Abstract
Granting access to public Wi-Fi networks heavily relies on captive portals that are accessible using dedicated browsers. This paper highlights that such browsers are crucial to captive portals’ security, yet have not been emphasized in prior research. To evaluate the security of captive portal mini-browsers, we built an assessment tool called Wi-Fi Chameleon and evaluated them on 15 popular devices. Our evaluation revealed that they all lacked the essential security mechanisms provided by modern browsers. Indeed, many provided no warnings even when using HTTP or encountering invalid TLS certificates, and some did not isolate sessions, enabling attackers to silently steal users’ sensitive information (e.g., social networking accounts and credit card numbers) typed in captive portals and stored in their browsing histories. Moreover, even if a captive portal mini-browser is equipped with all security protections that modern browsers provide, users are still susceptible to existing captive portal attacks. We discuss the best practice of a secure captive portal mini-browser and two possible approaches to mitigate the vulnerabilities. For end-users, we proposed a browser extension for immediate deployability. For access points and captive portal mini-browser vendors, we proposed a comprehensive solution compatible with RFC 8952, the standard of captive portals.
This work was done while the first author was at National Taiwan University.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
We reported this issue to Xiaomi. They initially misunderstood it as a Wi-Fi router’s issue. We provided additional information about this security vulnerability, but we have not received any response yet.
- 2.
Devices without a designated captive portal mini-browser use their default browsers.
- 3.
The Wi-Fi Chameleon code is available here (https://github.com/csienslab/Wi-Fi-Chameleon).
- 4.
MacBook Air’s captive portal mini-browser uses http://captive.apple.com/hotspot-detect.html to detect a captive portal, while Firefox uses http://detectportal.firefox.com/canonical.html.
- 5.
This does not indicate that ASUS and D-Link devices do not support HTTPS for the user portals, but they may require special configurations or workarounds.
- 6.
Our extension for Firefox is available at https://mzl.la/3iBVtD8, and our code is available at https://tinyurl.com/2baakxt2. To install our extension on Android, please use Firefox Nightly and add a custom add-on collection with user ID “16929574’ and collection name “Wifi-Chameleon”.
References
Ali, S., Osman, T., Mannan, M., Youssef, A.: On privacy risks of public WiFi captive portals. In: Pérez-Solà, C., Navarro-Arribas, G., Biryukov, A., Garcia-Alfaro, J. (eds.) DPM/CBT -2019. LNCS, vol. 11737, pp. 80–98. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-31500-9_6
Alliance, W.F.: Passpoint (2019). https://www.wi-fi.org/discover-wi-fi/passpoint
Alliance, W.B.: Captive network portal behavior (2019). https://captivebehavior.wballiance.com/
Alotaibi, B., Elleithy, K.: An empirical fingerprint framework to detect rogue access points. In: 2015 Long Island Systems, Applications and Technology, pp. 1–7. IEEE (2015)
Android: Captive portal API support | android developers (2022). https://developer.android.com/about/versions/11/features/captive-portal
Apple: Just how limited is the captive network assistant? - apple coummunity (2013). https://discussions.apple.com/thread/5258403?tstart=0
Apple: How to modernize your captive network - discover - apple developer (2020). https://developer.apple.com/news/?id=q78sq5rv
April King, Lucas Garron, C.T.: Badssl (2015). https://badssl.com/
ASUS: [guest network ] how to set up captive portal? | official support | asus global (2021). https://www.asus.com/support/FAQ/1034977/
Bauer, K., Gonzales, H., McCoy, D.: Mitigating evil twin attacks in 802.11. In: 2008 IEEE International Performance, Computing and Communications Conference, pp. 513–516. IEEE (2008)
Chae, S., Jung, H., Bae, I., Jeong, K.: A scheme of detection and prevention rogue ap using comparison security condition of ap. In: 2012 Universal Association of Computer and Electronics Engineers International Conference on Advances in Computer Science and Electronics Engineering, pp. 302–306 (2012)
Chen, L., Grassi, M.: Exploiting user-land vulnerabilities to get rogue app installed remotely on IoS 11 (2018). https://recon.cx/2018/montreal/schedule/events/113.html
Chen, W.L., Wu, Q.: A proof of MITM vulnerability in public WLANS guarded by captive portal. In: Proceedings of the Asia-Pacific Advanced Network, vol. 30, p. 66 (2010). https://doi.org/10.7125/APAN.30.10
Cisco: Configuring captive portal (2022). https://www.cisco.com/assets/sol/sb/isa500_emulator/help/guide/ad1982733.html
D-Link: Nuclias cloud documentation (2020). https://media.dlink.eu/support/products/dba/dba-2820p/documentation/dba-2820p_man_reva1_1-10_eu_multi_20201202.pdf
Dabrowski, A., Merzdovnik, G., Kommenda, N., Weippl, E.: Browser history stealing with captive Wi-Fi portals. In: 2016 IEEE Security and Privacy Workshops (SPW), pp. 234–240. IEEE (2016)
