Certain tablets and PCs, including at least the Kindle Fire and Windows 10 computers, allow you to change WiFi settings even if the device is locked and you don't have the PIN/password.

The valid use case for this is that sometimes you have to authenticate yourself to the network in order to use the device. (On Windows 10, you might have to log on to a domain; on the Kindle Fire, if you forget your PIN code, you can reset your PIN by logging in to your Amazon account, which of course requires network access.) So if your WiFi network has changed, you need to be able to change WiFi settings before you can log in.

But this also means that an attacker could change your WiFi settings to point to a rogue hotspot they control, without having your PIN/password. Then when you log in to the device and use it later, all your traffic flows through the attacker's hotspot. Even though most important traffic is encrypted these days, they can still see what sites you're connecting to.

This seems like a valid security concern, and the easiest fix I can think of is that if the device's WiFi settings are changed while it's locked, the next time it's unlocked, display a message which says, "While this machine was locked, a user changed the WiFi network to . If you did not authorize this change, you should change your machine's WiFi settings back to their previous values."

Is this a valid security concern? Has this been publicly discussed anywhere? Is there a simpler way to mitigate this security threat, while still allowing users to change the WiFi settings on a locked device?

Bennett
  • I wish I could upvote this question twice! Such a simple and obvious thing that I've never considered before! – Mike Ounsworth Mar 15 '19 at 22:07
  • The origin of this behaviour being considered ok might be "This wifi security model is no worse than the equivalent security model for ethernet", but that doesn't really hold water because 1) you'd probably notice if your ethernet cable went somewhere weird, though maybe not if it disappears off into the wall, and 2) an "it's no worse than" argument doesn't hold for mobile devices that are not typically on ethernet. – Mike Ounsworth Mar 15 '19 at 22:12
  • Not all devices allow this. The Pixel 2 for example prompts the user to log in before allowing these changes. It seems some vendors favor ease of use and customer experience over security. If they wouldn't prompt for a pin/password it's unlikely they would display this prompt. This could be considered a security risk, but an attacker could also compromise the wifi router and get the same level of influence. – Daisetsu Mar 16 '19 at 00:40
  • This is a nice question, but the issue is also already thought through so well that the answer would be simply: "Yes, you are right!" – Esa Jokinen Mar 16 '19 at 05:44

1 Answer

Yes, this is a valid security concern. There might be anything going on on the network while the device is locked, and an attacker could get access to all that traffic even if you get notified after login. This would definitely enable MITM attacks, but of course there are other layers of security that can tackle most of it: this is not a critical security issue.

In order to keep the ability to reset the password but prevent unauthorized changes of network settings, I would suggest a sort of safe mode network: if the network was changed while locked, the firewall would block all other connections but the one required for password reset synchronization. When unlocked, the OS would prompt for permission to remove this firewall policy. This would work for both wireless and wired network changes.

Esa Jokinen
  • "There might be anything going on on the network while the device is locked, and an attacker could get access to all that traffic even if you get notified after login." Well yes, if your default WiFi network is untrusted, you have no protection from traffic-flow analysis anyway. The scenario I'm assuming is where the user (reasonably) assumes their default network is trustworthy and secure. But after the attacker changes the network settings on their locked device, that's no longer true. – Bennett Mar 16 '19 at 19:44
  • This answer is exactly for that situation. – Esa Jokinen Mar 16 '19 at 19:47
  • (1/2) "If network was changed while locked, firewall would block all other connections but the one required for password reset synchronization. When unlocked, the OS would prompt for a permission to remove this firewall policy." I don't understand how this achieves anything more than my original "Your settings were changed while locked" message. The actual firewall rule doesn't achieve anything because the attacker is not using the device while locked; if you then show the legitimate user a message about "firewall settings changed", they might be confused; and they're likely to – Bennett Mar 16 '19 at 19:48
  • (2/2) click "OK, dismiss" just to remove the firewall rule so they can use the network again. If you tell the user specifically, "A user changed your Wi-Fi settings while your machine was locked", that gets right to the point, and alerts them in case they want to change the settings back. – Bennett Mar 16 '19 at 19:49
  • It's against the MITM attack, where the goal is to steal the traffic from the device in order to investigate or tamper the connections. Notification alone doesn't prevent that, it just gets your attention. – Esa Jokinen Mar 16 '19 at 19:51
  • Of course the dialog would have two options: allow the new network and remove the firewall policy or revert the changes made. – Esa Jokinen Mar 16 '19 at 19:55
  • (1/2) Ah OK, so it essentially forces the user to make a decision, by firewalling other connections (making the device useless for most purposes) until you decide. But in that case it would seem more direct to actually force the user to make a decision -- in other words, the dialog blocks user interaction and can't be dismissed until the user says, "Yes, I authorized this change" or "No, revert back to original settings." The trouble with the firewall is that it might block other useful activity like background security updates (which were authorized before the machine was compromised, – Bennett Mar 17 '19 at 21:21
  • (2/2) hence, can be assumed to be trusted). Also, allowing only the connections needed to authenticate the login is error-prone -- what if the domain has more than one domain controller, and you thought the PC was connected to one, so you whitelisted that one, but not the other one? What you really want is to block user-initiated actions (the kind of thing an eavesdropper would be interested in). So you could have a dialog that blocks all user interaction until they confirm or reject the network settings change. – Bennett Mar 17 '19 at 21:24
  • Not really a problem. If this was implemented by an operating system, everything critical to the OS to work would be taken into account. It would be problematic in many ways to let the user configure some "whitelist". (Also, disabling security updates for a couple of hours isn't really a problem.) – Esa Jokinen Mar 18 '19 at 03:36
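The two mitigations discussed above, the question's "your WiFi settings were changed while locked" notification and the answer's restricted "safe mode" network that holds traffic until the unlocked user keeps or reverts the change, can be modelled as one small policy state machine. The code below is an added illustration written for this thread; it is not code from any vendor's operating system or from the participants. The class name LockedNetworkGuard, the event names and the allow-list of system endpoints are assumptions, and all events are constructed in memory. Following the later comments, it lets non-user-initiated traffic (such as background updates) through while the decision is pending and only holds user-initiated connections.

```python
"""Model of a 'network changed while locked' guard for a locked device.

Added illustration for this thread; not any vendor's implementation.
Endpoint names and the allow-list are assumed, events are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Destinations the OS itself needs while the decision is pending (assumed
# names standing in for the password-reset / domain-logon endpoints).
SYSTEM_ALLOWED = frozenset({"password-reset", "auth-endpoint"})


@dataclass
class LockedNetworkGuard:
    """Tracks lock state, the network trusted at lock time, and whether a
    change made on the lock screen is still awaiting the user's decision."""
    network: Optional[str] = None          # currently configured network (SSID)
    locked: bool = False
    trusted: Optional[str] = None          # network in use when the device locked
    pending: bool = False                  # changed while locked, not yet decided
    history: List[Tuple[Optional[str], str]] = field(default_factory=list)

    def lock(self) -> None:
        """Remember the network the user was on; that is the trusted baseline."""
        self.locked = True
        self.trusted = self.network

    def change_network(self, ssid: str) -> None:
        """Anyone can do this from the lock screen; the guard only records it
        and, if the device is locked, flags the change for review."""
        previous = self.network
        self.network = ssid
        if self.locked and ssid != self.trusted:
            self.pending = True
            self.history.append((previous, ssid))

    def unlock(self) -> Optional[str]:
        """Return the notification text to show, or None if nothing changed."""
        self.locked = False
        if not self.pending:
            return None
        changes = ", ".join(f'"{a}" -> "{b}"' for a, b in self.history)
        return (f"While this machine was locked, the WiFi network was changed "
                f"({changes}). Keep the new network or revert to \"{self.trusted}\"?")

    def allows(self, destination: str, user_initiated: bool = True) -> bool:
        """Firewall decision. With a change pending, user-initiated traffic is
        held except to the system endpoints; background traffic still passes."""
        if not self.pending:
            return True
        return (not user_initiated) or destination in SYSTEM_ALLOWED

    def decide(self, keep: bool) -> None:
        """User answers the prompt: keep the new network or revert to the one
        trusted at lock time. Either way the restriction is lifted."""
        if not self.pending:
            return
        if keep:
            self.trusted = self.network
        else:
            self.network = self.trusted
        self.pending = False
        self.history.clear()


if __name__ == "__main__":
    guard = LockedNetworkGuard(network="HomeNet")
    guard.lock()
    guard.change_network("FreeAirportWiFi")   # done from the lock screen
    print(guard.unlock())
    guard.decide(keep=False)
    print("network after revert:", guard.network)
```

Reverting restores the network recorded at lock time rather than whatever the previous value happened to be, so a change made twice on the lock screen (for example away from the trusted network and then to a second one) still reverts to the user's own setting.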