A simple method to get a wifi device connected to the local network
Matthew Ford
about getting wifi connection parameters into the device.
So I have put up a suggested process here
http://www.forward.com.au/pfod/pfodWifiConnect/pfodWifiConnect.html
This uses QR code, an Android app (setting up a temporary AP) and a
small library in the Arduino to save the network parameters.
The QR code tell the android app the settings for the temporary AP that
Arduino will try and connect to, in setup mode, get its real parameters.
Any comments/ suggestions welcome
matthew
Tom Igoe
t.
> You received this message because you are subscribed to the Google Groups "Developers" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to developers+...@arduino.cc.
dirk swart
matthew
--
You received this message because you are subscribed to the Google Groups "Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to developers+unsubscribe@arduino.cc.
Matthew Ford
Note: this process is designed to make it easy (easier) for the user
(not being the programmer) to get the device connected to the network.
You only need the QR code (attached to the device) and an Android
mobile. So just one device, the android mobile.
You only need the computer to run the Arduino IDE to program the device
initially, before you give it to the user.
(This process is also useful for the programmer to move the device
between networks without needing to get the computer out again and
re-program)
matthew
Tom Igoe
> On Feb 13, 2015, at 5:44 PM, Matthew Ford <matthe...@forward.com.au> wrote:
>
> Hi Tom,
> Note: this process is designed to make it easy (easier) for the user (not being the programmer) to get the device connected to the network.
> You only need the QR code (attached to the device) and an Android mobile. So just one device, the android mobile.
> You only need the computer to run the Arduino IDE to program the device initially, before you give it to the user.
t.
Matthew Ford
Thanks for the input.
See inline replies
On Feb 13, 2015, at 5:44 PM, Matthew Ford <matthe...@forward.com.au> wrote: Hi Tom, Note: this process is designed to make it easy (easier) for the user (not being the programmer) to get the device connected to the network.OK. If you’re thinking end user devices, then you’re thinking of things where the aesthetics matter. Is there a way to hide the QR code?
If you removed the QR code altogether and set a fixed SSID and passkey for the temporary setup Android AP, that would be a serious security flaw as anyone could sniff for this 'well known' SSID and passkey and then collect the real network SSID and password as it was being set to the device.
So it is important for security that the passkey for the temporary Android AP is random and not accessible without physical access to the device (i.e. access to the QR code) For ultra security, don't attach the QR code to the device but store it elsewhere. This is not necessary for general home and office use.
Of course there as other alternatives to the QR code, NFC for example or a BT connection, but that adds expense and development complexity. One of the aims to to make this easy for the developer to implement as well. Basically add the library and write two methods to suit the wifi hardware being used.
You only need the QR code (attached to the device) and an Android mobile. So just one device, the android mobile.Can it work on other platforms too? I wouldn’t want to lock in people to one. That was one of the early points of Arduino as a whole, to be cross-platform on the desktop . We should be the same on the palmtop. How about an HTML5/Cordova solution that could work on any phone? Pretty sure QR discovery can be done that way, and would expand your user base a lot while remaining open source.
"Android is by far the most dominant player with 81.9% of the market. The next closest players are iOS with 12.1% and Windows Phone with 3.6%." - See more at: http://www.dailytech.com/Gartner+Numbers+Show+Android+Holds+82+of+Worldwide+Smartphone+Market/article33748.htm#sthash.KwyetxPE.dpuf
You only need the computer to run the Arduino IDE to program the device initially, before you give it to the user.But you need to discover the device before you program it, unless you rely on USB, per the earlier thread. So it could be useful to have a discovery process that works for both.
I am expecting the device, when in setup mode, to automatically connect to the temporary AP setup on the Android phone, using the programmed SSID and passkey that are on the QR code. The Android app sets up a temporary AP using the parameters read from the QR code.
Generating random passkeys for each device (which the QR generator app will do) will ensure only one device connects at a time, even if two happen to be put into set up mode at the same time, since the other devices' passkey will not match the temporary AP passkey (assuming WPA2 PSK)
Although setting the same passkey for multiple devices and configuring them all at the same time would not be a problem either.
If the AP point is using an OPEN network then multiple devices could connect at the same time and this would be a problem as the encrypted network password would decrypted incorrectly for all but one of them (assuming random encryption passkeys)
So on reflection I should drop support for OPEN security on the temporary AP and insist on WPA2 PSK connections only. This does not restrict the type of security that is configured for the real network, only how the setup connection is made.