Gonzales, H., Bauer, K., Lindqvist, J., McCoy, D., Sicker, D.: Practical defenses for evil twin attacks in 802.11. In: 2010 IEEE Global Telecommunications Conference GLOBECOM 2010, pp. 1–6 (2010)
Google: Google safe browsing (2021). https://safebrowsing.google.com/
Han, H., Sheng, B., Tan, C.C., Li, Q., Lu, S.: A timing-based scheme for rogue AP detection. IEEE Trans. Parallel Distrib. Syst. 22(11), 1912–1925 (2011)
Hsu, F.H., Hsu, Y.L., Wang, C.S.: A solution to detect the existence of a malicious rogue AP. Comput. Commun. 142, 62–68 (2019)
kleo: Evil portals (2016). https://github.com/kleo/evilportals
Labs, Q.S.: SSL client test (2021). https://clienttest.ssllabs.com:8443/ssltest/viewMyClient.html
Lanze, F., Panchenko, A., Ponce-Alcaide, I., Engel, T.: Undesired relatives: protection mechanisms against the evil twin attack in IEEE 802.11. In: Proceedings of the 10th ACM Symposium on QoS and Security for Wireless and Mobile Networks. p. 87–94. Q2SWinet ’14, Association for Computing Machinery, New York, NY, USA (2014). https://doi.org/10.1145/2642687.2642691
Larose, K., Dolson, D., Liu, H.: Captive Portal Architecture. RFC 8952, November 2020. https://doi.org/10.17487/RFC8952, https://rfc-editor.org/rfc/rfc8952.txt
tp link: Omada sdn controller user guide (2022). https://static.tp-link.com/upload/software/2022/202203/20220331/1910013160-Omada%20SDN%20Controller%20User%20Guide.pdf
Marques, N., Zúquete, A., Barraca, J.P.: EAP-SH: an EAP authentication protocol to integrate captive portals in the 802.1 x security architecture. Wirel. Personal Commun. 113(4), 1891–1915 (2020)
MikroTik: Hotspot customisation - routeros - mikrotik documentation (2022). https://help.mikrotik.com/docs/display/ROS/Hotspot+customisation
Mónica, D., Ribeiro, C.: WiFiHop - mitigating the evil twin attack through multi-hop detection. In: Atluri, V., Diaz, C. (eds.) ESORICS 2011. LNCS, vol. 6879, pp. 21–39. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-23822-2_2
Mustafa, H., Xu, W.: Cetad: detecting evil twin access point attacks in wireless hotspots. In: 2014 IEEE Conference on Communications and Network Security, pp. 238–246. IEEE (2014)
Northwoods: Mixed content examples (2021). https://www.mixedcontentexamples.com/
P0cL4bs: wifipumpkin3 (2018). https://github.com/P0cL4bs/wifipumpkin3
Pettersen, Y.N.: The Transport Layer Security (TLS) Multiple Certificate Status Request Extension. RFC 6961, June 2013. https://doi.org/10.17487/RFC6961, https://rfc-editor.org/rfc/rfc6961.txt
Schmoe, J.: Tunneling through captive portals with DNS (2017). https://0x00sec.org/t/tunneling-through-captive-portals-with-dns/1465
Song, Y., Yang, C., Gu, G.: Who is peeping at your passwords at starbucks?-to catch an evil twin access point. In: 2010 IEEE/IFIP International Conference on Dependable Systems & Networks (DSN), pp. 323–332. IEEE (2010)
StatCounter: Desktop operating system market share worldwide (2021). https://gs.statcounter.com/os-market-share/desktop/worldwide
StatCounter: Mobile vendor market share worldwide (2021). https://gs.statcounter.com/vendor-market-share/mobile/
sud0nick: Portalauth (2016). https://github.com/sud0nick/PortalAuth
W3C: web-platform-tests (2019). https://web-platform-tests.org/
Wikipedia: List of best-selling game consoles (2021). https://en.wikipedia.org/wiki/List_of_best-selling_game_consoles#cite_note-:0-35
Acknowledgement
This research was supported in part by the Ministry of Science and Technology of Taiwan under grants MOST 110-2628-E-002-002 and 111-2628-E-002-012.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
A Appendix
A Appendix
1.1 A.1 Tested Devices
1.2 A.2 Screenshots of Test Devices
In this section, we provide the screenshots of our test result.
Figure 6 shows the warning message provided by Nintendo Switch when the user portal is connected using HTTP. As shown in the figure, the user can press the ‘+’ button to see more information about the user portal. The page information then shows that this user portal is using HTTP and warns the user that this connection is not encrypted. While showing warning messages to the user provides situational awareness, users are unlikely to click a button to learn about the security warning. We suggest proactively warning users and helping them understand the risks before interactions begin.
Rights and permissions
Copyright information
© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Wang, PL., Chou, KH., Hsiao, SC., Low, A.T., Kim, T.HJ., Hsiao, HC. (2023). Capturing Antique Browsers in Modern Devices: A Security Analysis of Captive Portal Mini-Browsers. In: Tibouchi, M., Wang, X. (eds) Applied Cryptography and Network Security. ACNS 2023. Lecture Notes in Computer Science, vol 13905. Springer, Cham. https://doi.org/10.1007/978-3-031-33488-7_10
Download citation
DOI: https://doi.org/10.1007/978-3-031-33488-7_10
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-33487-0
Online ISBN: 978-3-031-33488-7
eBook Packages: Computer ScienceComputer Science (R0)