Monday, December 2, 2013

Zenbu Version 2.0

Hi everyone,

Summer looks to be in full swing and Christmas is just around the corner. Many of you out there will likely be revving up for the busy season, and just in time we have an early present that should hopefully help things go even smoother than usual. It is something new to do with Zenbu that we would like to share and hope that you will find helpful.

So, let us start with a token *drum roll* ~~~~!

We would like to announce the arrival of our latest firmware version, Zenbu 2.0! *Cue the introductory catchphrase*
A new version of the Zenbu firmware years in the making, as reliable as ever and ready to restrict data usage, to seek out new features and security, boldly going where no Zenbu firmware has gone before.

There are numerous improvements added for the convenience of hotspot operators and also some behind the scenes alterations which have tackled a number of both relatively common and very rare annoyances (while much of the modification and fine tuning is likely never to be noticed, we implemented them just because we could).
Probably most convenient of all, operators can now turn their Zenbu router's WiFi on/off and change the channel (operational frequency) that it broadcasts on via our website.
This version also allows us more insight into the state of a Zenbu router itself and the environment in which it is operating. So, in the unlikely event that a need for troubleshooting arises, we are already at least a few steps out of the dark (and that much closer to identifying an issue).

Last but not least... some of you may have noticed the change and be wondering what on earth the following signal is: "Zenbu XS [user+pass=zen]"

This is the same signal coming from the Zenbu router, but using WPA2-Enterprise encryption: clients authenticate via IEEE 802.1X, with PEAPv0 encapsulating MSCHAPv2.
However, putting aside the details and keeping it nice and simple;
Essentially... the Zenbu XS signal is more secure!

(For those interested, some of the technicalities are located below.)


As the signal name implies, the username and password for connecting to the wireless signal are both 'zen'. (Note; this is not the key used for encryption of your transferred data.) Once connected, the procedure for logging in via Zenbu is the same as always.

So the next time you see one of these signals, if your device is capable of handling these security features, then give it a go! (and feel assured with the knowledge that at that point in time, the data that you are transferring through the air has an extremely robust padlock on it!)


We hope you all enjoy the summer.  So far so good!

Regards,

The Zenbu Team.


======================================
Technicalities
When connecting to the XS signal, by checking the security certificate, you can confirm that what you are actually connecting to is indeed an authentic Zenbu hotspot.
Furthermore, due to the nature of the security protocols being used, a number of unique keys are negotiated on connection. These are dynamically generated, specific to the user's current connection and only the user device and Zenbu system know these. No one / nothing else (not even the user).
In the case of signals using pre-shared WEP/WPA encryption keys (PSK) the key (for connection AND encryption) is the same for all devices connecting to the network and must be provided to anyone who wants to connect. For it to be a public WiFi hotspot, this pre-shared key would be disclosed to an ever increasing number of individuals... which effectively renders encrypting the data transmission pointless. i.e. the same as an open signal.

When a signal is open or effectively open like in the above case using shared keys, people can potentially snoop on the wireless traffic of those connected and see what they are up to. Note however that...
Even in this type of open or "shared key" environment any data that should be secured (like your online banking) is likely using SSL or other encryption methods anyway. This is because it needs to be encrypted as it traverses the internet where there are likely many more nasties than in your immediate environment!

[Secure sites starting with https are encrypted from end to end (which also includes over the wireless link). Encryption of data being sent between a device (client) and a secure website (server) is unrelated to the encryption of all Wi-Fi transmission between a device and a wireless router. In the case of SSL traffic over a 'secure' wireless link... the data is effectively double encrypted, for the wireless portion.]

Given the above, an open signal isn't really that much of an issue... but of course, people do like to see "secured" on their connection label.
So, with that in mind, we have opted for the only worthwhile option that provides a real security benefit in the public Wi-Fi environment Zenbu must operate in (rather than the false sense of security proliferated by pre-shared keys).

In the case where negotiation of dynamic, unique keys is performed upon connection (e.g. to the Zenbu XS signal), as the master key is not known, snooping is a futile cause (beyond using a supercomputer to brute-force the lock... such a culprit would have no means of comprehending the garbled data).

Even if someone were to attempt disguising their device as someone else's (by MAC address spoofing) this would not get them the key required to decrypt the data being transmitted. Due to the dynamic variables involved upon key creation, they would merely generate a different set of keys for their own connection at that point in time.
The only method left is to try and create a fake hotspot that imitates the Zenbu signal and try to capture the keys that users provide when someone carelessly connects. Which of course brings us full circle. Checking the security certificate.
secure.zenbu.net.nz / secure.zenbu.net.au are our domains and only ours. If it shows our domain when connecting to the XS signal, then you can be sure that what you are connecting to is an authentic Zenbu hotspot. Otherwise... run for the hills!
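
For devices that use wpa_supplicant, the certificate check described above can be enforced by the device itself rather than left to a prompt. The following is an added example, not Zenbu's own configuration: it assumes wpa_supplicant 2.4 or later and assumes the hotspot's certificate chains to a CA in the system trust bundle at the path shown.

```conf
# Constructed wpa_supplicant.conf example (added here, not from Zenbu).

# WEAK: no ca_cert and no domain_match. The supplicant accepts whatever
# server certificate it is shown, so it cannot tell an authentic hotspot
# from an imitation broadcasting the same signal name.
# Kept only for comparison; disabled=1 stops it from ever being selected.
network={
    ssid="Zenbu XS [user+pass=zen]"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="zen"
    password="zen"
    phase1="peapver=0"
    phase2="auth=MSCHAPV2"
    disabled=1
}

# HARDENED: the PEAP tunnel is only completed if the server certificate
# validates against ca_cert AND carries the expected Zenbu domain.
# A mismatch aborts the connection before the inner MSCHAPv2 exchange runs.
network={
    ssid="Zenbu XS [user+pass=zen]"
    key_mgmt=WPA-EAP
    proto=RSN
    eap=PEAP
    identity="zen"
    password="zen"
    phase1="peapver=0"
    phase2="auth=MSCHAPV2"
    # Assumption: the issuing CA is in the system bundle; adjust the path
    # to the CA file that actually signs the hotspot certificate.
    ca_cert="/etc/ssl/certs/ca-certificates.crt"
    # Full-name match on the certificate (SAN dNSName, or CN if no SAN).
    # Use "secure.zenbu.net.au" instead when connecting in Australia.
    domain_match="secure.zenbu.net.nz"
}
```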
======================================
