of 2
Current View
MultiNet: Usable and Secure WiFi Device Association
Anthony Brown Richard Mortier
Tom Rodden
School of Computer Science, University of Nottingham, UK
This demo presents
, a novel method for joining
devices to a domestic Wi-Fi network. MultiNet dynami-
cally recon gures the network to accept each device, rather
than con guring each device to t the network as is the
norm. It does so by assuming that each device is pre-
con gured with a cryptographically generated WPA2 net-
work SSID/passphrase pair, and then providing a lightweight
interaction through which the user creates a new network for
each device. This approach makes securely adding devices
to a wireless network straightforward without compromising
security or burdening the user, and maintaining backward
compatibility with existing deployed standards and proto-
The demo deploys a MultiNet Access Point (AP) and a
number of Wi-Fi enabled consumer devices to allow viewers
to dynamically construct and deconstruct the network via
the MultiNet controller currently implemented as an app
on an Android phone (Figure 1). The code for MultiNet is
publicly available under open-source licenses.
Categories and Subject Descriptors
C.2.1 [
Network Architecture and Design
]: Wireless com-
Usable security, domestic environments, 802.11, infrastruc-
ture intervention
Usability of domestic network security mechanisms re-
mains a challenge, with the HCI community suggesting
terface veneers
alone cannot solve all the apparent issues [1].
MultiNet is an infrastructure intervention which changes the
way in which devices are joined to the network,
con guring
of the infrastructure to the device
rather than con guring
each device to t the infrastructure as is the norm. This
approach has allowed us to redesign the joining interaction
to be consistent across all devices while retaining backwards
compatibility with legacy equipment. In our rst prototype
the interaction relies on a visual out-of-band channel created
Available at
Copyright is held by the author/owner(s).
August 13–17, 2012, Helsinki, Finland.
ACM 978-1-4503-1419-0/12/08.
Figure 1: Joining a printer using MultiNet.
Step One
Use the camera on the MultiNet controller to
read the QR Code on the joining device.
Step Two
Request that the joining device is added to the
network by sending the SSID/passkey pair for
the virtual network to the AP.
Step Three
Establish the virtual network allowing the pre-
con gured joining device to connect.
Figure 2: MultiNet data ow for adding a device.
via the use of an intermediary device possessing a camera
We assume devices are pre-con gured, and we then modi ed
to dynamically create and destroy WPA2 secured
networks on demand. The result is that the router o ers
multiple networks, approximately one per device.
Credential exchange takes place via an intuitive \capture
image and connect" interaction. The MultiNet controller
connects to the router over a dedicated WPA2 secured
trol network
, which forms a secure signalling channel over
which the credentials can be passed. Devices are assumed
to be precon gured by the manufacture with an SSID and
intuitively named the "MultiNet Controller"
Figure 3: Overview of MultiNet implementation.
Throughput (Mb/s)
Number of networks
Figure 4: Device to AP throughput (Mb/s) as the
number of con gured networks on the AP increases.
a passphrase; in our prototype these are encoded visually as
a QR Code, which the MultiNet controller acquires through
its built-in camera. These credentials are then securely con-
veyed to the router. On receipt the router creates a virtual
AP with the required SSID/passphrase pair and the joining
device joins this newly created network. The overall proto-
col ow is depicted in Figure 2. This approach e ectively
con gures the AP to accept the device and creates a \one
network per device" infrastructure.
The AP uses the
user-space daemon to provide
wireless access point with authentication via IEEE 802.11i
WPA2. We modi ed
to enable dynamic creation
and destruction of WPA2 secured networks, and to change
the con guration re-load code to only de-authenticate sta-
tions when the SSID or passphrase of a network is changed
or removed from the con guration le. After creation, these
virtual network interfaces are connected to the standard
Linux layer 2 bridge (
), enabling communication between
them. An overview of the design is depicted in Figure 3.
The AP is controlled through a set of RESTful web ser-
vices allowing the MultiNet controller to add and remove
networks by con guring
. These services are only ac-
cessible over HTTPS using the trusted controller network.
The admin network is completely isolated from the device
speci c networks, protecting the admin functions from all
non-trusted devices connected to the network. In our pro-
totype the MultiNet controller is implemented as a simple
Android application; other implementations are possible.
. We con gured the MultiNet AP to o er
the required number of networks and to act as an Iperf traf-
c sink. Once con gured a device was added to act as a Iperf
trac source and measurements of throughput, latency and
jitter were made. The AP to device throughput shows ap-
proximately linear reduction as the number of networks and
associated overheads increases, as expected. At 20 networks
there is a 13% reduction in maximum throughput, and by
50 networks this gure has risen to 27%, this is shown in
Figure 4. Results for per-packet latency show a generally
linear upward trend from from 8 ms to 15 ms for up to 20
networks. Jitter also rises slowly from 3 ms to 5 ms in the
1 to 20 network region. While MultiNet has some impact
on throughput, latency and jitter it is acceptably small for
up to 20 devices (a recent survey [2] put the UK household
average at 4.3).
. We performed an initial usability evaluation
comparing MultiNet to Wi-Fi Protected Setup (WPS) with
16 participants. The trial consisted of one task building a
small home network with three consumer devices under two
conditions: (
) using WPS, (
) using MultiNet. All par-
ticipants experienced both conditions in a lab environment.
Several metrics were used to asses the overall usability of
both systems. The e ectiveness and eciency were mea-
sured using task completion time, while user satisfaction
was measured using SUS scales and post trial interviews.
In all cases MultiNet showed a statistically signi cant im-
provement over WPS.
Recently discovered brute force attacks on the In-band
WPS con guration highlight the issues of trading usability
for security [3] and the danger of hiding security related
features from the user: MultiNet exposes security related
features making them more easily perceivable. Use of a vi-
sual out-of-band channel reduces the opportunity for un-
detected attacks, as reading the credentials from the QR
codes requires reasonable physical proximity and line of sight
to acquire a decodable image. By removing the choice of
SSID and passphrase from the users we are also able to
use securely generated values which are much longer and
use a larger alphabet than could be entered by a human.
Finally, MultiNet e ectively maps network security to the
physical security of devices and MultiNet controller which
should help users better manage the risks associated with
their actions as they manage the physical security of objects
This work was supported by the Doctoral Training Cen-
tre in Ubiquitous Computing, RCUK grant EP/G037574/1
and by Horizon Digital Economy Research, RCUK grant
[1] K. Edwards, R. Grinter, R. Mahajan, and
D. Wetherall. Advancing the state of home networking.
Communications of the ACM
, 54(6):62{71, June 2010.
[2] TP-Link. 2011 connectivity report.
[3] S. Viehb

ock. Us-cert vulnerability note vu#723755 -
wi protected setup (wps) pin brute force vulnerability,