
I have a replica of a Huawei B535-333 LTE modem. While I was working from home on my computer I randomly got a security alert saying that the certificate for the connection to outlook.office365.com was issued by an untrusted company and that the certificate name and the site name are not the same.


When I checked the certificate, it was issued for mediarouter.home and the issuer was root.home.

Should I be worried that the router tried to switch the certificate and start sniffing my Outlook traffic? Or is this just a 'glitch' that randomly occurred?

Tom Bowen
gtu
  • Welcome to the community. We need additional information, for example what is your search domain? – Sir Muffington Dec 06 '23 at 15:57
  • Search domain meaning to which server I was connecting? It was outlook.office365.com. It is stated above and in the first image. – gtu Dec 06 '23 at 20:10
  • Search domain meaning the DNS setting to add a certain domain when trying to access an unsuffixed name (e.g. "ping mail" + search domain "corp.example.net" = results in "mail.corp.example.net"). On Windows, in particular, the search domain gets added to all names, even if they appear to already have a suffix, due to a technicality, so "google.com" would also be tried as "google.com.corp.example.net" first – giving an opportunity for the latter to resolve to the wrong thing. The search domain can be set manually or received from DHCP, and is shown in ipconfig. – grawity Dec 07 '23 at 05:43
  • Aside - what's a "replica huawei modem"? A knockoff? – Criggie Dec 07 '23 at 17:55
  • @Criggie: I'm guessing it's a Zowee, which is the "We're totally not Huawei, promise" rebrand used by Huawei Europe. – grawity Dec 08 '23 at 04:59
  • @SirMuffington I checked my ipconfig and Connection-specific DNS Suffix . : is empty. – gtu Dec 08 '23 at 09:41
  • @Criggie It was sold as Huawei B535, but actually it is another brand (Soyealink) with the same model number B535-333 and software as Huawei. It is also controlled by the HUAWEI AI Life app. – gtu Dec 08 '23 at 09:54

2 Answers


The router had briefly lost its WAN uplink. It's a “feature” in several manufacturers' routers and modems (specifically including Huawei, but others as well) to redirect you to the router's local "connection status" web page when there is no Internet connection, presumably to simplify the initial setup process (e.g. entering the SIM card's PIN without having to hunt for the gateway's IP address) or as an attempt to improve user experience.

Functionally it's the same as those public Wi-Fi networks which use the browser-based "captive portal" login process, which also involves MITMing and redirecting HTTP requests (to the extent that web browsers have learned to detect it, which probably made it more attractive for Huawei to implement this feature as well).

These are easy to distinguish based on the received certificate – a deliberately malicious MITM attack would at least have attempted to spoof the correct domain name in the 'Subject' field, whereas in a 'captive portal' setup, the certificate would just identify the gateway itself (and "mediarouter.home" is indeed what Huawei modems use).

grawity
  • While the intent is not malicious, this is bad design and irresponsible of Huawei, and you should not attempt to click through the bad cert to accept it. If you do, your connection to the site is subject to future MITM. – R.. GitHub STOP HELPING ICE Dec 07 '23 at 13:37
  • @R..GitHub: The other problem is that they are using .home instead of .home.arpa as specified in RFC 8375. Unfortunately, said RFC says nothing at all about TLS certificates, and so there is no standard way to issue a cert for spoofed split-horizon domains like this, even though we have an RFC which acknowledges domain spoofing as a legitimate configuration. Arguably, the web PKI was not designed to support such certs in the first place. – Kevin Dec 07 '23 at 22:20
  • @Kevin: captive portal intercepting https is just always wrong. Any reasonable modern device will detect the portal and handle it without the need to attempt mitm. – R.. GitHub STOP HELPING ICE Dec 08 '23 at 01:02
  • @R..GitHub: Unfortunately, that's about a 90% solution. Last time I dealt with a captive portal, it took several minutes of fiddling before I eventually discovered that it was trying to use DoH instead of the captive portal's DNS, and failing because of course that's not going to work on a split-horizon setup. The device knew it was dealing with a captive portal (it displayed a "sign into WiFi network" prompt) and used DoH anyway. – Kevin Dec 08 '23 at 22:03
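The distinction grawity draws (does the certificate name the site you asked for, or only the gateway?) written out as a small triage routine. This is an added example, not code from the post or from Huawei; the `GATEWAY_SUFFIXES` list and the `ROUTER_CERT` sample are constructed for it, with the certificate dicts following the shape returned by Python's `ssl.SSLSocket.getpeercert()`.

```python
"""Triage a failed TLS handshake as the accepted answer does: does the cert name the
site (suspicious) or only the gateway (captive portal)? Dicts follow getpeercert()."""

# Suffixes routers use for their own web UI (RFC 8375 reserves .home.arpa; the rest
# are de facto). Hypothetical list chosen for this example.
GATEWAY_SUFFIXES = (".home", ".home.arpa", ".lan", ".local")


def rdn_values(name: tuple, key: str) -> list[str]:
    """Values for one attribute (e.g. commonName) in a getpeercert() name tuple."""
    return [v.lower().rstrip(".") for rdn in name for k, v in rdn if k == key]


def cert_names(cert: dict) -> list[str]:
    """DNS subjectAltNames plus the subject commonName, lowercased."""
    sans = [v.lower().rstrip(".") for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return sans + rdn_values(cert.get("subject", ()), "commonName")


def name_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style match: one '*' allowed, only as the whole left-most label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # Rejects '*.com', 'a*.example.com' and wildcards spanning several labels.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def triage(host: str, cert: dict) -> str:
    """Classify a certificate the client has already refused to trust."""
    names = cert_names(cert)
    issuer = rdn_values(cert.get("issuer", ()), "commonName")
    if any(name_matches(n, host) for n in names):
        # Right name, untrusted issuer: something on the path re-signs the real site.
        return "interception"
    local_name = any(n.endswith(GATEWAY_SUFFIXES) for n in names)
    local_issuer = any(i.endswith(GATEWAY_SUFFIXES) for i in issuer)
    if local_name and local_issuer:
        # Names the router, signed by a router-local CA: the no-WAN redirect case.
        return "captive-portal"
    return "unexplained-mismatch"


# Constructed sample mirroring the question: asked for outlook.office365.com,
# got a certificate for mediarouter.home issued by root.home.
ROUTER_CERT = {
    "subject": ((("commonName", "mediarouter.home"),),),
    "issuer": ((("commonName", "root.home"),),),
    "subjectAltName": (("DNS", "mediarouter.home"),),
}
```

`triage("outlook.office365.com", ROUTER_CERT)` returns `"captive-portal"`. When collecting real certificates, note that `getpeercert()` returns an empty dict if the context has verification disabled (`CERT_NONE`), so take the fields from the browser's certificate viewer or parse the DER from `getpeercert(binary_form=True)`.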

Yes, the modem did try to MITM you. With probably good intentions.

This is an impressively bad (in regard to security) approach to getting the user's attention.

The problem is, they train the user to click ok on security warnings like this.

On the other hand, it could be worse - the next iteration will be a modem driver that installs its own CA root cert in order not to annoy the user.

fraxinus