Microsoft Surface Hub 2 SmCamera User Manual


Wi-Fi Direct vulnerability: By supporting both Wi-Fi Direct and 802.11 infrastructure clients, the system is operating in a "legacy" support mode. This may expose the connection-setup phase indefinitely, allowing groups to be joined or devices invited to connect well after their intended setup phase terminates.

Surface Hub mitigation: Surface Hub doesn't support Wi-Fi Direct legacy clients. Only Wi-Fi Direct connections can be made to Surface Hub even when WPS-PIN mode is enabled.

Wi-Fi Direct GO negotiation during connection setup: The group owner in Wi-Fi Direct is analogous to the "access point" in a conventional 802.11 wireless network. The negotiation can be gamed by a malicious device.

Wi-Fi Direct vulnerability: If groups are dynamically established, or the Wi-Fi Direct device can be made to join new groups, the group owner negotiation can be won by a malicious device that always specifies the maximum group owner "intent" value of 15. (But the connection fails if the device is configured to always be a group owner.)

Surface Hub mitigation: Surface Hub takes advantage of Wi-Fi Direct "Autonomous mode," which skips the GO negotiation phase of connection setup. And Surface Hub is always the group owner.
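
The group owner decision rule described above can be modeled in a few lines to show why a peer that always declares intent 15 never loses, and why skipping the negotiation removes that exposure. This is an added example, not code from the manual or from Surface Hub; the function names are hypothetical, and the tie-breaker handling follows the Wi-Fi Direct rule that equal intents below 15 are settled by a one-bit tie-breaker sent by the initiator.

```python
from collections import Counter
from enum import Enum

MAX_INTENT = 15  # maximum group owner "intent" value cited in the text


class Outcome(Enum):
    INITIATOR_IS_GO = "initiator becomes group owner"
    RESPONDER_IS_GO = "responder becomes group owner"
    FAILED = "negotiation fails: both peers insist on being group owner"


def negotiate_go(initiator_intent, responder_intent, initiator_tie_breaker):
    """Apply the GO decision rule to two intent values (0..15).

    initiator_tie_breaker is the one-bit value carried in the initiator's
    request; it only matters when both intents are equal and below 15.
    """
    for intent in (initiator_intent, responder_intent):
        if not 0 <= intent <= MAX_INTENT:
            raise ValueError(f"intent out of range: {intent}")
    if initiator_tie_breaker not in (0, 1):
        raise ValueError("tie-breaker must be 0 or 1")
    if initiator_intent == responder_intent == MAX_INTENT:
        return Outcome.FAILED
    if initiator_intent != responder_intent:
        if initiator_intent > responder_intent:
            return Outcome.INITIATOR_IS_GO
        return Outcome.RESPONDER_IS_GO
    if initiator_tie_breaker == 1:
        return Outcome.INITIATOR_IS_GO
    return Outcome.RESPONDER_IS_GO


def outcomes_for_peer(peer_intent):
    """Tally results for a responding peer that always sends peer_intent,
    across every intent (0..15) and tie-breaker bit an initiator could send."""
    tally = Counter()
    for device_intent in range(MAX_INTENT + 1):
        for tie_breaker in (0, 1):
            tally[negotiate_go(device_intent, peer_intent, tie_breaker)] += 1
    return tally


if __name__ == "__main__":
    # A device in Autonomous mode never calls negotiate_go at all: it starts
    # the group itself and is the group owner from the outset.
    for intent in (7, MAX_INTENT):
        print(f"peer intent {intent}: {dict(outcomes_for_peer(intent))}")
```

With intent 15 the peer either becomes group owner or the negotiation fails; it is never a client, which matches the parenthetical in the vulnerability description.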

Unintended or malicious Wi-Fi deauthentication: Wi-Fi deauthentication is an old attack in which a local attacker can expedite information leaks in the connection-setup process, trigger new four-way handshakes, target Wi-Fi Direct WPS-PBC for active attacks, or create denial-of-service attacks.

Wi-Fi Direct vulnerability: Deauthentication packets can be sent by an unauthenticated attacker to cause the station to re-authenticate and then sniff the resulting handshake. Cryptographic or brute-force attacks can be attempted on the resulting handshake. Mitigation for these attacks includes enforcing length and complexity policies for pre-shared keys, configuring the access point (if applicable) to detect malicious levels of deauthentication packets, and using WPS to automatically generate strong keys. In PBC mode, the user interacts with a physical or virtual button to allow arbitrary device association. This process should happen only at setup, within a short window. After the button is automatically "pushed," the device will accept any station that associates via a canonical PIN value (all zeros). Deauthentication can force a repeated setup process.

Surface Hub mitigation: Surface Hub uses WPS in PIN or PBC mode. No PSK configuration is permitted. This method helps enforce generation of strong keys. It's best to enable WPS-PIN security for Surface Hub.
