Wireless Networking Hardware Technology

MIT Demos Wi-Fi That's So High-Tech It Doesn't Need a Password (mic.com) 92

An anonymous reader shares an article on MIC: Researchers at the Massachusetts Institute of Technology want to change how we connect to Wi-Fi. To avoid the cumbersome network login process, a team has come up with a way to grant computers access to a Wi-Fi network based on their proximity to a router. Applied practically, that means you could walk into a cafe and your device would automatically connect to a network -- no annoying password necessary. The same could be true for a home network. When your friends come over, they could immediately be granted access to your Wi-Fi. The paper (PDF), sadly, doesn't offer details on the security aspect. Security researchers advise that one should be careful when connecting to a public Wi-Fi. Say you forget to turn off Wi-Fi on your device, and you walk into a cafe. Your phone will automatically establish a connection with this supposed network. If the network is compromised, plenty of devices will be exposed to attack.

  • Cool (Score:5, Funny)

    by Anonymous Coward on Friday April 01, 2016 @10:21AM (#51823491)

    It's like every open access point ever. Range-limited authentication. Great work MIT. Patent that shit.

    • Re:Cool (Score:5, Insightful)

      by xxxJonBoyxxx ( 565205 ) on Friday April 01, 2016 @10:24AM (#51823509)
      This is why certain people shouldn't read SlashDot on...April Fools Day.

      (In fact, I'm only here today to watch and comment on the OVER-reaction of people who don't realize what SlashDot becomes on April 1.)
      • This is why certain people shouldn't read SlashDot on...April Fools Day.

        (In fact, I'm only here today to watch and comment on the OVER-reaction of people who don't realize what SlashDot becomes on April 1.)

        Sadly, this was first posted yesterday and appears to possibly not be an April Fool's joke.

        • I've always wondered why I can't do passwordless, but encrypted Wi-Fi.

          I can do it with a credit card.

          It shouldn't be that hard to do, at least for phones where you can side channel a trusted cert over mobile to avoid MITM.

          • I've always wondered why I can't do passwordless, but encrypted Wi-Fi.

            I can do it with a credit card.

            It shouldn't be that hard to do, at least for phones where you can side channel a trusted cert over mobile to avoid MITM.

            Because without some arrangement beforehand (establishing trust in a cert signer, establishing a key etc) MITM is always possible, and on a wireless connection, trivial.

            What should be possible but generally isn't, is SSH style session continuation, where you're vulnerable in the initial session where you agree on the other end you're connecting to being the other end, but keys are stored and provided you were not MITMed the first time, subsequent sessions will use the keys and you will be ok from there on.
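
The SSH-style continuation described in the comment above, as an added example that is not part of the original thread: a trust-on-first-use pin store keyed by network name. The `PinStore` class, the network name and the key bytes are constructed for illustration; a real client would persist the pins and obtain the key from the access point's handshake.

```python
import hashlib
import hmac


class PinMismatch(Exception):
    """The key presented now differs from the one pinned on first contact."""


class PinStore:
    """Trust-on-first-use store: network name -> fingerprint of the AP's public key."""

    def __init__(self):
        self._pins = {}  # kept in memory here; assume persistent storage in practice

    @staticmethod
    def fingerprint(public_key: bytes) -> str:
        return hashlib.sha256(public_key).hexdigest()

    def check(self, network: str, public_key: bytes) -> str:
        fp = self.fingerprint(public_key)
        pinned = self._pins.get(network)
        if pinned is None:
            # First session: nothing to compare against, so a MITM here goes unnoticed.
            self._pins[network] = fp
            return "first-use"
        if hmac.compare_digest(pinned, fp):
            # Later sessions: same key as before, so the same party as the first time.
            return "match"
        # Key changed: either the AP was re-keyed or someone is in the middle.
        raise PinMismatch(f"{network}: pinned {pinned[:16]}..., got {fp[:16]}...")


def demo():
    """Three constructed connection attempts to one network name."""
    store = PinStore()
    genuine_key = b"constructed-ap-public-key"      # sample value, not a real key
    impostor_key = b"constructed-rogue-public-key"  # sample value, not a real key
    results = []
    for key in (genuine_key, genuine_key, impostor_key):
        try:
            results.append(store.check("cafe-wifi", key))
        except PinMismatch:
            results.append("mismatch")
    return results


if __name__ == "__main__":
    print(demo())
```
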

            • by AvitarX ( 172628 )

              Also, I think they should be able to side channel certs over mobile, for at least as much security as SSL.

              That wouldn't work for laptops, but would for phones.

              Another way would be to allow the cert to be checked post authentication over the internet, you could use SSL to check the cert, and see if it's properly signed or was a MITM (I assume this would work because you can't (in theory) MITM SSL). There's no reason the initial connection needs to be secure, it can be open, and then verified before it is tru

      • Re:Cool (Score:5, Funny)

        by JustAnotherOldGuy ( 4145623 ) on Friday April 01, 2016 @10:37AM (#51823613) Journal

        I have mod points, but using them on April Fools day seems like shooting blanks at the Moon- pointless and/or meaningless.

        Which, now that I think of it, makes me wonder if my mod points are actually real or not....

        Ah well, perhaps it's best to wait a few days until all the posts about solar-powered slippers and helium-filled paperweights have ceased being posted.

      • Re:Cool (Score:5, Insightful)

        by phantomfive ( 622387 ) on Friday April 01, 2016 @10:57AM (#51823761) Journal
        This one is actually pretty good.....instead of being an out-right lie, it seems like something that could be plausible.......and then suddenly you realize not only is it plausible, it's the original configuration for wifi, and you were trolled in a completely different way than what you expected.

        In other words, you have to actually think or understand the technology to see why it's a lie.
      • by PPH ( 736903 )

        This is why certain people shouldn't read SlashDot

        Read it? I barely parse the subject line before formulating a response.

      • by GuB-42 ( 2483988 )

        It looks like serious research.
        The paper is actually about localizing Wi-Fi users with a single access point. The rest is just potential applications.

      • When I first checked Slashdot this morning they hadn't vandalized the site yet. I actually thought new ownership might bring an end to this. Slashdot on April Fools is like listening to a 30 year old telling knock-knock jokes.
    • Honestly, I think the idea of being able to specify an exact perimeter does make sense in some cases. Essentially it means "if you can get inside this door, you can access the wifi".
      A fun application of this could be having internet and no internet rooms so people A more practical example might be for conferences or conventions where you want to provide free wifi to your guests.

    • by Bengie ( 1121981 )
      My wifi might have a 200' range, but being able to say only authenticate if within 20' is still useful. Before you "whoosh", I did understand the joke :-)
      • My wifi might have a 11001000' range, but being able to say only authenticate if within 10100' is still useful.

        FTFY. Happy April 1. Love, Slashdot.

  • Applied practically, that means you could walk into a cafe and your device would automatically connect to a network -- no annoying password necessary

    Why would a cafe need a password? Are those leeching in front of the cafe to get WiFi without buying anything a real problem? And if it is, aren't they smart enough to walk in to get the password and walk out again without buying anything?

    • Some places make you buy something to get the code or you need to ask.

      Some hotels are like that: there is a basic code that may or may not change and it's a cheap and easy way to keep non guests off.

      • Is it worth it to piss off your customers with passwords? How many non-customers do they avoid because of that? What is the impact on the bandwidth?

        • well don't drop the soap when one of your non customers does some CP over your link and you are the one doing the hard time.

        • I don't think it's a huge burden. First-time customers would have to put in the password, but it's not like they're going to say "oh, you're making me put in a password for the wifi? I'll go eat somewhere else". Non-first-timers would already have the password saved.
          • I don't think it's a huge burden. First-time customers would have to put in the password, but it's not like they're going to say "oh, you're making me put in a password for the wifi? I'll go eat somewhere else". Non-first-timers would already have the password saved.

            But if you don't change the password at least semi-regularly then it's trivial for the password to be leaked to those same non-customers. The most secure (and annoying) system is where the password is on your receipt and is specific to you. There is a coffeeshop in my town that does that and also has it expire after 1 hour. No idea if it meets their business goals or not but they somehow manage to still have one of the slowest connections in town so I rarely go there.

    • And it doesn't really cater for buildings with multiple occupancy; the people outside your premises walls may not get access but people on the floor above or the floor below are going to be nearer.

      What's that line in Star Trek II? Something like "Khan may be remarkably intelligent but his tactics seem to be exhibiting two dimensional thinking".

    • Security, you encrypt the connections and don't allow clients to talk.

    • Because of something magical. WIFI blocking building material and paint. No, this isn't a joke, yes you can buy the paint right now. It blocks wifi signals, so they can't get in (clean room) and they can't get out (secure). I know of approximately zero people and zero enterprises actually using this, but the technology is there. And I'd be willing to use it in my home for a few reasons. 1) to block my annoying neighbors from even ATTEMPTING to get into my network. 2) to create interference free rooms,
      • Good luck with that. Building materials and paint that block WiFi probably would also block cell-phone service. I doubt the café clientèle will go for that.

      • Blocking the WiFi is good. Reduced inter cell interference.
        But what blocks the WiFi also blocks the cell phone.

  • What could possibly go wrong? Okay, this is the April Fools joke article. Right? Right. Even MIT isn't that stupid.
  • by chill ( 34294 )

    I thought maybe this was a way to establish a WPA-secure connection without user input, based off proximity.

    No, this is open access authentication based off location. Yawn. Set your AP to "low power" and centralize it in the building, then remove all authentication.

    If they had figured out a way to initiate a key exchange based on proximity, then I'd possibly be impressed. Maybe with the password being exchanged with human inaudible sound and triggered by proximity.

  • Date on TFA is 3/31 so I am assuming this is not a joke.

    I just don't like the idea of my device connecting to any hotspot that it may come close enough to.

    I am already annoyed that my MAC address is being harvested if I happen to forget to turn off the wifi before I leave the house.

    If my device automatically connects to a hotspot who knows what kind of MITM mischief could happen if some background app's protocol is vulnerable when it phones home for whatever.

    • MAC addresses are now world wide routable, using IPV6. It's actually part of the Spec.

      There are ways around this, that are also built into the spec, but just wanted people to know.

    • by sims 2 ( 994794 )

      Encrypt your home wifi; don't connect to any unencrypted network or network with a publicly known key.

      To set up a MITM wifi you would need to know a wifi name (And key if set) the device will auto connect to. Try "Linksys"; most devices have connected to one of those at some point.

      Even if your network name happens to be "Linksys"
      If your AP has a key set the MITM AP would have to have the same network key.

      This is why if your network name is the same as an open network or another encrypted network you will be un

  • That's brilliant! Thank God I live in a sphere!
  • TFA: "It works with 97% accuracy"

    So hackers only have to try about 30 places on average to get in.

    • TFA: "It works with 97% accuracy"

      So hackers only have to try about 30 places on average to get in.

      It says 97% accuracy within the building and 10 inch resolution so if that 3% failure rate was double or even triple then that's still accurate to less than 3 feet which would be plenty accurate enough. Honestly, I'm just guessing and 97% accuracy is almost meaningless in this context. It would be much better to say "accurate to 10 inches +/- 5 inches" or something along those lines or "works reliably 97% of the time and 3% of the time someone inside the building can't connect" which would be the other li

  • This kind of application desperately needs to include hotspot software that does a VPN over SSL or TLS (https security layer, relying on PKI). An ideal platform for doing this would be for email providers to add VPN for internet access alongside the SSL/TLS links they already operate for IMAP/POP3/SMTP, as it provides for some level of user authentication and traceability. There's also existing standalone VPN hotspots, but incorporating VPN into email would help make VPN ubiquitous.

    • >https security layer, relying on PKI

      Right, because that's shown to be so secure with the thousands of perfectly run CAs.

  • I call it "open network"
  • I'm guessing this is an April Fool's story, because even if the signal is encrypted, there's no authentication factor to it, all you have to do is get in range. Furthermore, range boosters become a serious weakness; slip a tiny one in a corner or something, and BOOM! Instant security breach. I will say though, this was a pretty good one - not nearly so obvious as previous years.
    • I think I'm wasting a post due to the April 1 chaos today, but everyone seems to be missing the point here. This is real, and it's not just an open network. And it's not vulnerable to range boosters - it's fundamentally undefeatable range-based authentication. The system uses time-of-flight of the signal to measure the distance from access point to user much like radar. Some wifi hardware already does this, but doesn't use that information for authentication purposes. For example, Ubiquiti's AirOS devices p
      • I think I'm wasting a post due to the April 1 chaos today, but everyone seems to be missing the point here. This is real, and it's not just an open network. And it's not vulnerable to range boosters - it's fundamentally undefeatable range-based authentication. The system uses time-of-flight of the signal to measure the distance from access point to user much like radar. Some wifi hardware already does this, but doesn't use that information for authentication purposes. For example, Ubiquiti's AirOS devices provide an actual range measurement but with much lower resolution since they are intended for long-range links. This is just an improvement in accuracy combined with the use of measured range data for authentication. It's very clever.

        So violate the IFS spec a little and appear to be closer than you are.

  • Say you forget to turn off Wi-Fi on your device, and you walk into a cafe[...]

    This is one of the two reasons I have my phone set to disable WiFi as soon as I leave my house. I don't have to worry about my phone trying to connect to every open AP it comes across.

    The other reason I auto-disable WiFi is to minimize store tracking which seeks to ID me when I enter their building.

  • Don't know if this is an April Fools article or not, but with Net Neutrality no mobile carrier is allowed to restrict tethering on any mobile device nor charge a fee for it, so I don't see why anyone actually needs public wifi anymore.
    • Don't know if this is an April Fools article or not, but with Net Neutrality no mobile carrier is allowed to restrict tethering on any mobile device nor charge a fee for it, so I don't see why anyone actually needs public wifi anymore.

      In my experience, most of the time, public wifi is still faster than tethering. It's also usually free and unlimited compared to the expensive per gig pricing of tethering.
