Skip to main content
SpringerLink
Log in

Capturing Antique Browsers in Modern Devices: A Security Analysis of Captive Portal Mini-Browsers

  • Conference paper
  • First Online:
Applied Cryptography and Network Security (ACNS 2023)

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 13905))

Included in the following conference series:

  • 710 Accesses

Abstract

Granting access to public Wi-Fi networks heavily relies on captive portals that are accessible using dedicated browsers. This paper highlights that such browsers are crucial to captive portals’ security, yet have not been emphasized in prior research. To evaluate the security of captive portal mini-browsers, we built an assessment tool called Wi-Fi Chameleon and evaluated them on 15 popular devices. Our evaluation revealed that they all lacked the essential security mechanisms provided by modern browsers. Indeed, many provided no warnings even when using HTTP or encountering invalid TLS certificates, and some did not isolate sessions, enabling attackers to silently steal users’ sensitive information (e.g., social networking accounts and credit card numbers) typed in captive portals and stored in their browsing histories. Moreover, even if a captive portal mini-browser is equipped with all security protections that modern browsers provide, users are still susceptible to existing captive portal attacks. We discuss the best practice of a secure captive portal mini-browser and two possible approaches to mitigate the vulnerabilities. For end-users, we proposed a browser extension for immediate deployability. For access points and captive portal mini-browser vendors, we proposed a comprehensive solution compatible with RFC 8952, the standard of captive portals.

This work was done while the first author was at National Taiwan University.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 89.00
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 119.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    We reported this issue to Xiaomi. They initially misunderstood it as a Wi-Fi router’s issue. We provided additional information about this security vulnerability, but we have not received any response yet.

  2. 2.

    Devices without a designated captive portal mini-browser use their default browsers.

  3. 3.

    The Wi-Fi Chameleon code is available here (https://github.com/csienslab/Wi-Fi-Chameleon).

  4. 4.

    MacBook Air’s captive portal mini-browser uses http://captive.apple.com/hotspot-detect.html to detect a captive portal, while Firefox uses http://detectportal.firefox.com/canonical.html.

  5. 5.

    This does not indicate that ASUS and D-Link devices do not support HTTPS for the user portals, but they may require special configurations or workarounds.

  6. 6.

    Our extension for Firefox is available at https://mzl.la/3iBVtD8, and our code is available at https://tinyurl.com/2baakxt2. To install our extension on Android, please use Firefox Nightly and add a custom add-on collection with user ID “16929574’ and collection name “Wifi-Chameleon”.

References

  1. Ali, S., Osman, T., Mannan, M., Youssef, A.: On privacy risks of public WiFi captive portals. In: Pérez-Solà, C., Navarro-Arribas, G., Biryukov, A., Garcia-Alfaro, J. (eds.) DPM/CBT -2019. LNCS, vol. 11737, pp. 80–98. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-31500-9_6

    Chapter  Google Scholar 

  2. Alliance, W.F.: Passpoint (2019). https://www.wi-fi.org/discover-wi-fi/passpoint

  3. Alliance, W.B.: Captive network portal behavior (2019). https://captivebehavior.wballiance.com/

  4. Alotaibi, B., Elleithy, K.: An empirical fingerprint framework to detect rogue access points. In: 2015 Long Island Systems, Applications and Technology, pp. 1–7. IEEE (2015)

    Google Scholar 

  5. Android: Captive portal API support | android developers (2022). https://developer.android.com/about/versions/11/features/captive-portal

  6. Apple: Just how limited is the captive network assistant? - apple coummunity (2013). https://discussions.apple.com/thread/5258403?tstart=0

  7. Apple: How to modernize your captive network - discover - apple developer (2020). https://developer.apple.com/news/?id=q78sq5rv

  8. April King, Lucas Garron, C.T.: Badssl (2015). https://badssl.com/

  9. ASUS: [guest network ] how to set up captive portal? | official support | asus global (2021). https://www.asus.com/support/FAQ/1034977/

  10. Bauer, K., Gonzales, H., McCoy, D.: Mitigating evil twin attacks in 802.11. In: 2008 IEEE International Performance, Computing and Communications Conference, pp. 513–516. IEEE (2008)

