Accept any Wi-Fi password on OpenWRT (hostap) - wifi

After reading this article on Ars Technica I started looking for a way to enable an encrypted, yet passwordless public network. It is probably not possible due to specifications which require a certain number of characters and OSs complying with them, but what about accepting any password?
It will most definitely require custom scripting or even modifying the sources, so I've chosen OpenWRT to try this out. The relevant sources can be found here and here, which are used for building the wpad, hostapd and wpa-supplicant packages. By default OpenWRT uses wpad-mini (the suffix mini means an absence of WPA Enterprise support).
One of my thoughts was to also try WPA Enterprise for this purpose. Would it be possible to write a simple script to mimic the RADIUS server response, being always positive, as if credentials were correct?
Another aspect of this question is security. If accepting any password was possible, wouldn't it mean that anyone could trick my device into connecting to an AP with the same name as, say, the one I use at home, and have control over the traffic? This can be a very serious issue and it is better to talk about it publicly than just pretending that if we don't publish a way to do this, no one else will do the same on black markets or in governments.
upd: Would it be possible to use a simple captive portal to 'negotiate' encryption, ideally without any user interaction apart from opening the page? Naturally, it won't be WPA. Here is a good list of captive portal solutions for OpenWRT. A precaution: with the current OS-level implementations this wouldn't prevent leaking unencrypted data before the negotiation happens. But since OSs already recognize captive portals and display notifications, it should be possible to add a security feature to prevent any data transfers before passing the captive portal.

Related

Can I use the ESP-01 (ESP8266) to connect securely to MQTT broker?

The latest ESP-WROOM-02 supports TLS1.2 over AT commands (I got this confirmed by Espressif). However, I would like to use the ESP-01 unmodified to connect to an MQTT broker, using TLS1.2. Is it possible to use the ESP-01? Does it use the same firmware or codebase? I can't seem to find concrete answers.
Note that my app runs on another MCU (unavoidable). In principle I could reflash the ESP module, but that would add a step in the production process, plus yet another development environment. An advantage would be that the ESP01 firmware version would be strictly known.
I've seen that many advise to reflash the ESP with an Arduino derived firmware aka WiFiClientSecure and thus avoid working with the AT-commands (indeed I found NO library to specifically (and reliably) work with them).
Any advice greatly appreciated.
If you're concerned about security, then ESP8266 family modules (such as the ESP-01, ESP-WROOM-02, D1, NodeMCU) are likely not a practical choice.
They don't provide a mechanism for encrypting credentials on the device or a way to ensure that no one has altered the code that's running, and you end up in a situation like this one: https://thehackernews.com/2016/01/doorbell-hacking-wifi-pasword.html
However, the ESP-32 does provide that. It also allows you to make a secure MQTT connection. While it's more expensive than the ESP-01, it's still pretty affordable (about $6 on AliExpress).
The doorbell hack example is just stupid.
Why didn't they add a password for the Access Point connection?

ATS will be mandatory in iOS apps. What about simple feeds?

As we heard at this year's WWDC, at the end of 2016, Apple will make ATS mandatory for all developers who hope to submit their apps to the App Store. http://9to5mac.com/2016/06/15/ats-https-ios-apps/
http://www.cso.com.au/article/577197/apple-tells-ios-9-developers-use-https-exclusively/
It is understandable in cases where privacy, encryption (...) is a factor. But what about simple (news...) feeds and APIs where that is not the case?
What about simple JSON or RSS feeds? E.g. I have a very simple public JSON feed that can be called without any authorization; will it also need https? And what about simple RSS feeds? A huge majority of them now communicate via http. What about downloading image files from the web in an app?
Thanks in advance!
This is very rapidly becoming "the new normal." (Did you notice that even Wikipedia now uses https connections to their site?) Non-encrypted communications can be effortlessly intercepted, e.g. in the coffee shops and public places where so many people routinely find themselves. The problem is even more severe now that "free public WiFi" is available in "ordinary" stores and Wal-Marts, and people have their phones set to automatically connect to any of them. (People do not realize how insecure they are! But, they're learning ...)
The most appropriate solution, then, is to "encrypt everything." And so, this is what Apple is now mandating.
Yes, even "routine" communications, news-feeds and such. All of the traffic that passes through the airwaves will be encrypted.
Remember, also, that these techniques not only secure the communication, but are capable of identifying the sender and the receiver to one another through mutually-held certificates. (Web sites don't always use client-identification, although they can, and apps definitely should.) This, if used properly, will close a very big headache-hole for servers, because they now will know just who they are talking to. Client software can trust that they are talking to the right server, and that their communications are "received as tendered."
"Android or iOS or Windows or what-have-you," you should be doing this. Every mobile device implements SSL and possibly other encryption stacks. Do not send anything over air-waves "in the clear."
A "simple feed", in some country, can kill you. Protect your users, encrypt everything.

Social network scheme without server software

(I realize that this question might cost me reputation score, but I still want to ask:)
Imagine a social networking software much like a trivial Facebook (adding friends, sharing statuses and chatting) where the only software component needed is a client app. With no server farms, with no sensitive data stored on servers, with no government control and with no server software at all.
Well, while this is theoretically almost possible (if at least one user address is known), I still can't figure out how clients can discover each other on the internet (not in a local IP range) if there is not, at the very least, some server where all client addresses are recorded.
Please drop any ideas on how clients can discover each other on the internet without server software, if you have one or if there is already a precedent.

How do I access my Cisco router details from iOS mobile

Is it possible to access my Cisco router details like name, model, IP address, connection status etc. from my iOS mobile?
I'm even ready to write a small mobile app in iOS to get all router details.
Since I have just started learning iOS, I don't know if any library already exists for the above task.
If my router does not work or hangs, I even want to try restarting the router using my mobile.
If example code exists, it will be very useful.
Cisco already has an Android and iOS app for the same function, but I don't want to use this app and want to write my own app with limited features only.
(http://www.addictivetips.com/mobile/cisco-connect-express-manage-router-settings-remotely-android-ios/)
Thanks,
Accessing network gear is best done by using SNMP. Cisco has extremely rich management/monitoring capabilities via SNMP and all of their MIBs are publicly available here.
Almost all Cisco gear supports the SNMPv2-SMI MIB (the 1.3.6.1.2.1 OID) so querying things like sysName, sysLocation, sysContact, sysDescription, sysUpTime should be very easy. This MIB even supports tables for listing all the interfaces and IP addresses and has a whole lot of other things that might be of interest to you.
If you have SNMP write access on the device then you can even make config changes and perform management functions like rebooting or bringing an interface up/down.
There are a few SNMP libraries for Objective-C and I think Net-SNMP is the most popular (it's not .NET, even though the title suggests that).
If you are new to SNMP then I suggest starting simple by querying easy objects like 1.3.6.1.2.1.1.5 (sysName) and 1.3.6.1.2.1.1.6 (sysLocation) before trying to jump into tables like 1.3.6.1.2.1.2.2 (ifTable).
Remember, you don't have to stick with the standard MIBs; you can download all of the custom ones that are particular to your device, which will give you incredible amounts of flexibility.
You could use a screen-scraping technique to telnet or ssh to the Cisco device and parse the "show version" output. This will give you some of the information you need. For others, like IP addresses, you can use "show ip interface brief", "show cdp neighbors" etc. as you need.
Keep security in mind: make sure that telnet/ssh credentials are adequately protected in your app's settings, and try to restrict your commands to those that do not need privileged access on the Cisco device.
Be aware that Cisco devices have a small pool of available VTYs, and every telnet/ssh access from your app will use up one VTY. So if you have, for example, 30 guys wanting to access the device simultaneously from their apps, some of those instances are not going to get access to the device.
If this is a concern, SNMP is a better and more scalable option, as suggested by the previous answer. Make sure that you (a) have a read-only community string configured on the device, and (b) use only the ro community string from the app.
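The SNMP read described in the two answers above, as an added example that is not part of the original posts: it hand-encodes an SNMPv2c GetRequest for sysName and decodes a reply, which also makes visible that the community string sits in the packet as plain bytes. The community `example-ro`, the request id and the `lab-router` reply are constructed placeholders, and sending the request over UDP port 161 is left out.

```python
SYSNAME = "1.3.6.1.2.1.1.5.0"   # sysName OID from the answer plus instance .0
COMMUNITY = "example-ro"        # placeholder read-only community (assumption)

def tlv(tag, body):             # BER tag-length-value
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    ln = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")  # long form
    return bytes([tag, 0x80 | len(ln)]) + ln + body

def ber_int(v):                 # non-negative INTEGER, minimal length
    return tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))

def ber_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:        # base-128, high bit set on all but last byte
        chunk = [arc & 0x7F]
        while arc := arc >> 7:
            chunk.insert(0, (arc & 0x7F) | 0x80)
        out += bytes(chunk)
    return tlv(0x06, bytes(out))

def build_message(pdu_tag, community, oid, request_id, value=tlv(0x05, b"")):
    """pdu_tag 0xA0 = GetRequest (value stays NULL), 0xA2 = GetResponse."""
    varbinds = tlv(0x30, tlv(0x30, ber_oid(oid) + value))
    pdu = tlv(pdu_tag, ber_int(request_id) + ber_int(0) + ber_int(0) + varbinds)
    return tlv(0x30, ber_int(1) + tlv(0x04, community.encode()) + pdu)  # 1 = v2c

def children(buf):              # split a constructed body into (tag, value) pairs
    out, pos = [], 0
    while pos < len(buf):
        tag, n, pos = buf[pos], buf[pos + 1], pos + 2
        if n & 0x80:            # long-form length
            k = n & 0x7F
            n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
        out.append((tag, buf[pos:pos + n]))
        pos += n
    return out

def parse_response(packet):     # -> (request_id, error_status, value_tag, value)
    _version, _community, (tag, pdu) = children(children(packet)[0][1])
    if tag != 0xA2:
        raise ValueError("not a GetResponse PDU")
    (_, rid), (_, err), _index, (_, varbinds) = children(pdu)
    (_, _oid), (vtag, value) = children(children(varbinds)[0][1])
    return int.from_bytes(rid, "big"), int.from_bytes(err, "big"), vtag, value

# Constructed round trip: the request, then a reply standing in for the router's.
request = build_message(0xA0, COMMUNITY, SYSNAME, 4242)
reply = build_message(0xA2, COMMUNITY, SYSNAME, 4242, tlv(0x04, b"lab-router"))
```

`parse_response(reply)` returns the request id, error status 0, value tag 0x04 (OCTET STRING) and the device name; a nonzero error status is how the agent reports a rejected request.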

Adding sensitive data to iOS application build

What are the best practices to add sensitive data to the iOS application?
For sensitive data I mean a key or token to communicate with some external server.
Can we compile a certificate in the app, and iOS can remove it on installation?
I feel like we cannot really 100% guarantee the security of it, but what is the best practice layer we can add?
There is no mechanism that will ensure to a server that only your application is allowed to speak to it. So if that is your goal, then it is unsolvable. This has been talked to death on SO. Just a few:
Secure Communication Between iPhone and Server?
Store an encryption key in Keychain while application installation process
Secure https encryption for iPhone app to webpage
(And the many other links within those postings.)
And elsewhere:
Obfuscating Cocoa
You cannot authenticate devices or software. You can only authenticate users. That means a login. Without a login that is partially stored in the user's brain (or at least in something separate from their iPhone), it's just obfuscation.
Now, that doesn't mean that obfuscation is useless. It isn't. You can get some mileage out of a simple authentication token (like a client key), but don't expect it to survive an attack. That doesn't mean you shouldn't do it; it just means you shouldn't spend a lot of time/money on it since it will fail pretty fast.
In no cases should you implement something that ticks off paying customers. Read the several threads linked above (and the several threads linked from those threads). If after that, you still absolutely need a solution, then you'll need to hire someone to keep track of the cracks and fix them every time a new one comes out. It will never stop.
