1 of 27

Capturing antique browsers in modern devices: �A security analysis of captive portal mini-browsers

Ping-Lun Wang, Kai-Hsiang Chou, Shou-Ching Hsiao, Ann Tene Low,

Tiffany Hyun-Jin Kim, and Hsu-Chun Hsiao

ACNS, 06/19 2023

2 of 27

What are captive portals?

2

AP supporting captive portal

Connect to Wi-Fi

User’s device

3 of 27

Captive portals are everywhere!

3

▲ University campuses

▲ Coffee shops

▲ Public transport

4 of 27

How do devices detect captive portals?

4

User’s device

AP supporting captive portal

HTTP request (connectivity check)

http://captive.apple.com/hotspot-detect.html

HTTP/1.1 200 OK

Success

▲ Normal AP

HTTP/1.1 302 FOUND

Redirecting…

▲ Captive portal

Connect to Wi-Fi

OK! (with limited Internet access)

Popup mini-browsers (user portal browsers)!

5 of 27

Authentication for full Internet access

5

User portal browser

AP supporting captive portal

Satisfy access condition

Passwords, credit cards, …

6 of 27

Authentication for full Internet access

6

User portal browser

AP supporting captive portal

Satisfy access condition

Passwords, credit cards, …

What if the captive portal is malicious?

We are sending our passwords, credit cards, … to an attacker!

What makes captive portal different?

7 of 27

Challenges to secure captive portal

  • User portal browsers
    • Different from normal browsers
    • Security protection: unknown!

7

  • Limited Internet access
    • Cannot query safe browsing check, WHOIS, ChatGPT, …
    • Authenticate a captive portal with offline information!

8 of 27

Our work: analyze mini-browsers and protect them

8

Accept self-signed certificates!!

  • Analyze attacks on user portal browsers
  • Find critical vulnerabilities

1. Assessment tool: Wi-Fi Chameleon*

  • Secure browser extension
  • Identity verification

2. Defense schemes to secure captive portal

No HTTP warnings!!

* https://github.com/csienslab/Wi-Fi-Chameleon

9 of 27

Assessment tool: Wi-Fi Chameleon

  • Perform security checks on user portal browsers
  • Implement on a Raspberry Pi

9

In the next few slides…

  1. How Wi-Fi Chameleon works
  2. Simulated attacks
  3. Evaluation metrics

10 of 27

Wi-Fi Chameleon: simulate captive portal attacks

10

User portal browser

Connect to captive portal

Web-based security checks

Wi-Fi Chameleon

  • Captive portal attacks
  • Evil-twin attack
  • History-stealing attack

11 of 27

Evil-twin attack: fake Wi-Fi AP with the same SSID

11

SSID: CMU

SSID: CMU

▲ Real Wi-Fi AP

▲ Fake Wi-Fi AP

▲ Phishing captive portal

12 of 27

Performing evil-twin attack: URI modification

  • TLS certificates (HTTPS) protect the authenticity of the URI
    1. Perform an SSL stripping attack

https://captive-portal.com → http://captive-portal.com

    • Use a fake TLS certificate

Self-signed certificate, revoked certificate, …

    • Use a similar URI with modified domain

https://captive-portal.com → https://captive-porta1.com

12

HTTP warnings!

Validate certificates!

Verify domain name!

https://wifi-starbucks.com

(Not registered yet!)

13 of 27

History-stealing attack: steal browsing history

13

User portal browser

Connect to user portal

Web pages with malicious scripts

Attacker

User’s browsing history

  • Cookies
  • Local storage
  • HSTS records

→ violate privacy and infer location history

14 of 27

Evaluation metrics to check vulnerabilities

Evil-twin attacks

  • Warning messages and indicator
    • HTTPS/HTTP indication
    • Warnings for insecure/deprecated protocols
  • Certificate validation
    • Expired, self-signed, revoked
    • Common name mismatch
    • Untrusted root CA

14

History-stealing attacks

  • Cookie and local storage
    • Secure and HttpOnly cookies
    • Clean storage after a session ends

15 of 27

Security analysis of user portal browsers

  • 18 devices (2020 ~ 2022)

15

In the next few slides…

  1. Evaluation results for each metric
  2. Attack vulnerability analysis

Customized user portal browsers…

16 of 27

Warning message and indicator: not provided

  • HTTP/HTTPS indication
  • Warnings for insecure protocols
  • Warnings for deprecated protocols

16

▲ Apple (MacBook Air)

HTTP:

HTTPS:

Small lock icon…

HTTP:

HTTPS:

▲ Android (Pixel 5)

Not showing HTTP…

17 of 27

Certificate validation: mostly secure

17

Expired certificates

Self-signed certificates

Common name mismatch

Untrusted root CA

Revoked certificates

18 of 27

Cookie and local storage: not cleaned for Android

18

Secure and HttpOnly cookies

Clean cookie and local storage when a session ends

19 of 27

Under attack: mostly vulnerable!

  • Evil-twin attack
    • No warnings for an SSL stripping attack! (HTTPS → HTTP)
    • Xiaomi devices vulnerable to fake certificates
    • No device can detect a modified domain
  • History-stealing attack
    • Android and Xiaomi devices are vulnerable

19

How to defend against these attacks?

20 of 27

Challenge: how to verify the captive portal URI?

  • Which URI is real/fake?

20

1. https://sbux-portal.globalreachtech.com

2. https://sbux-portal.globalroutetech.com

We don’t have

Internet access!

21 of 27

Our work: browser extension + identity verification

  • Secure browser extension
    • Trust on first use + HTTPS list
    • Records the correct URI
    • Prevents URI modification

21

  • AP identity verification
    • Binds SSID with URI
    • Verifies with TLS certificate
    • Prevents evil-twin attack

low deployment cost vs. no trust assumption

22 of 27

How browser extension detects URI modification

  • First connection

22

Trust this URI

HTTPS List

sbux-portal.globalreachtech.com

  • Under attack

http://sbux-portal.globalreachtech.com

https://sbux-portal.globalroutetech.com

SSL Stripping!

Modified domain!

Can we remove the trust assumption?

23 of 27

How identity verification detects an evil-twin

23

Starbucks

▲ Real Wi-Fi AP

Starbucks

▲ Fake Wi-Fi AP

Before

24 of 27

How identity verification detects an evil-twin

24

Starbucks – globalreachtech.com

▲ Real Wi-Fi AP (modified)

Starbucks – globalreachtech.com

▲ Fake Wi-Fi AP

After – invalid AP

TLS

Invalid AP detected!

25 of 27

How identity verification detects an evil-twin

25

Starbucks – globalreachtech.com

▲ Real Wi-Fi AP (modified)

Starbucks – globalroutetech.com

▲ Fake Wi-Fi AP

After

Different SSID

26 of 27

Related work on captive portal protection

  • Client-side defense scheme
    • Fingerprinting
    • Network probing
    • Require prior knowledge of the real AP or baseline network environment
  • Passpoint*
    • Includes server’s logo and name in the TLS certificate
    • Enforces Online Certificate Status Protocol (OCSP) stapling
    • More difficult to deploy

26

* https://www.wi-fi.org/discover-wi-fi/passpoint

27 of 27

Takeaways

  • Captive portal mini-browsers lack essential security protections
  • Attackers can easily steal sensitive information
  • Our defense authenticates URI and AP identity

27

Thank you for listening!