(Thanks for raising that, I will update the design).
Randy Ferrell
Randy Ferrell
Victor Aprea
matthew
--
You received this message because you are subscribed to the Google Groups "Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to developers+unsubscribe@arduino.cc.
Matthew Ford
To unsubscribe from this group and stop receiving emails from it, send an email to developers+...@arduino.cc.
--
You received this message because you are subscribed to the Google Groups "Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to developers+...@arduino.cc.
Matthew Ford
I have used a similar RN networks wifi add on board for FioV3
see http://www.forward.com.au/pfod/ArduinoProgramming/FioV3/index.html
However, you are still faced with the problem of "how can the user (not you the programmer) connect this device to their network"
That is the problem I am trying to address with this method.
As a side issue, using this board with my proposed method is more complicated because changing the wifi board's configuration is via AT commands so you need to include some type AT response parser in the two configuration methods that the basic library will call to set up to connect to the temp Android AP and then to setup the real network parameters.
This was going to be one of examples when I get around to implementing this proposal.
matthew
Matthew Ford
This my non-expert analysis of the security issues associated with using pfodWifiConnect to connect a device to the local network.
Comments
welcome.
The critical piece of information to be protected is the password for the local network. Using pfodWifiConnect this password is entered into the Android mobile and then transferred to the device via a WPA2 PSK secured temporary wifi network.
There are three obvious attack vectors:-
I) The device being connected has been compromised and after captures the password (as it should) but then re-transmits it once it can. This issue is on the same level as installing any compromised hardware/software. So it is important to be confident of the manufacture of the device you are configuring.
II)
The Android mobile running pfodWifiConnect has been been
compromised by spyware with sniffs the keystrokes as you enter the
network password and then re-transmits it once it can. As you can
see from looking at the open source pfodWifiConnect code, the
network password is only held in memory by the pfodWifiConnect app
and not saved anywhere.
This narrows the attack vector. So it is important to use an Android mobile free from any such spyware. Removing all apps and doing a clean install of the OS will help, as will dedicating just one mobile to configuration. That mobile, not being in general use, is much less likely to be infected.
III)
Anyone who can access the QR code can read the password for the
temporary pfodWifiConnect network which transfers the real
network's password. It is assumed that using the pfodQRpsk application to generate the
random passwords, a different one for each device, prevents any
one just guessing it.
Having
that temporary pfodWifiConnect network password would allow a
malicious person to sniff the temporary pfodWifiConnect network
and collect the real network's password. This attack vector is
very narrow both in time and location. The sniff can only occur
while the device is being configured and only within a short range
due to the low power of the Android mobile's AccessPoint and the
attacker needs to have physical access to the device with the QR
code attached in order to read the pfodWifiConnect's temporary
network password.
An
obvious means to carry out this type of attack is for a malicious
person to arrive with a new 'toy' from a reputable manufacture
that needs to be connected to the network to run. The malicious
person gives it to you to connect, using pfodWifiConnect, making a
point of not looking while you enter the real network password.
However having scanned the QR code before arriving, their mobile
is sniffing the pfodWifiConnect temporary network and captures the
real networks password.
So Beware of Geeks bearing Gifts.
Victor Aprea
Vic
Arnav Gupta
With my highly limited experience... I think apps do not have access to directly switch on the phone's hotspot on iOS
Arnav Gupta
( http://championswimmer.in )
Sent from Android.
Pardon brevity and/or autocorrect errors.
Matthew Ford
i.e. scan the QR code and then copy and paste the settings into IOS softAP setting screen.
Maya Posch
functionality via a public API. One can do it on a jail-broken device
via the private APIs, but that's hardly suitable for this situation, I
think.
The easiest approach in my view would be to have the app provide the
info to punch into the personal hotspot UI of iOS itself based on the
scanned info from the QR tag, then enable it. This might require the
user to scribble some stuff down on paper or use the copy-paste
functionality (a few shades of infuriating on many touch-screens).
After setting things up like this the app can be set to listen on the
personal hotspot 'adapter' only and await the signal from the device.
Should be fairly newbie-friendly, I think.
Maya
On 2015-02-16 4:55 PM, Victor Aprea wrote:
> Are there any IOS developers on the list (or friends of the list) that
> can comment about whether the whole phone as a temporary SoftAP aspect
> of this notional process is possible on Apple products?
