LAUSR

Wi-Fi Easy Connect is a protocol introduced by the Wi-Fi Alliance, as the core replacement of the Wi-Fi Protected Setup (WPS). It aims to facilitate user-friendly provisioning methods, such as scanning a QR code, or leveraging a short-range wireless protocol like Near-Field Communication and Bluetooth. In this paper, we thoroughly examine the security and privacy properties of Wi-Fi Easy Connect (version 3.0); an exhaustive assessment that has not been previously conducted to the best of our knowledge. In addition to uncovering security issues, we identified key aspects of the specification’s design that surprisingly may increase, rather than decrease the attack surface for malicious actors, when compared to its predecessor, WPS. All our findings have been shared with the Wi-Fi Alliance, and the responses regarding action items or risk acceptance have been considered in our analysis. Finally, we analyzed hostapd, the most popular software implementation of Wi-Fi Easy Connect, and we uncovered an implementation issue that allowed an attacker to subvert future connections, highlighting the risks when implementations do not fully adhere to the protocol’s design specifications. Our analysis illustrates the danger of introducing security and privacy vulnerabilities in protocols, when protocol design favors usability versus security.