Security issues

[wthie]

Hi all

 

did some tinkering with a stack equipped with the WiFi extension and was stunned to see, that the SSID and WPA2 password was transmitted over the network when connecting to the stack with brickviewer?

 

[size=8pt][font=courier]sudo tcpflow -i en0 -C -B port 4223 | hexdump -C
tcpflow[21967]: listening on en0
00000000  00 fe 04 00 0a 00 fd 36  00 31 35 30 31 36 30 31  |.......6.1501601|
00000010  34 4d 61 73 74 65 72 20  42 72 69 63 6b 20 31 2e  |4Master Brick 1.|
00000020  30 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |0...............|
00000030  00 00 00 00 00 00 00 00  00 01 01 0a 00 ff 0c 00  |................|
00000040  31 35 30 31 36 30 31 34  0a 00 fd 36 00 ab c9 98  |15016014...6....|
00000050  de be 20 6f 39 52 6f 74  61 72 79 20 50 6f 74 69  |.. o9Rotary Poti|
00000060  20 42 72 69 63 6b 6c 65  74 20 31 2e 30 00 00 00  | Bricklet 1.0...|
00000070  00 00 00 00 00 00 00 00  00 00 00 00 00 02 01 00  |................|
00000080  fd 36 00 40 65 00 00 00  00 00 00 41 6d 62 69 65  |.6.@e......Ambie|
00000090  6e 74 20 4c 69 67 68 74  20 42 72 69 63 6b 6c 65  |nt Light Brickle|
000000a0  74 20 31 2e 30 00 00 00  00 00 00 00 00 00 00 00  |t 1.0...........|
000000b0  00 00 00 03 01 0a 00 ff  38 00 31 35 30 31 36 30  |........8.150160|
000000c0  31 34 01 04 04 4d 61 73  74 65 72 20 42 72 69 63  |14...Master Bric|
000000d0  6b 20 31 2e 30 00 00 00  00 00 00 00 00 00 00 00  |k 1.0...........|
000000e0  00 00 00 00 00 00 00 00  00 00 00 00 00 01 0a 01  |................|
000000f0  05 04 00 0a 01 05 05 00  00 0a 01 12 04 00 0a 01  |................|
00000100  12 05 00 00 0a 01 1a 04  00 0a 01 1a 05 00 01 0a  |................|
00000110  01 1c 04 00 0a 01 1c 33  00 SS ID SS ID SS ID SS  |.......3.SSIDSSI|
00000120  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000140  00 00 00 00 00 00 7f 10  0a 01 22 06 00 ff ff 0a  |..........".....|
00000150  01 22 25 00 00 00 00 00  00 00 00 00 00 00 00 00  |."%.............|
00000160  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000170  00 00 00 00 00 0a 01 22  06 00 fe ff 0a 01 22 25  |......."......"%|
00000180  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
000001a0  00 00 0a 01 24 04 00 0a  01 24 05 00 00 0a 01 27  |....$....$.....'|
000001b0  04 00 0a 01 27 05 00 01  0a 01 1e 04 00 0a 01 1e  |....'...........|
000001c0  3f 00 00 pw pw pw pw pw  pw pw pw pw pw pw pw pw  |?..pwpwpwpwpwpwp|
000001d0  pw pw pw pw pw pw pw pw  pw pw pw pw 00 00 00 00  |pwpwpwpwpwpw....|
000001e0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
000001f0  00 00 00 00 00 01 00 00  00 00 00 00 00 0a 00 ff  |................|
00000200  0c 00 ab c9 98 de be 20  6f 39 0a 00 ff 38 00 ab  |....... o9...8..|[/font][/size]

 

Why is this happening? I assume that the brick extension is storing the password in a sensible way (meaning not lying around in some flash memory in the clear).

 

Is this so, or is the master storing the config/pw?

 

The stack being perfectly capable to register itself alone in a WiFi environment, there seems to me absolutely no necessity to transmit such information when only connecting.

 

Transmitting such sensible information over the network in the clear seems to me to much a risk taken, assuming that a rather naive usage of bricks could lead to very prominent security holes.

 

What is the stance of the development team towards these questions.

 

Password only transmittable when being connected to the stack via wire?

 

Cheers, Werner

[borg]

The Brick Viewer shows your WIFI configuration, so it reads it from the WIFI Extension (http://www.tinkerforge.com/en/doc/Software/Bricks/Master_Brick_Python.html#Master.get_wifi_encryption).

 

The data you are receiving is encrypted via WPA2, it is not transmitted "over the network in the clear".

 

If someone steals your WIFI Extension, he can read out the stored ssid and password, yes. There is no way around that, other then to remove the API for reading the configuration completely.

[wthie]

Hi

 

Just to describe this information transfer correctly, all data is of course transmitted in the clear over the network, only on WiFi infrastructure is it encrypted if whatever provided security is enabled.

 

And of course must the user be able to set the security relevant parameters, I'm not questioning this.

 

To be a bit more specific, good programming practice would call for the sensitive information only requested from the brick, if the user actually wants to adjust it. This is usually handled in a two staged modal dialog situation with the secondary dialog being the only one requesting and storing the sensitive information bits.

 

Of course would a protocol stack like SSH help to keep sensitive information much more safe on the wire, but on this level of processor this stretches resources way too far.

 

Amazing work your doing, keep it up - cheers, Werner

[borg]

You mean, that we have a button "show wifi encryption configuration" in the Brick Viewer and the data is only send after it is clicked, right? That sounds reasonable to me .

 

But then again, the Brick Viewer is only intended for testing purposes...

[AuronX]

I believe sending the data only when requested is a good option, but it leaves the open API...

 

There is no way around that, other then to remove the API for reading the configuration completely.

 

Looking at the method GetWifiEncryption I am not quite sure if it is neccessary to be able to retrieve the key-component. Sure it is convienient, but to argue with common practice in password-field: It is possible to Ctrl+V into a password-field, but it is usually not possible to Ctrl+C out of a password-field.

 

Which purpose - other than displaying the password to the user after reconnect - does reading it have?

 

You might just return an empty string for the key in GetWifiEncryption...

 

You might also want to show a warning before saving the password, whenever the brickv is not connected to localhost...