>
> Cheers,
> Vic
>
> Victor Aprea // Wicked Device
> T: @vicatcu <http://twitter.com/vicatcu/>
>> T: @vicatcu <http://twitter.com/vicatcu/>
>> On Thu, Feb 12, 2015 at 7:27 PM, Matthew Ford
>>
>> I was prompted by the discussion on IDE: Yun's not showing up
>> in port menu
>> about getting wifi connection parameters into the device.
>> So I have put up a suggested process here
>>
>> http://www.forward.com.au/pfod/pfodWifiConnect/pfodWifiConnect.html
>>
>> This uses QR code, an Android app (setting up a temporary AP)
>> and a small library in the Arduino to save the network parameters.
>> The QR code tell the android app the settings for the
>> temporary AP that Arduino will try and connect to, in setup
>> mode, get its real parameters.
>>
>> Any comments/ suggestions welcome
>>
>> matthew
>>
>> --
>> You received this message because you are subscribed to the
>> Google Groups "Developers" group.
>> To unsubscribe from this group and stop receiving emails from
>> it, send an email to developers+...@arduino.cc
>>
>> --
>> You received this message because you are subscribed to the Google
>> Groups "Developers" group.
>> To unsubscribe from this group and stop receiving emails from it,
>> send an email to developers+...@arduino.cc
> --
> You received this message because you are subscribed to the Google
> Groups "Developers" group.
> To unsubscribe from this group and stop receiving emails from it,
> send an email to developers+...@arduino.cc
>
> --
> You received this message because you are subscribed to the Google
> Groups "Developers" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to developers+...@arduino.cc
Ricardo JL Rufino
To unsubscribe from this group and stop receiving emails from it, send an email to developers+...@arduino.cc.
Victor Aprea
Matthew Ford
pfodQRpsk.jar (and source code).
http://www.forward.com.au/pfod/pfodWifiConnect/pfodQRpsk.html
This java application generate a random WPA2 PSK key and saves a QR code
image file with the details
Matthew Ford
So I have added the procedure for configuring via telnet.
This lets non-Android uses do the configuration also (although the Android app will still be the easiest method)
Quick Start for Users using Telnet – Version 1
These are the steps your user would follow to connect your pfodWifiConnect™ equipped device to their network using telnet.
-
Scan the QR code attached to the Wi-Fi device using one of the scanning apps available for their mobile (either IOS or Android or Windows)
-
Configure a temporary Access Point using the setting just scanned. IPhone, Android, Mac IOS and Windows all provide support for configuring an Access Point, although some are easier to configure than others.
-
Turn the Wi-Fi device off and then turn it on while holding down the setup button. Keep the button held down for at least 5 seconds or until the device indicates it is in configuration mode.
-
Find the IP address of the device on the temporary network. There are apps for IPhone and Android to do this and command lines in Mac IOS and Windows.
-
Open a telnet program on any mobile or computer attached to the temporary network and connect to the device using the IP address just found and the portNo from the scanned data. This is usually done on the Access Point.
-
In the telnet window type the configuration data in one the following format (Note: the characters ~ and } can not appear in any of the fields as they are a separator and terminator respectively)
{set~<networkSSID>~<password> [ ~<portNo> [ ~<staticIP> [ ~<serverIP_or_HostName:portNo> [ ~<security> ]]]] }
where the portNo, staticIP, security, serverIP_or_HostName and serverPortNo are optional but must appear in that order if they do.
If
portNo is not specified or is set as 0, then port 80 is assumed
for devices running as servers.
If staticIP is not specified or is set as 0.0.0.0 then DHCP is
assumed.
If serverIP_or_HostName:portNo is not specified then device can
only run as a server.
If security is not specified then the string WPA2-PSK is assumed (For Version 1
this is the only supported option)
For
example to configure a device connecting using WPA2 PSK and
running as a server on port 4989 using DHCP for its IP send the
command
{set~ssid~password~4989}
The
device should respond with a message indicating the configuration
has been accepted using the following format
{! <msg>}
If
there is an error in the setting, invalid port or IP, etc then the
device should respond with an error message using the format
{E~<msg>}
Matthew Ford
(CC3000) and LinkIt ONE boards
and have published them, with tutorials on how to use Telnet to make the
connection, here
http://www.forward.com.au/pfod/pfodWifiConnect/index.html
matthew