Microsoft Surface Hub 2 SmCamera User Manual

Page 301


Wi-Fi Direct vulnerability: WPS-PIN can be cracked by an offline attack because of weak initial key (E-S1, E-S2) entropy. In 2014, Dominique Bongard described a "Pixie Dust" attack in which poor initial randomness of the pseudorandom number generator (PRNG) in the wireless device allowed an offline brute-force attack.

Surface Hub mitigation: The Microsoft implementation of WPS in Surface Hub is not susceptible to this offline PIN brute-force attack. The WPS-PIN is randomized for each connection.

Unintended exposure of network services:

Network daemons that are intended for Ethernet or WLAN services may be accidentally exposed because of misconfiguration (such as binding to "all"/0.0.0.0 interfaces). Other possible causes include a poorly configured device firewall or missing firewall rules.

Wi-Fi Direct vulnerability: Misconfiguration binds a vulnerable or unauthenticated network service to "all" interfaces, which includes the Wi-Fi Direct interface. This can expose services that shouldn't be accessible to Wi-Fi Direct clients, which may be weakly or automatically authenticated.

Surface Hub mitigation: In Surface Hub, the default firewall rules only permit the required TCP and UDP network ports and, by default, deny all inbound connections. Configure strong authentication by enabling the WPS-PIN mode.
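As an added example (not Microsoft's or Surface Hub's code), the following Python audit models the exposure described above: it parses a constructed `netstat -ano` style listing, identifies sockets bound to "all" interfaces, and shows how a default-deny inbound policy with an explicit allow list limits what a peer on the Wi-Fi Direct interface can reach. The interface address, ports and PIDs are assumed sample values.

```python
import ipaddress
from collections import namedtuple

Listener = namedtuple("Listener", "proto addr port pid")

# Constructed sample in `netstat -ano` layout; not captured from a Surface Hub.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    0.0.0.0:7250           0.0.0.0:0              LISTENING       4120
  TCP    [::]:7250              [::]:0                 LISTENING       4120
  TCP    127.0.0.1:8080         127.0.0.1:51000        ESTABLISHED     2210
  UDP    0.0.0.0:5353           *:*                                    1532
  UDP    127.0.0.1:1900         *:*                                    2210
"""

WILDCARDS = {"0.0.0.0", "::"}  # "all interfaces" binds, IPv4 and IPv6

def parse_netstat(text):
    """Return listening sockets; skips the header and non-listening TCP rows."""
    listeners = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if not parts or (parts[0] == "TCP" and "LISTENING" not in parts):
            continue
        addr, _, port = parts[1].rpartition(":")
        listeners.append(Listener(parts[0], addr.strip("[]"), int(port), int(parts[-1])))
    return listeners

def reachable_from(listeners, iface_addr, allow_rules, default_deny=True):
    """Listeners a peer on the interface at `iface_addr` could reach. allow_rules is
    a set of (proto, port) inbound allows; default_deny=False models a missing firewall."""
    iface = ipaddress.ip_address(iface_addr)
    exposed = []
    for sock in listeners:
        # Bound on this interface if it bound the interface address itself or a
        # wildcard of the same address family; loopback-only binds never qualify.
        bound_here = sock.addr == iface_addr or (
            sock.addr in WILDCARDS and ipaddress.ip_address(sock.addr).version == iface.version)
        if bound_here and (not default_deny or (sock.proto, sock.port) in allow_rules):
            exposed.append(sock)
    return exposed

def exposed_ports(iface_addr, allow_rules, default_deny=True):
    """Run the audit over the constructed sample; returns a sorted (proto, port) list."""
    socks = reachable_from(parse_netstat(SAMPLE_NETSTAT), iface_addr, allow_rules, default_deny)
    return sorted((s.proto, s.port) for s in socks)
```

With the assumed Wi-Fi Direct address 192.168.137.1 and no firewall, the three wildcard-bound IPv4 services are reachable; with default deny and a single allow for TCP 7250, only that port remains.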

Bridging Wi-Fi Direct and other wired or wireless networks:

Network bridging between WLAN or Ethernet networks is a violation of the Wi-Fi Direct specification. Such a bridge or misconfiguration may effectively lower or remove wireless access controls for the internal corporate network.

Wi-Fi Direct vulnerability: Wi-Fi Direct devices could allow unauthenticated or poorly authenticated access to bridged network connections. This might allow Wi-Fi Direct networks to route traffic to the internal Ethernet LAN or other infrastructure, or to enterprise WLAN networks, in violation of existing IT security protocols.

Surface Hub mitigation: Surface Hub can't be configured to bridge wireless interfaces or allow routing between disparate networks. The default firewall rules add defense in depth against any such routing or bridge connections.

The use of Wi-Fi Direct "legacy" mode:

Exposure to unintended networks or devices may occur when you operate in "legacy" mode. Device spoofing or unintended connections could occur if WPS-PIN is not enabled.

Wi-Fi Direct vulnerability:

Surface Hub mitigation:
