MIT Demos Wi-Fi That's So High-Tech It Doesn't Need a Password (mic.com)
An anonymous reader shares an article on MIC: Researchers at the Massachusetts Institute of Technology want to change how we connect to Wi-Fi. To avoid the cumbersome network login process, a team has come up with a way to grant computers access to a Wi-Fi network based on their proximity to a router. Applied practically, that means you could walk into a cafe and your device would automatically connect to a network -- no annoying password necessary. The same could be true for a home network. When your friends come over, they could immediately be granted access to your Wi-Fi. The paper (PDF), sadly, doesn't offer details on the security aspect. Security researchers advise that one should be careful when connecting to a public Wi-Fi. Say you forget to turn off Wi-Fi on your device, and you walk into a cafe. Your phone will automatically establish a connection with this supposed network. If the network is compromised, plenty of devices will be exposed to attack.
Cool (Score:5, Funny)
It's like every open access point ever. Range-limited authentication. Great work MIT. Patent that shit.
Re:Cool (Score:5, Insightful)
(In fact, I'm only here today to watch and comment on the OVER-reaction of people who don't realize what SlashDot becomes on April 1.)
Re: (Score:2)
This is why certain people shouldn't read SlashDot on...April Fools Day.
(In fact, I'm only here today to watch and comment on the OVER-reaction of people who don't realize what SlashDot becomes on April 1.)
Sadly, this was first posted yesterday and appears to possibly not be an April Fool's joke.
Re: Cool (Score:1)
I've always wondered why I can't do passwordless, but encrypted Wi-Fi.
I can do it with a credit card.
It shouldn't be that hard to do, at least for phones where you can side channel a trusted cert over mobile to avoid MITM.
Re: (Score:2)
I've always wondered why I can't do passwordless, but encrypted Wi-Fi.
I can do it with a credit card.
It shouldn't be that hard to do, at least for phones where you can side channel a trusted cert over mobile to avoid MITM.
Because without some arrangement beforehand (establishing trust in a cert signer, establishing a key etc) MITM is always possible, and on a wireless connection, trivial.
What should be possible but generally isn't, is SSH style session continuation, where you're vulnerable in the initial session where you agree on the other end you're connecting to being the other end, but keys are stored and provided you were not MITMed the first time, subsequent sessions will use the keys and you will be ok from there on.
Re: (Score:1)
Also, I think they should be able to side channel certs over mobile, for at least as much security as SSL.
That wouldn't work for laptops, but would for phones.
Another way would be to allow the cert to be checked post authentication over the internet, you could use SSL to check the cert, and see if it's properly signed or was a MITM (I assume this would work because you can't (in theory) MITM SSL). There's no reason the initial connection needs to be secure, it can be open, and then verified before it is tru
Re:Cool (Score:5, Funny)
I have mod points, but using them on April Fools day seems like shooting blanks at the Moon- pointless and/or meaningless.
Which, now that I think of it, makes me wonder if my mod points are actually real or not....
Ah well, perhaps it's best to wait a few days until all the posts about solar-powered slippers and helium-filled paperweights have ceased being posted.
Re: (Score:2)
No... I care.
You might think I'm kidding but I do care. Why? Meh, it's interesting and I like interesting things. It's well worded, well reasoned, and that they've got mod points is the reason for their post.
So, no... I care. Thus you, you are still wrong. And, obviously, they care. That's at least two people who care. I bet there are more people who care, perhaps not a lot nor caring a lot, so you're probably even more wrong. Why you'd post such obviously wrong things is beyond me. It's obvious that they c
Re:Cool (Score:5, Insightful)
In other words, you have to actually think or understand the technology to see why it's a lie.
Re: (Score:3)
This is why certain people shouldn't read SlashDot
Read it? I barely parse the subject line before formulating a response.
Re: (Score:3)
Slashdot, much like the language it was originally written in (Perl), is write-only.
Re: (Score:2)
It looks like serious research.
The paper is actually about localizing Wi-Fi users with a single access point. The rest is just potential applications.
Re: (Score:3)
Honestly, I think the idea of being able to specify an exact perimeter does make sense in some cases. Essentially it means "if you can get inside this door, you can access the wifi".
A fun application of this could be having internet and no internet rooms so people A more practical example might be for conferences or conventions where you want to provide free wifi to your guests.
Re: (Score:2)
My wifi might have a 11001000' range, but being able to say only authenticate if within 10100' is still useful.
FTFY. Happy April 1. Love, Slashdot.
Re: (Score:1)
I've heard that the terrorists are using an encryption method called "plain text."