    Google Scholar 

  11. Chae, S., Jung, H., Bae, I., Jeong, K.: A scheme of detection and prevention rogue ap using comparison security condition of ap. In: 2012 Universal Association of Computer and Electronics Engineers International Conference on Advances in Computer Science and Electronics Engineering, pp. 302–306 (2012)

    Google Scholar 

  12. Chen, L., Grassi, M.: Exploiting user-land vulnerabilities to get rogue app installed remotely on IoS 11 (2018). https://recon.cx/2018/montreal/schedule/events/113.html

  13. Chen, W.L., Wu, Q.: A proof of MITM vulnerability in public WLANS guarded by captive portal. In: Proceedings of the Asia-Pacific Advanced Network, vol. 30, p. 66 (2010). https://doi.org/10.7125/APAN.30.10

  14. Cisco: Configuring captive portal (2022). https://www.cisco.com/assets/sol/sb/isa500_emulator/help/guide/ad1982733.html

  15. D-Link: Nuclias cloud documentation (2020). https://media.dlink.eu/support/products/dba/dba-2820p/documentation/dba-2820p_man_reva1_1-10_eu_multi_20201202.pdf

  16. Dabrowski, A., Merzdovnik, G., Kommenda, N., Weippl, E.: Browser history stealing with captive Wi-Fi portals. In: 2016 IEEE Security and Privacy Workshops (SPW), pp. 234–240. IEEE (2016)

    Google Scholar 

  17. Gonzales, H., Bauer, K., Lindqvist, J., McCoy, D., Sicker, D.: Practical defenses for evil twin attacks in 802.11. In: 2010 IEEE Global Telecommunications Conference GLOBECOM 2010, pp. 1–6 (2010)

    Google Scholar 

  18. Google: Google safe browsing (2021). https://safebrowsing.google.com/

  19. Han, H., Sheng, B., Tan, C.C., Li, Q., Lu, S.: A timing-based scheme for rogue AP detection. IEEE Trans. Parallel Distrib. Syst. 22(11), 1912–1925 (2011)

    Article  Google Scholar 

  20. Hsu, F.H., Hsu, Y.L., Wang, C.S.: A solution to detect the existence of a malicious rogue AP. Comput. Commun. 142, 62–68 (2019)

    Article  Google Scholar 

  21. kleo: Evil portals (2016). https://github.com/kleo/evilportals

  22. Labs, Q.S.: SSL client test (2021). https://clienttest.ssllabs.com:8443/ssltest/viewMyClient.html

  23. Lanze, F., Panchenko, A., Ponce-Alcaide, I., Engel, T.: Undesired relatives: protection mechanisms against the evil twin attack in IEEE 802.11. In: Proceedings of the 10th ACM Symposium on QoS and Security for Wireless and Mobile Networks. p. 87–94. Q2SWinet ’14, Association for Computing Machinery, New York, NY, USA (2014). https://doi.org/10.1145/2642687.2642691

  24. Larose, K., Dolson, D., Liu, H.: Captive Portal Architecture. RFC 8952, November 2020. https://doi.org/10.17487/RFC8952, https://rfc-editor.org/rfc/rfc8952.txt

  25. tp link: Omada sdn controller user guide (2022). https://static.tp-link.com/upload/software/2022/202203/20220331/1910013160-Omada%20SDN%20Controller%20User%20Guide.pdf

  26. Marques, N., Zúquete, A., Barraca, J.P.: EAP-SH: an EAP authentication protocol to integrate captive portals in the 802.1 x security architecture. Wirel. Personal Commun. 113(4), 1891–1915 (2020)

    Google Scholar 

  27. MikroTik: Hotspot customisation - routeros - mikrotik documentation (2022). https://help.mikrotik.com/docs/display/ROS/Hotspot+customisation

  28. Mónica, D., Ribeiro, C.: WiFiHop - mitigating the evil twin attack through multi-hop detection. In: Atluri, V., Diaz, C. (eds.) ESORICS 2011. LNCS, vol. 6879, pp. 21–39. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-23822-2_2

    Chapter  Google Scholar 

  29. Mustafa, H., Xu, W.: Cetad: detecting evil twin access point attacks in wireless hotspots. In: 2014 IEEE Conference on Communications and Network Security, pp. 238–246. IEEE (2014)

