Microsoft Surface Hub 2 SmCamera User Manual


Wi-Fi Direct vulnerability: In addition to denial-of-service attacks, deauthentication packets can be used to trigger a reconnect that re-opens the window of opportunity for active attacks against WPS-PBC.

Surface Hub mitigation: Enable WPS-PIN security in the Surface Hub configuration.

Basic wireless information disclosure: Wireless networks, 802.11 or otherwise, are inherently at risk of information disclosure. Although this information is mostly connection or device metadata, this problem remains a known risk for any 802.11 network administrator. Wi-Fi Direct with device authentication via WPS-PIN effectively reveals the same information as a PSK or Enterprise 802.11 network.

Wi-Fi Direct vulnerability: During broadcast, connection setup, or even normal operation of already-encrypted connections, basic information about devices and packet sizes is wirelessly transmitted. At a basic level, a local attacker who's within wireless range can examine the relevant 802.11 information elements to determine the names of wireless devices, the MAC addresses of communicating equipment, and possibly other details, such as the version of the wireless stack, packet sizes, or the configured access point or group owner options.

Surface Hub mitigation: The Wi-Fi Direct network that Surface Hub uses can't be further protected from metadata leaks, just like for 802.11 Enterprise or PSK wireless networks. Physical security and removal of potential threats from wireless proximity can help reduce potential information leaks.
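To audit what your own device exposes in the way described above, this added example (not part of the Surface Hub documentation) parses a beacon frame and returns the fields readable without any key. The sample frame, device names and MAC address are constructed; the element and WPS attribute IDs are the standard ones, and only a few are decoded here.

```python
import struct

WPS_IE = bytes.fromhex("0050f204")  # vendor OUI 00:50:F2, type 4 = WPS element
WPS_ATTRS = {0x1011: "device_name", 0x1021: "manufacturer", 0x1023: "model_name"}

def parse_wps(body):
    """Walk WPS attributes: 2-byte type, 2-byte length (big-endian), value."""
    out, i = {}, 0
    while i + 4 <= len(body):
        atype, alen = struct.unpack_from(">HH", body, i)
        val = body[i + 4:i + 4 + alen]
        if len(val) < alen:
            break  # truncated attribute: stop rather than misparse
        if atype in WPS_ATTRS:
            out[WPS_ATTRS[atype]] = val.decode("utf-8", "replace")
        i += 4 + alen
    return out

def parse_beacon(frame):
    """Return the metadata readable from a cleartext beacon or probe response."""
    if len(frame) < 36:
        raise ValueError("shorter than 24-byte header + 12 fixed bytes")
    ftype, subtype = (frame[0] >> 2) & 3, frame[0] >> 4
    if ftype != 0 or subtype not in (5, 8):
        raise ValueError("not a beacon or probe response")
    info = {"transmitter": frame[10:16].hex(":"), "bssid": frame[16:22].hex(":"),
            "frame_len": len(frame)}
    i = 36
    while i + 2 <= len(frame):  # tagged elements: 1-byte id, 1-byte length, value
        eid, elen = frame[i], frame[i + 1]
        val = frame[i + 2:i + 2 + elen]
        if len(val) < elen:
            break  # truncated element at end of capture
        if eid == 0:
            info["ssid"] = val.decode("utf-8", "replace")
        elif eid == 3 and elen == 1:
            info["channel"] = val[0]
        elif eid == 221 and val[:4] == WPS_IE:
            info.update(parse_wps(val[4:]))
        i += 2 + elen
    return info

# Constructed sample beacon (all names and addresses are made up).
_ie = lambda eid, v: bytes([eid, len(v)]) + v
_attr = lambda t, v: struct.pack(">HH", t, len(v)) + v
SAMPLE = (bytes.fromhex("80000000") + b"\xff" * 6 + bytes.fromhex("020000aabb01") * 2
          + bytes(2) + bytes(8) + struct.pack("<HH", 100, 0x0411)
          + _ie(0, b"DIRECT-xy-ExampleHub") + _ie(3, bytes([6]))
          + _ie(221, WPS_IE + _attr(0x1011, b"ExampleHub") + _attr(0x1021, b"ExampleCorp")))
```

Every field returned by `parse_beacon(SAMPLE)` is sent in the clear regardless of whether WPS-PIN, PSK or Enterprise authentication protects the data traffic.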

Wireless evil twin or spoofing attacks: Spoofing the wireless name is a simple, well-known exploit a local attacker can use to lure unsuspecting or mistaken users to connect.

Wi-Fi Direct vulnerability: By spoofing or cloning the wireless name or "SSID" of the target network, an attacker may trick the user into connecting to a fake, malicious network. Because unauthenticated, auto-join Miracast is supported, an attacker could capture the intended display materials or launch network attacks on the connecting device.

Surface Hub mitigation: While there are no specific protections against joining a spoofed Surface Hub, this vulnerability is partially mitigated in two ways. First, any potential attack must be physically within Wi-Fi range. Second, this attack is only possible during the first connection. Subsequent connections use a persistent Wi-Fi Direct group, and Windows will remember and prioritize this prior connection during future Hub use. (Note: Spoofing the MAC address, Wi-Fi channel, and SSID simultaneously was not considered for this report and may result in inconsistent Wi-Fi behavior.) Overall, this weakness is a fundamental problem for any 802.11 wireless network that lacks Enterprise WPA2 protocols such as EAP-TLS or EAP-PWD, which Wi-Fi Direct doesn't support.
