Saturday, 12 November 2016

How does TI CC3000 wifi smart config work?

The ti cc3000 wifi chip has a special smart config mode, this is to allow the initial configuration of the wifi access details.
The cc3000 wiki page gives some details on how the process works,
  1. The chip enters a smart config "listen" mode
  2. Application on smart phone sends a "UDP" packet with access point settings
  3. The chip captures this data and configures itself
I am aware of packet capture and wifi sniffing, but how does the chip "decrypt" the raw packet to get any info out of it ? I use wpa2-personal with AES on my router.
***********
As @Colin mentions the scheme that TI now use to communicate a network SSID and keyphrase from a setup application to a CC3000 enabled device is called Smart Config.
Smart Config has to communicate information (the network SSID and keyphrase) from a secure wifi network to a CC3000 enabled device that is not yet able to decrypt the traffic on that network.
Initially the CC3000 is not connected to the network (but can monitor the traffic), so the Smart Config application cannot send its information directly to the device. Instead it sends UDP packets to another existing machine on the network - the wifi access point (AP). That the AP isn't interested in receiving them is irrelevant, it's just important that the packets be visible on the network.
While the CC3000 can monitor the traffic it can't decrypt it, it can't even tell for certain that a given encrypted packet contains UDP data. So how can it pick out the UDP packets or do anything useful with them?
Basically Smart Config encodes its information not in the content of the packets it is sending but in their length. Wifi encryption affects the length of packets, but in a consistent way, i.e. it adds L additional bytes to the size of every packet, where L is a constant.
The Smart Config application encodes the SSID and keyphrase into the packet lengths of a sequence of UDP packets. The CC3000 can see the encrypted packets and their sizes.
In many environments the CC3000 will be able to see traffic from multiple nearby networks so how can it spot the relevant traffic? Even after encryption one can still see the MAC addresses of the source and destination of a packet so one can group traffic this way. In addition to the primary information that Smart Config is trying to send it also sends out regularly repeating patterns of packet lengths, so the CC3000 groups the traffic as described and then looks out for such patterns, when it finds them in the traffic of a given source and destination pair it then focuses in to recover the primary information.
There's obviously more too it than that, e.g. even once the CC3000 has found the source and destination pair, that correspond to the AP and the machine running the Smart Config application, how does it filter the Smart Config packets from other unrelated traffic going between the AP and the machine? I've written this all up in a series of blog posts.
The most technically detailed one covers the heart of Smart Config - how it encodes the SSID and keyphrase and transmits them such that a CC3000 can pick them up:
Then I have a post that's less technical, more an opinion piece about why you should always use an AES key with Smart Config:
There is a technical bit in the middle that does describe briefly how you'd configure a cipher in Java with the necessary AES transformation needed to work as the CC3000 expects.
And finally the proof of the pudding - I wrote an application to emulate the Smart Config related behavior of the CC3000, i.e. it can recover the SSID and keyphrase transmitted by any Smart Config application without needing to be able to decrypt the relevant network traffic. You can find where to download the source and all the details here:
This should enable one to test the behavior of any Smart Config application one writes, i.e. one can see what a CC3000 would be able to reconstruct from the data transmitted by the application.
I also have a few more Smart Config / CC3000 related posts:
For some background information it can also be interesting to read through these threads on the TI forum relevant to the CC3000.
First one covering Smart Config itself:
And one on mDNS, the mechanism by which a Smart Config application detects that a CC3000 enabled device has joined the network:
In both threads some initial messages may not seem so relevant but there's some interesting information mixed in too. But there's also a lot of inaccurate information as well so don't assume all of it is correct, even information from TI employees or from me (I learned a lot eventually but started with some incorrect assumptions/beliefs).
Patents have been mentioned a few times, however I can't find any evidence that there are patents pending or granted on this technology.

No comments: