github.com/rM-self-serve/webinterface-wifi
This program will make the ReMarkable Tablet's web interface available on wifi.
Password authentication and SSL supported, along with the ability to only run when connected to certain wifi networks.
Without additional programs, the web interface will only be available over wifi while the device is plugged in and the web interface is enabled/reachable at 10.11.99.1. To ensure the web interface is always available, use webinterface-onboot.
Drag and drop does not work well on mobile, though it is simple to add an upload button.
It is recommended to install via the toltec package manager:
$ opkg update
$ opkg install webinterface-wifi
To remove it with toltec:
$ opkg remove webinterface-wifi
Alternatively, install with the release script:
$ wget https://github.com/rM-self-serve/webinterface-wifi/releases/latest/download/install-webint-wf.sh && bash install-webint-wf.sh
and remove with the same script:
$ wget https://github.com/rM-self-serve/webinterface-wifi/releases/latest/download/install-webint-wf.sh && bash install-webint-wf.sh remove
Enable and start the service:
$ systemctl enable --now webinterface-wifi
To view the web interface, type the reMarkable's wifi IP address in the browser. It can be found in the copyrights and licenses tab in the settings. Example: http://10.0.0.10/
By default, the web interface runs without authentication or encryption. This means anyone on the same wifi network can access your files. The only way to secure your device on public wifi is by enabling both authentication and encryption.
Obtain an SSL certificate and the corresponding private key; a self-signed cert is sufficient. These can be placed at the following paths:
# Certificate default path
/home/root/.local/share/webinterface-wifi/ssl/ssl_cert.pem
# If installed with Toltec
/opt/etc/webinterface-wifi/ssl/ssl_cert.pem
# Private Key default path
/home/root/.local/share/webinterface-wifi/ssl/ssl_priv.rsa
# If installed with Toltec
/opt/etc/webinterface-wifi/ssl/ssl_priv.rsa
Or the paths can be specified in config.toml:
[conf]
ssl_cert_path="/etc/ssl/ssl_cert.pem"
ssl_priv_path="/etc/ssl/ssl_priv.rsa"
# ...
Then enable ssl in each network:
[networks.arbitrary_name]
ssl=true
# ...
[undefined_networks]
ssl=true
# ...
An SSL keypair will be included in this repository for testing purposes. This should not be considered secure as someone determined could use the provided private key to decrypt your network traffic. These will need to be downloaded separately.
A login consists of a username and password. The username will not be saved, so be sure to remember it along with the password. Since the device is not encrypted, it is important to use a unique password not used elsewhere. Even with login enabled, anyone on the same wifi network can read whatever files are uploaded/downloaded; use SSL to mitigate this vulnerability.
To create a login, run the following command and enter a username and password:
$ webinterface-wifi create-login
User: myuser
Password:
Retype Password:
# Login file default path
/home/root/.local/share/webinterface-wifi/auth/login.pass
# If installed with Toltec
/opt/etc/webinterface-wifi/auth/login.pass
This will create a login file at the default path so that it does not need to be specified in config.toml.
To specify in config.toml:
[conf]
login_path="/etc/auth/login.pass"
# ...
The password is not stored in plaintext.
Each wifi network can have settings defined in the config:
[networks.home]
router_ssid="Home's Wifi Name"
ssl=false
login_enforced=false
listen_ip="auto"
listen_port=80
[networks.coffeshop]
router_ssid="Coffeshop's Wifi Name"
ssl=true
login_enforced=true
listen_ip="auto"
listen_port=443
http_redirect_port=80
When the wifi network with the matching SSID connects, these settings will be applied.
If the connected network is not defined (and is not filtered), it will run with the settings of the [undefined_networks] field:
[undefined_networks]
ssl=false
login_enforced=false
listen_ip="auto"
listen_port=80
If you would like your webinterface to be available on your home wifi network but not the airport, you can configure network filtering.
Allowlist: the more secure option. This feature ensures the webinterface will only be available on defined networks.
[conf]
network_filter="allowlist"
[networks.home]
router_ssid="Home Wifi Name"
# ...
[allowlist]
networks=[ "home" ]
Blocklist: this option lets you define which networks the webinterface should NOT run on, while running on any network that is not in the list.
[conf]
network_filter="blocklist"
[networks.airport]
router_ssid="Airport Wifi Name"
[blocklist]
networks=[ "airport" ]
[undefined_networks]
# ...
Webinterface-Wifi needs to be explicitly reloaded when the config is edited.
Warning: An invalid config will stop the daemon from running. Restart it with:
$ systemctl daemon-reload
$ systemctl restart webinterface-wifi
Open the default config in your editor of choice, defined by the environment variable $EDITOR, or nano if not defined:
$ webinterface-wifi edit
After the file is saved, the config is validated and any errors are reported.
# Default Config Path
/home/root/.config/webinterface-wifi/config.toml
You may wish to edit the config and reload the program without restarting the daemon.
$ webinterface-wifi reload
Config Valid
Config Reloaded
To ensure your modified config is valid, and to do a mock run to see which network may be currently active:
$ webinterface-wifi validate
$ webinterface-wifi net-info
wifi interface: wlan0 ip: 192.168.1.93
webint ip exists: 10.11.99.1
router ssid: Home Wifi Name
In the definition of a network, the 'listen_ip' field is set to "auto" by default. This will find the IP address of the wifi interface and start the server on it. It can also be configured to run on a static IPv4 address. The webinterface will be available on this IP address when the device has wifi.
[networks.home]
listen_ip="0.0.0.0"
[networks.coffeshop]
listen_ip="auto"
[undefined_networks]
listen_ip="169.254.229.31"
If the defined network has enabled SSL, it can enable the redirection of an unencrypted network connection to an encrypted one. Omitting this field will disable redirection.
[networks.home]
http_redirect_port=80
For more information on the config see the spec and examples in the config folder.
You will need docker/podman, cargo, and the cargo crate named cross. There are other ways to cross compile for 32 bit arm as well.
cross build --target armv7-unknown-linux-gnueabihf --release
Then copy the binary 'target/armv7-unknown-linux-gnueabihf/release/webinterface-wifi' to the device and enable/start it as a systemd service.
This program will start a reverse proxy on the wifi interface on the port specified. The proxy will start/stop based on whether webinterface has the configured IP address and the wifi interface has an IP address. It will automatically be available whenever you connect to a new wifi network.