    What NOT to spend time/resource developing

    • Danal

      @Markdnd:

      A simpler solution would be to implement a white-list of MAC addresses that the printer will allow to connect to it. Still not exactly rocket science to defeat, I accept, but it would stop accidental connections and block the casual experimenter at public events.

      At a public event, even if the config is untouched and the Duet is still in "client" WiFi mode, it will not connect, because there are no WPA2 APs with the correct SSID and Password of the printer owner's home network.

      To be clear, the SSID can't be discovered, because clients don't broadcast it.

      The WiFi client in the Duet will be sending an 802.11 management packet known as a "probe request". This contains NO information about the SSID; even if an 'evil' AP responds to it, that evil AP would have to have prior knowledge of the SSID and the Password of the printer owner's home network to associate and authenticate the Duet.

      Short version: Config untouched, all is still secure, no one can connect, including the printer owner.

      Delta / Kossel printer fanatic

      1 Reply Last reply Reply Quote 0
      • Danal

        To summarize two posts:

        Public event. Config untouched. Perfectly secure, as the printer client has no network to which it will connect. However, printer owner can't connect either; only PanelDue usable.

        Public event. Config changed to AP mode with a throwaway SSID and PWD for that event (that the owner of the printer never tells anyone). Perfectly secure. And, the printer owner can connect, if they choose to put their mobile on that network.

        Delta / Kossel printer fanatic

        1 Reply Last reply Reply Quote 0
        • kraegar

          @Danal:

          To summarize two posts:

          Public event. Config untouched. Perfectly secure, as the printer client has no network to which it will connect. However, printer owner can't connect either; only PanelDue usable.

          Public event. Config changed to AP mode with a throwaway SSID and PWD for that event (that the owner of the printer never tells anyone). Perfectly secure. And, the printer owner can connect, if they choose to put their mobile on that network.

          Good call. I don't know if AP mode was implemented last year when I took my own AP. I'll probably switch it to AP mode for MRRF, and see if I can get a connection at all. If not, SD card should be good enough.

          Co-Creator of the RailcoreII CoreXY printer
          https://www.thingiverse.com/thing:2407174

          1 Reply Last reply Reply Quote 0
          • dc42 administrators

            AP mode wasn't working this time last year.

            Duet WiFi hardware designer and firmware engineer
            Please do not ask me for Duet support via PM or email, use the forum
            http://www.escher3d.com, https://miscsolutions.wordpress.com

            1 Reply Last reply Reply Quote 0
            • Danal

              @dc42:

              AP mode wasn't working this time last year.

              Ah, did not know that. In that case, an extra router would be the secure way to have WiFi at a show.

              Resummary given the above:

              Public show, no config changes. All secure. No one can use WiFi, including the printer owner.

              Public show, change config SSID and PWD and also bring a WiFi router, to effectively act as an AP. Printer owner can use WiFi. As can anyone he tells the SSID/PWD. Secure from everyone who doesn't have the SSID/PWD.

              Delta / Kossel printer fanatic

              1 Reply Last reply Reply Quote 0
              • tomasf

                @Markdnd:

                Another thing to bear in mind is that, although you can use a self-signed certificate, it would only stop casual snooping and is easily spoofed. To implement SSL properly (and stop browsers and web security packages bleating) would require an official SSL certificate per printer at a cost of about £40 per year.

                If you configure your browser/OS to trust your self-signed cert, you get the same kind of security as an expensive bought cert. Spoofing it with a MITM attack would trigger a security warning, just like spoofing any website cert would. So there's nothing insecure about using self-signed certs, really.

                1 Reply Last reply Reply Quote 0
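
Added example, not part of the thread and not any poster's code: the self-signed trust model described in the post above can be checked locally with the openssl CLI. The hostname printer.local and the file names are assumptions, and both certificates are generated on the spot.

```bash
#!/usr/bin/env bash
# Added example: printer.local and all file names are assumptions made for
# this demo; both certificates are generated locally, nothing is contacted.
set -u
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
HOST=printer.local

# make_cert <name>: new key pair plus a self-signed certificate for $HOST.
make_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$HOST" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# fingerprint <name>: SHA-256 fingerprint, the value to pin or compare by eye.
fingerprint() {
  openssl x509 -noout -fingerprint -sha256 -in "$WORK/$1.crt" | cut -d= -f2
}

# verdict <anchor> <presented>: "trusted" only if the presented certificate
# validates against a trust store that contains nothing but <anchor>.
verdict() {
  if openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1
  then echo trusted
  else echo rejected
  fi
}

make_cert printer      # the certificate the owner installed and chose to trust
make_cert lookalike    # same CN, different key: what an interceptor would present

echo "pinned fingerprint:    $(fingerprint printer)"
echo "lookalike fingerprint: $(fingerprint lookalike)"
echo "printer cert:   $(verdict printer printer)"
echo "lookalike cert: $(verdict printer lookalike)"
```

The matching name does not help the second certificate: trust is bound to the key behind the pinned certificate, which is why the fingerprint has to be checked out of band before it is trusted the first time.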
                Unless otherwise noted, all forum content is licensed under CC-BY-SA