python-broadlink

No encryption during provisioning?

Open Lull3n opened this issue 3 years ago • 15 comments

Was looking to implement the provisioning directly on Android, and had a look at the setup method. Am I misunderstanding something here, or are my Wi-Fi creds sent in Unicode over open Wi-Fi?

Edit: typo

Lull3n, Jan 18 '22 22:01

It's not open Wi-Fi, you need to connect to the Wi-Fi network that your Broadlink device generates in AP setup mode.

felipediel, Jan 23 '22 21:01

Hmm, it might be that I've misunderstood Wi-Fi principles here, but aren't Wi-Fi networks with no password unencrypted?

Lull3n, Jan 25 '22 15:01

It is a private network to which you only connect a single time with a single device. It's not like broadcasting your credentials on your main network, that's what I mean.

felipediel, Jan 25 '22 15:01

I feel I'm probably misunderstanding here? What I mean is: if the Wi-Fi is not protected, it's not encrypted? And if there is no application-layer encryption, anyone sniffing the radio will then be able to read my Wi-Fi creds? I had a look at the JS in the "wifi login page" generated by my bulb, and it applies what appears (to my untrained JS eyes) to be application-layer encryption, which seems to support my suspicions somewhat.

Lull3n, Jan 25 '22 16:01

It uses WPS, the communication is encrypted.

felipediel, Jan 25 '22 17:01

I fear my Broadlink "Smart Bulb" doesn't. There are no buttons on the bulb, no PIN requests, and netsh reports:

    Network type   : Infrastructure
    Radio type     : 802.11n
    Authentication : Open
    Cipher         : None

Lull3n, Jan 25 '22 18:01

Sometimes it's not a button, but a specific way you turn the power on and off to put it in AP setup mode. I don't have the bulb, I don't know how it works exactly, but the configuration is probably similar to the other devices with Broadlink DNA.

felipediel, Jan 25 '22 19:01

Fair, I guess if there is WPS the device should only accept one concurrent connection? Otherwise the whole point of encrypting the data would be lost, as anyone could just obtain the keys. I can connect multiple devices to the AP at the same time, and anyway, as stated, Windows reports the connection as unencrypted. So I'm getting fairly confident that the Wi-Fi creds are actually being broadcast unencrypted. Seeing as Broadlink has mitigated this with application-level encryption, I think you should look into this, or at the very least disable the setup method for connections that have no encryption. I can take a swing at sniffing the packets if you need me to, and I can upload the JS encryption functions used by Broadlink if you want, but I'm afraid I can't make any PRs as my Python is horrible.

Lull3n, Jan 25 '22 19:01
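A defender-side guard for the mitigation suggested above (refuse to run the provisioning step when the client's current Wi-Fi link is reported as unencrypted), written as an added example; it is not part of python-broadlink and was not posted by anyone in this thread. It parses the `Key : Value` fields that `netsh wlan show interfaces` prints (the four fields quoted earlier in the thread), treats a missing field as unencrypted so the check fails closed, and only then calls a caller-supplied `run_setup` callable, which is a hypothetical stand-in for whatever call would actually transmit the home network's credentials. Both sample outputs below are constructed.

```python
import re
from typing import Callable, Dict

# Values netsh reports for an unprotected link (as quoted in the thread).
_OPEN_AUTH = {"open"}
_NO_CIPHER = {"none"}


def parse_netsh_interface(output: str) -> Dict[str, str]:
    """Turn 'Key : Value' lines from `netsh wlan show interfaces` into a dict.

    Keys are lower-cased and stripped so the result does not depend on
    netsh's column padding. Lines without a 'key : value' shape are ignored.
    """
    fields: Dict[str, str] = {}
    for line in output.splitlines():
        m = re.match(r"\s*(.+?)\s*:\s*(.*?)\s*$", line)
        if m:
            fields[m.group(1).lower()] = m.group(2)
    return fields


def link_is_encrypted(fields: Dict[str, str]) -> bool:
    """Fail closed: a link counts as encrypted only if it has a non-Open
    authentication method AND a real cipher. Missing fields mean 'no'."""
    auth = fields.get("authentication", "").strip().lower()
    cipher = fields.get("cipher", "").strip().lower()
    if not auth or not cipher:
        return False
    return auth not in _OPEN_AUTH and cipher not in _NO_CIPHER


class UnencryptedLinkError(RuntimeError):
    """Raised instead of sending credentials over an unprotected link."""


def guarded_setup(netsh_output: str, run_setup: Callable[[], None]) -> bool:
    """Call run_setup() only when the current Wi-Fi link is encrypted.

    run_setup is a hypothetical placeholder for the provisioning step that
    would otherwise transmit the home network's SSID and password.
    Returns True when provisioning was allowed to run.
    """
    fields = parse_netsh_interface(netsh_output)
    if not link_is_encrypted(fields):
        raise UnencryptedLinkError(
            "refusing to send credentials over an unencrypted link "
            f"(Authentication={fields.get('authentication', '?')}, "
            f"Cipher={fields.get('cipher', '?')})"
        )
    run_setup()
    return True


# Constructed samples: the first mirrors the fields quoted in the thread,
# the second is what a WPA2-protected link would look like.
OPEN_LINK = """\
    Network type           : Infrastructure
    Radio type             : 802.11n
    Authentication         : Open
    Cipher                 : None
"""

WPA2_LINK = """\
    Network type           : Infrastructure
    Radio type             : 802.11ac
    Authentication         : WPA2-Personal
    Cipher                 : CCMP
"""

if __name__ == "__main__":
    for label, sample in (("open", OPEN_LINK), ("wpa2", WPA2_LINK)):
        try:
            guarded_setup(sample, lambda: print("provisioning would run now"))
            print(label, "-> allowed")
        except UnencryptedLinkError as exc:
            print(label, "->", exc)
```

On a real Windows client the `netsh_output` argument would be the captured stdout of `netsh wlan show interfaces`; on other platforms the same fail-closed decision can be fed from whatever tool reports the link's authentication and cipher. The point of the guard is that it errs on the side of not sending anything, rather than trying to enumerate every secure configuration.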

When we connect via WPS, the Broadlink device restricts the connection to the client and the Wi-Fi configuration is done with encryption. WPS is like connecting with passwords, but we press a button to grant permission to the first device that connects.

felipediel, Mar 19 '22 15:03

I'm well aware what WPS is. As stated, there is no WPS in my LB2 (I can get you the hex code if you want); the encryption is instead done in the application layer using a Rabbit cipher that's run in JS on the phone/tablet used for provisioning. As I've also already stated, Windows also reports the connection as unencrypted, hence any credentials sent on the network without adding application-layer encryption are subject to sniffing, and the only security granted here is by obscurity.

Lull3n, Mar 19 '22 17:03

Really cool project, and super grateful for all the work ofc, but you should at least inform your users that the credentials are sent in cleartext instead of just saying there's WPS (which there at least isn't on my device) and closing the issue.

Lull3n, Mar 19 '22 17:03

Okay, sorry, I'm short on time for the project so I end up having to make choices. I'll leave it open a little longer in case anyone wants to improve this with a PR. Thanks for reporting.

felipediel, Mar 19 '22 18:03

If you could paste that JS here, it would be of great help.

felipediel, Mar 19 '22 20:03

Thank you!

felipediel, Mar 21 '22 18:03

I deleted the JS, as I realized there might be some stuff in it pointing to my device. Also, I would like to apologize for my tone in the previous communications.

Lull3n, Jun 12 '24 15:06