In recent years, digital communications have spread to ever more digital devices, ranging from remote environmental sensors, appliances, miniature hand-held digital devices (e.g. cameras, dual-mode cellular telephones, etc.) to networking equipment (e.g. controllers, routers, etc.). For instance, digital devices may be connected to a local area network (LAN) through Ethernet adapters for wired network communications, or wireless adapters such as those operating according to the well-known IEEE 802.11a/ac/b/g/n standards. Such connectivity enables information to be communicated with other digital devices directly or indirectly connected to the LAN. Each of these devices must be configured for a particular network before it can operate on that network.
A headless networking device (HD) is a device that lacks a user interface but has a network interface. It can be an industrial device such as a robot. It can be an enterprise device such as a wireless access point, or it can be a home device such as a “smart grid”-enabled water heater.
A device that lacks a user interface has difficulty in obtaining the appropriate credentials and configuration to access or join a secure network. Such a device is typically configured on the assumption that it is initially placed on a trusted network and that the configuration protocol, therefore, does not need any security. The first device that contacts the HD is able to configure it. It is assumed that the configuration provided to the HD cannot be observed or intercepted by an unauthorized party and that an unauthorized party cannot access the device to provide a different configuration. However, this assumption may often be false. Headless devices can be placed on a medium which cannot be completely trusted. A wireless medium increases the potential for adversaries to observe, interfere with, or attack the configuration of the HD.
“Wireless Protected Setup (WPS)” from the Wi-Fi Alliance (WFA) is proposed to increase the security of the configuration of a new device on a Wi-Fi network. The device, such as an HD, to be configured has a PIN (Personal Identification Number) or password burned into the device at manufacture. This PIN or password is also written on a label or on documentation accompanying the HD. This PIN or password is then entered into the user interface of a configuring device (CD). The CD and HD perform a handshake proving possession of the PIN or password and the CD can then configure the HD.
Unfortunately, WPS is susceptible to a dictionary attack that attempts to guess the password. It is also susceptible to snooping to detect the password. An adversary might also take the password directly from the label or documentation. Given the PIN or password, the adversary can configure, and take control of, the HD. The adversary may also, or instead, intercept the configuration that the CD provides after the spoofed authentication. The network configuration information allows the adversary the same access to the secured network that the CD is intended to have. This may be more valuable than configuring the HD.