Just like open networks? (Score:2)
Applied practically, that means you could walk into a cafe and your device would automatically connect to a network -- no annoying password necessary
Why would a cafe need a password? Are those leeching in front of the cafe to get WiFi without buying anything a real problem? And if it is, aren't they smart enough to walk in to get the password and walk out again without buying anything?
Re: (Score:2)
Some places make you buy something to get the code or you need to ask.
Some hotels are like that: there is a basic code that may or may not change, and it's a cheap and easy way to keep non-guests off.
Re: (Score:2)
Is it worth it to piss off your customers with passwords? How many non-customers do they avoid because of that? What is the impact on the bandwidth?
Re: (Score:2)
well don't drop the soap when one of your non customers does some CP over your link and you are the one doing the hard time.
Re: (Score:2)
I don't think it's a huge burden. First-time customers would have to put in the password, but it's not like they're going to say "oh, you're making me put in a password for the wifi? I'll go eat somewhere else". Non-first-timers would already have the password saved.
But if you don't change the password at least semi-regularly then it's trivial for the password to be leaked to those same non-customers. The most secure (and annoying) system is where the password is on your receipt and is specific to you. There is a coffeeshop in my town that does that and also has it expire after 1 hour. No idea if it meets their business goals or not but they somehow manage to still have one of the slowest connections in town so I rarely go there.
Re: (Score:2)
Security. It protects fools, children, and ships named Enterprise.
Re: (Score:2)
And it doesn't really cater for buildings with multiple occupancy; the people outside your premises walls may not get access but people on the floor above or the floor below are going to be nearer.
What's that line in Star Trek II? Something like "Khan may be remarkably intelligent but his tactics seem to be exhibiting two dimensional thinking".
Re: Just like open networks? (Score:1)
Security, you encrypt the connections and don't allow clients to talk.
Re: (Score:2)
Good luck with that. Building materials and paint that block WiFi probably would also block cell-phone service. I doubt the café clientèle will go for that.
Re: (Score:2)
Blocking the WiFi is good. Reduced inter cell interference.
But what blocks the WiFi also blocks the cell phone.
Re: (Score:2)
Open wifi does not use encryption. It's surprising that no standard has developed for this, but when you connect to an open wifi network, you are subject to possibly having your traffic sniffed.
Yes, you should be using secure protocols whenever possible (HTTPS), but it's an entire layer of security missing.
Re: (Score:2)
True but you really aren't any better off using public wifi with a publicly posted key as long as someone else still has that same key they can still see your traffic.
So yes I suppose it could keep people that have never been inside your business and are unable to google "business name wifi password" from using your wifi.
Sure, Windows won't complain that it's unsecured. But it's wrong.
Let's say you have a box that takes a password to open.
Then you write the password on the lid of the box.
Wouldn't it have been
Re: (Score:2)
Each device on a WPA2 network has their own private keys with the AP and use that for passing data.
https://en.wikipedia.org/wiki/... [wikipedia.org]
So you actually have to capture the handshake to have any real chance of capturing the data. Which isn't to say it's not possible, but it is not as simple as having the password.
Re: (Score:2)
You're right, it's not quite that easy, but it is still pretty simple.
From 2014 http://www.howtogeek.com/20433... [howtogeek.com]
Wireshark had the capability to do it back then. If you want to prevent it the only option still considered secure against it is wpa2 enterprise which actually does give each device its own key.
Re: (Score:2)
Open wifi does not use encryption. It's surprising that no standard has developed for this, but when you connect to an open wifi network, you are subject to possibly having your traffic sniffed.
Yes, you should be using secure protocols whenever possible (HTTPS), but it's an entire layer of security missing.
When you use secure WiFi with AES-CCM encryption using keys established with RSA, the AP conveniently decrypts your wireless traffic and passes it onto the internet in plaintext form. 802.11 security is necessary for controlling access, but not sufficient for privacy.
Re: (Score:2)
No, it's not sufficient for privacy. Did you read my second sentence? I already addressed that.
It doesn't just control access, it encrypts all traffic in a way that's at least slightly more than trivial (i.e. you have to also sniff the handshake) to crack. If you must use HTTP, it's far more likely to be intercepted on a LAN rather than on the WAN, NSA excepted.
What could possibly go wrong? (Score:1)
Dumb (Score:2)
I thought maybe this was a way to establish a WPA-secure connection without user input, based off proximity.
No, this is open access authentication based off location. Yawn. Set your AP to "low power" and centralize it in the building, then remove all authentication.
If they had figured out a way to initiate a key exchange based on proximity, then I'd possibly be impressed. Maybe with the password being exchanged with human inaudible sound and triggered by proximity.
Wifi always on (Score:2)
Date on TFA is 3/31 so I am assuming this is not a joke.
