Enabling Wi-Fi on First boot

Tue Jul 6 11:02:20 PDT 2021

On 06/07/2021 14:29, Eric Luehrsen wrote:
>  > On Tue, Jul 6, 2021, 1:06 PM Henrique de Moraes Holschuh
>  > <henrique at nic.br <mailto:henrique at nic.br>> wrote:
>  >
>  >     On 06/07/2021 12:05, Nishant Sharma wrote:
>  >      > On 06/07/21 7:56 pm, Henrique de Moraes Holschuh wrote:
>  >      >> So, to safely and responsibly enable wireless by default in a
>  >     device (or
>  >      >> firmware) you're delivering to a third-party, you need that
>  >     "per-unit
>  >      >> unique wireless password" per device thing most vendors are 
> doing.
>  >      >>
>  >      >> [2] not really: openwrt sysugrade *does not help* in that there
>  >     is no
>  >      >> way to add variable information to an already *finished* image
>  >     file, to
>  >      >> be used on first-boot only, and which would *survive a factory
>  >     reset*.
>  >      >>
>  >      >
>  >      > How about a first-boot script that enables the Wi-Fi if it is
>  >     disabled
>  >      > and then sets the password (if not already set) using the 
> first MAC
>  >      > address it finds on the device?
>  >
>  >     MACs are not a secret.  It is absolutely trivial to know them: 
> they're
>  >     in just about every WiFi (and ethernet) frame.  Same goes for 
> anything
>  >     that is derived *just* from the MAC address.  And anyone that is 
> going
>  >     to automatically scan/exploit for that, will also use MAC-1, 
> MAC+1, and
>  >     other common variants.
>  >
>  >     What would work is to reuse the vendor-provided password that is
>  >     already
>  >     in the label and somewhere in FLASH, if you could always know 
> where it
>  >     is in FLASH (you don't).  And some models don't have it.
>  >
>  >     One also don't know the unit's MAC address beforehand, so any scheme
>  >     that depends on that doesn't work (because you'd need that MAC 
> address
>  >     to print the label or generate the PDF).  In fact, this precludes 
> the
>  >     "generate secret at the device at 1st boot" too.
>  >
>  >     You could ask the user, but that isn't safe either: if she gets it
>  >     wrong
>  >     (or openwrt isn't correct about what MAC is in the printed label of
>  >     that
>  >     exact product version) you now have a device she can't access 
> because
>  >     the passwords won't match and it would require an ethernet cable to
>  >     bypass and reset.
> 
> 
> Some models are more obvious about device unique default password
> storage than others. So like on my other reply if it is obvious then use
> it and turn on wifi. For those with wifi-on-first support, make it a
> check box in the hardware support table. Then small business using
> openwrt know what options might meet their deployment needs.

We're barely there with the metadata (in openwrt) to actually know what 
would be the label's MAC address.

This ("use the vendor password") is going to be highly device-specific 
for a LONG time, and unless it is actually something people start paying 
attention when adding new models, it won't get better with time either 
(unlike the MAC one, which is getting better coverage as new models get 
added).

I'd prefer if we could have an option to do it generically in OpenWRT 
itself.  And not just for passwords, if you're going to do it, do it in 
a way that anything UCI can potentially benefit, IMHO...

-- 
Henrique de Moraes Holschuh
Analista de Projetos
Centro de Estudos e Pesquisas em Tecnologias de Redes e Operações 
(Ceptro.br)
+55 11 5509-3537 R.:4023
INOC 22548*625
www.nic.br