Getting Wi-Fi Connected

Imagine for a second a customer who has just bought a laptop. They arrive home and want to connect to the internet, wirelessly, so what do they do? Windows, Linux and Mac OS X each present a list of the wireless networks available. Once one is selected, the customer enters the password and is connected. This process is used by hundreds of millions of devices and, despite some issues with interoperability, signal strength and other factors, usually works well.

Now consider the same scenario for a customer who has just bought a Wi-Fi enabled garage door opener. The device has no native need for an LCD and will have very few buttons, so connecting it to the network is not straightforward. Most manufacturers prefer to avoid adding interfaces the product does not otherwise need, because of the cost in bill of materials, development, time to market and customer support. A Wi-Fi enabled Crock-Pot will have a few buttons and LEDs at most.

The initial step is connecting the product to the access point, and, simply put, you only get one chance to make a good impression. IoT devices are meant to make our lives easier, and making a customer jump through hoops to get a device connected to the internet and running works against that. Don't believe me? Look at Amazon reviews and you will find several products returned by customers because of a bad experience installing and using them. Worse, some of those customers are turned off the whole idea of connected devices.

How the connection between the device and the router gets made is usually not considered until the user has purchased the product. As a developer of consumer goods, it's important to understand all the ways the initial connection to the router can be made, with their advantages and disadvantages. When looking to implement provisioning, we generally look for the following characteristics:

  • Ease of Use – It's important to ensure that the method can be performed by anyone without a technical background. This factor should not be underestimated.
  • Interoperability – Given the wide range of Access Points used by customers, it's important to ensure the method works across them if it depends on the Access Point at all.
  • Security – The mechanism for association should not leak the key or passphrase, either over the air or to anyone who buys one unit and takes it apart.
  • Ease of Implementation – The mechanism should avoid requiring the manufacturer to build and run a significant infrastructure to support it.

We can categorize the mechanisms for associating the device with the network into two main bins: specification mechanisms and vendor mechanisms. Specification mechanisms are those defined by the 802.11 or Wi-Fi standards themselves, either built into 802.11 or layered on top of existing protocols to make association a breeze. Beyond these, we cover some of the more popular methods created by vendors, both Wi-Fi chipset makers and OEMs. There are many ways to give the Wi-Fi controller the SSID and the passphrase or key.

Specification Mechanisms

Wi-Fi Protected Setup [1]


Let's start with specification mechanisms, especially those built into 802.11 and Wi-Fi. The first is Wi-Fi Protected Setup. Long ago, the Wi-Fi Alliance realized that the initial step of connecting a device to the network could be difficult. A WPA/WPA2 passphrase can be up to 63 characters long; most customers don't know it offhand, and typing it into a system with a limited interface is frustrating. In 2006 the Wi-Fi Alliance released the WPS specification. WPS actually consists of several mechanisms, some required and most optional, which must be implemented if a product wishes to be WPS certified.

  • USB – A USB flash drive is loaded with the association information when connected to the router or another already-configured device, then plugged into the product that needs to associate. This method is rare and deprecated, since it requires a USB port and a full USB stack on the device. The Wi-Fi Alliance does not even mention it on their site.
  • PIN Method – The PIN printed on or displayed by the product is entered into an interface provided by the Access Point, typically the router's web page at the router's IP address, which then allows the device to associate.
  • Push Button – This is probably the most popular mechanism. The user presses the WPS button on the AP, which opens a time window (typically a couple of minutes). During that window the customer presses the WPS button on the product. The product and the AP handle all the underlying communication, and the product ends up fully connected to the Wi-Fi network.
  • NFC – Uses NFC tags (RFID technology) to transfer the information so the customer types nothing, either with a tag supplied with the product or from an NFC-capable mobile phone.

Only the PIN method is required for WPS certification. In 2011, security researchers found major flaws that allow an attacker to connect to the Access Point by attacking the PIN method and the way some vendors implemented WPS. The 8-digit PIN has only 7 free digits (the eighth is a checksum), and the protocol acknowledges each half of the PIN separately, so an attacker needs at most about 11,000 attempts rather than 10^7 to recover the router's PIN by brute force, and with it the actual key. Although many vendors have released firmware updates that make the attack impractical (for example by locking WPS after repeated failures), the underlying weakness remains, and some customers simply disable WPS on their routers to avoid it. The Push Button method has its own issue: an attacker can abuse it by starting WPS on their own device during the window in which the AP's WPS is open for a legitimate customer installing a product. This is as simple as pressing a button at the right time.
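The PIN weakness described above, as an added example that is not code from the original article: the WPS PIN checksum, a constructed stand-in for an AP that, like the real registration protocol, rejects a wrong first half and a wrong second half separately, and the two-phase search that exploits it. `SimulatedAP` and the function names are this example's own; nothing here talks to a real access point.

```python
# Added example, not code from the original article: the WPS PIN format and
# why the PIN method falls to brute force. A WPS PIN is 8 decimal digits, the
# last of which is a checksum of the first 7. During registration the AP
# acknowledges the first four digits (message M4) separately from the last
# four (message M6), so an attacker acting as an external registrar can search
# the two halves independently. SimulatedAP is a constructed stand-in for that
# behaviour; it is not a real access point or driver.


def wps_checksum(first7: int) -> int:
    """Checksum digit for the first 7 digits of a WPS PIN (weights 3,1,3,1,... from the right)."""
    accum = 0
    pin = first7
    while pin:
        accum += 3 * (pin % 10)
        pin //= 10
        accum += pin % 10
        pin //= 10
    return (10 - accum % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    """True for an 8-digit PIN whose last digit matches the checksum of the first 7."""
    return len(pin) == 8 and pin.isdigit() and wps_checksum(int(pin[:7])) == int(pin[7])


class SimulatedAP:
    """Constructed oracle that, like the WPS registration protocol, rejects a
    wrong first half at M4 and a wrong second half at M6."""

    def __init__(self, pin: str):
        if not is_valid_wps_pin(pin):
            raise ValueError("not a valid WPS PIN")
        self._pin = pin
        self.attempts = 0

    def try_pin(self, candidate: str) -> str:
        self.attempts += 1
        if candidate[:4] != self._pin[:4]:
            return "nack_m4"
        if candidate[4:] != self._pin[4:]:
            return "nack_m6"
        return "ok"


def recover_pin(ap: SimulatedAP) -> str:
    """Two-phase search: at most 10**4 + 10**3 = 11,000 attempts, versus 10**7
    if the checksum-protected PIN had to be guessed as a whole."""
    first_half = None
    for i in range(10_000):
        # The second half is irrelevant here; M4 only reflects the first four digits
        if ap.try_pin(f"{i:04d}0000") != "nack_m4":
            first_half = f"{i:04d}"
            break
    if first_half is None:
        raise RuntimeError("first half not found")
    for j in range(1_000):
        # Only three digits are free; the eighth must be the checksum, so compute it
        seven = first_half + f"{j:03d}"
        candidate = seven + str(wps_checksum(int(seven)))
        if ap.try_pin(candidate) == "ok":
            return candidate
    raise RuntimeError("second half not found")


if __name__ == "__main__":
    ap = SimulatedAP("12345670")  # the well-known default/test PIN; its checksum digit is 0
    found = recover_pin(ap)
    print(f"recovered {found} after {ap.attempts} attempts (worst case 11000)")
```

The vendor mitigations mentioned above map directly onto this oracle: a lock-out after a handful of `nack_m4`/`nack_m6` responses, or a per-attempt delay, is what turns 11,000 fast queries into an impractical attack; the PIN format itself does not change.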

With all this said, WPS is supported in most if not all Access Points sold today.

Using Access Point (AP) Mode

Another popular mechanism is to have the product start out as an Access Point. WLAN chipsets are very flexible, and many can operate as an AP. When the customer powers the product for the first time, it brings up its own access point. The customer joins that network from a laptop or mobile phone and enters the SSID and passphrase of the real Access Point the product should connect to. The product then turns off its AP functionality and, using the credentials given by the user, connects to the real Access Point. Provided the temporary network is protected with WPA or WPA2, the transfer of the SSID and key to the product is encrypted, although it can still be attacked: WPA and WPA2 passphrases are vulnerable to dictionary attacks against a captured handshake, and most manufacturers ship a short passphrase for the product's AP mode to spare the user from typing a long one, which makes such an attack feasible. There are, however, ways to improve on this: encode the setup-network name and passphrase in a 2D barcode on the product so the customer does not type anything, and the passphrase can then be long, random and unique to each unit rather than one default shared across the product line.

Done this way the method is reasonably secure, but it has the disadvantage that support for AP mode varies among chipset vendors, and it requires a web server on the product with which the user can interact to input the data. It also adds another step, switching the phone or laptop to the product's network and back, that can confuse some customers.
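The AP-mode improvements described above, as an added example that is not code from the original article: a per-unit random setup passphrase packed into the `WIFI:` QR payload that phone camera apps read (the ZXing convention), and validation of the home-network credentials the customer submits through the product's setup page before they are handed to the WLAN driver. The function names, `SETUP_SSID_PREFIX` and the form dictionary are this example's own assumptions, not any vendor's API.

```python
# Added example, not code from the original article: the two pieces of an
# AP-mode provisioning flow that the text says can be improved. (1) Each unit
# gets a long random passphrase for its temporary setup network, packed into
# the "WIFI:" QR payload (the ZXing convention, which phone camera apps read)
# so nobody types it and a dictionary attack on the setup network is
# pointless. (2) The home-network credentials the customer submits through
# the product's setup web page are validated before being handed to the WLAN
# driver. Function names, SETUP_SSID_PREFIX and the form dict are this
# example's own, not any vendor's API.
import secrets
import string

SETUP_SSID_PREFIX = "MyDevice-Setup-"  # hypothetical product naming
_ALPHABET = string.ascii_letters + string.digits  # 62 symbols; 32 of them is ~190 bits


def generate_setup_passphrase(length: int = 32) -> str:
    """Per-unit random passphrase, generated at the factory and printed on the
    label as a QR code. Never reuse one value across the fleet."""
    return "".join(secrets.choice(_ALPHABET) for _ in range(length))


def _qr_escape(value: str) -> str:
    """Backslash-escape the characters that are special inside a WIFI: payload."""
    for ch in ("\\", ";", ",", ":", '"'):
        value = value.replace(ch, "\\" + ch)
    return value


def wifi_qr_payload(ssid: str, passphrase: str) -> str:
    """Build the WIFI:T:WPA;S:<ssid>;P:<passphrase>;; string to encode as a QR code."""
    return f"WIFI:T:WPA;S:{_qr_escape(ssid)};P:{_qr_escape(passphrase)};;"


def validate_credentials(form: dict) -> list:
    """Return a list of problems with the SSID/passphrase submitted via the setup
    page; an empty list means the values are safe to pass to the WLAN driver."""
    problems = []
    ssid = form.get("ssid", "")
    psk = form.get("passphrase", "")
    if not 1 <= len(ssid.encode("utf-8")) <= 32:
        problems.append("SSID must be 1 to 32 bytes")
    if not 8 <= len(psk) <= 63:
        problems.append("WPA2 passphrase must be 8 to 63 characters")
    if any(not 32 <= ord(c) <= 126 for c in psk):
        problems.append("WPA2 passphrase must be printable ASCII")
    return problems


def provision_unit_at_factory(serial: str) -> dict:
    """What the production line does once per unit: pick the setup-network name
    and passphrase and produce the QR payload to print on the label."""
    ssid = SETUP_SSID_PREFIX + serial
    psk = generate_setup_passphrase()
    return {"ssid": ssid, "passphrase": psk, "qr": wifi_qr_payload(ssid, psk)}


if __name__ == "__main__":
    unit = provision_unit_at_factory("A1B2C3")
    print(unit["qr"])
    # Constructed form submission, as a customer's browser would POST it
    print(validate_credentials({"ssid": "HomeNet", "passphrase": "correct horse battery"}))
```

The setup passphrase must be stored on the unit that carries the label (written into its flash on the line, not derived from something guessable such as the serial or MAC), and the setup page should serve only during the provisioning window and then shut down together with the AP.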

Using Ad-Hoc Mode

Ad-hoc mode has largely fallen out of favor, especially now that AP mode is available. Basically, a product in ad-hoc mode can connect directly to another device such as a laptop without an Access Point as intermediary. The user connects to the product in ad-hoc mode from a computer with wireless capability and enters the credentials of the real Access Point; the product then connects to that AP. Ad-hoc mode is difficult for customers to use, usually counterintuitive, and has lost support from WLAN vendors.

Vendor Mechanisms

Having seen the 802.11 and Wi-Fi mechanisms, you have probably realized that the industry is still looking for reliable, secure and commonly available ways to get credentials to the product. Because of this, various vendors and companies have developed their own mechanisms for delivering credentials to a system. Most of these rely on an out-of-band channel that is not Wi-Fi.

BlinkUp [3]


TI Smart Config [4]

Texas Instruments has developed its own Wi-Fi based mechanism called SmartConfig. Technically it is in-band, but since it is vendor specific we cover it here. The TI CC3000 is currently the only device known to support it. At product startup the Wi-Fi chipset listens in a special mode in which it can receive packets from a mobile phone. An application provided by TI runs on the phone and sends the SSID and passphrase encrypted with AES. The CC3000 receives the data and forwards it to the host microcontroller, which holds the AES key, decrypts the credentials and configures the CC3000 to associate with them. One issue to consider is key management. If the same AES key is used for every product, an attacker who extracts it from one unit can sniff the exchange between any phone and any CC3000 and decrypt the credentials. Using a distinct AES key per product avoids that, but requires careful consideration of how the key is generated and how the phone application learns it.
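The key-management point above, as an added example that is not TI's SmartConfig code: a simulation of two fleets, one where every unit shares a single key and one where each unit's key is derived from a factory master secret and the unit's serial number, showing that a key dumped from one purchased unit decrypts another customer's sniffed credentials only in the first fleet. Python's standard library has no AES, so the cipher here is a labelled stand-in (an encrypt-then-MAC construction from HMAC-SHA256); the master secret, serial numbers and message layout are this example's own assumptions.

```python
# Added example, not TI's SmartConfig code: the key-management point for an
# in-band provisioning scheme that sends the SSID and passphrase encrypted to
# the chip. Two fleets are simulated: one where every unit shares one key, and
# one where each unit's key is derived from a factory master secret and the
# unit's serial number. An attacker who extracts the key from a unit they
# bought can decrypt another customer's sniffed credentials only in the first
# fleet. Python's stdlib has no AES, so the cipher here is a stand-in
# encrypt-then-MAC construction built from HMAC-SHA256 (counter-mode keystream
# plus a 128-bit tag); the message layout is nonce || ciphertext || tag.
import hashlib
import hmac
import json
import secrets

FACTORY_MASTER_SECRET = b"constructed factory master secret, never shipped on a device"


def derive_device_key(master_secret: bytes, serial: str) -> bytes:
    """Per-unit key via HMAC; the master secret stays in the factory, so one
    dumped device key reveals nothing about any other unit's key."""
    return hmac.new(master_secret, b"wifi-provisioning|" + serial.encode(), hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_credentials(key: bytes, ssid: str, passphrase: str) -> bytes:
    """Phone side: returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(12)
    plaintext = json.dumps({"ssid": ssid, "passphrase": passphrase}).encode()
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()[:16]
    return nonce + ciphertext + tag


def decrypt_credentials(key: bytes, blob: bytes):
    """Device side: verify the tag before touching the data; None on wrong key or tampering."""
    if len(blob) < 12 + 16:
        return None
    nonce, ciphertext, tag = blob[:12], blob[12:-16], blob[-16:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        return None
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))
    return json.loads(plaintext)


def cross_device_exposure(per_device_keys: bool) -> bool:
    """True if a key dumped from unit SN-0001 decrypts a provisioning message
    sniffed while another customer set up unit SN-0002."""
    def key_for(serial: str) -> bytes:
        # Shared-key fleet: every unit gets the same key regardless of serial
        return derive_device_key(FACTORY_MASTER_SECRET, serial if per_device_keys else "ALL-UNITS")

    sniffed = encrypt_credentials(key_for("SN-0002"), "HomeNet", "correct horse battery")
    attacker_key = key_for("SN-0001")  # extracted from a unit the attacker bought
    return decrypt_credentials(attacker_key, sniffed) is not None


if __name__ == "__main__":
    print("shared key, other customer exposed:", cross_device_exposure(per_device_keys=False))
    print("per-device key, other customer exposed:", cross_device_exposure(per_device_keys=True))
```

With per-unit keys the phone application still has to learn the key for the unit in front of it, which in this design is an out-of-band step (for example scanning a code on the label) that the original scheme does not have; that extra step, not the derivation, is what "careful consideration" buys. In a real product the stand-in cipher would be replaced with AES in an authenticated mode, which is what the text says the CC3000 path uses.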

Bluetooth [4]

Bluetooth is another mechanism available to combo Wi-Fi+Bluetooth devices. Bluetooth has long been integrated alongside Wi-Fi, since mobile phones typically have to support both. Bluetooth includes pairing security that allows a Bluetooth enabled product to connect to a mobile phone and exchange information, such as the association credentials for the Wi-Fi connection. Once the product has received the information over Bluetooth, it can connect to the wireless Access Point. The exchange is usually quite secure and can be further protected with application-layer techniques. However, it requires a Bluetooth-capable chipset as well as a controller managing the exchange of information.

Bluetooth Low Energy pairing, however, was simplified relative to classic Bluetooth to keep devices small and cheap (for example, "Just Works" pairing offers no protection against a man in the middle), so it may be compromised if not used carefully.

References