    Google Scholar 

  30. Northwoods: Mixed content examples (2021). https://www.mixedcontentexamples.com/

  31. P0cL4bs: wifipumpkin3 (2018). https://github.com/P0cL4bs/wifipumpkin3

  32. Pettersen, Y.N.: The Transport Layer Security (TLS) Multiple Certificate Status Request Extension. RFC 6961, June 2013. https://doi.org/10.17487/RFC6961, https://rfc-editor.org/rfc/rfc6961.txt

  33. Schmoe, J.: Tunneling through captive portals with DNS (2017). https://0x00sec.org/t/tunneling-through-captive-portals-with-dns/1465

  34. Song, Y., Yang, C., Gu, G.: Who is peeping at your passwords at starbucks?-to catch an evil twin access point. In: 2010 IEEE/IFIP International Conference on Dependable Systems & Networks (DSN), pp. 323–332. IEEE (2010)

    Google Scholar 

  35. StatCounter: Desktop operating system market share worldwide (2021). https://gs.statcounter.com/os-market-share/desktop/worldwide

  36. StatCounter: Mobile vendor market share worldwide (2021). https://gs.statcounter.com/vendor-market-share/mobile/

  37. sud0nick: Portalauth (2016). https://github.com/sud0nick/PortalAuth

  38. W3C: web-platform-tests (2019). https://web-platform-tests.org/

  39. Wikipedia: List of best-selling game consoles (2021). https://en.wikipedia.org/wiki/List_of_best-selling_game_consoles#cite_note-:0-35

Download references

Acknowledgement

This research was supported in part by the Ministry of Science and Technology of Taiwan under grants MOST 110-2628-E-002-002 and 111-2628-E-002-012.

Author information

Authors and Affiliations

  1. Carnegie Mellon University, Pittsburgh, PA, USA

    Ping-Lun Wang

  2. National Taiwan University, Taipei, Taiwan

    Kai-Hsiang Chou, Shou-Ching Hsiao, Ann Tene Low & Hsu-Chun Hsiao

  3. HRL Laboratories, Malibu, CA, USA

    Tiffany Hyun-Jin Kim

  4. Academia Sinica, Taipei, Taiwan

    Hsu-Chun Hsiao

Authors
  1. Ping-Lun Wang
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Kai-Hsiang Chou
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Shou-Ching Hsiao
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Ann Tene Low
    View author publications

    You can also search for this author in PubMed Google Scholar

  5. Tiffany Hyun-Jin Kim
    View author publications

    You can also search for this author in PubMed Google Scholar

  6. Hsu-Chun Hsiao
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Ping-Lun Wang .

Editor information

Editors and Affiliations

  1. NTT Social Informatics Laboratories, Tokyo, Japan

    Mehdi Tibouchi

  2. Indiana University at Bloomington, Bloomington, IN, USA

    XiaoFeng Wang

A Appendix

A Appendix

1.1 A.1 Tested Devices

Table 3. Tested devices, including 18 types of popular laptops and mobile devices. The bottom three have no captive portal mini-browsers and thus were excluded from our subsequent evaluation.
Full size table

1.2 A.2 Screenshots of Test Devices

In this section, we provide the screenshots of our test result.

Figure 6 shows the warning message provided by Nintendo Switch when the user portal is connected using HTTP. As shown in the figure, the user can press the ‘+’ button to see more information about the user portal. The page information then shows that this user portal is using HTTP and warns the user that this connection is not encrypted. While showing warning messages to the user provides situational awareness, users are unlikely to click a button to learn about the security warning. We suggest proactively warning users and helping them understand the risks before interactions begin.

Fig. 6.
figure 6

The warning message for HTTP connection provided by Nintendo Switch

Full size image

Rights and permissions

Reprints and permissions

Copyright information

© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Wang, PL., Chou, KH., Hsiao, SC., Low, A.T., Kim, T.HJ., Hsiao, HC. (2023). Capturing Antique Browsers in Modern Devices: A Security Analysis of Captive Portal Mini-Browsers. In: Tibouchi, M., Wang, X. (eds) Applied Cryptography and Network Security. ACNS 2023. Lecture Notes in Computer Science, vol 13905. Springer, Cham. https://doi.org/10.1007/978-3-031-33488-7_10

Download citation

  • DOI: https://doi.org/10.1007/978-3-031-33488-7_10

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-33487-0

  • Online ISBN: 978-3-031-33488-7

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation