Capturing antique browsers in modern devices: �A security analysis of captive portal mini-browsers
Ping-Lun Wang, Kai-Hsiang Chou, Shou-Ching Hsiao, Ann Tene Low,
Tiffany Hyun-Jin Kim, and Hsu-Chun Hsiao
ACNS, 06/19 2023
What are captive portals?
2
AP supporting captive portal
Connect to Wi-Fi
User’s device
Captive portals are everywhere!
3
▲ University campuses
▲ Coffee shops
▲ Public transport
How do devices detect captive portals?
4
User’s device
AP supporting captive portal
HTTP request (connectivity check)
http://captive.apple.com/hotspot-detect.html
HTTP/1.1 200 OK
Success
▲ Normal AP
HTTP/1.1 302 FOUND
Redirecting…
▲ Captive portal
Connect to Wi-Fi
OK! (with limited Internet access)
Popup mini-browsers (user portal browsers)!
Authentication for full Internet access
5
User portal browser
AP supporting captive portal
Satisfy access condition
Passwords, credit cards, …
Authentication for full Internet access
6
User portal browser
AP supporting captive portal
Satisfy access condition
Passwords, credit cards, …
What if the captive portal is malicious?
We are sending our passwords, credit cards, … to an attacker!
What makes captive portal different?
Challenges to secure captive portal
7
✕
Our work: analyze mini-browsers and protect them
8
Accept self-signed certificates!!
1. Assessment tool: Wi-Fi Chameleon*
2. Defense schemes to secure captive portal
No HTTP warnings!!
* https://github.com/csienslab/Wi-Fi-Chameleon
Assessment tool: Wi-Fi Chameleon
9
In the next few slides…
Wi-Fi Chameleon: simulate captive portal attacks
10
User portal browser
Connect to captive portal
Web-based security checks
Wi-Fi Chameleon
Evil-twin attack: fake Wi-Fi AP with the same SSID
11
SSID: CMU
SSID: CMU
▲ Real Wi-Fi AP
▲ Fake Wi-Fi AP
▲ Phishing captive portal
Performing evil-twin attack: URI modification
https://captive-portal.com → http://captive-portal.com
Self-signed certificate, revoked certificate, …
https://captive-portal.com → https://captive-porta1.com
12
HTTP warnings!
Validate certificates!
Verify domain name!
https://wifi-starbucks.com
(Not registered yet!)
History-stealing attack: steal browsing history
13
User portal browser
Connect to user portal
Web pages with malicious scripts
Attacker
User’s browsing history
→ violate privacy and infer location history
Evaluation metrics to check vulnerabilities
Evil-twin attacks
14
History-stealing attacks
Security analysis of user portal browsers
15
In the next few slides…
Customized user portal browsers…
Warning message and indicator: not provided
16
▲ Apple (MacBook Air)
HTTP:
HTTPS:
Small lock icon…
HTTP:
HTTPS:
▲ Android (Pixel 5)
Not showing HTTP…
✕
✕
✕
Certificate validation: mostly secure
17
Expired certificates | ✓ | ✓ | ✓ | ✕ |
Self-signed certificates | ✓ | ✓ | ✓ | ✕ |
Common name mismatch | ✓ | ✓ | ✓ | ✕ |
Untrusted root CA | ✓ | ✓ | ✓ | ✕ |
Revoked certificates | ✕ | ✕ | ✕ | ✕ |
Cookie and local storage: not cleaned for Android
18
Secure and HttpOnly cookies | ✓ | ✓ | ✓ | ✓ |
Clean cookie and local storage when a session ends | ✓ | ✓ | ✕ | ✕ |
Under attack: mostly vulnerable!
19
How to defend against these attacks?
Challenge: how to verify the captive portal URI?
20
1. https://sbux-portal.globalreachtech.com
2. https://sbux-portal.globalroutetech.com
We don’t have
Internet access!
Our work: browser extension + identity verification
21
low deployment cost vs. no trust assumption
How browser extension detects URI modification
22
Trust this URI
HTTPS List
sbux-portal.globalreachtech.com
http://sbux-portal.globalreachtech.com
https://sbux-portal.globalroutetech.com
SSL Stripping!
Modified domain!
Can we remove the trust assumption?
How identity verification detects an evil-twin
23
Starbucks
▲ Real Wi-Fi AP
Starbucks
▲ Fake Wi-Fi AP
Before
How identity verification detects an evil-twin
24
Starbucks – globalreachtech.com
▲ Real Wi-Fi AP (modified)
Starbucks – globalreachtech.com
▲ Fake Wi-Fi AP
After – invalid AP
TLS
Invalid AP detected!
How identity verification detects an evil-twin
25
Starbucks – globalreachtech.com
▲ Real Wi-Fi AP (modified)
Starbucks – globalroutetech.com
▲ Fake Wi-Fi AP
After
Different SSID
Related work on captive portal protection
26
* https://www.wi-fi.org/discover-wi-fi/passpoint
Takeaways
27
Thank you for listening!