Microsoft Surface Hub 2 SmCamera User Manual

Page 300

| Wi-Fi Direct vulnerability | Surface Hub mitigation |
| --- | --- |
| The discovery process may remain active for an extended period of time, which could allow invitations and connections to be established without the approval of the device owner. | Surface Hub only operates as the group owner, which doesn't perform the client discovery or GO negotiation processes. You can fully disable wireless projection to turn off broadcast. |
| Invitation and discovery through PBC allow an unauthenticated attacker to perform repeated connection attempts, or unauthenticated connections are automatically accepted. | By requiring WPS PIN security, administrators can reduce the potential for such unauthorized connections or "invitation bombs," in which invitations are repeatedly sent until a user mistakenly accepts one. |

Wi-Fi Protected Setup (WPS) push button connect (PBC) vs PIN entry:

Public weaknesses have been demonstrated in WPS-PIN method design and implementation.
WPS-PBC has other vulnerabilities that could allow active attacks against a protocol
that's designed for one-time use.

| Wi-Fi Direct vulnerability | Surface Hub mitigation |
| --- | --- |
| WPS-PBC is vulnerable to active attackers. The WPS specification states: "The PBC method has zero bits of entropy and only protects against passive eavesdropping attacks. PBC protects against eavesdropping attacks and takes measures to prevent a device from joining a network that was not selected by the device owner. The absence of authentication, however, means that PBC does not protect against active attack." Attackers can use selective wireless jamming or other denial-of-service techniques to trigger an unintended Wi-Fi Direct GO or connection. Also, an active attacker who merely has physical proximity can repeatedly tear down any Wi-Fi Direct group and attempt the attack until it succeeds. | Enable WPS-PIN security in Surface Hub configuration. The Wi-Fi WPS specification states: "The PBC method should only be used if no PIN-capable registrar is available and the WLAN user is willing to accept the risks associated with PBC." |
| WPS-PIN implementations can be subject to brute-force attacks that target a vulnerability in the WPS standard. The design of split PIN verification led to multiple implementation vulnerabilities over the past several years across a range of Wi-Fi hardware manufacturers. In 2011, researchers Stefan Viehböck and Craig Heffner released information about this vulnerability and tools such as "Reaver" as a proof of concept. | The Microsoft implementation of WPS in Surface Hub changes the PIN every 30 seconds. To crack the PIN, an attacker must complete the entire exploit in less than 30 seconds. Given the current state of tools and research in this area, a brute-force PIN-cracking attack through WPS is unlikely to succeed. |
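
The effect of the 30-second rotation on split PIN verification can be quantified with a short model. This is an added example, not taken from the manual or from Microsoft; the function names are hypothetical, the guess rate is an assumed value, and the model simply counts the guesses needed to confirm each half of a uniformly random PIN.

```python
from fractions import Fraction

FIRST_HALF = 10**4    # PIN digits 1-4, confirmed on their own
SECOND_HALF = 10**3   # digits 5-7; digit 8 is a checksum, not a free digit
PIN_SPACE = FIRST_HALF * SECOND_HALF


def p_window(attempts: int, split: bool = True) -> Fraction:
    """Chance that a uniformly random PIN is found within `attempts` online
    guesses made before the PIN rotates."""
    if not split:
        # Hypothetical whole-PIN check: each guess rules out one of 10^7 PINs.
        return Fraction(min(attempts, PIN_SPACE), PIN_SPACE)
    # Split check: half 1 is confirmed on guess k1, half 2 after k2 more.
    # Count the (k1, k2) pairs with k1 + k2 <= attempts.
    hits = sum(min(SECOND_HALF, attempts - k1)
               for k1 in range(1, min(FIRST_HALF, attempts - 1) + 1))
    return Fraction(hits, PIN_SPACE)


def p_campaign(attempts_per_window: int, windows: int) -> float:
    """Success chance across `windows` rotations, each with a fresh PIN."""
    return 1 - float(1 - p_window(attempts_per_window)) ** windows


def max_attempts_within(risk: Fraction) -> int:
    """Largest per-window guess budget whose success chance stays <= risk."""
    lo, hi = 0, FIRST_HALF + SECOND_HALF
    while lo < hi:                      # p_window is monotone, so bisect
        mid = (lo + hi + 1) // 2
        if p_window(mid) <= risk:
            lo = mid
        else:
            hi = mid - 1
    return lo


if __name__ == "__main__":
    rate = 1                            # guesses per second: assumed value
    budget = rate * 30                  # guesses that fit in one rotation
    print("static PIN, 11,000 guesses:", float(p_window(11_000)))
    print("rotating PIN, one window:  ", float(p_window(budget)))
    print("same budget, unsplit check:", float(p_window(budget, split=False)))
    print("budget for <= 1e-4 risk:   ", max_attempts_within(Fraction(1, 10**4)))
```

A static PIN falls with certainty inside 11,000 guesses under this model, while a rotating PIN limits each window to whatever fits in 30 seconds; `max_attempts_within` turns a risk tolerance into the per-window guess budget that rate limiting or lockout would have to enforce.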
