Capturing Antique Browsers in Modern Devices: A Security Analysis of Captive Portal Mini-Browsers
2023; Springer Science+Business Media; Language: English
DOI: 10.1007/978-3-031-33488-7_10
ISSN: 1611-3349
Authors: Ping-Lun Wang, Kai-Hsiang Chou, Shou-Ching Hsiao, Ann Tene Low, Tiffany Hyun‐Jin Kim, Hsu‐Chun Hsiao
Topic(s): IPv6, Mobility, Handover, Networks, Security
Abstract: Granting access to public Wi-Fi networks heavily relies on captive portals that are accessible using dedicated browsers. This paper highlights that such browsers are crucial to captive portals' security, yet have not been emphasized in prior research. To evaluate the security of captive portal mini-browsers, we built an assessment tool called Wi-Fi Chameleon and evaluated them on 15 popular devices. Our evaluation revealed that they all lacked the essential security mechanisms provided by modern browsers. Indeed, many provided no warnings even when using HTTP or encountering invalid TLS certificates, and some did not isolate sessions, enabling attackers to silently steal users' sensitive information (e.g., social networking accounts and credit card numbers) typed in captive portals and stored in their browsing histories. Moreover, even if a captive portal mini-browser is equipped with all security protections that modern browsers provide, users are still susceptible to existing captive portal attacks. We discuss the best practice of a secure captive portal mini-browser and two possible approaches to mitigate the vulnerabilities. For end-users, we proposed a browser extension for immediate deployability. For access points and captive portal mini-browser vendors, we proposed a comprehensive solution compatible with RFC 8952, the standard of captive portals.