matthew
--
You received this message because you are subscribed to the Google Groups "Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to developers+unsubscribe@arduino.cc.
On Feb 13, 2015, at 5:44 PM, Matthew Ford <matthe...@forward.com.au> wrote: Hi Tom, Note: this process is designed to make it easy (easier) for the user (not being the programmer) to get the device connected to the network.OK. If you’re thinking end user devices, then you’re thinking of things where the aesthetics matter. Is there a way to hide the QR code?
You only need the QR code (attached to the device) and an Android mobile. So just one device, the android mobile.Can it work on other platforms too? I wouldn’t want to lock in people to one. That was one of the early points of Arduino as a whole, to be cross-platform on the desktop . We should be the same on the palmtop. How about an HTML5/Cordova solution that could work on any phone? Pretty sure QR discovery can be done that way, and would expand your user base a lot while remaining open source.
You only need the computer to run the Arduino IDE to program the device initially, before you give it to the user.But you need to discover the device before you program it, unless you rely on USB, per the earlier thread. So it could be useful to have a discovery process that works for both.
matthew
--
You received this message because you are subscribed to the Google Groups "Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to developers+unsubscribe@arduino.cc.
To unsubscribe from this group and stop receiving emails from it, send an email to developers+...@arduino.cc.
--
You received this message because you are subscribed to the Google Groups "Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to developers+...@arduino.cc.
This my non-expert analysis of the security issues associated with using pfodWifiConnect to connect a device to the local network.
Comments
welcome.
The critical piece of information to be protected is the password for the local network. Using pfodWifiConnect this password is entered into the Android mobile and then transferred to the device via a WPA2 PSK secured temporary wifi network.
There are three obvious attack vectors:-
I) The device being connected has been compromised and after captures the password (as it should) but then re-transmits it once it can. This issue is on the same level as installing any compromised hardware/software. So it is important to be confident of the manufacture of the device you are configuring.
II)
The Android mobile running pfodWifiConnect has been been
compromised by spyware with sniffs the keystrokes as you enter the
network password and then re-transmits it once it can. As you can
see from looking at the open source pfodWifiConnect code, the
network password is only held in memory by the pfodWifiConnect app
and not saved anywhere.
This narrows the attack vector. So it is important to use an Android mobile free from any such spyware. Removing all apps and doing a clean install of the OS will help, as will dedicating just one mobile to configuration. That mobile, not being in general use, is much less likely to be infected.
III)
Anyone who can access the QR code can read the password for the
temporary pfodWifiConnect network which transfers the real
network's password. It is assumed that using the pfodQRpsk application to generate the
random passwords, a different one for each device, prevents any
one just guessing it.
Having
that temporary pfodWifiConnect network password would allow a
malicious person to sniff the temporary pfodWifiConnect network
and collect the real network's password. This attack vector is
very narrow both in time and location. The sniff can only occur
while the device is being configured and only within a short range
due to the low power of the Android mobile's AccessPoint and the
attacker needs to have physical access to the device with the QR
code attached in order to read the pfodWifiConnect's temporary
network password.
An
obvious means to carry out this type of attack is for a malicious
person to arrive with a new 'toy' from a reputable manufacture
that needs to be connected to the network to run. The malicious
person gives it to you to connect, using pfodWifiConnect, making a
point of not looking while you enter the real network password.
However having scanned the QR code before arriving, their mobile
is sniffing the pfodWifiConnect temporary network and captures the
real networks password.
So Beware of Geeks bearing Gifts.
With my highly limited experience... I think apps do not have access to directly switch on the phone's hotspot on iOS
Arnav Gupta
( http://championswimmer.in )
Sent from Android.
Pardon brevity and/or autocorrect errors.
To unsubscribe from this group and stop receiving emails from it, send an email to developers+...@arduino.cc.
These are the steps your user would follow to connect your pfodWifiConnect™ equipped device to their network using telnet.
Scan the QR code attached to the Wi-Fi device using one of the scanning apps available for their mobile (either IOS or Android or Windows)
Configure a temporary Access Point using the setting just scanned. IPhone, Android, Mac IOS and Windows all provide support for configuring an Access Point, although some are easier to configure than others.
Turn the Wi-Fi device off and then turn it on while holding down the setup button. Keep the button held down for at least 5 seconds or until the device indicates it is in configuration mode.
Find the IP address of the device on the temporary network. There are apps for IPhone and Android to do this and command lines in Mac IOS and Windows.
Open a telnet program on any mobile or computer attached to the temporary network and connect to the device using the IP address just found and the portNo from the scanned data. This is usually done on the Access Point.
In the telnet window type the configuration data
in one the following format (Note: the characters ~ and } can not appear in any
of the fields as they are a separator and terminator
respectively)
{set~<networkSSID>~<password> [ ~<portNo> [ ~<staticIP> [ ~<serverIP_or_HostName:portNo> [ ~<security> ]]]] }
where the portNo, staticIP, security, serverIP_or_HostName and
serverPortNo are optional but must appear in that order if
they do.
If
portNo is not specified or is set as 0, then port 80 is assumed
for devices running as servers.
If staticIP is not specified or is set as 0.0.0.0 then DHCP is
assumed.
If serverIP_or_HostName:portNo is not specified then device can
only run as a server.
If security is not specified then the string WPA2-PSK is assumed (For Version 1
this is the only supported option)
For
example to configure a device connecting using WPA2 PSK and
running as a server on port 4989 using DHCP for its IP send the
command
{set~ssid~password~4989}
The
device should respond with a message indicating the configuration
has been accepted using the following format
{! <msg>}
If
there is an error in the setting, invalid port or IP, etc then the
device should respond with an error message using the format
{E~<msg>}