The purpose of this research is to evaluate the effectiveness of the Internet kill switch (herein IKS) functionality of the Mudi (GL-E750) by GL.iNet [1].
The IKS is defined thus [2]:

> [...] if the VPN client is not running, the clients are Not Allowed to access the Internet
When a device is connected to the Mudi with IKS & VPN enabled, the device's traffic should not be visible to the interface the Mudi uses for WAN access.
Name | charlie |
---|---|
Make | GL Technologies (HK) Limited & Microuter Technologies Limited trading as GL-iNet [3] |
Manufacturer | Shenzhen Guanglianzhitong Tech Co., Ltd. [4] |
Model | Mudi (GL-E750C6-E) [4] |
Firmware | As shipped (version: 3.100, compile time: 2019-12-16 15:45:15) [5] |
VPN Client | OpenVPN, UDP, ch-uk-01.protonvpn.com [6] |
IKS | Enabled |
Network Mode | Router [7] |
WiFi Settings | 2.4GHz WPA2-PSK [8] |
802.11 BSSID | 94:83:C4:02:1A:35 |
802.11 ESSID | charlie |
Name | RabbitSeason |
---|---|
Make | Huawei Technologies Co., Ltd. |
Model | HUAWEI Home Gateway (HG659) |
802.11 BSSID | 5C:03:39:CC:B1:78 |
802.11 ESSID | RabbitSeason |
Name | strike |
---|---|
Make | Apple Inc. |
Manufacturer | Hon Hai Precision Industry Co. Ltd. trading as Foxconn [9] |
Model | iPhone 11 Pro |
VPN | Disabled |
OS | iOS 13.3.1 |
802.11 MAC | f8:4e:73:84:a7:b8 |
Name | hollywood |
---|---|
OS | Kali 2020.1 x64 |
WiFi Card | Qualcomm Atheros AR9271 |
Software | aircrack-ng suite, wireshark |
For both control and research environments, on `hollywood`:

```shell
sudo airmon-ng check kill
sudo airmon-ng start wlan0
```
Environments

Control:

```
strike
-> RabbitSeason
-> WAN
```

Research:

```
strike
-> charlie
-> RabbitSeason
-> WAN
```
Capture packets in different environments and compare them to determine the validity of the claim made in the Research aim section.

`charlie`'s IKS is:

- ineffective if `aircrack-ng` is able to retrieve `strike`'s TCP/IP packets when enabled.
- effective if `aircrack-ng` is unable to retrieve `strike`'s TCP/IP packets when enabled [11].

`wireshark` filters to determine packets captured by `aircrack-ng`:
Case | wireshark filter |
---|---|
A. strike connected directly to RabbitSeason | `wlan.addr==f8:4e:73:84:a7:b8 && ip` |
B. strike connected to RabbitSeason via charlie | `wlan.addr==f8:4e:73:84:a7:b8 && ip` |
Null hypothesis: A control [10] ensuring `aircrack-ng` can retrieve `strike`'s TCP/IP packets when not protected by `charlie`, i.e. the union of cases A and B forms the null hypothesis.

Alternative hypothesis: No display of TCP/IP packets [11] from `strike` when protected by `charlie`. This is the rejection of the null hypothesis.
Outcome | Condition |
---|---|
Null hypothesis is rejected | Case (A) shows packets and case (B) shows no packets. |
Null hypothesis is accepted | Case (A) shows packets and case (B) shows packets. |
Inconclusive | Case (A) shows no packets. |
- Connect `strike` to `RabbitSeason`
- Capture packet TX/RX for `RabbitSeason`:

  ```shell
  sudo airodump-ng -w cap/RabbitSeason.pcap --output-format pcap -a --bssid 5C:03:39:CC:B1:78 --channel 11 wlan0mon
  ```

- Open `RabbitSeason.pcap-01.cap` in `wireshark` with filter `wlan.addr==f8:4e:73:84:a7:b8 && ip`
- Examine packets [10]
- Existence of packets would support case (A)
- Connect `strike` to `charlie`
- Capture packet TX/RX for `RabbitSeason`:

  ```shell
  sudo airodump-ng -w cap/RabbitSeason-with-charlie.pcap --output-format pcap -a --bssid 5C:03:39:CC:B1:78 --channel 11 wlan0mon
  ```

- Open `RabbitSeason-with-charlie.pcap-01.cap` in `wireshark` with filter `wlan.addr==f8:4e:73:84:a7:b8 && ip`
- Examine packets [11]
- A lack of packets would support case (B)
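The `wlan.addr==<MAC> && ip` filter and the outcome table above, re-implemented over constructed 802.11 frames as an added Python example (not part of the original write-up): `matches` mirrors the filter, `count` tallies hits per capture and `outcome` applies the outcome table. `CHARLIE_WAN_MAC` is a placeholder, since the page does not record the MAC that charlie presents to RabbitSeason.

```python
import struct
STRIKE_MAC = "f8:4e:73:84:a7:b8"       # strike's 802.11 MAC, from the write-up
RABBIT_BSSID = "5c:03:39:cc:b1:78"     # RabbitSeason's BSSID, from the write-up
CHARLIE_WAN_MAC = "02:00:00:00:00:01"  # PLACEHOLDER: charlie's MAC as a RabbitSeason client is not on the page
SNAP_IPV4 = bytes.fromhex("aaaa030000000800")  # LLC/SNAP header announcing IPv4

def mac(s):
    return bytes.fromhex(s.replace(":", ""))

def data_frame(addr1, addr2, addr3, body, protected=False, qos=False):
    """Constructed 802.11 data frame as airodump-ng stores it (DLT 105, no radiotap)."""
    fc = 0x0008 | (0x0080 if qos else 0) | (0x4000 if protected else 0)
    hdr = struct.pack("<HH", fc, 0) + mac(addr1) + mac(addr2) + mac(addr3) + b"\x00\x00"
    return hdr + (b"\x00\x00" if qos else b"") + body

def matches(frame, target):
    """`wlan.addr==target && ip`: data frame, target in addr1-3, plaintext LLC/SNAP says IPv4."""
    if len(frame) < 24:
        return False
    fc = struct.unpack_from("<H", frame)[0]
    if (fc >> 2) & 0x3 != 2:              # only data frames carry an LLC/SNAP payload
        return False
    if mac(target) not in (frame[4:10], frame[10:16], frame[16:22]):
        return False
    if fc & 0x4000:                       # Protected bit: WPA2 ciphertext, so `ip` cannot match
        return False
    off = 26 if fc & 0x0080 else 24       # QoS data frames add a 2-byte QoS Control field
    return frame[off:off + 8] == SNAP_IPV4

def count(frames, target):
    return sum(1 for f in frames if matches(f, target))

def outcome(case_a, case_b):
    """The write-up's outcome table applied to the two filter hit counts."""
    if case_a == 0:
        return "Inconclusive"
    return "Null hypothesis is rejected" if case_b == 0 else "Null hypothesis is accepted"

def sample_captures():
    """Constructed stand-ins for the two airodump-ng captures (not the author's data)."""
    ipv4 = SNAP_IPV4 + b"\x45" + b"\x00" * 19   # IPv4 header stub after LLC/SNAP
    case_a = [  # strike associated directly to RabbitSeason
        data_frame(RABBIT_BSSID, STRIKE_MAC, "ff:ff:ff:ff:ff:ff", bytes.fromhex("aaaa030000000806") + b"\x00" * 28),  # ARP, not `ip`
        data_frame(RABBIT_BSSID, STRIKE_MAC, RABBIT_BSSID, ipv4, qos=True),    # strike -> WAN
        data_frame(STRIKE_MAC, RABBIT_BSSID, RABBIT_BSSID, ipv4),              # WAN -> strike
        data_frame(RABBIT_BSSID, STRIKE_MAC, RABBIT_BSSID, ipv4, protected=True)]  # still encrypted
    case_b = [  # strike behind charlie: only charlie's MAC appears on RabbitSeason
        data_frame(RABBIT_BSSID, CHARLIE_WAN_MAC, RABBIT_BSSID, ipv4, qos=True),
        data_frame(CHARLIE_WAN_MAC, RABBIT_BSSID, RABBIT_BSSID, ipv4)]
    return case_a, case_b
```

The Protected-bit check is why the case (A) capture only counts after wireshark has decrypted it (for WPA2-PSK that needs the passphrase and the captured four-way handshake); an undecrypted capture shows no `ip` packets and the table reads Inconclusive rather than a working kill switch.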
Cases (A) and (B) were observed when following the above methodology. We can therefore reject the null hypothesis and accept the alternative hypothesis: the IKS of the Mudi device under audit, when used with OpenVPN, protected IP traffic from interception when monitoring the upstream 802.11 access point, `RabbitSeason`.
There is a significant amount of work that can, and should, be done to further audit the Mudi device to validate the vendor's claims and the device's many features, e.g.:
- the physical rocker switch (to enable, say, Tor)
- OpenVPN server
- WireGuard client and server
- other modes of WAN access for the Mudi (tethering, 4G)
Given the open nature of the device (one can ssh into it, and add and remove arbitrary Linux packages), this should be reasonably easy compared to WiFi APs running closed software.
As always, the hardware, specifically in our case the baseband processor (in the Mudi's case the Quectel EP06 unit) as well as other components, presents auditing challenges.
1. "GL-E750 / Mudi - GL.iNet", GL.iNet, accessed February 24, 2020,
2. "Internet Kill Switch - GL.iNet Docs", GL.iNet Docs, accessed February 24, 2020,
3. "Contacts - GL.iNet", accessed February 24, 2020,
4. GL-E750 Packaging, photograph by author, February 24, 2020, https://raw.githubusercontent.com/benkant/rf_prac/master/img/package_detail.png
5. Device UI - Firmware, screenshot by author, February 24, 2020, https://raw.githubusercontent.com/benkant/rf_prac/master/img/fimware.png
6. Device UI - VPN Client, screenshot by author, February 24, 2020, https://raw.githubusercontent.com/benkant/rf_prac/master/img/vpn_config.png
7. Device UI - Network Mode, screenshot by author, February 24, 2020, https://raw.githubusercontent.com/benkant/rf_prac/master/img/network_mode.png
8. Device UI - WiFi Settings, screenshot by author, February 24, 2020, https://raw.githubusercontent.com/benkant/rf_prac/master/img/wifi_settings.png
9. Wikipedia - Foxconn, accessed February 24, 2020,
10. Wireshark - transmitted in the clear, screenshot by author, February 27, 2020, https://raw.githubusercontent.com/benkant/rf_prac/master/img/RabbitSeason_strike-in-the-clear.png
11. Wireshark - transmitted via Mudi & OpenVPN, screenshot by author, February 27, 2020, https://raw.githubusercontent.com/benkant/rf_prac/master/img/RabbitSeason_strike-in-the-blind.png