Security
Contact Information
Email spr-security [at] supernetworks.org or reach out on the Discord chat
Security Goals
The router is secure against compromise via the web services, the remote uplink, or local network attack surfaces
It is practical to use strong passwords for WiFi devices
One compromised device should not be able to impersonate other devices on the network or intercept their network traffic
Devices can only communicate with systems they are explicitly allowed to reach. No spoofing.
Out of Scope for Now
Power and radio side-channel attacks
Physical attacks, physical supply chain
Key Security Features
Multi-PSK & VLANs
SPR places each WiFi device into its own VLAN. The combination of device password and MAC address is used to authenticate into the DHCP-assigned VLAN. The device does not need to be aware it is in a VLAN, except that DHCP has provided a /30 "tiny" network, and communications to other LAN devices are routed over the AP.
There is no limit to the number of VLANs and a user does not have to assign devices to VLANs.
No MAC spoofing and other layer 2 network pivoting
Firewall rules enforce the MAC address of the authenticated device to block MAC spoofing. Further OS configuration blocks ARP spoofing from interfaces on a VLAN. Packet forwarding to other devices is default deny; if a device has the LAN policy, or is in a group with other devices, then traffic is allowed.
GTKs (group temporal keys) are unique per VLAN, so devices can't bypass the router to communicate with each other. TDLS is disabled.
These rules are also enforced with mesh networking, supported today in SPR PLUS over wired backhaul.
Multicast Limitation
Currently the multicast proxy relays multicast traffic to all devices. A further hardening step would be to enforce routing policy for multicast traffic as well.
Upstream LAN Traffic Blocked By Default
Typically, users of SPR plug the SPR into their existing network, which is called the upstream LAN.
By default, SPR blocks device traffic to upstream private LANs (RFC 1918 ranges) unless the lan_upstream tag is enabled. This prevents SPR devices from accessing upstream private addresses.
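As an added illustration of the forwarding policy described in the "No MAC spoofing" and "Upstream LAN Traffic" sections above (this is a model written for this page, not SPR's own code or its nftables rules), the following Python evaluates one forwarded packet against the four checks the text describes: MAC enforcement, default-deny device-to-device forwarding opened by the LAN policy or a shared group, and RFC 1918 upstream blocking unless lan_upstream is set. The device names, MACs, addresses and group names are constructed samples; SPR's WAN policy is not modelled.

```python
import ipaddress
from dataclasses import dataclass, field

# Upstream private ranges (RFC 1918) that are blocked unless lan_upstream is set
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass
class Device:
    name: str
    mac: str          # MAC authenticated together with the device password
    ip: str           # address DHCP handed out from the device's /30 "tiny" network
    policies: set = field(default_factory=set)  # e.g. {"lan", "lan_upstream"}
    groups: set = field(default_factory=set)    # hypothetical group names

def decide(src: Device, seen_mac: str, dst_ip: str, devices: list) -> str:
    """Return 'allow' or 'deny: <reason>' for one packet forwarded from src."""
    # 1. Anti-spoofing: the MAC seen on the device's VLAN must be the authenticated one.
    if seen_mac.lower() != src.mac.lower():
        return "deny: mac-spoof"
    dst = ipaddress.ip_address(dst_ip)
    target = next((d for d in devices if d.ip == dst_ip), None)
    # 2. Device-to-device forwarding is default deny; the LAN policy or a shared group opens it.
    if target is not None:
        if "lan" in src.policies or (src.groups & target.groups):
            return "allow"
        return "deny: no lan policy or shared group"
    # 3. Any other private destination is the upstream LAN: blocked unless lan_upstream.
    if any(dst in net for net in RFC1918):
        return "allow" if "lan_upstream" in src.policies else "deny: upstream-private"
    # 4. Public destinations fall through to normal routing (WAN policy not modelled here).
    return "allow"

def sample_devices() -> dict:
    """Constructed sample devices; MACs, addresses and groups are made up for illustration."""
    devs = [
        Device("phone", "02:00:00:00:00:01", "192.168.2.2", policies={"lan"}),
        Device("tv", "02:00:00:00:00:02", "192.168.2.6", groups={"media"}),
        Device("cam", "02:00:00:00:00:03", "192.168.2.10", groups={"media"}),
        Device("laptop", "02:00:00:00:00:04", "192.168.2.14", policies={"lan_upstream"}),
    ]
    return {d.name: d for d in devs}

def check(src_name: str, seen_mac: str, dst_ip: str) -> str:
    """Evaluate a packet from one sample device against all sample devices."""
    devs = sample_devices()
    return decide(devs[src_name], seen_mac, dst_ip, list(devs.values()))

if __name__ == "__main__":
    print(check("tv", "02:00:00:00:00:02", "192.168.2.10"))   # allow (shared group)
    print(check("phone", "02:00:00:00:00:02", "192.168.2.10"))  # deny: mac-spoof
    print(check("tv", "02:00:00:00:00:02", "192.168.1.1"))     # deny: upstream-private
```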
WPA3 Support
WPA3 uses the Simultaneous Authentication of Equals (SAE) protocol for authentication. The key exchange cannot be sniffed and cracked offline as with WPA2 (PBKDF2-based), because SAE is a zero-knowledge proof of the password.
WPA3 also provides Management Frame Protection (MFP, 802.11w), which is optional in WPA2 but mandatory in WPA3.
Practical Limitations of WPA3
iOS Device QR-Code WPA2 Downgrade
iOS has a long-standing flaw where WPA3 networks that are joined by scanning a QR code are later saved as WPA2. As a result, SPR supports both WPA2 and WPA3 for devices.
Many devices don't support WPA3 yet; some still even require WPA1.
Since not all devices on a BSSID support WPA3, SPR runs MFP in mixed mode (ieee80211w=1).
Network Visibility
SPR provides DNS and traffic monitoring capabilities, as well as authentication logs for the APIs.
Threat Actors
Remote Internet Attacker
Anyone on the internet who can send packets to the WAN/uplink interface
Man In The Middle / Malicious ISP
An attacker with a man in the middle position on the uplink
Supply Chain Attacker
An attacker looking to insert code into the SPR project to compromise routers
Physical Proximity Attacker (Evil Neighbor)
An attacker with physical proximity to WiFi
Inside Perimeter Attacker (Evil Guest)
An attacker with physical access
Compromised Device Attacker (Implant)
An attacker operating from a compromised device, authenticated on the network