Enabling Wi-Fi on First boot

Eric Luehrsen ericluehrsen at gmail.com
Tue Jul 6 10:29:19 PDT 2021


 >
 > On Tue, Jul 6, 2021, 1:06 PM Henrique de Moraes Holschuh
 > <henrique at nic.br> wrote:
 >
 >     On 06/07/2021 12:05, Nishant Sharma wrote:
 >      > On 06/07/21 7:56 pm, Henrique de Moraes Holschuh wrote:
 >      >> So, to safely and responsibly enable wireless by default in a
 >      >> device (or firmware) you're delivering to a third-party, you need
 >      >> that "per-unit unique wireless password" per device thing most
 >      >> vendors are doing.
 >      >>
 >      >> [2] not really: openwrt sysupgrade *does not help* in that there
 >      >> is no way to add variable information to an already *finished*
 >      >> image file, to be used on first-boot only, and which would
 >      >> *survive a factory reset*.
 >      >>
 >      >
 >      > How about a first-boot script that enables the Wi-Fi if it is
 >      > disabled and then sets the password (if not already set) using
 >      > the first MAC address it finds on the device?
 >
 >     MACs are not a secret.  It is absolutely trivial to know them:
 >     they're in just about every WiFi (and ethernet) frame.  Same goes
 >     for anything that is derived *just* from the MAC address.  And
 >     anyone that is going to automatically scan/exploit for that, will
 >     also use MAC-1, MAC+1, and other common variants.
 >
 >     What would work is to reuse the vendor-provided password that is
 >     already in the label and somewhere in FLASH, if you could always
 >     know where it is in FLASH (you don't).  And some models don't have
 >     it.
 >
 >     One also doesn't know the unit's MAC address beforehand, so any
 >     scheme that depends on that doesn't work (because you'd need that
 >     MAC address to print the label or generate the PDF).  In fact, this
 >     precludes the "generate secret at the device at 1st boot" too.
 >
 >     You could ask the user, but that isn't safe either: if she gets it
 >     wrong (or openwrt isn't correct about what MAC is in the printed
 >     label of that exact product version) you now have a device she
 >     can't access because the passwords won't match and it would require
 >     an ethernet cable to bypass and reset.


Some models are more obvious about device-unique default password
storage than others. So, as in my other reply, if it is obvious then use
it and turn on wifi. For those with wifi-on-first support, make it a
check box in the hardware support table. Then small businesses using
openwrt know what options might meet their deployment needs.

- Eric
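As an added example (not code from this thread or from OpenWrt), the following is a hypothetical first-boot script for the "obvious" case Eric describes: read the vendor's per-unit PSK from a known location, check that it is a usable passphrase and not merely the MAC (or MAC-1/MAC+1) that Henrique warns is public, and only then enable wireless; on any doubt the radio stays off. It assumes the PSK is stored as plain (possibly NUL-padded) text at a path given by VENDOR_PSK_FILE, that the device has a single radio, and that eth0 carries the MAC printed on the label. The file path, variable names and function names are all illustrative.

```shell
#!/bin/sh
# Hypothetical OpenWrt first-boot hook (e.g. called from /etc/uci-defaults/).
# Added example, not OpenWrt code. Assumptions: the vendor's per-unit PSK is
# stored as plain text (possibly NUL-padded) at VENDOR_PSK_FILE, the device
# has one radio, and eth0 carries the MAC printed on the label.
LC_ALL=C
export LC_ALL
VENDOR_PSK_FILE="${VENDOR_PSK_FILE:-/dev/mtd_vendor_psk}"   # assumed, model-specific

# Print the stored PSK if it looks like a usable WPA2 passphrase
# (8..63 printable ASCII characters); fail if the blob is missing,
# is erased flash (0xFF bytes), or is otherwise garbage.
read_vendor_psk() {
    vfile="$1"
    [ -r "$vfile" ] || return 1
    vpsk=$(tr -d '\000\r\n' < "$vfile" 2>/dev/null | cut -c1-64)
    vlen=${#vpsk}
    [ "$vlen" -ge 8 ] && [ "$vlen" -le 63 ] || return 1
    if printf '%s' "$vpsk" | grep -q '[^ -~]'; then
        return 1    # non-printable bytes: not a passphrase
    fi
    printf '%s' "$vpsk"
}

# Reject a candidate that is just the MAC, MAC-1 or MAC+1 (or has one of
# those embedded in it): MACs are in every frame, so such a key is public.
# Succeeds (returns 0) when the PSK looks MAC-derived.
mac_derived() {
    cpsk=$(printf '%s' "$1" | tr 'A-F' 'a-f' | tr -d ':-')
    cmac=$(printf '%s' "$2" | tr 'A-F' 'a-f' | tr -d ':-')
    [ ${#cmac} -eq 12 ] || return 1
    case "$cmac" in *[!0-9a-f]*) return 1 ;; esac
    m=$(( 0x$cmac ))
    for cand in "$cmac" "$(printf '%012x' $((m - 1)))" "$(printf '%012x' $((m + 1)))"; do
        case "$cand" in *"$cpsk"*) return 0 ;; esac    # PSK is a slice of the MAC
        case "$cpsk" in *"$cand"*) return 0 ;; esac    # MAC embedded in the PSK
    done
    return 1
}

# Apply the configuration. Called only once a proper per-unit PSK exists;
# otherwise the radio stays disabled, which is the safe default.
enable_wifi() {
    command -v uci >/dev/null 2>&1 || return 2    # not running on OpenWrt
    uci set wireless.@wifi-iface[0].encryption='psk2'
    uci set wireless.@wifi-iface[0].key="$1"
    uci set wireless.@wifi-device[0].disabled='0'
    uci commit wireless
}

first_boot() {
    mac=$(cat /sys/class/net/eth0/address 2>/dev/null)   # assumed: label MAC is on eth0
    if [ -z "$mac" ]; then
        echo "cannot read label MAC; leaving wifi off" >&2; return 1
    fi
    if ! psk=$(read_vendor_psk "$VENDOR_PSK_FILE"); then
        echo "no usable vendor PSK found; leaving wifi off" >&2; return 1
    fi
    if mac_derived "$psk" "$mac"; then
        echo "vendor PSK is MAC-derived; leaving wifi off" >&2; return 1
    fi
    enable_wifi "$psk"
}

# Only act when invoked with --first-boot, so the functions can be sourced
# and exercised without touching the live configuration.
if [ "${1:-}" = "--first-boot" ]; then
    first_boot
fi
```

The script deliberately does nothing on models where the blob is absent, unreadable, or looks like it was built from the MAC, which is the thread's conclusion for those units: a device that ships with wireless off is recoverable over ethernet, while one that ships with a guessable key is not. The radio is brought up by the normal boot sequence after the uci changes are committed.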





More information about the openwrt-devel mailing list