Hello team, I would like to write a program that will enable users to select a wifi network to connect to once a scan has completed on the Arduino Rev 4 Wifi and that will allow the user to enter the wifi password via a touch screen display.
Once a connection is successful, users will be given the option to save these details via EEPROM.
Before writing the code I thought I'd check whether there is any security risks associated with entering and saving password details in this way. Thanks.
It depends on the threat level. In this scenario it would certainly be possible for a motivated attacker to steal the board and read the EEPROM.
In most cases that is not a real issue. If someone broke into my house they wouldn't need to steal my device to get the WiFi password because my wife has it written on a sticky note by the monitor. Right?
But if it is the case that this particular password might be secret enough and valuable enough to warrant further security, then it might make sense to encrypt the password before you store it.
Nothing will ever make it 100% absolutely secure. For every lock you build someone will build a better lock-pick.
BTW: The R4 supposedly has some peripherals to handle encryption, but I haven't really looked into it further than noticing the section heading in the data sheet.
See section 46 in the Hardware User's Manual for the RA4M1.
Thanks for the response this is good to know.
I think I can safely assume that the physical hardware is unlikely to get stolen (the project is for a gym). You have given me an idea though of adding the option for users to delete saved wifi networks if they please.
If we assume the physical board is unlikely to get stolen, would there be any way for a hacker to access, EEPROM password data or an entered password in another way.
Thanks again for the help on this one.
Oh there is always some way. There's no way to 100% stop everything. But it is not very likely that someone is going to be able to get to it over the internet. At least you can say that there would be easier ways in the same situation to get those same passwords.
Without physical access to the device it becomes much easier to steal the password by intercepting the radio transmissions than by trying to hack the hardware.
Thanks that makes sense, would I be right in saying that in order to intercept the radio transmissions our hacker would need to be in local proximity to the board and router? (I'll look out for dodgy characters hanging about with radio receivers )
I don't know a lot of details but I know people can do some interesting things with WiFi transmissions.
But at that point it's not really in your hands. If they don't grab it on your network then they'll grab it on another one. At this point we're way out into "what-if" land.
The point is that if someone is well enough motivated and funded then you really can't stop them. At the end of the day if all you're protecting is a WiFi password, well those aren't really that secure to begin with. So as long as you aren't the weak link in the chain you should be ok.
At least that's my take. Why spend a bunch of time adding more locks to the door if you can't close the window?
'why add more locks to a door if you can't close the window'
thats a keeper, thanks again for your time, some peace of mind.