
How to prevent QR code scan to access home WiFi?

  • 18-03-2025 10:01PM
    #1
    Registered Users, Registered Users 2 Posts: 126 ✭✭


    Is there any way to prevent someone accessing the home Wi-Fi, by scanning the QR code from the mobile device of someone already connected to the same Wi-Fi?



Comments

  • Registered Users, Registered Users 2 Posts: 9,707 ✭✭✭irishgeo


    The simple answer is you can't. There is a way to do it, but we need more information on your modem.



  • Registered Users, Registered Users 2 Posts: 2,885 ✭✭✭wandererz


    Not that I know of.

    Unless you do MAC address filtering/restriction on your WiFi router and only allow known MAC addresses to connect.



  • Registered Users, Registered Users 2 Posts: 6,293 ✭✭✭CalamariFritti


    Can you not simply change the wifi credentials? I'm not 100% sure tbh since I never ran into that problem myself but I thought the qr code was specific to the credentials at the time the qr code was taken. Consequently changing SSID or passkey would invalidate the old qr code?

    It would mean you'd have to re-enter the passkey or re-QR all your own devices, but if there was a genuine security concern then this wouldn't be too bad an option, no?



  • Registered Users, Registered Users 2 Posts: 4,384 ✭✭✭smuggler.ie


    As the QR code has the SSID/pass information, you cannot prevent a user who already has this info from sharing it with others. In the same way, you could read this info from a laptop or computer that is/was connected to the WiFi network (admin account needed). Change the password and don't share.

    More detail might help to determine different approach/best options:
    family member/flatmate? neighbor? work?
    Device make/model ?

    • Provided you must share WiFi with someone, but this person might share it further without your consent, you could create an "allowed" MAC address list and thus block all other connections except that person's. A bit of an inconvenience if you need to add another device later, but sure thing, most secure (an "intruder" would need to know the permitted MAC addresses).
    • A MAC address "block" list is a weaker version of this feature and requires constant monitoring - MAC spoofing/randomization is widely available on mobile devices without even needing third-party tools.
    • Update the password at intervals and update only the relevant users.
    • Share the connection to the "guest WiFi" only - the guest network has client isolation and thus somewhat protects your other devices.


    Depending on the WiFi router you have, some other features might be available, like bandwidth control on networks, time schedules, etc.



  • Registered Users, Registered Users 2 Posts: 2,885 ✭✭✭wandererz


    To add to what I said above, if your WiFi router allows multiple SSIDs then set up separate ones depending on your environment, e.g. Multimedia, IoT, Kids, Guests etc., with different passwords for each.

    Then only give the relevant passwords to the relevant people e.g. Kids & Guests.

    Take note of the MAC addresses of your kids' devices when they connect and name them if you can. After a little while, you can just allow those devices onto that network / SSID.

    Everyone else will have to go onto the Guest network. And you can do bandwidth limitation etc if your router allows you that functionality.



  • Moderators, Regional Midwest Moderators Posts: 11,282 Mod ✭✭✭✭MarkR


    As mentioned above, you can specify MAC addresses of specific devices that are allowed to connect, and then prevent all additional ones.



  • Registered Users, Registered Users 2 Posts: 6,293 ✭✭✭CalamariFritti


    Or else, sorry for repeating myself, why not simply change the password?

    It really is the only way. All the other ideas are convoluted and are missing the point IMO.

    The OP gave someone the credentials to their WIFI network and the OP believes they may pass them on or already have. Whether the OP gave them the credentials via QR code or whether they gave them the cleartext passkey doesn't matter, it's the same thing. Credentials are now compromised so they need to change the passkey. 🤷‍♂️



  • Registered Users, Registered Users 2 Posts: 2,885 ✭✭✭wandererz


    Changing the passphrase doesn't stop the problem from recurring because whoever shared the credentials can do so again if they are a trusted and allowed user.



  • Registered Users, Registered Users 2 Posts: 6,293 ✭✭✭CalamariFritti


    But the QR code they have will no longer match the updated credentials. They will no longer be able to access the WIFI with their outdated credentials and the old QR code they have will be useless.
    Also they are not automatically a router administrator able to look up a potentially new QR code again only because they once had WIFI access. WIFI access and router login are not the same thing at all.
    That's before the fact that once you change the passkey they can no longer get through to the router anyway. They are simply out.

    AFAIK the QR code is simply a user convenience feature allowing you to give visitors (or anyone really) access without them having to type tedious passkeys. Obviously only for phones or other devices with a camera like tablets. It's for the typical scenario: friends come over, 'what's your wifi', 'here just scan that'.
    But at the end of the day it will simply log them onto the WIFI with SSID and passkey which are encoded in the QR code. The same way as if they browsed the SSID and then entered the passkey manually. It's just a shortcut doing the same thing.

    The moment you change the passkey all previously authorised devices are out. And there is no way for them to get back unless you give them the new QR code.

    If this was not the case QR codes would be an insane security leak as they could never be invalidated.



  • Registered Users, Registered Users 2 Posts: 11,005 ✭✭✭✭28064212


    This has all the hallmarks of an XY problem. The OP wants to do "something". They've decided that the best way to do that "something" is to prevent QR code scans from giving access to the WiFi.

    It's very unlikely that will solve anything. @MaxPayneXL, what problem are you actually trying to solve?

    Boardsie Enhancement Suite - a browser extension to make using Boards on desktop a better experience (includes full-width display, keyboard shortcuts, dark mode, and more). Now available through your browser's extension store.

    Firefox: https://addons.mozilla.org/addon/boardsie-enhancement-suite/

    Chrome/Edge/Opera: https://chromewebstore.google.com/detail/boardsie-enhancement-suit/bbgnmnfagihoohjkofdnofcfmkpdmmce



  • Registered Users, Registered Users 2 Posts: 2,885 ✭✭✭wandererz


    If you go to the WiFi settings on your phone you have the option of sharing the WiFi details with anyone else simply by choosing to show a QR code that anyone else can scan and connect.

    So if your kid's friend comes over, all they have to do is scan the QR code that your kid shows them on his/her phone and they are connected to your WiFi network. Even if you have a strong password that you have typed into your kid's phone yourself and that you haven't given to them.

    No need to even go near the router.



  • Registered Users, Registered Users 2 Posts: 4,384 ✭✭✭smuggler.ie




  • Registered Users, Registered Users 2 Posts: 6,293 ✭✭✭CalamariFritti


    I think it is fair to assume the OP gave someone access via QR code and they no longer want anyone with that access in. They probably have concerns credentials go wandering. Chances are they don't fully understand what WIFI QR codes do and don't, so they came to this idea of disabling QR codes.

    The only solution is to change credentials, changing passkey will do this.



  • Registered Users, Registered Users 2 Posts: 4,384 ✭✭✭smuggler.ie


    Changing the SSID/pass invalidates the QR code that is the default on the router label. A phone that has current valid connectivity to that WiFi, as described above, produces a new QR code with valid credentials.



  • Registered Users, Registered Users 2 Posts: 6,293 ✭✭✭CalamariFritti


    Changing the passkey will invalidate QR codes. What's printed on the router sticker only represents the default credentials for first initial setup or after a restore to factory settings. They are not a forever master access key.

    And of course during initial setup you are strongly encouraged to change the default SSID credentials. Which would be mad not to do. And as you change those the WIFI QR code changes too. Anything else would be madness.

    Then of course the QR code itself is no magical thing which is alive and self adjusting to config changes. A QR code is simply there to easily share SSID/encryption type/passkey without having to enter them manually. It represents current credentials at the time when shared. Once you change credentials all devices which have the old credentials will no longer be authorised. Whether they got them manually or via QR code makes no difference.

    This snippet from Wikipedia says what's encoded in the QR code:

    URI using the WIFI scheme can specify the SSID, encryption type, password/passphrase, and if the SSID is hidden or not, so users can follow links from QR codes, for instance, to join networks without having to manually enter the data.[139] A MeCard-like format is supported by Android and iOS 11+.[140]

    • Common format: WIFI:S:<SSID>;T:<WEP|WPA|blank>;P:<PASSWORD>;H:<true|false|blank>;
    • Sample WIFI:S:MySSID;T:WPA;P:MyPassW0rd;;
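
An added example (not part of the original post): a Python decoder and encoder for the `WIFI:` payload quoted above, showing that a code is only a snapshot of the SSID and passphrase it was generated from. Function names and the replacement passphrase are constructed for illustration; the backslash escaping of `\ ; , : "` is the commonly documented form of this format.

```python
import re

FIELD_NAMES = {"S": "ssid", "T": "auth", "P": "passphrase"}

def split_fields(body):
    """Split on ';' separators, resolving backslash escapes as we go."""
    fields, current, i = [], [], 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):
            current.append(body[i + 1])  # escaped character is literal data
            i += 2
            continue
        if ch == ";":
            fields.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    return fields + (["".join(current)] if current else [])

def parse_wifi_qr(payload):
    """Decode a WIFI: payload into the credentials it carries."""
    if not payload.startswith("WIFI:"):
        raise ValueError("not a WIFI: payload")
    creds = {"ssid": "", "auth": "", "passphrase": "", "hidden": False}
    for field in split_fields(payload[len("WIFI:"):]):
        key, sep, value = field.partition(":")
        if key == "H":
            creds["hidden"] = value.lower() == "true"
        elif sep and key in FIELD_NAMES:
            creds[FIELD_NAMES[key]] = value
    return creds

def escape(value):
    return re.sub(r'([\\;,:"])', r"\\\1", value)

def build_wifi_qr(ssid, passphrase, auth="WPA"):
    """Payload a connected phone encodes when it shows a share code."""
    return f"WIFI:S:{escape(ssid)};T:{auth};P:{escape(passphrase)};;"

def qr_still_valid(payload, current_ssid, current_passphrase):
    """True only if the code matches what the router accepts right now."""
    creds = parse_wifi_qr(payload)
    return (creds["ssid"], creds["passphrase"]) == (current_ssid, current_passphrase)

# OLD_CODE is the sample quoted in the post; NEW_PASSPHRASE is constructed
# and deliberately contains characters that need escaping.
OLD_CODE = "WIFI:S:MySSID;T:WPA;P:MyPassW0rd;;"
NEW_PASSPHRASE = "n3w;pass:phrase"
```

After the passphrase changes, `qr_still_valid(OLD_CODE, "MySSID", NEW_PASSPHRASE)` is false, while a code built with `build_wifi_qr` from the new credentials is accepted.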


  • Moderators, Regional Midwest Moderators Posts: 11,282 Mod ✭✭✭✭MarkR


    Anyone with a phone can share any password from any router. You can't change that. What you can change is whether the router accepts the new device. You can limit additional devices in the router settings by only allowing certain IP addresses. No point in changing network names or passwords.



  • Registered Users, Registered Users 2 Posts: 11,005 ✭✭✭✭28064212


    There are lots of scenarios where changing the passkey will do absolutely nothing to solve the OP's problem. Simple example:

    • OP's child has WiFi credentials stored on their mobile device
    • Child's friend comes over, child shares credentials using the QR code from their phone (which is generated from the current credentials on the phone)
    • OP doesn't want friend on the WiFi network
    • OP changes WiFi credentials, and connects their child's device to network
    • Child's friend comes over, child shares credentials using the QR code from their phone (which is generated from the current credentials on the phone)
    • OP doesn't want friend on the WiFi network
    • OP changes WiFi credentials, and connects their child's device to network
    • Child's friend comes over…

    Congrats, you've provided a solution that does nothing to solve the problem. And that's because we have no idea what the problem is. Unless the OP tells us what the problem actually is, providing solutions is like throwing darts blindfolded.




  • Registered Users, Registered Users 2 Posts: 6,293 ✭✭✭CalamariFritti


    Fair enough

    I'll adjust my advice accordingly. Don't give child access in the first place 😃 or better again don't have children 😂.



  • Registered Users, Registered Users 2 Posts: 126 ✭✭MaxPayneXL


    Thanks all for your replies and suggestions.

    My two teens and wife are using the home Wi-Fi mentioned. My children share the QR code with their friends when they come to my home for a sleepover etc. When friends come to our home and request the Wi-Fi password, it is not possible to deny the request.

    It is not practical to change the WiFi SSID, Password etc every now and then. MAC address binding to the main SSID (restricting my family alone to use it) is an option. Then I can create a Guest SSID and change the password for it often and instruct my children to give out that Guest Wi-Fi Password instead of one for the main SSID.


