Enabling Wi-Fi on First boot

Henrique de Moraes Holschuh henrique at nic.br
Tue Jul 6 10:01:30 PDT 2021


On 06/07/2021 12:05, Nishant Sharma wrote:
> On 06/07/21 7:56 pm, Henrique de Moraes Holschuh wrote:
>> So, to safely and responsibly enable wireless by default in a device (or
>> firmware) you're delivering to a third-party, you need that "per-unit
>> unique wireless password" per device thing most vendors are doing.
>>
>> [2] not really: openwrt sysupgrade *does not help* in that there is no
>> way to add variable information to an already *finished* image file, to
>> be used on first-boot only, and which would *survive a factory reset*.
>>
> 
> How about a first-boot script that enables the Wi-Fi if it is disabled
> and then sets the password (if not already set) using the first MAC
> address it finds on the device?

MACs are not a secret.  It is absolutely trivial to know them: they're 
in just about every WiFi (and ethernet) frame.  Same goes for anything 
that is derived *just* from the MAC address.  And anyone that is going 
to automatically scan/exploit for that, will also use MAC-1, MAC+1, and 
other common variants.

What would work is to reuse the vendor-provided password that is already 
in the label and somewhere in FLASH, if you could always know where it 
is in FLASH (you don't).  And some models don't have it.

One also doesn't know the unit's MAC address beforehand, so any scheme 
that depends on that doesn't work (because you'd need that MAC address 
to print the label or generate the PDF).  In fact, this precludes the 
"generate secret at the device at 1st boot" too.

You could ask the user, but that isn't safe either: if she gets it wrong 
(or openwrt isn't correct about what MAC is in the printed label of that 
exact product version) you now have a device she can't access because 
the passwords won't match and it would require an ethernet cable to 
bypass and reset.

-- 
Henrique de Moraes Holschuh
Analista de Projetos
Centro de Estudos e Pesquisas em Tecnologias de Redes e Operações 
(Ceptro.br)
+55 11 5509-3537 R.:4023
INOC 22548*625
www.nic.br
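
The point about MAC-derived passwords, as an added example that is not part of the original message: a build-time check that asks whether a default passphrase can be recomputed from a MAC address seen in frames, including the MAC-1 and MAC+1 neighbours. The derivation functions, the MAC values and the unit secret are hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample values (locally administered MACs, not real devices).
LABEL_MAC = "02:00:00:ab:cd:ff"          # MAC used to derive the passphrase
BSSID = "02:00:00:ab:ce:00"              # radio MAC seen in frames (label MAC + 1)
UNIT_SECRET = secrets.token_bytes(16)    # stands in for a per-unit value never sent on the air


def mac_neighbours(mac: str) -> list[str]:
    """Return MAC-1, MAC and MAC+1 as lowercase colon-separated strings."""
    value = int(mac.replace(":", "").replace("-", ""), 16)
    result = []
    for delta in (-1, 0, 1):
        n = (value + delta) % (1 << 48)
        result.append(":".join(f"{(n >> shift) & 0xFF:02x}" for shift in range(40, -8, -8)))
    return result


def derive_from_mac(mac: str) -> str:
    """Hypothetical first-boot scheme: passphrase computed from the MAC alone."""
    return hashlib.sha256(mac.lower().encode()).hexdigest()[:16]


def derive_with_unit_secret(mac: str, unit_secret: bytes) -> str:
    """Hypothetical scheme keyed by a per-unit secret in addition to the MAC."""
    return hmac.new(unit_secret, mac.lower().encode(), hashlib.sha256).hexdigest()[:16]


def reproducible_from_air(passphrase: str, observed_mac: str, public_scheme) -> bool:
    """True if a scheme that needs only a MAC yields the passphrase
    when fed the observed MAC or one of its neighbours."""
    return any(hmac.compare_digest(public_scheme(m), passphrase)
               for m in mac_neighbours(observed_mac))


def audit() -> dict[str, bool]:
    """Run the check against both hypothetical schemes."""
    return {
        "mac_only": reproducible_from_air(
            derive_from_mac(LABEL_MAC), BSSID, derive_from_mac),
        "with_unit_secret": reproducible_from_air(
            derive_with_unit_secret(LABEL_MAC, UNIT_SECRET), BSSID, derive_from_mac),
    }


if __name__ == "__main__":
    for scheme, exposed in audit().items():
        print(f"{scheme}: reproducible from observed MAC = {exposed}")
```

The MAC-only scheme is flagged even though the passphrase was derived from the label MAC rather than the BSSID, because the two differ by one.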


