
Passwords in the Air: Harvesting Wi-Fi Credentials from SmartCfg Provisioning WiSec ’18, June 18–20, 2018, Stockholm, Sweden
interactive UI (e.g., a smartphone or a tablet). This provisioning
procedure is a new application scenario and thus may introduce
new attack vectors.
2.2 SmartCfg Provisioning
2.2.1 Overview. First introduced by Texas Instruments (TI) in 2012 [15], SmartCfg is a provisioning technology designed to provide Wi-Fi credentials to smart devices that have no interactive UI (e.g., a plug, washer, or refrigerator). After five years of development, it has been widely adopted by wireless solution providers, and wireless chip manufacturers such as Realtek, MediaTek, MXCHIP, and Espressif have implemented their own variants. In this paper we use SmartCfg to refer to all of those variants.
A SmartCfg provisioning procedure is used to configure a smart device and help it connect to the wireless network. Typically, a SmartCfg solution has three characteristic features. First, it relies on a mobile app to encode the authentication credentials and send them to the smart device by broadcasting. Second, the smart device passively listens for the encoded information without knowing the identity of the sender. Third, the credentials (e.g., the password) are encoded in the metadata of 802.11 packets (e.g., the packet length) rather than in the packet content. As a result, even though the data field of an 802.11 frame is encrypted with WEP or WPA2 [30], any device listening in the air can read the metadata regardless of the encrypted payload, and with it the encoded credentials.
2.2.2 Provisioning Process. One typical SmartCfg provisioning process is illustrated in Figure 2. Before provisioning, the smart device, operating in promiscuous mode, continuously captures all packets on the network. When a provisioning procedure starts, the mobile app encodes the Wi-Fi credentials (both SSID and password) into several packets and broadcasts them. Once the smart device has captured and decoded those packets, it uses the recovered information to connect to the wireless network:
(1) A smart device that supports SmartCfg enters its SmartCfg state, in which the Wi-Fi module of the device is switched into sniffer mode to receive broadcast information.
(2) A user uses the smart home app on a smartphone to input the credentials (i.e., the password). The smart home app then encodes the SSID and password as 802.11 packets of a special format and sends them into the wireless network it is connected to.
(3) The Wi-Fi module of the smart device captures all 802.11 data packets for a few seconds and tries to decode them with a specific algorithm to obtain the SSID and password. After obtaining the Wi-Fi credentials, the device connects to the wireless network.
2.2.3 Data Encoding Mode of SmartCfg. SmartCfg solutions encode the credentials into the metadata of 802.11 packets. However, different solutions adopt different encoding modes. In general, there are three popular encoding modes, as Table 1 illustrates.

Table 1: Examples of different types of SmartCfg

Mode     Source Address      Destination Address   Length
DMA      00:90:4c:17:1a:9b   01:00:5e:01:49:6f     43
         00:90:4c:17:1a:9b   01:00:5e:02:54:36     43
         00:90:4c:17:1a:9b   01:00:5e:03:36:36     43
         00:90:4c:17:1a:9b   01:00:5e:04:37:38     43
         00:90:4c:17:1a:9b   01:00:5e:05:39:cc     43
DPL      00:90:4c:17:1a:9b   FF:FF:FF:FF:FF:FF     47
         00:90:4c:17:1a:9b   FF:FF:FF:FF:FF:FF     67
         00:90:4c:17:1a:9b   FF:FF:FF:FF:FF:FF     47
         00:90:4c:17:1a:9b   FF:FF:FF:FF:FF:FF     67
         00:90:4c:17:1a:9b   FF:FF:FF:FF:FF:FF     96
Hybrid   00:90:4c:17:1a:9b   01:00:5e:01:01:01     556
         00:90:4c:17:1a:9b   01:00:5e:02:02:02     555
         00:90:4c:17:1a:9b   01:00:5e:03:03:03     554
         00:90:4c:17:1a:9b   01:00:5e:04:04:04     291
         00:90:4c:17:1a:9b   01:00:5e:05:05:05     338
         00:90:4c:17:1a:9b   01:00:5e:06:06:06     198

• Data in Multicast Addresses (DMA). In this mode, the information is encoded into the last 23 bits of the Destination Address field of the packets (the part of a 01:00:5e multicast MAC that is derived from the IPv4 multicast group address). The DMA rows of Table 1 give a concrete example: every two bytes of the payload are encoded into the last two bytes of the destination address, while the antepenultimate byte of the address is used as the index.
• Data in Packet Length (DPL). In this mode, the information is encoded into the length field of each packet (the content is filled randomly). As the DPL rows of Table 1 illustrate, a message is encoded into the lengths of a packet sequence, which is then broadcast.
• Hybrid. In this mode, both the Destination Address field and the packet length are used to encode the information. The Destination Address is usually used as the index and the message is usually stored in the length field. The advantage of the Hybrid mode is that one packet carries more information, so it is more efficient.
According to our observation, one important feature of SmartCfg data encoding is that it introduces a preamble. A preamble is a sequence of packets (e.g., three packets) with the same length and content. Its purpose is to help the device locate the data payload. We find that in most provisioning procedures the app first issues a preamble (or synchronization code) to the network. Sending the preamble first lets the device locate the beginning of a series of packets that matches a particular protocol, after which it can extract data from those packets.
Another use of the preamble is to measure the padding length introduced by encryption. Since the app does not know the exact length an encrypted WPA or WPA2 data packet will have on the air, it can only prepare a set of preamble packets and broadcast them. The device that captures and identifies the preamble can then calculate the length of the added padding and use it to correct the packet lengths it observes before decoding them.
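The three encoding modes of Section 2.2.3 and the preamble-based padding estimate just described, as an added worked example in Python. This is constructed for this page; it is neither the paper's code nor any vendor's real protocol. The message framing, the BASE_LEN payload size, the index byte layout, the use of index 0 for the preamble, and the constant overhead added by channel() are all assumptions chosen to illustrate the mechanism, and real variants differ in these details. It goes slightly beyond the text by carrying data in both the address and the length in Hybrid mode and by sorting DMA/Hybrid frames by index so that reordering in the air does not matter.

```python
"""Illustrative SmartCfg-style encoder/decoder for the three encoding modes
in the text (DMA, DPL, Hybrid) plus the preamble-based padding estimate.
Constructed example: framing, BASE_LEN, index layout and preamble convention
are assumptions for illustration, not any vendor's real protocol.
A frame is modelled as the two metadata fields a passive sniffer relies on:
(destination MAC as a string, observed 802.11 frame length)."""
import random

MCAST_PREFIX = "01:00:5e"   # IPv4-multicast MAC prefix, as in Table 1
BCAST = "ff:ff:ff:ff:ff:ff"
PREAMBLE_REPEAT = 3         # text: e.g. three packets of identical length
BASE_LEN = 100              # assumed app-side payload length meaning "zero"


def _pack(ssid: str, password: str) -> bytes:
    """Assumed framing: [len(ssid)][len(pwd)] + ssid + pwd."""
    s, p = ssid.encode(), password.encode()
    assert len(s) <= 32 and len(p) <= 63  # 802.11 SSID / WPA2 passphrase limits
    return bytes([len(s), len(p)]) + s + p


def _unpack(msg: bytes):
    ls, lp = msg[0], msg[1]
    return msg[2:2 + ls].decode(), msg[2 + ls:2 + ls + lp].decode()


def _mac(idx: int, b1: int, b2: int) -> str:
    # index in the antepenultimate byte; kept below 0x80 so the whole tail
    # fits the 23 bits of an IPv4-mapped multicast MAC
    assert idx < 0x80
    return f"{MCAST_PREFIX}:{idx:02x}:{b1:02x}:{b2:02x}"


def encode(ssid: str, password: str, mode: str):
    """App side: a preamble, then the message. Frames are (dst, payload_len)
    as the app sees them, i.e. before any header/encryption overhead."""
    msg = _pack(ssid, password)
    pre_dst = BCAST if mode == "DPL" else _mac(0, 0, 0)  # index 0 = preamble
    frames = [(pre_dst, BASE_LEN)] * PREAMBLE_REPEAT
    if mode == "DPL":          # one byte per frame, carried by the length
        frames += [(BCAST, BASE_LEN + b) for b in msg]
    elif mode == "DMA":        # two bytes per frame, carried by the address
        m = msg + b"\0" * (len(msg) % 2)
        frames += [(_mac(i // 2 + 1, m[i], m[i + 1]), BASE_LEN)
                   for i in range(0, len(m), 2)]
    elif mode == "Hybrid":     # three bytes per frame: two in address, one in length
        m = msg + b"\0" * (-len(msg) % 3)
        frames += [(_mac(i // 3 + 1, m[i], m[i + 1]), BASE_LEN + m[i + 2])
                   for i in range(0, len(m), 3)]
    else:
        raise ValueError(mode)
    return frames


def channel(frames, overhead: int):
    """What the sniffer observes: every length grows by the same constant
    (802.11 header plus WEP/WPA2 IV and MIC), which the app cannot know."""
    return [(dst, n + overhead) for dst, n in frames]


def find_preamble(frames, repeat: int = PREAMBLE_REPEAT):
    """First run of `repeat` consecutive frames with identical dst and length.
    Returns (index of first data frame, preamble's observed length) or None."""
    for i in range(len(frames) - repeat + 1):
        win = frames[i:i + repeat]
        if len({d for d, _ in win}) == 1 and len({n for _, n in win}) == 1:
            return i + repeat, win[0][1]
    return None


def decode(frames, mode: str):
    """Device side: locate the preamble, cancel the unknown overhead, extract.
    Only metadata is read; no payload byte is ever decrypted or inspected."""
    hit = find_preamble(frames)
    if hit is None:
        return None
    start, ref = hit
    if mode == "DPL":
        # byte = observed length - preamble's observed length; overhead cancels
        msg = bytes(n - ref for _, n in frames[start:] if 0 <= n - ref < 256)
    else:
        by_idx = {}
        for dst, n in frames[start:]:
            parts = dst.split(":")
            if ":".join(parts[:3]) != MCAST_PREFIX:
                continue                  # not a SmartCfg multicast frame
            idx, b1, b2 = (int(x, 16) for x in parts[3:])
            if idx == 0 or not 0 <= n - ref < 256:
                continue                  # stray preamble or foreign frame
            extra = bytes([n - ref]) if mode == "Hybrid" else b""
            by_idx[idx] = bytes([b1, b2]) + extra   # index order beats arrival order
        msg = b"".join(by_idx[i] for i in sorted(by_idx))
    return _unpack(msg) if len(msg) >= 2 else None


def roundtrip(mode: str, overhead: int = 34, shuffle: bool = False):
    """End to end with constructed credentials: app -> air -> sniffing device."""
    wire = channel(encode("HomeNet", "c0rrect-horse", mode), overhead)
    if shuffle:                # data frames may arrive out of order
        data = wire[PREAMBLE_REPEAT:]
        random.Random(1).shuffle(data)
        wire = wire[:PREAMBLE_REPEAT] + data
    return decode(wire, mode)


if __name__ == "__main__":
    for m in ("DMA", "DPL", "Hybrid"):
        n = len(encode("HomeNet", "c0rrect-horse", m))
        print(f"{m:7s} {n:3d} frames ->", roundtrip(m, shuffle=(m != "DPL")))
```

The decoder never looks at a payload byte, which is the whole security point of the section: WEP or WPA2 protects the frame body, not the destination address or the frame length, so a passive sniffer on the same channel recovers the SSID and password exactly as the smart device does. Subtracting the preamble's observed length from every later frame cancels the constant header and encryption overhead without the app ever knowing it, which is the padding measurement the text describes; the DMA and Hybrid paths additionally show why an index byte makes those modes robust to reordering.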
3 SECURITY ANALYSIS OF SMARTCFG
In this section, we highlight the security analysis against SmartCfg provisioning solutions with a focus on their Wi-Fi credential encoding schemes. Before introducing the concrete analysis procedure, we first illustrate the threat model and challenges. Then we detail