides internet connectivity for new radios, it can also allow unauthorised access to your network.
For example, someone can search for the above SSID on wigle.net and find locations where this has been seen. Knowing this, they can simply park their car or sit at a nearby café, access your network and do as they like.
The obvious solution to this is to put the enrolment Wi-Fi Access Point onto a separate VLAN which only has access to the internet. This might protect your network but it will still give an attacker internet access to use for other things. Therefore, in addition to putting the enrolment AP into a demilitarized zone on your network, you must also lock down the access on this network so that only the sites listed here can be accessed.
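
The difference between these setups can be checked with a small first-match policy audit. This is an added example, not part of the original post, and it compares an AP on the office LAN, an internet-only VLAN, and an allow-listed VLAN. The rule format, subnets and addresses are all constructed; the documentation-range hosts stand in for the vendor's site list, which is not reproduced here.

```python
import ipaddress

# All addresses are constructed. The documentation ranges stand in for the
# vendor's activation hosts, which the post links to but does not list.
ENROL_NET = "192.168.50.0/24"                          # assumed enrolment VLAN subnet
ENROL_SRC = ipaddress.ip_address("192.168.50.23")      # any client on the enrolment SSID
ALLOWLIST = ["203.0.113.10/32", "203.0.113.20/32"]     # placeholder activation hosts
PRIVATE = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]

# Probe destinations: (label, address, should the enrolment VLAN reach it?)
PROBES = [
    ("office file server", "10.0.0.5", False),
    ("other office subnet", "192.168.1.10", False),
    ("unrelated internet host", "198.51.100.7", False),
    ("activation host", "203.0.113.10", True),
]

def decide(rules, src, dst):
    """First matching (action, src_net, dst_net) rule wins; no match means deny."""
    for action, src_net, dst_net in rules:
        if src in ipaddress.ip_network(src_net) and dst in ipaddress.ip_network(dst_net):
            return action
    return "deny"

def audit(rules):
    """Return findings; an empty list means the policy matches the advice above."""
    findings = []
    for label, addr, expected in PROBES:
        allowed = decide(rules, ENROL_SRC, ipaddress.ip_address(addr)) == "allow"
        if allowed and not expected:
            findings.append(f"enrolment clients can reach {label} ({addr})")
        elif expected and not allowed:
            findings.append(f"{label} ({addr}) is blocked, activation would fail")
    return findings

# AP plugged straight into the office LAN: everything is reachable.
FLAT = [("allow", ENROL_NET, "0.0.0.0/0")]
# Separate VLAN with internet only: internal ranges blocked, internet wide open.
VLAN_ONLY = [("deny", ENROL_NET, n) for n in PRIVATE] + FLAT
# Separate VLAN plus allow-list: only the activation hosts, then default deny.
LOCKED = [("allow", ENROL_NET, n) for n in ALLOWLIST] + [("deny", ENROL_NET, "0.0.0.0/0")]

if __name__ == "__main__":
    for name, rules in (("flat", FLAT), ("vlan only", VLAN_ONLY), ("locked down", LOCKED)):
        print(f"{name}: {audit(rules) or 'OK'}")
```
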