I just don't like the idea of my device connecting to any hotspot that it may come close enough to.
I am already annoyed that my MAC address is being harvested if I happen to forget to turn off the wifi before I leave the house.
If my device automatically connects to a hotspot who knows what kind of MITM mischief could happen if some background app's protocol is vulnerable when it phones home for whatever.
Re: (Score:2)
MAC addresses are now world wide routable, using IPV6. It's actually part of the Spec.
There are ways around this, that are also built into the spec, but just wanted people to know.
Re: (Score:2)
Encrypt your home wifi; don't connect to any unencrypted network or network with a publicly known key.
To set up a MITM wifi you would need to know a wifi name (and key if set) the device will auto connect to. Try "Linksys"; most devices have connected to one of those at some point.
Even if your network name happens to be "Linksys"
If your AP has a key set the MITM AP would have to have the same network key.
This is why if your network name is the same as an open network or another encrypted network you will be un
Re: (Score:2)
Would be nice.
Device isolation and each device given its own encryption key for the router.
Should have been done years ago.
Re: (Score:2)
Would be nice.
Device isolation and each device given its own encryption key for the router.
Should have been done years ago.
You mean like the EAP+4 way handshake that was put in the spec years ago providing pairwise keys for every STA-AP pair?
Re: (Score:2)
Yes, you're right, 802.11x can actually do that.
Not sure if you can set it up without requiring login tho.
Now that just leaves me wondering why I've never seen one set up in the wild.
Might be a good project for this weekend.
Re: (Score:2)
You can. It's just a royal pain in the arse setting up RADIUS servers and configuring EAP methods and setting certs or whatever other credential is required by the EAP method.
This is a morass of complexity in security systems that in order to be secure need to be as simple as possible.
Brilliant! (Score:1)
Re: (Score:2)
ON a sphere. ON a sphere. Or are you a Hobbit?
Re: (Score:2)
I used to tell people that:
"I have Chewy Chewbaccason's Disease. I grow hair out of weird places all over my body and when I talk it comes out roowwrrrooowwrraaaa."
Yes, yes I did drink a lot back then.
3% Fail (Score:1)
TFA: "It works with 97% accuracy"
So hackers only have to try about 30 places on average to get in.
Re: (Score:3)
TFA: "It works with 97% accuracy"
So hackers only have to try about 30 places on average to get in.
It says 97% accuracy within the building and 10 inch resolution so if that 3% failure rate was double or even triple then that's still accurate to less than 3 feet which would be plenty accurate enough. Honestly, I'm just guessing and 97% accuracy is almost meaningless in this context. It would be much better to say "accurate to 10 inches +/- 5 inches" or something along those lines or "works reliably 97% of the time and 3% of the time someone inside the building can't connect" which would be the other li
Public Hotspot software (Score:2)
This kind of application desperately needs to include hotspot software that does a VPN over SSL or TLS (https security layer, relying on PKI). An ideal platform for doing this would be for email providers to add VPN for internet access alongside the SSL/TLS links they already operate for IMAP/POP3/SMTP, as it provides for some level of user authentication and traceability. There's also existing standalone VPN hotspots, but incorporating VPN into email would help make VPN ubiquitous.
Re: (Score:2)
>https security layer, relying on PKI
Right, because that's shown to be so secure with the thousands of perfectly run CAs.
April fool's (Score:2)
Well... (Score:2)
Re: (Score:2)
I think I'm wasting a post due to the April 1 chaos today, but everyone seems to be missing the point here. This is real, and it's not just an open network. And it's not vulnerable to range boosters - it's fundamentally undefeatable range-based authentication. The system uses time-of-flight of the signal to measure the distance from access point to user much like radar. Some wifi hardware already does this, but doesn't use that information for authentication purposes. For example, Ubiquiti's AirOS devices provide an actual range measurement but with much lower resolution since they are intended for long-range links. This is just an improvement in accuracy combined with the use of measured range data for authentication. It's very clever.
So violate the IFS spec a little and appear to be closer than you are.
Android Automation FTW (Score:2)
This is one of the two reasons I have my phone set to disable WiFi as soon as I leave my house. I don't have to worry about my phone trying to connect to every open AP it comes across.
The other reason I auto-disable WiFi is to minimize store tracking which seeks to ID me when I enter their building.
Why use public wifi? (Score:1)
Re: (Score:2)
Don't know if this is an April Fools article or not, but with Net Neutrality no mobile carrier is allowed to restrict tethering on any mobile device nor charge a fee for it, so I don't see why anyone actually needs public wifi anymore.
In my experience, most of the time, public wifi is still faster than tethering. It's also usually free and unlimited compared to the expensive per gig pricing of tethering.